Repository: incubator-ranger Updated Branches: refs/heads/master db3f7ceb5 -> b1ff4797f
Ranger-840: Regenrating the patch with merging both the related patches to one Signed-off-by: Velmurugan Periasamy <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b1ff4797 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b1ff4797 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b1ff4797 Branch: refs/heads/master Commit: b1ff4797fb0879183edcd05e8653ebb4e461f921 Parents: db3f7ce Author: Sailaja Polavarapu <[email protected]> Authored: Tue Feb 16 12:48:19 2016 -0800 Committer: Velmurugan Periasamy <[email protected]> Committed: Wed Feb 17 00:46:34 2016 -0500 ---------------------------------------------------------------------- .../apache/ranger/common/PropertiesUtil.java | 8 + .../process/CustomSSLSocketFactory.java | 188 +++++++++++++++++++ .../process/LdapUserGroupBuilder.java | 8 +- 3 files changed, 201 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b1ff4797/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java index 5229fe7..b9caa76 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java @@ -22,6 +22,7 @@ */ package org.apache.ranger.common; +import java.security.KeyStore; import java.util.ArrayList; import java.util.HashMap; import java.util.List; 
@@ -65,6 +66,13 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
 String keyStr = key.toString();
 propertiesMap.put(keyStr, props.getProperty(keyStr).trim());
 }
+
+ // update system trust store path with custom trust store.
+ if (propertiesMap!=null && propertiesMap.containsKey("ranger.truststore.file")) {
+ System.setProperty("javax.net.ssl.trustStore", propertiesMap.get("ranger.truststore.file"));
+ System.setProperty("javax.net.ssl.trustStorePassword", propertiesMap.get("ranger.truststore.password"));
+ System.setProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
+ }
 //update credential from keystore
 if(propertiesMap!=null && propertiesMap.containsKey("ranger.credential.provider.path") && propertiesMap.containsKey("ranger.jpa.jdbc.credential.alias")){
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b1ff4797/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
new file mode 100644
index 0000000..827b450
--- /dev/null
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
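Review bot: The new block in the second hunk calls `System.setProperty("javax.net.ssl.trustStorePassword", propertiesMap.get("ranger.truststore.password"))` after checking only that `ranger.truststore.file` is present, so a configuration that sets the file but omits the password makes `System.setProperty` throw a NullPointerException (it rejects a null value) and aborts the rest of property processing. Guard it: `String tsPwd = propertiesMap.get("ranger.truststore.password"); if (tsPwd != null) { System.setProperty("javax.net.ssl.trustStorePassword", tsPwd); }`. These three properties also replace the JVM-wide default trust store for every outbound TLS client in the admin process, not just the one this commit targets, which deserves a comment such as `// NOTE: overrides the JVM default trust store for all outbound TLS in this process`. The password is read in clear text from the properties file while the lines just below this hunk resolve the JDBC credential through `ranger.credential.provider.path`, so the trust-store password could be resolved through the same credential-provider path rather than a plaintext property. The enclosing method starts before and ends after this hunk.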
@@ -0,0 +1,188 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapusersync.process;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+
+import javax.net.SocketFactory;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.apache.log4j.Logger;
+import org.apache.ranger.unixusersync.config.UserGroupSyncConfig;
+import org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder;
+
+public class CustomSSLSocketFactory extends SSLSocketFactory{
+ private static final Logger LOG = Logger.getLogger(CustomSSLSocketFactory.class);
+ private SSLSocketFactory sockFactory;
+ private UserGroupSyncConfig config = UserGroupSyncConfig.getInstance();
+
+ public CustomSSLSocketFactory() {
+ SSLContext sslContext = null;
+ String keyStoreFile = config.getSSLKeyStorePath() ;
+ String keyStoreFilepwd = config.getSSLKeyStorePathPassword();
+ String trustStoreFile = config.getSSLTrustStorePath();
+ String trustStoreFilepwd = config.getSSLTrustStorePathPassword();
+ String keyStoreType = KeyStore.getDefaultType();
+ String trustStoreType = KeyStore.getDefaultType();
+ try {
+
+ KeyManager[] kmList = null;
+ TrustManager[] tmList = null;
+
+ if (keyStoreFile != null && keyStoreFilepwd != null) {
+
+ KeyStore keyStore = KeyStore.getInstance(keyStoreType);
+ InputStream in = null ;
+ try {
+ in = getFileInputStream(keyStoreFile) ;
+ if (in == null) {
+ LOG.error("Unable to obtain keystore from file [" + keyStoreFile + "]");
+ return;
+ }
+ keyStore.load(in, keyStoreFilepwd.toCharArray());
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ keyManagerFactory.init(keyStore, keyStoreFilepwd.toCharArray());
+ kmList = keyManagerFactory.getKeyManagers();
+ }
+ finally {
+ if (in != null) {
+ in.close();
+ }
+ }
+
+ }
+
+ if (trustStoreFile != null && trustStoreFilepwd != null) {
+
+ KeyStore trustStore = KeyStore.getInstance(trustStoreType);
+ InputStream in = null ;
+ try {
+ in = getFileInputStream(trustStoreFile) ;
+ if (in == null) {
+ LOG.error("Unable to obtain keystore from file [" + trustStoreFile + "]");
+ return;
+ }
+ trustStore.load(in, trustStoreFilepwd.toCharArray());
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ trustManagerFactory.init(trustStore);
+ tmList = trustManagerFactory.getTrustManagers();
+ }
+ finally {
+ if (in != null) {
+ in.close() ;
+ }
+ }
+ }
+
+ sslContext = SSLContext.getInstance("TLS");
+
+ sslContext.init(kmList, tmList, new SecureRandom());
+ sockFactory = sslContext.getSocketFactory();
+ }
+ catch(Throwable t) {
+ throw new RuntimeException("Unable to create SSLConext for communication to policy manager", t);
+ }
+ }
+
+ public static SocketFactory getDefault() {
+ return new CustomSSLSocketFactory();
+ }
+
+ @Override
+ public String[] getDefaultCipherSuites() {
+ return sockFactory.getDefaultCipherSuites();
+ }
+
+ @Override
+ public String[] getSupportedCipherSuites() {
+ return sockFactory.getSupportedCipherSuites();
+ }
+
+ @Override
+ public Socket createSocket(Socket socket, String host, int port, boolean bln) throws IOException {
+ return sockFactory.createSocket(socket, host, port, bln);
+ }
+
+ @Override
+ public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
+ return sockFactory.createSocket(host, port);
+ }
+
+ @Override
+ public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
+ return sockFactory.createSocket(host, port, localHost, localPort);
+ }
+
+ @Override
+ public Socket createSocket(InetAddress localHost, int localPort) throws IOException {
+ return sockFactory.createSocket(localHost, localPort);
+ }
+
+ @Override
+ public Socket createSocket(InetAddress address, int port, InetAddress localHost, int localPort) throws IOException {
+ return sockFactory.createSocket(address, port, localHost, localPort);
+ }
+
+ private InputStream getFileInputStream(String path) throws FileNotFoundException {
+
+ InputStream ret = null;
+
+ File f = new File(path);
+
+ if (f.exists()) {
+ ret = new FileInputStream(f);
+ } else {
+ ret = PolicyMgrUserGroupBuilder.class.getResourceAsStream(path);
+
+ if (ret == null) {
+ if (! path.startsWith("/")) {
+ ret = getClass().getResourceAsStream("/" + path);
+ }
+ }
+
+ if (ret == null) {
+ ret = ClassLoader.getSystemClassLoader().getResourceAsStream(path) ;
+ if (ret == null) {
+ if (! path.startsWith("/")) {
+ ret = ClassLoader.getSystemResourceAsStream("/" + path);
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b1ff4797/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
index 99403d7..529af72 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
@@ -19,7 +19,6 @@
 package org.apache.ranger.ldapusersync.process;
-
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -186,7 +185,10 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 env.put(Context.SECURITY_CREDENTIALS, ldapBindPassword);
 env.put(Context.SECURITY_AUTHENTICATION, ldapAuthenticationMechanism);
 env.put(Context.REFERRAL, ldapReferral) ;
-
+ if (ldapUrl.startsWith("ldaps") && (config.getSSLTrustStorePath() != null && !config.getSSLTrustStorePath().trim().isEmpty())) {
+ env.put("java.naming.ldap.factory.socket", "org.apache.ranger.ldapusersync.process.CustomSSLSocketFactory");
+ }
+
 ldapContext = new InitialLdapContext(env, null);
 searchBase = config.getSearchBase();
@@ -580,4 +582,4 @@ class UserInfo {
 public List<String> getGroups() {
 return (new ArrayList<String>(groupList));
 }
-}
+}
\ No newline at end of file
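Review bot: In the constructor, the two `if (in == null) { LOG.error(...); return; }` branches (key store and trust store) return from a constructor that has not yet assigned `sockFactory`, so `getDefault()` hands JNDI a factory whose first `createSocket(...)` or `getDefaultCipherSuites()` call dies with a NullPointerException far from the real cause; throw instead, e.g. `throw new IllegalStateException("Unable to obtain truststore from file [" + trustStoreFile + "]");` with the matching message in the key-store branch. The trust store is only loaded when both `trustStoreFile` and `trustStoreFilepwd` are non-null, so a configured path with a missing password silently falls through to `sslContext.init(kmList, null, ...)` and the JVM default trust anchors, even though the caller enables this factory precisely because a trust-store path is set; since `KeyStore.load` accepts a null password, the condition can drop the password requirement, or at minimum log a WARN that the configured trust store was ignored. The factory performs no hostname verification of its own, and whether the JNDI LDAP provider applies endpoint identification to sockets obtained from a custom `java.naming.ldap.factory.socket` depends on the JDK in use, so a comment recording that assumption would help a reader (the unused `HostnameVerifier` and `SSLSession` imports suggest it was considered and dropped). Minor: `catch(Throwable t)` also wraps `Error`s such as OutOfMemoryError into a RuntimeException, and the message `Unable to create SSLConext for communication to policy manager` is both misspelled and wrong for an LDAP socket factory — `"Unable to create SSLContext for LDAP connection"` would be accurate.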
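Review bot: The new guard `ldapUrl.startsWith("ldaps")` is case-sensitive, so a URL written as `LDAPS://...` takes the plain branch here and the connection is opened without the custom factory, i.e. against the JVM default trust store, silently bypassing the trust store configured through `config.getSSLTrustStorePath()`; the JNDI provider appears to accept the scheme case-insensitively, so the mismatch is real, though worth confirming on the JDK in use. Use `ldapUrl.toLowerCase(Locale.ROOT).startsWith("ldaps")` (or `ldapUrl.regionMatches(true, 0, "ldaps", 0, 5)`) so both sides agree on what counts as LDAPS. A one-line comment would also help readers: `// Use the usersync SSLSocketFactory only for ldaps:// so the configured trust store, not the JVM default, validates the directory server.` The enclosing method starts before this hunk and continues past it, so whether `ldapUrl` can be null at this point cannot be confirmed from the hunk alone.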
