Repository: incubator-ranger Updated Branches: refs/heads/master a9775857d -> 928a5ef9f
Ranger-722: StartTLS support for Ranger
Signed-off-by: Velmurugan Periasamy <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/928a5ef9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/928a5ef9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/928a5ef9
Branch: refs/heads/master
Commit: 928a5ef9f452894023b1409d8b189c739e7a748f
Parents: a977585
Author: Sailaja Polavarapu <[email protected]>
Authored: Thu Feb 18 14:39:16 2016 -0800
Committer: Velmurugan Periasamy <[email protected]>
Committed: Fri Feb 19 13:43:52 2016 -0500
----------------------------------------------------------------------
.../process/CustomSSLSocketFactory.java | 2 +-
.../process/LdapUserGroupBuilder.java | 31 ++++++++++++++++----
.../config/UserGroupSyncConfig.java | 14 +++++++++
3 files changed, 40 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/928a5ef9/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
index 827b450..9458e68 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
@@ -117,7 +117,7 @@ public class CustomSSLSocketFactory extends SSLSocketFactory{
 }
 }
- public static SocketFactory getDefault() {
+ public static SSLSocketFactory getDefault() {
 return new CustomSSLSocketFactory();
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/928a5ef9/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
index 6c3aa74..0fc90e6 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
@@ -42,6 +42,8 @@ import javax.naming.ldap.InitialLdapContext;
 import javax.naming.ldap.LdapContext;
 import javax.naming.ldap.PagedResultsControl;
 import javax.naming.ldap.PagedResultsResponseControl;
+import javax.naming.ldap.StartTlsRequest;
+import javax.naming.ldap.StartTlsResponse;
 import org.apache.log4j.Logger;
 import org.apache.ranger.unixusersync.config.UserGroupSyncConfig;
@@ -88,6 +90,7 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 private String groupNameAttribute;
 private LdapContext ldapContext;
+ StartTlsResponse tls;
 private boolean userNameCaseConversionFlag = false ;
 private boolean groupNameCaseConversionFlag = false ;
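Review bot: The static `getDefault()` has no Javadoc, and this commit widens its contract: it is now called directly from `LdapUserGroupBuilder` to feed `StartTlsResponse.negotiate(SSLSocketFactory)`, which is why the return type changes, while JNDI also resolves the class named by the `java.naming.ldap.factory.socket` property and invokes its static `getDefault()` reflectively, so the name, `public` visibility and `static` modifier are a contract the compiler will not check. The method hides `javax.net.ssl.SSLSocketFactory.getDefault()` rather than overriding it, which is another thing a later maintainer can easily break. I would add a Javadoc along the lines of `/** Returns a new factory backed by the configured trust store. Invoked reflectively by JNDI via java.naming.ldap.factory.socket and directly for StartTlsResponse.negotiate(); keep it public static and keep the name getDefault. */` so both callers are recorded next to the method.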
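Review bot: The new field `StartTlsResponse tls;` is package-private while the neighbouring state (`ldapContext`, `groupNameAttribute`, the case-conversion flags) is `private`, and nothing in the diff reads it from outside the class, so `private StartTlsResponse tls;` keeps the class's accessibility consistent. A one-line comment on its lifecycle would also help, since the field is only assigned on the StartTLS path and is read again in `closeLdapContext()`: `// StartTLS layer negotiated on ldapContext; assigned only when StartTLS is enabled and closed before the context`.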
@@ -181,15 +184,27 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
 env.put(Context.PROVIDER_URL, ldapUrl);
- env.put(Context.SECURITY_PRINCIPAL, ldapBindDn);
- env.put(Context.SECURITY_CREDENTIALS, ldapBindPassword);
- env.put(Context.SECURITY_AUTHENTICATION, ldapAuthenticationMechanism);
- env.put(Context.REFERRAL, ldapReferral) ;
 if (ldapUrl.startsWith("ldaps") && (config.getSSLTrustStorePath() != null && !config.getSSLTrustStorePath().trim().isEmpty())) {
- env.put("java.naming.ldap.factory.socket", "org.apache.ranger.ldapusersync.process.CustomSSLSocketFactory");
- }
+ env.put("java.naming.ldap.factory.socket", "org.apache.ranger.ldapusersync.process.CustomSSLSocketFactory");
+ }
 ldapContext = new InitialLdapContext(env, null);
+ if (!ldapUrl.startsWith("ldaps")) {
+ if (config.isStartTlsEnabled()) {
+ tls = (StartTlsResponse) ldapContext.extendedOperation(new StartTlsRequest());
+ if (config.getSSLTrustStorePath() != null && !config.getSSLTrustStorePath().trim().isEmpty()) {
+ tls.negotiate(CustomSSLSocketFactory.getDefault());
+ } else {
+ tls.negotiate();
+ }
+ LOG.info("Starting TLS session...");
+ }
+ }
+
+ ldapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, ldapBindDn);
+ ldapContext.addToEnvironment(Context.SECURITY_CREDENTIALS, ldapBindPassword);
+ ldapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, ldapAuthenticationMechanism);
+ ldapContext.addToEnvironment(Context.REFERRAL, ldapReferral) ;
 searchBase = config.getSearchBase();
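Review bot: If `extendedOperation(new StartTlsRequest())` or `tls.negotiate(...)` throws, the `ldapContext` created on the line above is left open and `tls` keeps pointing at a response that never finished negotiating; nothing in this hunk closes either before the exception leaves the method, whose start and end are outside the hunk. The ordering itself is the right one — the bind DN and password are only added to the environment after negotiation, so a certificate or handshake failure cannot fall through to a cleartext bind — but the cleanup should be explicit, and `tls` should be reset whenever a new context is created so that `closeLdapContext()` does not later close a response negotiated on an earlier connection. The `LOG.info("Starting TLS session...")` line is also emitted after negotiation has completed, so its wording is misleading. The rewrite below assumes the enclosing method already declares or handles `IOException` and `NamingException`, which the original `negotiate` and `extendedOperation` calls require anyway; `IOException` needs importing if it is not already.
```java
ldapContext = new InitialLdapContext(env, null);
tls = null; // never carry a response over from a previous context
if (!ldapUrl.startsWith("ldaps") && config.isStartTlsEnabled()) {
	try {
		tls = (StartTlsResponse) ldapContext.extendedOperation(new StartTlsRequest());
		if (config.getSSLTrustStorePath() != null && !config.getSSLTrustStorePath().trim().isEmpty()) {
			tls.negotiate(CustomSSLSocketFactory.getDefault());
		} else {
			tls.negotiate();
		}
		LOG.info("StartTLS negotiation completed; LDAP session is now TLS-protected");
	} catch (IOException | NamingException e) {
		// Fail closed: do not leave a half-open context behind, and never bind over it.
		LOG.error("StartTLS negotiation failed for " + ldapUrl, e);
		tls = null;
		try {
			ldapContext.close();
		} catch (NamingException ignored) {
			// the negotiation failure is the one worth reporting
		}
		ldapContext = null;
		throw e;
	}
}
// … unchanged: addToEnvironment(SECURITY_PRINCIPAL / SECURITY_CREDENTIALS / SECURITY_AUTHENTICATION / REFERRAL) …
```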
@@ -285,6 +300,10 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 }
 private void closeLdapContext() throws Throwable {
+ if (tls != null) {
+ tls.close();
+ }
+
 if (ldapContext != null) {
 ldapContext.close();
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/928a5ef9/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index e342cae..e7b00ca 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -97,6 +97,9 @@ public class UserGroupSyncConfig {
 private static final String LGSYNC_SOURCE_CLASS = "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder";
 private static final String LGSYNC_LDAP_URL = "ranger.usersync.ldap.url";
+
+ private static final String LGSYNC_LDAP_STARTTLS_ENABLED = "ranger.usersync.ldap.starttls";
+ private static final boolean DEFAULT_LGSYNC_LDAP_STARTTLS_ENABLED = false;
 private static final String LGSYNC_LDAP_BIND_DN = "ranger.usersync.ldap.binddn";
@@ -839,6 +842,17 @@ public class UserGroupSyncConfig {
 return val;
 }
+ public boolean isStartTlsEnabled() {
+ boolean starttlsEnabled;
+ String val = prop.getProperty(LGSYNC_LDAP_STARTTLS_ENABLED);
+ if(val == null || val.trim().isEmpty()) {
+ starttlsEnabled = DEFAULT_LGSYNC_LDAP_STARTTLS_ENABLED;
+ } else {
+ starttlsEnabled = Boolean.valueOf(val);
+ }
+ return starttlsEnabled;
+ }
+
 /* Used only for unit testing */
 public void setUserSearchFilter(String filter) {
 prop.setProperty(LGSYNC_USER_SEARCH_FILTER, filter);
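Review bot: In `closeLdapContext()` the new `tls.close()` runs ahead of the existing `ldapContext.close()` with no `finally`, so an `IOException` from tearing down the TLS layer skips the context close and leaks the connection; `tls` is also never cleared, so a second call would close an already-closed response. Closing the TLS layer before the context is the right order, it just needs to be wrapped so the context is always closed. The method's closing brace is outside the hunk, so the excerpt below stops at the end of the new `try`/`finally`; whether `ldapContext` should also be nulled depends on code I cannot see, so I leave it as it was.
```java
private void closeLdapContext() throws Throwable {
	try {
		if (tls != null) {
			tls.close();
		}
	} finally {
		// Always release the context, even if shutting down StartTLS failed.
		tls = null;
		if (ldapContext != null) {
			ldapContext.close();
		}
	}
	// … unchanged: remainder of closeLdapContext …
```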
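Review bot: In `isStartTlsEnabled()` the emptiness check trims `val` but `Boolean.valueOf(val)` is applied to the untrimmed string, so a value of `true` followed by a trailing space evaluates to `false`; the same happens for any spelling other than `true` (`yes`, `1`), and in `LdapUserGroupBuilder` a `false` here means the bind proceeds without StartTLS with no warning. Because the failure mode is a silent cleartext bind, the parse should be strict rather than lenient: `String v = val.trim(); if (!v.equalsIgnoreCase("true") && !v.equalsIgnoreCase("false")) { throw new IllegalArgumentException("ranger.usersync.ldap.starttls must be true or false, got: " + v); }` and then `return Boolean.parseBoolean(v);` (if the other getters in this class are deliberately lenient, at least `LOG.warn` the rejected value instead of throwing). The method also lacks Javadoc; a summary such as `/** Whether a plain ldap:// connection is upgraded with StartTLS before binding; property ranger.usersync.ldap.starttls, default false (opt-in). */` records that the protection is off unless configured.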
