Repository: sentry
Updated Branches:
 refs/heads/master 6bc9ce703 -> 3f79a5d74
SENTRY-1076: Add SSL support, print version info on Sentry Service webpage (Li Li, Reviewed by: Sravya Tirukkovalur)
Change-Id: Ic9bcaa7fb261447cba0b28e8d0d973d444482a5e
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/3f79a5d7
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/3f79a5d7
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/3f79a5d7
Branch: refs/heads/master
Commit: 3f79a5d74136ba635aa8c2594aec9c5666827603
Parents: 6bc9ce7
Author: Sravya Tirukkovalur <[email protected]>
Authored: Wed Apr 27 22:38:36 2016 -0700
Committer: Sravya Tirukkovalur <[email protected]>
Committed: Wed Apr 27 22:38:36 2016 -0700
----------------------------------------------------------------------
 sentry-provider/sentry-provider-db/pom.xml | 23 ++++++++
 .../db/service/thrift/SentryWebServer.java | 34 ++++++++++--
 .../sentry/service/thrift/ServiceConstants.java | 8 +++
 .../src/main/webapp/SentryService.html | 7 +++
 .../src/main/webapp/css/sentry.css | 35 ++++++++++++-
 .../thrift/TestSentryWebServerWithSSL.java | 52 +++++++++++++++++++
 .../thrift/SentryServiceIntegrationBase.java | 9 ++++
 .../src/test/resources/cacerts.jks | Bin 0 -> 954 bytes
 .../src/test/resources/keystore.jks | Bin 0 -> 2245 bytes
 9 files changed, 163 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/3f79a5d7/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index 86e27e4..c075524 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -204,6 +204,29 @@ limitations under the License.
 </resources>
 <plugins>
 <plugin>
+ <groupId>com.google.code.maven-replacer-plugin</groupId>
+ <artifactId>replacer</artifactId>
+ <version>1.5.2</version>
+ <executions>
+ <execution>
+ <id>replaceTokens</id>
+ <phase>clean</phase>
+ <goals>
+ <goal>replace</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <file>${basedir}/src/main/webapp/SentryService.html</file>
+ <replacements>
+ <replacement>
+ <token>%PROJECT_VERSION%</token>
+ <value>${version}</value>
+ </replacement>
+ </replacements>
+ </configuration>
+ </plugin>
+ <plugin>
 <groupId>org.codehaus.mojo</groupId>
 <artifactId>build-helper-maven-plugin</artifactId>
 <executions>
http://git-wip-us.apache.org/repos/asf/sentry/blob/3f79a5d7/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
index 1bdea2c..ab852dc 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
@@ -26,8 +26,13 @@ import java.util.EnumSet;
 import java.net.URL;
 import java.util.EventListener;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+import com.google.common.collect.Sets;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
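Review bot: The replacer execution in the pom.xml hunk rewrites the tracked source file `${basedir}/src/main/webapp/SentryService.html` in place during the `clean` phase, so the first build destroys the `%PROJECT_VERSION%` token in the checked-in file and every later build finds nothing to replace; the SentryService.html hunk of this same commit already carries the substituted `SENTRY 1.8.0-SNAPSHOT` text, which suggests exactly that has happened. Point the plugin at the copy under the build directory and bind it after resources are copied, e.g. `<file>${project.build.outputDirectory}/webapp/SentryService.html</file>` with `<phase>process-resources</phase>`, or use Maven resource filtering for the webapp directory. `${version}` is deprecated in Maven 3 in favour of `${project.version}`, so the value line should read `<value>${project.version}</value>`. Where the webapp resources end up is not visible in this hunk (only the closing `</resources>` of that block is), so the exact output path needs confirming against the resources section above it.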
@@ -38,16 +43,17 @@ import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.server.handler.ContextHandlerCollection;
 import org.eclipse.jetty.server.handler.ResourceHandler;
+import org.eclipse.jetty.server.nio.SelectChannelConnector;
 import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
 import org.eclipse.jetty.servlet.FilterHolder;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import java.util.List;
-
 public class SentryWebServer {
 private static final Logger LOGGER = LoggerFactory.getLogger(SentryWebServer.class);
@@ -59,7 +65,29 @@ public class SentryWebServer {
 public SentryWebServer(List<EventListener> listeners, int port, Configuration conf) {
 this.port = port;
- server = new Server(port);
+ server = new Server();
+
+ // Create a channel connector for "http/https" requests
+ SelectChannelConnector connector = new SelectChannelConnector();
+ if (conf.getBoolean(ServerConfig.SENTRY_WEB_USE_SSL, false)) {
+ SslContextFactory sslContextFactory = new SslContextFactory();
+ sslContextFactory.setKeyStorePath(conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, ""));
+ sslContextFactory.setKeyStorePassword(
+ conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, ""));
+ // Exclude SSL blacklist protocols
+ sslContextFactory.setExcludeProtocols(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST_DEFAULT);
+ Set<String> moreExcludedSSLProtocols =
+ Sets.newHashSet(Splitter.on(",").trimResults().omitEmptyStrings()
+ .split(Strings.nullToEmpty(conf.get(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST))));
+ sslContextFactory.addExcludeProtocols(moreExcludedSSLProtocols.toArray(
+ new String[moreExcludedSSLProtocols.size()]));
+ connector = new SslSelectChannelConnector(sslContextFactory);
+ LOGGER.info("Now using SSL mode.");
+ }
+
+ connector.setPort(port);
+ server.addConnector(connector);
+
 ServletContextHandler servletContextHandler = new ServletContextHandler();
 ServletHolder servletHolder = new ServletHolder(AdminServlet.class);
 servletContextHandler.addServlet(servletHolder, "/*");
http://git-wip-us.apache.org/repos/asf/sentry/blob/3f79a5d7/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index 75d90ae..00e3fbd 100644
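Review bot: The keystore password is read in clear text with `conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, "")`, which forces the secret into sentry-site.xml; Hadoop's `Configuration.getPassword(String)` (available from 2.6) resolves the same key through a configured CredentialProvider before falling back to the plain property, so it should be used here if the Hadoop version Sentry builds against has it, which also means handling its `IOException` and adding the `java.io.IOException` import. The hunk further accepts an empty keystore path when SSL is on and leaves Jetty to fail at start with a less direct error; failing fast with the offending property name is clearer for operators. The `"Now using SSL mode."` log line could also list the excluded protocols so the effect of the blacklist can be verified from the log. The constructor continues past the end of the hunk.
```java
    if (conf.getBoolean(ServerConfig.SENTRY_WEB_USE_SSL, false)) {
      String keyStorePath = conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, "");
      if (keyStorePath.isEmpty()) {
        throw new IllegalArgumentException(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH
            + " must be set when " + ServerConfig.SENTRY_WEB_USE_SSL + " is true");
      }
      SslContextFactory sslContextFactory = new SslContextFactory();
      sslContextFactory.setKeyStorePath(keyStorePath);
      // Resolve through the Hadoop CredentialProvider chain when one is configured,
      // so the password does not have to live in clear text in sentry-site.xml.
      char[] keyStorePassword;
      try {
        keyStorePassword = conf.getPassword(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD);
      } catch (IOException e) {
        throw new IllegalStateException("Unable to read "
            + ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, e);
      }
      sslContextFactory.setKeyStorePassword(
          keyStorePassword == null ? "" : new String(keyStorePassword));
      // … unchanged: protocol blacklist, SslSelectChannelConnector, log …
    }
```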
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -160,6 +160,14 @@ public class ServiceConstants {
 public static final String SENTRY_REPORTER_JMX = SentryMetrics.Reporting.JMX.name(); //case insensitive
 public static final String SENTRY_REPORTER_CONSOLE = SentryMetrics.Reporting.CONSOLE.name();//case insensitive
+ // Web SSL
+ public static final String SENTRY_WEB_USE_SSL = "sentry.web.use.ssl";
+ public static final String SENTRY_WEB_SSL_KEYSTORE_PATH = "sentry.web.ssl.keystore.path";
+ public static final String SENTRY_WEB_SSL_KEYSTORE_PASSWORD = "sentry.web.ssl.keystore.password";
+ public static final String SENTRY_SSL_PROTOCOL_BLACKLIST = "sentry.ssl.protocol.blacklist";
+ // Blacklist SSL protocols that are not secure (e.g., POODLE vulnerability)
+ public static final String[] SENTRY_SSL_PROTOCOL_BLACKLIST_DEFAULT = {"SSLv2", "SSLv2Hello", "SSLv3"};
+
 // Web Security
 public static final String SENTRY_WEB_SECURITY_PREFIX = "sentry.service.web.authentication";
 public static final String SENTRY_WEB_SECURITY_TYPE = SENTRY_WEB_SECURITY_PREFIX + ".type";
http://git-wip-us.apache.org/repos/asf/sentry/blob/3f79a5d7/sentry-provider/sentry-provider-db/src/main/webapp/SentryService.html
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/webapp/SentryService.html b/sentry-provider/sentry-provider-db/src/main/webapp/SentryService.html
index ee112ce..9eb5f0e 100644
--- a/sentry-provider/sentry-provider-db/src/main/webapp/SentryService.html
+++ b/sentry-provider/sentry-provider-db/src/main/webapp/SentryService.html
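Review bot: The new constants say nothing about how `sentry.ssl.protocol.blacklist` is interpreted, while the SentryWebServer hunk parses it as a comma-separated list and adds it on top of the default rather than replacing it, so the three default entries can never be re-enabled from configuration; that contract belongs on the constant: `// Comma-separated protocols to exclude in addition to SENTRY_SSL_PROTOCOL_BLACKLIST_DEFAULT (the defaults cannot be re-enabled)`. The default list covers only the SSLv2/SSLv3 family, so TLSv1 and TLSv1.1 remain enabled unless an operator adds them; a sentence next to the POODLE comment saying so would stop the next reader from assuming the defaults are exhaustive. `SENTRY_SSL_PROTOCOL_BLACKLIST_DEFAULT` is a `public static final String[]`, and array contents are mutable, so any caller can alter the shared default; `ImmutableList.of("SSLv2", "SSLv2Hello", "SSLv3")` avoids that if the consumer can be changed to take a list, otherwise the caller should copy the array before handing it out.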
@@ -44,11 +44,18 @@ limitations under the License.
 </nav>
 <div class="container">
+ <div class="page-header"><h2>Sentry Service</h2></div>
 <ul>
 <li><a href="/metrics?pretty=true">Metrics</a></li>
 <li><a href="/threads">Threads</a></li>
 <li><a href="/conf">Configuration</a></li>
 </ul>
 </div>
+
+ <footer class="footer">
+ <div class="container">
+ <p class="text-muted">SENTRY 1.8.0-SNAPSHOT</p>
+ </div>
+ </footer>
 </body>
 </html>
http://git-wip-us.apache.org/repos/asf/sentry/blob/3f79a5d7/sentry-provider/sentry-provider-db/src/main/webapp/css/sentry.css
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/webapp/css/sentry.css b/sentry-provider/sentry-provider-db/src/main/webapp/css/sentry.css
index e5b3d43..69cba19 100644
--- a/sentry-provider/sentry-provider-db/src/main/webapp/css/sentry.css
+++ b/sentry-provider/sentry-provider-db/src/main/webapp/css/sentry.css
@@ -16,6 +16,37 @@
 * limitations under the License.
 */
-/* General styling */
-body { padding-top: 80px; }
+html {
+ position: relative;
+ min-height: 100%;
+}
+
+body {
+ /* Margin bottom by footer height */
+ margin-bottom: 60px;
+ padding-top: 80px;
+}
+
 .navbar-collapse {margin-top:10px}
+
+.footer {
+ position: absolute;
+ bottom: 0;
+ width: 100%;
+ /* Set the fixed height of the footer here */
+ height: 60px;
+ background-color: #f5f5f5;
+}
+
+.container .text-muted {
+ margin: 20px 0;
+}
+
+.footer > .container {
+ padding-right: 15px;
+ padding-left: 15px;
+}
+
+code {
+ font-size: 80%;
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/3f79a5d7/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
----------------------------------------------------------------------
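Review bot: The footer in the SentryService.html hunk hard-codes `SENTRY 1.8.0-SNAPSHOT` instead of the `%PROJECT_VERSION%` token that the replacer plugin added to the pom in this same commit is configured to substitute, so the text will not follow the project version and will show a snapshot string in release builds. The source file should keep the token, `<p class="text-muted">SENTRY %PROJECT_VERSION%</p>`, and the substituted copy should only ever exist under the build directory. Printing the exact build version on this page is also a small information disclosure when web authentication is switched off (as the new test configures it), which is worth a sentence in the configuration documentation rather than a code change.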
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
new file mode 100644
index 0000000..d1d0b4b
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import com.google.common.io.Resources;
+import org.apache.commons.io.IOUtils;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.*;
+
+import javax.net.ssl.HttpsURLConnection;
+import java.net.URL;
+import java.util.Properties;
+
+/**
+ * Test sentry web server when ssl is enabled.
+ */
+public class TestSentryWebServerWithSSL extends SentryServiceIntegrationBase {
+ @BeforeClass
+ public static void setup() throws Exception {
+ webServerEnabled = true;
+ webSecurity = false;
+ useSSL = true;
+ SentryServiceIntegrationBase.setup();
+ }
+
+ @Test
+ public void testPing() throws Exception {
+ final URL url = new URL("https://"+ SERVER_HOST + ":" + webServerPort + "/ping");
+ Properties systemProps = System.getProperties();
+ systemProps.put( "javax.net.ssl.trustStore", Resources.getResource("cacerts.jks").getPath());
+ System.setProperties(systemProps);
+ HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
+ Assert.assertEquals(HttpsURLConnection.HTTP_OK, conn.getResponseCode());
+ String response = IOUtils.toString(conn.getInputStream());
+ Assert.assertEquals("pong\n", response);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/3f79a5d7/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index e02bd8a..14de0fa 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -28,6 +28,7 @@ import javax.security.auth.Subject;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.LoginContext;
+import com.google.common.io.Resources;
 import org.apache.commons.io.FileUtils;
 import org.apache.curator.test.TestingServer;
 import org.apache.hadoop.conf.Configuration;
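Review bot: `testPing` installs the trust store by mutating the JVM-wide `javax.net.ssl.trustStore` system property and never restores it, so every later test in the same JVM (and any other HTTPS client in this module) silently trusts the test CA; the value is also taken from `URL.getPath()`, which is percent-encoded and breaks when the checkout path contains a space. Loading `cacerts.jks` into an `SSLContext` and setting its socket factory on the connection keeps trust local to this test and drops the `Properties` round-trip. The test proves only that HTTPS answers, not that the excluded protocols are refused — a companion test that opens an `SSLSocket` with `setEnabledProtocols(new String[]{"SSLv3"})` and expects a handshake failure would exercise the point of the blacklist. `conn` is never `disconnect()`ed and `IOUtils.toString(InputStream)` uses the platform charset; pass `StandardCharsets.UTF_8` (or the `String` charset overload if the commons-io version predates the `Charset` one). The wildcard `import org.junit.*;` should be replaced by the three names the class uses.
```java
  public void testPing() throws Exception {
    final URL url = new URL("https://"+ SERVER_HOST + ":" + webServerPort + "/ping");
    // Trust only the test CA, scoped to this connection rather than to the whole JVM
    KeyStore trustStore = KeyStore.getInstance("JKS");
    try (InputStream in = Resources.getResource("cacerts.jks").openStream()) {
      trustStore.load(in, null);
    }
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, tmf.getTrustManagers(), null);
    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    conn.setSSLSocketFactory(sslContext.getSocketFactory());
    try {
      Assert.assertEquals(HttpsURLConnection.HTTP_OK, conn.getResponseCode());
      Assert.assertEquals("pong\n",
          IOUtils.toString(conn.getInputStream(), StandardCharsets.UTF_8));
    } finally {
      conn.disconnect();
    }
  }
```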
@@ -96,6 +97,8 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
 protected static boolean pooled = false;
+ protected static boolean useSSL = false;
+
 @BeforeClass
 public static void setup() throws Exception {
 kerberos = true;
@@ -184,6 +187,12 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
 if (pooled) {
 conf.set(ClientConfig.SENTRY_POOL_ENABLED, "true");
 }
+ if (useSSL) {
+ conf.set(ServerConfig.SENTRY_WEB_USE_SSL, "true");
+ conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH,
+ Resources.getResource("keystore.jks").getPath());
+ conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, "password");
+ }
 conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
 conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
 conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
http://git-wip-us.apache.org/repos/asf/sentry/blob/3f79a5d7/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks b/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks
new file mode 100644
index 0000000..6ac6495
Binary files /dev/null and b/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/3f79a5d7/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks b/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks
new file mode 100644
index 0000000..a6beece
Binary files /dev/null and b/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks differ
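Review bot: In the second SentryServiceIntegrationBase hunk the keystore location is taken from `Resources.getResource("keystore.jks").getPath()`, which returns the percent-encoded URL path, so the server's `setKeyStorePath` receives `%20` for a space and cannot open the file when the checkout or CI workspace path contains one; `new File(Resources.getResource("keystore.jks").toURI()).getAbsolutePath()` yields a real filesystem path. `useSSL` is a static flag on a base class shared by many test classes, and nothing in these hunks turns it back off once `TestSentryWebServerWithSSL` sets it, so whether a later test class in the same JVM inherits SSL depends on the surefire fork mode — an `@AfterClass` in the SSL test that resets `useSSL = false` removes that dependency. The `"password"` literal is test-only, but it must match whatever the checked-in `keystore.jks` was generated with, which deserves a comment on that line: `// must match the password used to generate src/test/resources/keystore.jks`. `setup()` spans both hunks and continues outside them.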
