Repository: incubator-slider Updated Branches: refs/heads/develop 057a8c845 -> 8d774ea58 Updated Tags: refs/tags/tag_2015-02-24-prerelease-0.70-incubating [created] b37e0f0e2
SLIDER-784 improving the subject DN and openssl configuration Project: http://git-wip-us.apache.org/repos/asf/incubator-slider/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-slider/commit/8d774ea5 Tree: http://git-wip-us.apache.org/repos/asf/incubator-slider/tree/8d774ea5 Diff: http://git-wip-us.apache.org/repos/asf/incubator-slider/diff/8d774ea5 Branch: refs/heads/develop Commit: 8d774ea5884031a842419183eeebb04329a32b23 Parents: 057a8c8 Author: Jon Maron <[email protected]> Authored: Wed Feb 25 11:48:42 2015 -0500 Committer: Jon Maron <[email protected]> Committed: Wed Feb 25 11:48:42 2015 -0500 ---------------------------------------------------------------------- slider-agent/src/main/python/agent/main.py | 9 ++-- slider-agent/src/main/python/agent/security.py | 10 +++-- .../slider/providers/agent/AgentKeys.java | 3 +- .../providers/agent/AgentProviderService.java | 8 ++-- .../server/appmaster/SliderAppMaster.java | 4 +- .../services/security/CertificateManager.java | 46 +++++++++++++++++--- .../server/services/security/SecurityUtils.java | 41 +---------------- .../security/TestCertificateManager.java | 8 ++-- 8 files changed, 64 insertions(+), 65 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/8d774ea5/slider-agent/src/main/python/agent/main.py
----------------------------------------------------------------------
diff --git a/slider-agent/src/main/python/agent/main.py b/slider-agent/src/main/python/agent/main.py
index 3a75cb1..3fdd938 100644
--- a/slider-agent/src/main/python/agent/main.py
+++ b/slider-agent/src/main/python/agent/main.py
@@ -223,20 +223,19 @@ def main():
 if options.debug:
 agentConfig.set(AgentConfig.AGENT_SECTION, AgentConfig.APP_DBG_CMD, options.debug)
- # set the security directory to a subdirectory of the run dir
+ logFile = posixpath.join(agentConfig.getResolvedPath(AgentConfig.LOG_DIR), logFileName)
+ setup_logging(options.verbose, logFile)
+ update_log_level(agentConfig, logFile)
+
 secDir = posixpath.join(agentConfig.getResolvedPath(AgentConfig.RUN_DIR), "security")
 logger.info("Security/Keys directory: " + secDir)
 agentConfig.set(AgentConfig.SECURITY_SECTION, "keysdir", secDir)
- logFile = posixpath.join(agentConfig.getResolvedPath(AgentConfig.LOG_DIR), logFileName)
-
 perform_prestart_checks(agentConfig)
 ensure_folder_layout(agentConfig)
 # create security dir if necessary
 ensure_path_exists(secDir)
- setup_logging(options.verbose, logFile)
- update_log_level(agentConfig, logFile)
 write_pid()
 logger.info("Using AGENT_WORK_ROOT = " + options.root_folder)
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/8d774ea5/slider-agent/src/main/python/agent/security.py
----------------------------------------------------------------------
diff --git a/slider-agent/src/main/python/agent/security.py b/slider-agent/src/main/python/agent/security.py
index 76671dc..421e1ac 100644
--- a/slider-agent/src/main/python/agent/security.py
+++ b/slider-agent/src/main/python/agent/security.py
@@ -162,6 +162,8 @@ class CertificateManager():
 s = self.config.get('security', 'keysdir') + os.sep + "ca.crt"
+ logger.info("Checking for server cert at " + s)
+
 server_crt_exists = os.path.exists(s)
 if not server_crt_exists:
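Review bot: `setup_logging(options.verbose, logFile)` and `update_log_level(agentConfig, logFile)` now run before `ensure_folder_layout(agentConfig)`, so on a first start the LOG_DIR that `logFile` lives in may not exist yet when the file handler is opened; the previous order created the folder layout first. If setup_logging does not create the directory itself (not visible here), add `ensure_path_exists(posixpath.dirname(logFile))` directly before the `setup_logging` call, reusing the helper the hunk already applies to `secDir`. Moving the logging setup earlier is otherwise right, since `logger.info("Security/Keys directory: ...")` was previously emitted before logging was configured. `main()` begins and continues outside this hunk.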
@@ -169,17 +171,17 @@ class CertificateManager():
 self.loadSrvrCrt()
 else:
 logger.info("Server certicate exists, ok")
-
+
 agent_key_exists = os.path.exists(self.getAgentKeyName())
-
+
 if not agent_key_exists:
 logger.info("Agent key not exists, generating request")
 self.genAgentCrtReq()
 else:
 logger.info("Agent key exists, ok")
-
+
 agent_crt_exists = os.path.exists(self.getAgentCrtName())
-
+
 if not agent_crt_exists:
 logger.info("Agent certificate not exists, sending sign request")
 self.reqSignCrt()
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/8d774ea5/slider-core/src/main/java/org/apache/slider/providers/agent/AgentKeys.java
----------------------------------------------------------------------
diff --git a/slider-core/src/main/java/org/apache/slider/providers/agent/AgentKeys.java b/slider-core/src/main/java/org/apache/slider/providers/agent/AgentKeys.java
index 7977181..2323f97 100644
--- a/slider-core/src/main/java/org/apache/slider/providers/agent/AgentKeys.java
+++ b/slider-core/src/main/java/org/apache/slider/providers/agent/AgentKeys.java
@@ -85,7 +85,8 @@ public interface AgentKeys {
 String AGENT_INSTANCE_DEBUG_DATA = "agent.instance.debug.data";
 String AGENT_OUT_FILE = "slider-agent.out";
 String KEY_AGENT_TWO_WAY_SSL_ENABLED = "ssl.server.client.auth";
- String CERT_FILE_LOCALIZATION_PATH = "certs/ca.crt";
+ String INFRA_RUN_SECURITY_DIR = "infra/run/security/";
+ String CERT_FILE_LOCALIZATION_PATH = INFRA_RUN_SECURITY_DIR + "ca.crt";
 String KEY_CONTAINER_LAUNCH_DELAY = "container.launch.delay.sec";
 String TEST_RELAX_VERIFICATION = "test.relax.validation";
 }
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/8d774ea5/slider-core/src/main/java/org/apache/slider/providers/agent/AgentProviderService.java
----------------------------------------------------------------------
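Review bot: `INFRA_RUN_SECURITY_DIR` ends with a slash and is only correct as a raw string prefix (`INFRA_RUN_SECURITY_DIR + "ca.crt"` here, and `+ hostname + ".crt"` in AgentProviderService in this same commit), which is an easy contract to break the first time someone routes it through a path API; give it a Javadoc that states it, e.g. `/** Directory, relative to the container's localized file space, holding the CA cert and the agent key/cert; the trailing slash is intentional, callers append file names directly. */`. The `AgentKeys` interface begins and continues outside this hunk.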
diff --git a/slider-core/src/main/java/org/apache/slider/providers/agent/AgentProviderService.java b/slider-core/src/main/java/org/apache/slider/providers/agent/AgentProviderService.java
index 60236a5..74eda97 100644
--- a/slider-core/src/main/java/org/apache/slider/providers/agent/AgentProviderService.java
+++ b/slider-core/src/main/java/org/apache/slider/providers/agent/AgentProviderService.java
@@ -517,14 +517,14 @@ public class AgentProviderService extends AbstractProviderService implements
 fileSystem), LocalResourceType.FILE);
 // still using hostname as file name on the agent side, but the files
 // do end up under the specific container's file space
- launcher.addLocalResource("certs/" + hostname + ".crt",
- agentCertResource);
+ launcher.addLocalResource(AgentKeys.INFRA_RUN_SECURITY_DIR + hostname +
+ ".crt", agentCertResource);
 LocalResource agentKeyResource = fileSystem.createAmResource(
 uploadSecurityResource(
 CertificateManager.getAgentKeyFilePath(containerId),
 fileSystem), LocalResourceType.FILE);
- launcher.addLocalResource("certs/" + hostname + ".key",
- agentKeyResource);
+ launcher.addLocalResource(AgentKeys.INFRA_RUN_SECURITY_DIR + hostname +
+ ".key", agentKeyResource);
 } catch (Exception e) {
 throw new SliderException(SliderExitCodes.EXIT_DEPLOYMENT_FAILED, e,
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/8d774ea5/slider-core/src/main/java/org/apache/slider/server/appmaster/SliderAppMaster.java
----------------------------------------------------------------------
diff --git a/slider-core/src/main/java/org/apache/slider/server/appmaster/SliderAppMaster.java b/slider-core/src/main/java/org/apache/slider/server/appmaster/SliderAppMaster.java
index 471a2d6..c990c23 100644
--- a/slider-core/src/main/java/org/apache/slider/server/appmaster/SliderAppMaster.java
+++ b/slider-core/src/main/java/org/apache/slider/server/appmaster/SliderAppMaster.java
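Review bot: The agent's private key (`CertificateManager.getAgentKeyFilePath(containerId)`) is uploaded and localized as a plain `LocalResourceType.FILE`, and nothing in this hunk says which `LocalResourceVisibility` `createAmResource` assigns; if it defaults to PUBLIC the key is readable by any container on the NodeManager, so it should be APPLICATION (or PRIVATE), and that intent is worth recording next to the call, e.g. `// private key material: localize with APPLICATION visibility, never PUBLIC`. The file name is still derived from `hostname` while the content is per-container, so the existing comment explaining that should be kept accurate if the naming changes again. The enclosing method and its `try` block start outside this hunk.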
@@ -747,7 +747,9 @@ public class SliderAppMaster extends AbstractSliderLaunchedService
 certificateManager = new CertificateManager();
 MapOperations component = instanceDefinition.getAppConfOperations()
 .getComponent(SliderKeys.COMPONENT_AM);
- certificateManager.initialize(component);
+ certificateManager.initialize(component, appMasterHostname,
+ appMasterContainerID.toString(),
+ clustername);
 certificateManager.setPassphrase(instanceDefinition.getPassphrase());
 if (component.getOptionBool(
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/8d774ea5/slider-core/src/main/java/org/apache/slider/server/services/security/CertificateManager.java
----------------------------------------------------------------------
diff --git a/slider-core/src/main/java/org/apache/slider/server/services/security/CertificateManager.java b/slider-core/src/main/java/org/apache/slider/server/services/security/CertificateManager.java
index a9f837f..14c8b73 100644
--- a/slider-core/src/main/java/org/apache/slider/server/services/security/CertificateManager.java
+++ b/slider-core/src/main/java/org/apache/slider/server/services/security/CertificateManager.java
@@ -30,6 +30,8 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.nio.charset.Charset;
 import java.text.MessageFormat;
@@ -43,7 +45,8 @@ public class CertificateManager {
 "-passout pass:{0} -out {1}" + File.separator + "{2} 4096 ";
 private static final String GEN_SRVR_REQ = "openssl req -passin pass:{0} " + "-new -key {1}" + File.separator + "{2} -out {1}" + File.separator +
- "{5} -config {1}" + File.separator + "ca.config -batch";
+ "{5} -config {1}" + File.separator + "ca.config " +
+ "-subj {6} -batch";
 private static final String SIGN_SRVR_CRT = "openssl ca -create_serial " + "-out {1}" + File.separator + "{3} -days 365 -keyfile {1}" + File.separator + "{2} -key {0} -selfsign -extensions jdk7_ca -config {1}" + File.separator
@@ -62,21 +65,37 @@ public class CertificateManager {
 "-keyfile {0}" + File.separator + "{4} -cert {0}" + File.separator + "{5}";
 private static final String GEN_AGENT_KEY="openssl req -new -newkey " + "rsa:1024 -nodes -keyout {0}" + File.separator +
- "{2}.key -subj /OU={1}/CN={2} -out {0}" + File.separator + "{2}.csr";
+ "{2}.key -subj {1} -out {0}" + File.separator + "{2}.csr";
 private String passphrase;
+ private String applicationName;
+
+
+ public void initialize(MapOperations compOperations) throws SliderException {
+ String hostname = null;
+ try {
+ hostname = InetAddress.getLocalHost().getCanonicalHostName();
+ } catch (UnknownHostException e) {
+ hostname = "localhost";
+ }
+ this.initialize(compOperations, hostname, null, null);
+ }
 /**
 * Verify that root certificate exists, generate it otherwise.
 */
- public void initialize(MapOperations compOperations) throws SliderException {
+ public void initialize(MapOperations compOperations,
+ String hostname, String containerId,
+ String appName) throws SliderException {
 SecurityUtils.initializeSecurityParameters(compOperations);
 LOG.info("Initialization of root certificate");
 boolean certExists = isCertExists();
 LOG.info("Certificate exists:" + certExists);
+ this.applicationName = appName;
+
 if (!certExists) {
- generateAMKeystore();
+ generateAMKeystore(hostname, containerId);
 }
 }
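Review bot: The new one-argument `initialize` catches `UnknownHostException` and silently substitutes `"localhost"`, which then becomes the CN of the AM's server certificate; a certificate issued for the wrong name is painful to diagnose later, so log the fallback: `} catch (UnknownHostException e) {` / `LOG.warn("Cannot resolve the local host name for the certificate subject, using 'localhost'", e);` / `hostname = "localhost";`. The `String hostname = null;` initializer is dead since both paths assign it. The overload also has no Javadoc while the four-argument method keeps the old one-liner; `/** Initializes with the local canonical host name as CN and no container or application OU. */` would do, and the four-argument Javadoc should gain `@param` lines for `hostname`, `containerId` and `appName` saying that they form the subject DN. `getCanonicalHostName()` performs a reverse lookup, so the CN may differ from the forward name clients use to reach the AM; whether anything verifies the CN against that name is outside this hunk.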
@@ -188,7 +207,8 @@ public class CertificateManager {
 LOG.info("Generation of agent certificate for {}", hostname);
 String srvrKstrDir = SecurityUtils.getSecurityDir();
- Object[] scriptArgs = {srvrKstrDir, hostname, containerId};
+ Object[] scriptArgs = {srvrKstrDir, getSubjectDN(hostname, containerId,
+ this.applicationName), containerId};
 try {
 String command = MessageFormat.format(GEN_AGENT_KEY, scriptArgs);
@@ -232,7 +252,8 @@ public class CertificateManager {
 return String.format("keystore-%s-%s.p12", containerId, role);
 }
- private void generateAMKeystore() throws SliderException {
+ private void generateAMKeystore(String hostname, String containerId)
+ throws SliderException {
 LOG.info("Generation of server certificate");
 String srvrKstrDir = SecurityUtils.getSecurityDir();
@@ -243,7 +264,8 @@ public class CertificateManager {
 String srvrCrtPass = SecurityUtils.getKeystorePass();
 Object[] scriptArgs = {srvrCrtPass, srvrKstrDir, srvrKeyName,
- srvrCrtName, kstrName, srvrCsrName};
+ srvrCrtName, kstrName, srvrCsrName, getSubjectDN(hostname, containerId,
+ this.applicationName)};
 String command = MessageFormat.format(GEN_SRVR_KEY, scriptArgs);
 runCommand(command);
@@ -454,4 +476,14 @@ public class CertificateManager {
 return agentCrtName;
 }
+
+ private String getSubjectDN(String hostname, String containerId,
+ String appName) {
+ return String.format("/CN=%s%s%s",
+ hostname,
+ containerId != null ? "/OU=" + containerId : "",
+ appName != null ? "/OU=" + appName : "");
+
+
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/8d774ea5/slider-core/src/main/java/org/apache/slider/server/services/security/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/slider-core/src/main/java/org/apache/slider/server/services/security/SecurityUtils.java b/slider-core/src/main/java/org/apache/slider/server/services/security/SecurityUtils.java
index ce25c34..4b2c557 100644
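Review bot: `getSubjectDN` concatenates `hostname`, `containerId` and `appName` into an openssl `-subj` value without escaping, and that value is then interpolated unquoted into the `GEN_AGENT_KEY` and `GEN_SRVR_REQ` command templates (hunks at 188 and 243); openssl reads `/` as the RDN separator and `\` as its escape character, so an application name containing `/` changes the DN structure, and one containing whitespace will split the command if `runCommand` (outside this hunk) tokenizes on spaces. `appName` is the user-chosen cluster name (passed as `clustername` from SliderAppMaster in this commit), so it deserves escaping or rejection where the DN is built; a null `hostname` would also yield `/CN=null`. The two blank lines before the closing brace are stray. A guarded version of the method is sketched below.
```java
  private String getSubjectDN(String hostname, String containerId,
                              String appName) {
    if (hostname == null) {
      throw new IllegalArgumentException("hostname is required for the subject DN");
    }
    return String.format("/CN=%s%s%s",
        escapeDnValue(hostname),
        containerId != null ? "/OU=" + escapeDnValue(containerId) : "",
        appName != null ? "/OU=" + escapeDnValue(appName) : "");
  }

  /**
   * Escapes one RDN value for openssl's {@code -subj} syntax, where '/'
   * separates RDNs and '\' escapes. Whitespace is rejected rather than escaped
   * because the assembled command is handed to runCommand as a single string
   * (confirm how it is tokenized before relaxing this).
   */
  private static String escapeDnValue(String value) {
    if (value.matches(".*\\s.*")) {
      throw new IllegalArgumentException(
          "DN component must not contain whitespace: " + value);
    }
    return value.replace("\\", "\\\\").replace("/", "\\/");
  }
```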
--- a/slider-core/src/main/java/org/apache/slider/server/services/security/SecurityUtils.java
+++ b/slider-core/src/main/java/org/apache/slider/server/services/security/SecurityUtils.java
@@ -71,52 +71,15 @@ public class SecurityUtils {
 + "commonName = optional\n"
 + "emailAddress = optional\n"
 + "\n"
- + "[ req ]\n"
- + "default_bits = 2048\n"
- + "default_md = sha1\n"
- + "default_keyfile = privkey.pem\n"
+ + "[req]\n"
 + "distinguished_name = req_distinguished_name\n"
- + "attributes = req_attributes\n"
- + "x509_extensions = jdk7_ca# The extentions to add to the self signed cert\n"
- + "\n"
- + "string_mask = utf8only\n"
 + "\n"
 + "[ req_distinguished_name ]\n"
- + "countryName = Country Name (2 letter code)\n"
- + "countryName_default = XX\n"
- + "countryName_min = 2\n"
- + "countryName_max = 2\n"
- + "\n"
- + "stateOrProvinceName = State or Province Name (full name)\n"
- + "stateOrProvinceName_default= Default Province\n"
- + "\n"
- + "localityName= Locality Name (eg, city)\n"
- + "localityName_default= Default City\n"
- + "\n"
- + "0.organizationName= Organization Name (eg, company)\n"
- + "0.organizationName_default= Default Company Ltd\n"
- + "\n"
- + "\n"
- + "organizationalUnitName= Organizational Unit Name (eg, section)\n"
- + "organizationalUnitName_default=\n"
- + "\n"
- + "commonName= Common Name (eg, your name or your server\\'s hostname)\n"
- + "commonName_max= 64\n"
- + "\n"
- + "emailAddress= Email Address\n"
- + "emailAddress_max= 64\n"
- + "\n"
- + "\n"
- + "[ req_attributes ]\n"
- + "challengePassword= A challenge password\n"
- + "challengePassword_min= 4\n"
- + "challengePassword_max= 20\n"
 + "\n"
- + "unstructuredName= An optional company name\n"
 + "[ jdk7_ca ]\n"
 + "subjectKeyIdentifier = hash\n"
 + "authorityKeyIdentifier = keyid:always,issuer:always\n"
- + "basicConstraints = CA:true";
+ + "basicConstraints = CA:true\n";
 private static final String PASS_TOKEN = "pass:";
 private static String keystorePass;
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/8d774ea5/slider-core/src/test/java/org/apache/slider/server/services/security/TestCertificateManager.java
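Review bot: The rewritten `[req]` section drops `default_md = sha1` without setting a replacement, so the CSR signature digest now depends on the installed openssl build's default — SHA-1 on older builds, which is what the removed line pinned; since the template is being slimmed anyway, pin a current digest explicitly with `+ "default_md = sha256\n"` after the `"[req]\n"` line. Whether issued certificates are affected depends on `[ CA_default ]`, which sits above this hunk: `openssl ca` takes its digest from there, so confirm it sets `default_md = sha256` too (or that `-md sha256` is passed on the `ca` invocations in CertificateManager). Removing `string_mask = utf8only` likewise leaves DN string encoding to the build default; harmless for ASCII names, but a one-line comment recording that this is intentional would save the next reader the question. The string literal edited here begins outside the hunk.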
----------------------------------------------------------------------
diff --git a/slider-core/src/test/java/org/apache/slider/server/services/security/TestCertificateManager.java b/slider-core/src/test/java/org/apache/slider/server/services/security/TestCertificateManager.java
index 29d4fa0..8f5c5db 100644
--- a/slider-core/src/test/java/org/apache/slider/server/services/security/TestCertificateManager.java
+++ b/slider-core/src/test/java/org/apache/slider/server/services/security/TestCertificateManager.java
@@ -103,14 +103,14 @@ public class TestCertificateManager {
 Principal principal = x509cert.getSubjectDN();
 String subjectDn = principal.getName();
 Assert.assertEquals("wrong DN",
- "O=Default Company Ltd, L=Default City, ST=Default Province, C=XX",
+ "CN=localhost",
 subjectDn);
 // Get issuer
 principal = x509cert.getIssuerDN();
 String issuerDn = principal.getName();
 Assert.assertEquals("wrong Issuer DN",
- "O=Default Company Ltd, L=Default City, ST=Default Province, C=XX",
+ "CN=localhost",
 issuerDn);
 }
 } finally {
@@ -159,14 +159,14 @@ public class TestCertificateManager {
 // Get subject
 Principal principal = x509cert.getSubjectDN();
 String subjectDn = principal.getName();
- Assert.assertEquals("wrong DN", "CN=container1, OU=localhost",
+ Assert.assertEquals("wrong DN", "CN=localhost, OU=container1",
 subjectDn);
 // Get issuer
 principal = x509cert.getIssuerDN();
 String issuerDn = principal.getName();
 Assert.assertEquals("wrong Issuer DN",
- "O=Default Company Ltd, L=Default City, ST=Default Province, C=XX",
+ "CN=localhost",
 issuerDn);
 }
 } finally {
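Review bot: Both hunks now expect the AM certificate's subject and issuer to be exactly `CN=localhost`, but the one-argument `CertificateManager.initialize` added in this commit takes the CN from `InetAddress.getLocalHost().getCanonicalHostName()` and only falls back to `"localhost"` when resolution fails; if the test sets up the manager through that overload (its setup is outside these hunks), the assertions hold only on machines whose canonical name resolves to `localhost` and fail on a typical CI host. Either call the four-argument `initialize` with an explicit `"localhost"` in the test setup, or derive the expected CN from the same `InetAddress` call. The second hunk's `CN=localhost, OU=container1` carries the same dependency for its CN part.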
