Re: Review Request 65287: OOZIE-3157 - Setup truststore so that it also works in HTTP only mode

Fri, 26 Jan 2018 05:03:29 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65287/#review196327
-----------------------------------------------------------




docs/src/site/twiki/DG_QuickStart.twiki
Lines 149 (patched)
<https://reviews.apache.org/r/65287/#comment275897>

    If the Oozie server needs to establish secure connection with an external 
server with a self-signed certifacate, make sure you specify the location of a 
truststore that contains required certificates.



docs/src/site/twiki/DG_QuickStart.twiki
Lines 150 (patched)
<https://reviews.apache.org/r/65287/#comment275898>

    It can be done by configuring =oozie.https.truststore.file= in 
=oozie-site.xml=, or by setting the =javax.net.ssl.trustStore=
     system property.


- Attila Sasvari


On Jan. 26, 2018, noon, Kinga Marton wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65287/
> -----------------------------------------------------------
> 
> (Updated Jan. 26, 2018, noon)
> 
> 
> Review request for oozie, AndrĂ¡s Piros, Attila Sasvari, and Peter Cseh.
> 
> 
> Repository: oozie-git
> 
> 
> Description
> -------
> 
> oozie.https.truststore.file is not read and used when oozie.https.enabled is 
> false in oozie-site xml. As a result, the Oozie server will be unable to 
> communicate with servers with unsigned certificate. It is a critical problem 
> as authentication may involve external servers (for example KMS with 
> self-signed certificate). Submitting a workflow in such an environment can 
> result in an exception like:
> 
> `2018-01-08 10:13:51,471 WARN 
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider: 
> SERVER[myserver] KMS provider at [https://myserver:16000/kms/v1/] threw an 
> IOException: 
> javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>  find valid certification path to requested target
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>         at 
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
>         at 
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>         at 
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>         at 
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
>         at 
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
>         at 
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>         at 
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>         at 
> sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
>         at 
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:186)
>         at 
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:144)
>         at 
> org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:348)
>         at 
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.openConnection(DelegationTokenAuthenticatedURL.java:333)
>         at 
> org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:477)
>         at 
> org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:472)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:422)
>         at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
>         at 
> org.apache.hadoop.crypto.key.kms.KMSClientProvider.createConnection(KMSClientProvider.java:471)
>         at 
> org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:776)
>         at 
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:287)
>         at 
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:283)
>         at 
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:123)
>         at 
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.decryptEncryptedKey(LoadBalancingKMSClientProvider.java:283)
>         at 
> org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.decryptEncryptedKey(KeyProviderCryptoExtension.java:532)
>         at 
> org.apache.hadoop.hdfs.DFSClient.decryptEncryptedDataEncryptionKey(DFSClient.java:926)
>         at 
> org.apache.hadoop.hdfs.DFSClient.createWrappedInputStream(DFSClient.java:945)
>         at 
> org.apache.hadoop.hdfs.DistributedFileSystem$4.doCall(DistributedFileSystem.java:315)
>         at 
> org.apache.hadoop.hdfs.DistributedFileSystem$4.doCall(DistributedFileSystem.java:310)
>         at 
> org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
>         at 
> org.apache.hadoop.hdfs.DistributedFileSystem.open(DistributedFileSystem.java:322)
>         at org.apache.hadoop.fs.FileSystem.open(FileSystem.java:949)
>         at 
> org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:392)
>         at 
> org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:263)
>         at 
> org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:99)`
> 
> 
> Diffs
> -----
> 
>   core/src/main/resources/oozie-default.xml 5b5e34f1 
>   docs/src/site/twiki/AG_Install.twiki 508949d1 
>   docs/src/site/twiki/DG_QuickStart.twiki 08b574fb 
>   server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java 
> a0c27b88 
>   server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java 
> 0b024e89 
>   server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java 
> b72247ed 
>   
> server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
>  2b48f7f5 
> 
> 
> Diff: https://reviews.apache.org/r/65287/diff/5/
> 
> 
> Testing
> -------
> 
> tested manyually + junit added
> 
> 
> Thanks,
> 
> Kinga Marton
> 
>

Reply via email to