-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/#review200820
-----------------------------------------------------------
.git/rebase-apply/patch:195: trailing whitespace.
warning: 1 line adds whitespace errors.
Please fix above warning.
- Qiang Zhang
On April 9, 2018, 2:55 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66504/
> -----------------------------------------------------------
>
> (Updated April 9, 2018, 2:55 p.m.)
>
>
> Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan
> Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan
> Periasamy.
>
>
> Bugs: RANGER-2058
> https://issues.apache.org/jira/browse/RANGER-2058
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Ranger cannot communicate with an SSL-enabled Postgres
> server
>
>
> **Proposed Solution:**
> To connect to an SSL-enabled Postgres server, the JDBC connection string could be:
> =>For validating CA:
> "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslmode=verify-ca".
> =>For Non validating CA:
> "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&org.postgresql.ssl.NonValidatingFactory".
>
> The 'ssl=true' property is added to the JDBC URL to attempt to communicate
> via SSL.
> The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to
> bypass certificate validation.
> The 'sslmode=verify-ca' property is set to connect only if the Postgres
> server trust certificate is available. If the user wants to connect using a
> truststore, they can configure the truststore files (certificate information
> for both the Postgres server and the client).
> ---
> The following properties of the install.properties file can be used to provide
> the SSL config options and the keystore and truststore paths to connect to an
> SSL-enabled Postgres server:
>
> db_ssl_enabled=
> db_ssl_required=
> db_ssl_verifyServerCertificate=
> db_ssl_auth_type=
> javax_net_ssl_keyStore=
> javax_net_ssl_keyStorePassword=
> javax_net_ssl_trustStore=
> javax_net_ssl_trustStorePassword=
> ---
> **Rules:**
> 1. If [db_ssl_enabled=true], then the ranger admin/kms JDBC URL will attempt to
> communicate with postgres via SSL.
> 2. If [db_ssl_enabled=true and [db_ssl_required=false and
> db_ssl_verifyServerCertificate=false]], then the JDBC URL will have the parameter
> 'sslfactory=org.postgresql.ssl.NonValidatingFactory' in it and CA validation
> will be skipped.
> 3. If [db_ssl_enabled=true and [db_ssl_required=true or
> db_ssl_verifyServerCertificate=true]], then the JDBC URL will have the parameter
> 'sslmode=verify-ca' in it and CA validation will be mandatory.
> 3.1) If [db_ssl_auth_type=1-way], then the user has to provide the certificate
> and password through the truststore
> properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
> 3.2) If [db_ssl_auth_type=2-way], then the user has to provide the keystore
> and password through the keystore
> properties (javax_net_ssl_keyStore, javax_net_ssl_keyStorePassword) and the CA
> certificate and password through the truststore
> properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
>
> **Note:**
> The Ranger application and the jisql utility need to know where to pick up the
> certificates from; this can be set in the system properties like this:
> -Djavax.net.ssl.keyStore=path_to_keystore_file
> -Djavax.net.ssl.keyStorePassword=password
> -Djavax.net.ssl.trustStore=path_to_truststore_file
> -Djavax.net.ssl.trustStorePassword=password
>
>
> Diffs
> -----
>
> kms/scripts/db_setup.py a431b60
> kms/scripts/dba_script.py bcd4aa2
> kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca
> security-admin/scripts/db_setup.py b8664d2
> security-admin/scripts/dba_script.py 69fff41
> security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36
>
>
> Diff: https://reviews.apache.org/r/66504/diff/1/
>
>
> Testing
> -------
>
> **Steps Performed (with patch):**
> Installed Postgres and enabled SSL with the help of this doc:
> https://www.postgresql.org/docs/9.5/static/ssl-tcp.html
>
> Untarred ranger-admin from a build containing the changes of the proposed patch.
> Provided the ranger db root and admin db details in install.properties.
> Provided values for the below properties of the install.properties file.
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=1-way
> javax_net_ssl_keyStore=/root/keystore
> javax_net_ssl_keyStorePassword=secret
> javax_net_ssl_trustStore=/root/truststore
> javax_net_ssl_trustStorePassword=secret
>
> Executed setup.sh script.
>
> Tried to start ranger admin service.
>
> **Expected behaviour:** Ranger admin should start normally and the user should
> be able to see the Dashboard page after login.
>
> **Actual behaviour:** Ranger admin was started and I was able to log in and see
> the Ranger UI.
>
> **Note:**
> Tested Ranger admin and Ranger kms on SSL-enabled Postgres with one-way and
> two-way SSL configurations.
> Also tried the below combinations of SSL properties with different ranger db
> combinations to install ranger admin and ranger kms.
>
> db_ssl_enabled | db_ssl_required | db_ssl_verifyServerCertificate | db_ssl_auth_type | javax_net_ssl_keyStore | javax_net_ssl_trustStore
> TRUE           | TRUE            | TRUE                           | 2-way            | provided               | provided
> TRUE           | TRUE            | TRUE                           | 2-way            | provided               | not provided
> TRUE           | TRUE            | TRUE                           | 2-way            | not provided           | provided
> TRUE           | TRUE            | TRUE                           | 2-way            | not provided           | not provided
> TRUE           | TRUE            | TRUE                           | 1-way            | provided               | provided
> TRUE           | TRUE            | TRUE                           | 1-way            | provided               | not provided
> TRUE           | TRUE            | TRUE                           | 1-way            | not provided           | provided
> TRUE           | TRUE            | TRUE                           | 1-way            | not provided           | not provided
> TRUE           | TRUE            | FALSE                          | 2-way            | provided               | provided
> TRUE           | TRUE            | FALSE                          | 2-way            | provided               | not provided
> TRUE           | TRUE            | FALSE                          | 2-way            | not provided           | provided
> TRUE           | TRUE            | FALSE                          | 2-way            | not provided           | not provided
> TRUE           | TRUE            | FALSE                          | 1-way            | provided               | provided
> TRUE           | TRUE            | FALSE                          | 1-way            | provided               | not provided
> TRUE           | TRUE            | FALSE                          | 1-way            | not provided           | provided
> TRUE           | TRUE            | FALSE                          | 1-way            | not provided           | not provided
> TRUE           | FALSE           | TRUE                           | 2-way            | provided               | provided
> TRUE           | FALSE           | TRUE                           | 2-way            | provided               | not provided
> TRUE           | FALSE           | TRUE                           | 2-way            | not provided           | provided
> TRUE           | FALSE           | TRUE                           | 2-way            | not provided           | not provided
> TRUE           | FALSE           | TRUE                           | 1-way            | provided               | provided
> TRUE           | FALSE           | TRUE                           | 1-way            | provided               | not provided
> TRUE           | FALSE           | TRUE                           | 1-way            | not provided           | provided
> TRUE           | FALSE           | TRUE                           | 1-way            | not provided           | not provided
> TRUE           | FALSE           | FALSE                          | 2-way            | provided               | provided
> TRUE           | FALSE           | FALSE                          | 2-way            | provided               | not provided
> TRUE           | FALSE           | FALSE                          | 2-way            | not provided           | provided
> TRUE           | FALSE           | FALSE                          | 2-way            | not provided           | not provided
> TRUE           | FALSE           | FALSE                          | 1-way            | provided               | provided
> TRUE           | FALSE           | FALSE                          | 1-way            | provided               | not provided
> TRUE           | FALSE           | FALSE                          | 1-way            | not provided           | provided
> TRUE           | FALSE           | FALSE                          | 1-way            | not provided           | not provided
> FALSE          | TRUE            | TRUE                           | 2-way            | provided               | provided
> FALSE          | TRUE            | TRUE                           | 2-way            | provided               | not provided
> FALSE          | TRUE            | TRUE                           | 2-way            | not provided           | provided
> FALSE          | TRUE            | TRUE                           | 2-way            | not provided           | not provided
> FALSE          | TRUE            | TRUE                           | 1-way            | provided               | provided
> FALSE          | TRUE            | TRUE                           | 1-way            | provided               | not provided
> FALSE          | TRUE            | TRUE                           | 1-way            | not provided           | provided
> FALSE          | TRUE            | TRUE                           | 1-way            | not provided           | not provided
> FALSE          | TRUE            | FALSE                          | 2-way            | provided               | provided
> FALSE          | TRUE            | FALSE                          | 2-way            | provided               | not provided
> FALSE          | TRUE            | FALSE                          | 2-way            | not provided           | provided
> FALSE          | TRUE            | FALSE                          | 2-way            | not provided           | not provided
> FALSE          | TRUE            | FALSE                          | 1-way            | provided               | provided
> FALSE          | TRUE            | FALSE                          | 1-way            | provided               | not provided
> FALSE          | TRUE            | FALSE                          | 1-way            | not provided           | provided
> FALSE          | TRUE            | FALSE                          | 1-way            | not provided           | not provided
> FALSE          | FALSE           | TRUE                           | 2-way            | provided               | provided
> FALSE          | FALSE           | TRUE                           | 2-way            | provided               | not provided
> FALSE          | FALSE           | TRUE                           | 2-way            | not provided           | provided
> FALSE          | FALSE           | TRUE                           | 2-way            | not provided           | not provided
> FALSE          | FALSE           | TRUE                           | 1-way            | provided               | provided
> FALSE          | FALSE           | TRUE                           | 1-way            | provided               | not provided
> FALSE          | FALSE           | TRUE                           | 1-way            | not provided           | provided
> FALSE          | FALSE           | TRUE                           | 1-way            | not provided           | not provided
> FALSE          | FALSE           | FALSE                          | 2-way            | provided               | provided
> FALSE          | FALSE           | FALSE                          | 2-way            | provided               | not provided
> FALSE          | FALSE           | FALSE                          | 2-way            | not provided           | provided
> FALSE          | FALSE           | FALSE                          | 2-way            | not provided           | not provided
> FALSE          | FALSE           | FALSE                          | 1-way            | provided               | provided
> FALSE          | FALSE           | FALSE                          | 1-way            | provided               | not provided
> FALSE          | FALSE           | FALSE                          | 1-way            | not provided           | provided
> FALSE          | FALSE           | FALSE                          | 1-way            | not provided           | not provided
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
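The URL-building rules and the -Djavax.net.ssl.* note in the request above, worked through as an added Python example that is not part of the review request or of Ranger's db_setup.py/dba_script.py. The function names, the base URL and the parsed-properties layout are this example's own; the sample properties reuse the 1-way values from the Testing section, and the returned warnings are an added check that flags the NonValidatingFactory case (no server certificate verification) and a verify-ca or 2-way setup that is missing its truststore or keystore.

```python
# Added example, not Ranger's own code: derive the Postgres JDBC URL and the
# -Djavax.net.ssl.* options from install.properties per the RANGER-2058 rules.
NON_VALIDATING = "org.postgresql.ssl.NonValidatingFactory"
JVM_KEYS = {"javax_net_ssl_keyStore": "javax.net.ssl.keyStore",
            "javax_net_ssl_keyStorePassword": "javax.net.ssl.keyStorePassword",
            "javax_net_ssl_trustStore": "javax.net.ssl.trustStore",
            "javax_net_ssl_trustStorePassword": "javax.net.ssl.trustStorePassword"}

def parse_properties(text):
    """Parse key=value lines as written in install.properties."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def _true(props, key):
    return props.get(key, "false").strip().lower() == "true"

def build_jdbc_url(base_url, props):
    """Return (url, warnings); warnings flag weak or incomplete SSL settings."""
    warnings = []
    if not _true(props, "db_ssl_enabled"):
        return base_url, warnings                  # rule 1 not met: no SSL attempted
    sep = "&" if "?" in base_url else "?"
    if _true(props, "db_ssl_required") or _true(props, "db_ssl_verifyServerCertificate"):
        url = base_url + sep + "ssl=true&sslmode=verify-ca"   # rule 3: CA check mandatory
        if not props.get("javax_net_ssl_trustStore"):
            warnings.append("verify-ca needs javax_net_ssl_trustStore")     # rule 3.1/3.2
        if props.get("db_ssl_auth_type") == "2-way" and not props.get("javax_net_ssl_keyStore"):
            warnings.append("2-way auth needs javax_net_ssl_keyStore")      # rule 3.2
    else:
        url = base_url + sep + "ssl=true&sslfactory=" + NON_VALIDATING   # rule 2
        warnings.append("NonValidatingFactory: server certificate is not verified")
    return url, warnings

def jvm_ssl_options(props):
    """-D flags ranger admin/kms and jisql need to locate the stores (Note section)."""
    return ["-D%s=%s" % (jvm, props[k]) for k, jvm in JVM_KEYS.items() if props.get(k)]

# Constructed sample reusing the 1-way values from the Testing section of the request
SAMPLE = """db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=1-way
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret
"""
```

With SAMPLE, build_jdbc_url appends ssl=true&sslmode=verify-ca with no warnings, while the same call with db_ssl_required and db_ssl_verifyServerCertificate both false yields the NonValidatingFactory URL and a warning that the server certificate is not checked.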