-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/
-----------------------------------------------------------
(Updated April 11, 2018, 12:49 p.m.)

Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.

Changes
-------

Addressed review comment and removed optional verify-ca url parameter.

Bugs: RANGER-2058
    https://issues.apache.org/jira/browse/RANGER-2058

Repository: ranger

Description (updated)
-------

**Problem Statement:** Ranger cannot communicate with an SSL-enabled Postgres server.

**Proposed Solution:** To connect to an SSL-enabled Postgres server, the JDBC connection string could be:

=> For validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true".
=> For non-validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&org.postgresql.ssl.NonValidatingFactory".

The 'ssl=true' property is added to the JDBC URL to attempt to communicate via SSL. The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to bypass certificate validation.

---

The following properties of the install.properties file can be used to provide the SSL config options, keystore and truststore path to connect to an SSL-enabled Postgres server:

db_ssl_enabled=
db_ssl_required=
db_ssl_verifyServerCertificate=
db_ssl_auth_type=
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=

---

**Rules:**

1. if [db_ssl_enabled=true] then the ranger admin/kms JDBC URL will attempt to communicate with postgres via SSL.
2. if [db_ssl_enabled=true and [db_ssl_required=false and db_ssl_verifyServerCertificate=false]] then the JDBC url will have the parameter 'sslfactory=org.postgresql.ssl.NonValidatingFactory' in it and CA validation will be skipped.
3. if [db_ssl_enabled=true and [db_ssl_required=true or db_ssl_verifyServerCertificate=true]] then CA validation will be mandatory.
   3.1) if [db_ssl_auth_type=1-way] then the user has to provide the certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
   3.2) if [db_ssl_auth_type=2-way] then the user has to provide the keystore and password through the keystore properties (javax_net_ssl_keyStore, javax_net_ssl_keyStorePassword) and the CA certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).

**Note:** The Ranger application and the jisql utility should know from where to pick the certificates, which can be set in the System properties like this:

-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password

Diffs (updated)
-----

  kms/scripts/db_setup.py a431b60
  kms/scripts/dba_script.py bcd4aa2
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca
  security-admin/scripts/db_setup.py b8664d2
  security-admin/scripts/dba_script.py 69fff41
  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36

Diff: https://reviews.apache.org/r/66504/diff/2/

Changes: https://reviews.apache.org/r/66504/diff/1-2/

Testing
-------

**Steps Performed (with patch):**

Installed Postgres and enabled SSL with the help of the doc: https://www.postgresql.org/docs/9.5/static/ssl-tcp.html
Untarred ranger-admin from a build having the changes of the proposed patch.
Provided ranger db root and admin db details in install.properties.
Provided values for the below properties of the install.properties file:

db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=1-way
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret

Executed the setup.sh script.
Tried to start the ranger admin service.
**Expected behaviour:** Ranger admin should start normally and the user should be able to see the Dashboard page after login.

**Actual behaviour:** Ranger admin was started and was able to login and see the Ranger UI.

**Note:** Tested Ranger admin and Ranger kms on SSL-enabled Postgres with one-way and two-way SSL configurations. Also tried the below combinations of SSL properties, with different ranger db combinations, to install ranger admin and ranger kms.

| db_ssl_enabled | db_ssl_required | db_ssl_verifyServerCertificate | db_ssl_auth_type | javax_net_ssl_keyStore | javax_net_ssl_trustStore |
|---|---|---|---|---|---|
| TRUE | TRUE | TRUE | 2-way | provided | provided |
| TRUE | TRUE | TRUE | 2-way | provided | not provided |
| TRUE | TRUE | TRUE | 2-way | not provided | provided |
| TRUE | TRUE | TRUE | 2-way | not provided | not provided |
| TRUE | TRUE | TRUE | 1-way | provided | provided |
| TRUE | TRUE | TRUE | 1-way | provided | not provided |
| TRUE | TRUE | TRUE | 1-way | not provided | provided |
| TRUE | TRUE | TRUE | 1-way | not provided | not provided |
| TRUE | TRUE | FALSE | 2-way | provided | provided |
| TRUE | TRUE | FALSE | 2-way | provided | not provided |
| TRUE | TRUE | FALSE | 2-way | not provided | provided |
| TRUE | TRUE | FALSE | 2-way | not provided | not provided |
| TRUE | TRUE | FALSE | 1-way | provided | provided |
| TRUE | TRUE | FALSE | 1-way | provided | not provided |
| TRUE | TRUE | FALSE | 1-way | not provided | provided |
| TRUE | TRUE | FALSE | 1-way | not provided | not provided |
| TRUE | FALSE | TRUE | 2-way | provided | provided |
| TRUE | FALSE | TRUE | 2-way | provided | not provided |
| TRUE | FALSE | TRUE | 2-way | not provided | provided |
| TRUE | FALSE | TRUE | 2-way | not provided | not provided |
| TRUE | FALSE | TRUE | 1-way | provided | provided |
| TRUE | FALSE | TRUE | 1-way | provided | not provided |
| TRUE | FALSE | TRUE | 1-way | not provided | provided |
| TRUE | FALSE | TRUE | 1-way | not provided | not provided |
| TRUE | FALSE | FALSE | 2-way | provided | provided |
| TRUE | FALSE | FALSE | 2-way | provided | not provided |
| TRUE | FALSE | FALSE | 2-way | not provided | provided |
| TRUE | FALSE | FALSE | 2-way | not provided | not provided |
| TRUE | FALSE | FALSE | 1-way | provided | provided |
| TRUE | FALSE | FALSE | 1-way | provided | not provided |
| TRUE | FALSE | FALSE | 1-way | not provided | provided |
| TRUE | FALSE | FALSE | 1-way | not provided | not provided |
| FALSE | TRUE | TRUE | 2-way | provided | provided |
| FALSE | TRUE | TRUE | 2-way | provided | not provided |
| FALSE | TRUE | TRUE | 2-way | not provided | provided |
| FALSE | TRUE | TRUE | 2-way | not provided | not provided |
| FALSE | TRUE | TRUE | 1-way | provided | provided |
| FALSE | TRUE | TRUE | 1-way | provided | not provided |
| FALSE | TRUE | TRUE | 1-way | not provided | provided |
| FALSE | TRUE | TRUE | 1-way | not provided | not provided |
| FALSE | TRUE | FALSE | 2-way | provided | provided |
| FALSE | TRUE | FALSE | 2-way | provided | not provided |
| FALSE | TRUE | FALSE | 2-way | not provided | provided |
| FALSE | TRUE | FALSE | 2-way | not provided | not provided |
| FALSE | TRUE | FALSE | 1-way | provided | provided |
| FALSE | TRUE | FALSE | 1-way | provided | not provided |
| FALSE | TRUE | FALSE | 1-way | not provided | provided |
| FALSE | TRUE | FALSE | 1-way | not provided | not provided |
| FALSE | FALSE | TRUE | 2-way | provided | provided |
| FALSE | FALSE | TRUE | 2-way | provided | not provided |
| FALSE | FALSE | TRUE | 2-way | not provided | provided |
| FALSE | FALSE | TRUE | 2-way | not provided | not provided |
| FALSE | FALSE | TRUE | 1-way | provided | provided |
| FALSE | FALSE | TRUE | 1-way | provided | not provided |
| FALSE | FALSE | TRUE | 1-way | not provided | provided |
| FALSE | FALSE | TRUE | 1-way | not provided | not provided |
| FALSE | FALSE | FALSE | 2-way | provided | provided |
| FALSE | FALSE | FALSE | 2-way | provided | not provided |
| FALSE | FALSE | FALSE | 2-way | not provided | provided |
| FALSE | FALSE | FALSE | 2-way | not provided | not provided |
| FALSE | FALSE | FALSE | 1-way | provided | provided |
| FALSE | FALSE | FALSE | 1-way | provided | not provided |
| FALSE | FALSE | FALSE | 1-way | not provided | provided |
| FALSE | FALSE | FALSE | 1-way | not provided | not provided |

Thanks,

Pradeep Agrawal
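The three rules in the description (ssl=true when db_ssl_enabled is set, NonValidatingFactory only when neither db_ssl_required nor db_ssl_verifyServerCertificate is set, and truststore or keystore-plus-truststore depending on db_ssl_auth_type) can be written down as a small, testable piece of logic. The following is an added example, not code from the review request or from Ranger's own db_setup.py/dba_script.py; the function names parse_install_properties, build_jdbc_url and jvm_ssl_flags, the host/port/database parameters, and the sample install.properties text are all constructed here. It uses the 'sslfactory=org.postgresql.ssl.NonValidatingFactory' form named in the description, and fails early when the chosen auth type references a store that was not provided, so a bad combination from the table above surfaces at setup time instead of at the first JDBC connection.

```python
"""Derive the PostgreSQL JDBC URL and the -Djavax.net.ssl.* JVM flags from
Ranger-style install.properties keys, following the rules in the description.
Added example; not part of the review request or Ranger's scripts."""
from typing import Dict, List

NON_VALIDATING_FACTORY = "org.postgresql.ssl.NonValidatingFactory"

# Constructed sample of the relevant install.properties lines; the values
# mirror the 1-way test configuration from the review request.
SAMPLE_INSTALL_PROPERTIES = """\
# SSL settings for the Ranger DB connection (constructed sample)
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=1-way
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret
"""


def parse_install_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser: blank lines and '#' comments are skipped and
    the value is everything after the first '=' (so '=' inside values survives)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _is_true(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").strip().lower() == "true"


def _validating(props: Dict[str, str]) -> bool:
    """Rule 3 condition: CA validation is mandatory when either flag is true."""
    return _is_true(props, "db_ssl_required") or _is_true(props, "db_ssl_verifyServerCertificate")


def build_jdbc_url(host: str, port: int, database: str, props: Dict[str, str]) -> str:
    """Rule 1: append ssl=true whenever db_ssl_enabled=true.
    Rule 2: when neither db_ssl_required nor db_ssl_verifyServerCertificate is
    set, append sslfactory=NonValidatingFactory, which skips CA validation."""
    url = f"jdbc:postgresql://{host}:{port}/{database}"
    if not _is_true(props, "db_ssl_enabled"):
        return url
    url += "?ssl=true"
    if not _validating(props):
        url += "&sslfactory=" + NON_VALIDATING_FACTORY
    return url


def jvm_ssl_flags(props: Dict[str, str]) -> List[str]:
    """Rule 3: when CA validation is mandatory, emit the -D flags the JVM
    (ranger admin/kms and jisql) needs to find its stores. 1-way needs the
    truststore; 2-way needs the keystore and the truststore. A missing store
    path raises ValueError so the misconfiguration is caught at setup time."""
    if not _is_true(props, "db_ssl_enabled") or not _validating(props):
        return []  # plain or NonValidatingFactory connection: no stores consulted
    auth_type = props.get("db_ssl_auth_type", "1-way").strip()
    if auth_type not in ("1-way", "2-way"):
        raise ValueError(f"unsupported db_ssl_auth_type: {auth_type!r}")
    stores = [("trustStore", "trustStorePassword")]
    if auth_type == "2-way":
        stores.insert(0, ("keyStore", "keyStorePassword"))
    flags: List[str] = []
    for store, password in stores:
        path = props.get(f"javax_net_ssl_{store}", "").strip()
        if not path:
            raise ValueError(f"db_ssl_auth_type={auth_type} requires javax_net_ssl_{store}")
        secret = props.get(f"javax_net_ssl_{password}", "")
        flags.append(f"-Djavax.net.ssl.{store}={path}")
        flags.append(f"-Djavax.net.ssl.{password}={secret}")
    return flags


if __name__ == "__main__":
    props = parse_install_properties(SAMPLE_INSTALL_PROPERTIES)
    # 5432 is the default PostgreSQL port; host and database are placeholders.
    print(build_jdbc_url("127.0.0.1", 5432, "ranger", props))
    print(" ".join(jvm_ssl_flags(props)))
```

Run stand-alone it prints the validating URL and the two truststore flags for the sample 1-way configuration; switching db_ssl_auth_type to 2-way adds the keystore flags, and clearing both validation flags yields the NonValidatingFactory URL with no -D flags, which is the combination to watch for in a production install.properties because the server certificate is not checked.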