-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/
-----------------------------------------------------------

(Updated April 11, 2018, 12:49 p.m.)


Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan 
Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
-------

Addressed review comment and removed optional verify-ca url parameter.


Bugs: RANGER-2058
    https://issues.apache.org/jira/browse/RANGER-2058


Repository: ranger


Description (updated)
-------

**Problem Statement:** Ranger cannot communicate with an SSL-enabled Postgres server.


**Proposed Solution:**
To connect to an SSL-enabled Postgres server, the JDBC connection string could be:
=> For validating the CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true".
=> For not validating the CA:
"jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory".

The 'ssl=true' property is added to the JDBC URL to attempt to communicate via 
SSL. 
The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to 
bypass certificate validation.
---
The following properties of the install.properties file can be used to provide 
the SSL config options and the keystore and truststore paths needed to connect 
to an SSL-enabled Postgres server:

db_ssl_enabled=
db_ssl_required=
db_ssl_verifyServerCertificate=
db_ssl_auth_type=
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
---
**Rules:**
1. if [db_ssl_enabled=true] then the Ranger admin/KMS JDBC URL will attempt to 
communicate with Postgres via SSL.
2. if [db_ssl_enabled=true and [db_ssl_required=false and 
db_ssl_verifyServerCertificate=false]] then the JDBC URL will have the parameter 
'sslfactory=org.postgresql.ssl.NonValidatingFactory' in it and CA validation 
will be skipped.
3. if [db_ssl_enabled=true and [db_ssl_required=true or 
db_ssl_verifyServerCertificate=true]] then CA validation will be mandatory. 
   3.1) if [db_ssl_auth_type=1-way] then the user has to provide the certificate 
and password through the truststore properties 
(javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword). 
   3.2) if [db_ssl_auth_type=2-way] then the user has to provide the keystore and 
password through the keystore properties 
(javax_net_ssl_keyStore, javax_net_ssl_keyStorePassword) and the CA certificate 
and password through the truststore properties 
(javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).

**Note:**
The Ranger application and the jisql utility need to know where to pick up the 
certificates, which can be set in the system properties like this:
-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password


Diffs (updated)
-----

  kms/scripts/db_setup.py a431b60 
  kms/scripts/dba_script.py bcd4aa2 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca 
  security-admin/scripts/db_setup.py b8664d2 
  security-admin/scripts/dba_script.py 69fff41 
  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36 


Diff: https://reviews.apache.org/r/66504/diff/2/

Changes: https://reviews.apache.org/r/66504/diff/1-2/


Testing
-------

**Steps Performed(with patch):**
Installed Postgres and enabled SSL with the help of this doc: 
https://www.postgresql.org/docs/9.5/static/ssl-tcp.html

Untarred ranger-admin from a build containing the changes of the proposed patch.
Provided the Ranger DB root and admin DB details in install.properties.
Provided values for the below properties of the install.properties file:
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=1-way
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret

Executed setup.sh script.

Tried to start ranger admin service.

**Expected behaviour:** Ranger admin should start normally and the user should 
be able to see the Dashboard page after login.

**Actual behaviour:** Ranger admin started, and the user was able to log in and 
see the Ranger UI.

**Note:** 
Tested Ranger admin and Ranger KMS on SSL-enabled Postgres with one-way and 
two-way SSL configurations.
Also tried the below combinations of SSL properties with different Ranger DB 
combinations to install Ranger admin and Ranger KMS.

db_ssl_enabled | db_ssl_required | db_ssl_verifyServerCertificate | db_ssl_auth_type | javax_net_ssl_keyStore | javax_net_ssl_trustStore
TRUE  | TRUE  | TRUE  | 2-way | provided     | provided
TRUE  | TRUE  | TRUE  | 2-way | provided     | not provided
TRUE  | TRUE  | TRUE  | 2-way | not provided | provided
TRUE  | TRUE  | TRUE  | 2-way | not provided | not provided
TRUE  | TRUE  | TRUE  | 1-way | provided     | provided
TRUE  | TRUE  | TRUE  | 1-way | provided     | not provided
TRUE  | TRUE  | TRUE  | 1-way | not provided | provided
TRUE  | TRUE  | TRUE  | 1-way | not provided | not provided
TRUE  | TRUE  | FALSE | 2-way | provided     | provided
TRUE  | TRUE  | FALSE | 2-way | provided     | not provided
TRUE  | TRUE  | FALSE | 2-way | not provided | provided
TRUE  | TRUE  | FALSE | 2-way | not provided | not provided
TRUE  | TRUE  | FALSE | 1-way | provided     | provided
TRUE  | TRUE  | FALSE | 1-way | provided     | not provided
TRUE  | TRUE  | FALSE | 1-way | not provided | provided
TRUE  | TRUE  | FALSE | 1-way | not provided | not provided
TRUE  | FALSE | TRUE  | 2-way | provided     | provided
TRUE  | FALSE | TRUE  | 2-way | provided     | not provided
TRUE  | FALSE | TRUE  | 2-way | not provided | provided
TRUE  | FALSE | TRUE  | 2-way | not provided | not provided
TRUE  | FALSE | TRUE  | 1-way | provided     | provided
TRUE  | FALSE | TRUE  | 1-way | provided     | not provided
TRUE  | FALSE | TRUE  | 1-way | not provided | provided
TRUE  | FALSE | TRUE  | 1-way | not provided | not provided
TRUE  | FALSE | FALSE | 2-way | provided     | provided
TRUE  | FALSE | FALSE | 2-way | provided     | not provided
TRUE  | FALSE | FALSE | 2-way | not provided | provided
TRUE  | FALSE | FALSE | 2-way | not provided | not provided
TRUE  | FALSE | FALSE | 1-way | provided     | provided
TRUE  | FALSE | FALSE | 1-way | provided     | not provided
TRUE  | FALSE | FALSE | 1-way | not provided | provided
TRUE  | FALSE | FALSE | 1-way | not provided | not provided
FALSE | TRUE  | TRUE  | 2-way | provided     | provided
FALSE | TRUE  | TRUE  | 2-way | provided     | not provided
FALSE | TRUE  | TRUE  | 2-way | not provided | provided
FALSE | TRUE  | TRUE  | 2-way | not provided | not provided
FALSE | TRUE  | TRUE  | 1-way | provided     | provided
FALSE | TRUE  | TRUE  | 1-way | provided     | not provided
FALSE | TRUE  | TRUE  | 1-way | not provided | provided
FALSE | TRUE  | TRUE  | 1-way | not provided | not provided
FALSE | TRUE  | FALSE | 2-way | provided     | provided
FALSE | TRUE  | FALSE | 2-way | provided     | not provided
FALSE | TRUE  | FALSE | 2-way | not provided | provided
FALSE | TRUE  | FALSE | 2-way | not provided | not provided
FALSE | TRUE  | FALSE | 1-way | provided     | provided
FALSE | TRUE  | FALSE | 1-way | provided     | not provided
FALSE | TRUE  | FALSE | 1-way | not provided | provided
FALSE | TRUE  | FALSE | 1-way | not provided | not provided
FALSE | FALSE | TRUE  | 2-way | provided     | provided
FALSE | FALSE | TRUE  | 2-way | provided     | not provided
FALSE | FALSE | TRUE  | 2-way | not provided | provided
FALSE | FALSE | TRUE  | 2-way | not provided | not provided
FALSE | FALSE | TRUE  | 1-way | provided     | provided
FALSE | FALSE | TRUE  | 1-way | provided     | not provided
FALSE | FALSE | TRUE  | 1-way | not provided | provided
FALSE | FALSE | TRUE  | 1-way | not provided | not provided
FALSE | FALSE | FALSE | 2-way | provided     | provided
FALSE | FALSE | FALSE | 2-way | provided     | not provided
FALSE | FALSE | FALSE | 2-way | not provided | provided
FALSE | FALSE | FALSE | 2-way | not provided | not provided
FALSE | FALSE | FALSE | 1-way | provided     | provided
FALSE | FALSE | FALSE | 1-way | provided     | not provided
FALSE | FALSE | FALSE | 1-way | not provided | provided
FALSE | FALSE | FALSE | 1-way | not provided | not provided


Thanks,

Pradeep Agrawal
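The rules in the description above (ssl=true under rule 1, the non-validating sslfactory only under rule 2, and the truststore/keystore requirements of rules 3.1 and 3.2), worked as an added Python example. This is example code written for this review thread, not the logic of Ranger's db_setup.py, dba_script.py or PropertiesUtil.java; the base JDBC URL, the truststore path and the sample install.properties content are constructed placeholders, and the function names are my own.

```python
"""Worked example of the SSL rules in RANGER-2058's description: derive the
Postgres JDBC URL and the javax.net.ssl system properties from install.properties
values. Example code for this discussion, not Ranger's own setup logic."""

NON_VALIDATING_FACTORY = "org.postgresql.ssl.NonValidatingFactory"

# Assumed base URL: host, port and database name are placeholders.
BASE_URL = "jdbc:postgresql://db.example.internal:5432/ranger"

# Constructed sample mirroring the 1-way configuration from the Testing section.
SAMPLE_INSTALL_PROPERTIES = """\
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=1-way
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=/etc/ranger/truststore.jks
javax_net_ssl_trustStorePassword=changeit
"""

# install.properties name -> JVM system property named in the Note.
STORE_PROPERTY_MAP = {
    "javax_net_ssl_keyStore": "javax.net.ssl.keyStore",
    "javax_net_ssl_keyStorePassword": "javax.net.ssl.keyStorePassword",
    "javax_net_ssl_trustStore": "javax.net.ssl.trustStore",
    "javax_net_ssl_trustStorePassword": "javax.net.ssl.trustStorePassword",
}


def parse_install_properties(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _is_true(props, key):
    return props.get(key, "").strip().lower() == "true"


def _validation_skipped(props):
    """Rule 2 condition: neither db_ssl_required nor verifyServerCertificate set."""
    return (not _is_true(props, "db_ssl_required")
            and not _is_true(props, "db_ssl_verifyServerCertificate"))


def build_jdbc_url(base_url, props):
    """Rules 1-3: append ssl=true when SSL is enabled, and append the
    non-validating sslfactory only when CA validation is not required (rule 2).
    With the driver's default factory the server certificate is validated
    against the configured truststore (rule 3)."""
    if not _is_true(props, "db_ssl_enabled"):
        return base_url
    url = base_url + "?ssl=true"
    if _validation_skipped(props):
        url += "&sslfactory=" + NON_VALIDATING_FACTORY
    return url


def required_store_properties(props):
    """Rules 3.1/3.2: properties that must be filled in when CA validation is
    mandatory. 1-way needs the truststore pair; 2-way also needs the keystore pair."""
    if not _is_true(props, "db_ssl_enabled") or _validation_skipped(props):
        return []
    needed = ["javax_net_ssl_trustStore", "javax_net_ssl_trustStorePassword"]
    if props.get("db_ssl_auth_type", "").strip() == "2-way":
        needed = ["javax_net_ssl_keyStore", "javax_net_ssl_keyStorePassword"] + needed
    return needed


def missing_store_properties(props):
    """Required properties that are empty or absent; a setup script can fail fast
    on these instead of letting the JVM silently fall back to its default stores."""
    return [k for k in required_store_properties(props) if not props.get(k, "").strip()]


def jvm_ssl_args(props):
    """The -Djavax.net.ssl.* arguments from the Note, for the properties that are set."""
    return ["-D%s=%s" % (jvm, props[k]) for k, jvm in STORE_PROPERTY_MAP.items()
            if props.get(k, "").strip()]


if __name__ == "__main__":
    p = parse_install_properties(SAMPLE_INSTALL_PROPERTIES)
    print(build_jdbc_url(BASE_URL, p))
    print("missing:", missing_store_properties(p))
    print(" ".join(jvm_ssl_args(p)))
```

The one design point worth noting: the non-validating factory is only emitted when both db_ssl_required and db_ssl_verifyServerCertificate are false, so a single "true" in either property keeps certificate validation on, and missing_store_properties surfaces an empty truststore or keystore before the service is started rather than at first connection.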
