-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/#review200951
-----------------------------------------------------------
Ship it!

Ship It!

- Velmurugan Periasamy


On April 11, 2018, 12:49 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66504/
> -----------------------------------------------------------
>
> (Updated April 11, 2018, 12:49 p.m.)
>
>
> Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2058
>     https://issues.apache.org/jira/browse/RANGER-2058
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Ranger cannot communicate to SSL enabled Postgres server
>
>
> **Proposed Solution:**
> To connect to a SSL Enabled Postgres Server JDBC connection string could be:
> => For validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true".
> => For Non validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&org.postgresql.ssl.NonValidatingFactory".
>
> The 'ssl=true' property is added to the JDBC URL to attempt to communicate via SSL.
> The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to bypass certificate validation.
> ---
> Following properties of install.properties file can be used to provide the SSL config options, keystore and truststore path to connect to SSL enabled Postgres server:
>
> db_ssl_enabled=
> db_ssl_required=
> db_ssl_verifyServerCertificate=
> db_ssl_auth_type=
> javax_net_ssl_keyStore=
> javax_net_ssl_keyStorePassword=
> javax_net_ssl_trustStore=
> javax_net_ssl_trustStorePassword=
> ---
> **Rules:**
> 1. if [db_ssl_enabled=true] then ranger admin/kms JDBC URL will attempt to communicate to postgres via SSL.
> 2. if [db_ssl_enabled=true and [db_ssl_required=false and db_ssl_verifyServerCertificate=false]] then JDBC url will have parameter 'sslfactory=org.postgresql.ssl.NonValidatingFactory' in it and CA validation will be skipped.
> 3. if [db_ssl_enabled=true and [db_ssl_required=true or db_ssl_verifyServerCertificate=true]] then CA validation will be mandatory.
>   3.1) if [db_ssl_auth_type=1-way] then User has to provide the certificate and password through truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword)
>   3.2) if [db_ssl_auth_type=2-way] then User has to provide the keystore and password through keystore properties (javax_net_ssl_keyStore, javax_net_ssl_keyStorePassword) and CA certificate and password through truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
>
> **Note:**
> Ranger application and jisql utility should know from where to pick the certificates, which can be set in the System properties like this:
> -Djavax.net.ssl.keyStore=path_to_keystore_file
> -Djavax.net.ssl.keyStorePassword=password
> -Djavax.net.ssl.trustStore=path_to_truststore_file
> -Djavax.net.ssl.trustStorePassword=password
>
>
> Diffs
> -----
>
>   kms/scripts/db_setup.py a431b60
>   kms/scripts/dba_script.py bcd4aa2
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca
>   security-admin/scripts/db_setup.py b8664d2
>   security-admin/scripts/dba_script.py 69fff41
>   security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36
>
>
> Diff: https://reviews.apache.org/r/66504/diff/2/
>
>
> Testing
> -------
>
> **Steps Performed (with patch):**
> Installed Postgres and enabled SSL with the help of doc: https://www.postgresql.org/docs/9.5/static/ssl-tcp.html
>
> Untar ranger-admin from Build having changes of proposed patch.
> Provided ranger db root and admin db details in install.properties.
> Provided values for below properties of install.properties file.
>
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=1-way
> javax_net_ssl_keyStore=/root/keystore
> javax_net_ssl_keyStorePassword=secret
> javax_net_ssl_trustStore=/root/truststore
> javax_net_ssl_trustStorePassword=secret
>
> Executed setup.sh script.
>
> Tried to start ranger admin service.
>
> **Expected behaviour:** Ranger admin should start normally and User should be able to see Dashboard page after login.
>
> **Actual behaviour:** Ranger admin was started and was able to login and see Ranger UI.
>
> **Note:**
> Tested Ranger admin and Ranger kms on SSL enabled Postgres with one-way and two-way ssl configurations.
> Tried below combination of SSL properties also with different ranger db combination to install ranger admin and ranger kms.
>
> db_ssl_enabled | db_ssl_required | db_ssl_verifyServerCertificate | db_ssl_auth_type | javax_net_ssl_keyStore | javax_net_ssl_trustStore
> TRUE  | TRUE  | TRUE  | 2-way | provided     | provided
> TRUE  | TRUE  | TRUE  | 2-way | provided     | not provided
> TRUE  | TRUE  | TRUE  | 2-way | not provided | provided
> TRUE  | TRUE  | TRUE  | 2-way | not provided | not provided
> TRUE  | TRUE  | TRUE  | 1-way | provided     | provided
> TRUE  | TRUE  | TRUE  | 1-way | provided     | not provided
> TRUE  | TRUE  | TRUE  | 1-way | not provided | provided
> TRUE  | TRUE  | TRUE  | 1-way | not provided | not provided
> TRUE  | TRUE  | FALSE | 2-way | provided     | provided
> TRUE  | TRUE  | FALSE | 2-way | provided     | not provided
> TRUE  | TRUE  | FALSE | 2-way | not provided | provided
> TRUE  | TRUE  | FALSE | 2-way | not provided | not provided
> TRUE  | TRUE  | FALSE | 1-way | provided     | provided
> TRUE  | TRUE  | FALSE | 1-way | provided     | not provided
> TRUE  | TRUE  | FALSE | 1-way | not provided | provided
> TRUE  | TRUE  | FALSE | 1-way | not provided | not provided
> TRUE  | FALSE | TRUE  | 2-way | provided     | provided
> TRUE  | FALSE | TRUE  | 2-way | provided     | not provided
> TRUE  | FALSE | TRUE  | 2-way | not provided | provided
> TRUE  | FALSE | TRUE  | 2-way | not provided | not provided
> TRUE  | FALSE | TRUE  | 1-way | provided     | provided
> TRUE  | FALSE | TRUE  | 1-way | provided     | not provided
> TRUE  | FALSE | TRUE  | 1-way | not provided | provided
> TRUE  | FALSE | TRUE  | 1-way | not provided | not provided
> TRUE  | FALSE | FALSE | 2-way | provided     | provided
> TRUE  | FALSE | FALSE | 2-way | provided     | not provided
> TRUE  | FALSE | FALSE | 2-way | not provided | provided
> TRUE  | FALSE | FALSE | 2-way | not provided | not provided
> TRUE  | FALSE | FALSE | 1-way | provided     | provided
> TRUE  | FALSE | FALSE | 1-way | provided     | not provided
> TRUE  | FALSE | FALSE | 1-way | not provided | provided
> TRUE  | FALSE | FALSE | 1-way | not provided | not provided
> FALSE | TRUE  | TRUE  | 2-way | provided     | provided
> FALSE | TRUE  | TRUE  | 2-way | provided     | not provided
> FALSE | TRUE  | TRUE  | 2-way | not provided | provided
> FALSE | TRUE  | TRUE  | 2-way | not provided | not provided
> FALSE | TRUE  | TRUE  | 1-way | provided     | provided
> FALSE | TRUE  | TRUE  | 1-way | provided     | not provided
> FALSE | TRUE  | TRUE  | 1-way | not provided | provided
> FALSE | TRUE  | TRUE  | 1-way | not provided | not provided
> FALSE | TRUE  | FALSE | 2-way | provided     | provided
> FALSE | TRUE  | FALSE | 2-way | provided     | not provided
> FALSE | TRUE  | FALSE | 2-way | not provided | provided
> FALSE | TRUE  | FALSE | 2-way | not provided | not provided
> FALSE | TRUE  | FALSE | 1-way | provided     | provided
> FALSE | TRUE  | FALSE | 1-way | provided     | not provided
> FALSE | TRUE  | FALSE | 1-way | not provided | provided
> FALSE | TRUE  | FALSE | 1-way | not provided | not provided
> FALSE | FALSE | TRUE  | 2-way | provided     | provided
> FALSE | FALSE | TRUE  | 2-way | provided     | not provided
> FALSE | FALSE | TRUE  | 2-way | not provided | provided
> FALSE | FALSE | TRUE  | 2-way | not provided | not provided
> FALSE | FALSE | TRUE  | 1-way | provided     | provided
> FALSE | FALSE | TRUE  | 1-way | provided     | not provided
> FALSE | FALSE | TRUE  | 1-way | not provided | provided
> FALSE | FALSE | TRUE  | 1-way | not provided | not provided
> FALSE | FALSE | FALSE | 2-way | provided     | provided
> FALSE | FALSE | FALSE | 2-way | provided     | not provided
> FALSE | FALSE | FALSE | 2-way | not provided | provided
> FALSE | FALSE | FALSE | 2-way | not provided | not provided
> FALSE | FALSE | FALSE | 1-way | provided     | provided
> FALSE | FALSE | FALSE | 1-way | provided     | not provided
> FALSE | FALSE | FALSE | 1-way | not provided | provided
> FALSE | FALSE | FALSE | 1-way | not provided | not provided
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
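The URL-construction rules and the keystore/truststore prerequisites from the quoted review request, written out as an added Python example; this is not Ranger's own code (the patch itself is in db_setup.py/dba_script.py and the Java classes listed in the diff), and the function names, the port number and the sample property dicts are this example's assumptions.

```python
# Added example, not Ranger's code: derives the Postgres JDBC URL, the store
# properties that must still be supplied, and the JVM -D options from
# install.properties values, following rules 1-3 of the review request.
# Function names, the port and the sample dict are assumptions of this example.

NON_VALIDATING = "org.postgresql.ssl.NonValidatingFactory"
STORE_KEYS = ("javax_net_ssl_keyStore", "javax_net_ssl_keyStorePassword",
              "javax_net_ssl_trustStore", "javax_net_ssl_trustStorePassword")


def _flag(props, key):
    """install.properties values are strings; treat only 'true' as set."""
    return str(props.get(key, "false")).strip().lower() == "true"


def ca_validation_required(props):
    """Rule 3: mandatory when SSL is enabled and required or verify is true."""
    return _flag(props, "db_ssl_enabled") and (
        _flag(props, "db_ssl_required") or _flag(props, "db_ssl_verifyServerCertificate"))


def build_jdbc_url(host, port, dbname, props):
    """Rules 1 and 2: ssl=true, plus the non-validating factory only when both
    db_ssl_required and db_ssl_verifyServerCertificate are false."""
    url = f"jdbc:postgresql://{host}:{port}/{dbname}"
    if not _flag(props, "db_ssl_enabled"):
        return url                                   # plain (non-SSL) connection
    url += "?ssl=true"                               # rule 1: attempt SSL
    if not ca_validation_required(props):
        url += f"&sslfactory={NON_VALIDATING}"       # rule 2: CA check skipped
    return url


def missing_store_properties(props):
    """Rules 3.1/3.2: store properties that are still empty for this auth type."""
    if not ca_validation_required(props):
        return []
    needed = list(STORE_KEYS[2:])                    # 1-way: truststore + password
    if props.get("db_ssl_auth_type") == "2-way":
        needed = list(STORE_KEYS)                    # 2-way: keystore as well
    return [k for k in needed if not props.get(k)]


def jvm_ssl_options(props):
    """Note section: the -Djavax.net.ssl.* flags for ranger-admin and jisql."""
    return [f"-D{k.replace('_', '.')}={props[k]}" for k in STORE_KEYS if props.get(k)]


if __name__ == "__main__":
    cfg = {"db_ssl_enabled": "true", "db_ssl_required": "true",      # constructed sample
           "db_ssl_verifyServerCertificate": "true", "db_ssl_auth_type": "1-way",
           "javax_net_ssl_trustStore": "/root/truststore",
           "javax_net_ssl_trustStorePassword": "secret"}
    print(build_jdbc_url("127.0.0.1", 5432, "ranger", cfg))
    print(missing_store_properties(cfg), jvm_ssl_options(cfg))
```

The non-validating branch is the one to watch in a deployment review: with both flags false the server certificate is never checked, so the URL returned for that case is the signal that the connection is SSL-encrypted but unauthenticated.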