-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55135/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, 
Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-1288
    https://issues.apache.org/jira/browse/RANGER-1288


Repository: ranger


Description
-------

**Problem Statement:** Ranger cannot communicate with an SSL-enabled MySQL server

**Proposed Solution:** 
To connect to an SSL-enabled MySQL server, the JDBC connection string could be: 
"jdbc:mysql://127.0.0.1:3306/ranger?verifyServerCertificate=false&useSSL=true&requireSSL=true".
The 'useSSL=true' property is added to the JDBC URL to attempt to communicate 
via SSL. 
The 'verifyServerCertificate=false' property is set to bypass certificate 
validation.
The 'requireSSL=true' property is set to refuse to connect if the MySQL server 
does not support SSL. If the user wants to connect using a truststore, he can 
configure truststore files (certificate information for both the MySQL server 
and the client). 
The Ranger application and the jisql utility need to know where to pick up the 
certificates, which can be set in system properties like this:
-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password

The following properties have been added in install.properties to add 
SSL-enabled MySQL configuration in Ranger admin: 

db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
javax_net_ssl_keyStore=/etc/mysql/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/etc/mysql/truststore
javax_net_ssl_trustStorePassword=secret


Diffs
-----

  embeddedwebserver/scripts/ranger-admin-services.sh c19598a 
  kms/config/kms-webapp/dbks-site.xml ebf06d7 
  kms/scripts/db_setup.py f1342fd 
  kms/scripts/dba_script.py 4366743 
  kms/scripts/install.properties d07dc2c 
  kms/scripts/setup.sh 568350b 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java f350dce 
  plugin-kms/scripts/enable-kms-plugin.sh b2701a8 
  security-admin/scripts/db_setup.py 430aa47 
  security-admin/scripts/dba_script.py 1b29c75 
  security-admin/scripts/install.properties 693129f 
  security-admin/scripts/setup.sh 82250b1 
  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 5636ed3 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e73b6c6 

Diff: https://reviews.apache.org/r/55135/diff/


Testing
-------

**Steps Performed (with patch):**
1. Installed MySQL and enabled SSL with the help of these docs: 
http://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

2. Untarred ranger-admin from the build containing the changes of the proposed patch.
3. Provided ranger db root and admin db details in install.properties.
4. Provided values for the newly introduced properties below in the install.properties file.
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret

5. Executed setup.sh script.
6. Tried to start ranger admin service.

**Expected behaviour:** Ranger admin should start normally and the user should 
be able to see the Dashboard page after login.

**Actual behaviour:** Ranger admin was started, and I was able to log in and see 
the Ranger UI.

**Note:** Also tried the combinations of SSL properties below, with different 
Ranger DB combinations, to install Ranger.

**db_ssl_enabled | db_ssl_required | db_ssl_verifyServerCertificate**
true           | true            | true
true           | true            | false
true           | false           | true
true           | false           | false


Thanks,

Pradeep Agrawal
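
Added example, not part of the review request or the Ranger patch: a Python sketch of how the three db_ssl_* properties could map onto the JDBC URL parameters and javax.net.ssl options described above, with a check of what each combination leaves unprotected. The function names and the property-to-parameter mapping are assumptions; the patch's own scripts may differ.

```python
from urllib.parse import urlencode

# Constructed samples using the property names and values quoted in the mail.
STRICT = """db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret"""
WEAK = STRICT.replace("Certificate=true", "Certificate=false")

def parse_props(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    lines = (l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def flag(props, key):
    return props.get(key, "false").lower() == "true"

def build_jdbc_url(props, host, port, db):
    """Assumed mapping of db_ssl_* onto the URL parameters named in the mail."""
    url = f"jdbc:mysql://{host}:{port}/{db}"
    if not flag(props, "db_ssl_enabled"):
        return url
    verify = str(flag(props, "db_ssl_verifyServerCertificate")).lower()
    require = str(flag(props, "db_ssl_required")).lower()
    params = [("verifyServerCertificate", verify), ("useSSL", "true"), ("requireSSL", require)]
    return url + "?" + urlencode(params)

def jvm_flags(props):
    """-Djavax.net.ssl.* options for every store setting present (assumed handling)."""
    if not flag(props, "db_ssl_enabled"):
        return []
    names = ("keyStore", "keyStorePassword", "trustStore", "trustStorePassword")
    return [f"-Djavax.net.ssl.{n}={props['javax_net_ssl_' + n]}"
            for n in names if props.get("javax_net_ssl_" + n)]

def audit(props):
    """List what the chosen combination leaves unprotected; empty list means none found."""
    if not flag(props, "db_ssl_enabled"):
        return ["db_ssl_enabled=false: traffic to MySQL is not encrypted"]
    findings = []
    if not flag(props, "db_ssl_required"):
        findings.append("db_ssl_required=false: connection is not refused if the server lacks SSL")
    if not flag(props, "db_ssl_verifyServerCertificate"):
        findings.append("db_ssl_verifyServerCertificate=false: server identity is not checked")
    elif not props.get("javax_net_ssl_trustStore"):
        findings.append("no javax_net_ssl_trustStore: verification depends on the JVM default trust store")
    return findings
```

Passwords supplied as -Djavax.net.ssl.*Password options appear on the JVM command line, where other local users can read them from the process list.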
