Repository: accumulo Updated Branches: refs/heads/master 1c5bef324 -> 76ce7d926
ACCUMULO-3606 make keystore and truststore types configurable for monitor SSL Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/76ce7d92 Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/76ce7d92 Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/76ce7d92 Branch: refs/heads/master Commit: 76ce7d9264addffcb940bbda000bf03efc95197f Parents: 1c5bef3 Author: Billie Rinaldi <billie.rina...@gmail.com> Authored: Mon Mar 2 16:34:17 2015 -0800 Committer: Billie Rinaldi <billie.rina...@gmail.com> Committed: Tue Mar 3 15:13:40 2015 -0800 ---------------------------------------------------------------------- .../org/apache/accumulo/core/conf/Property.java | 2 + .../accumulo/monitor/EmbeddedWebServer.java | 2 + .../accumulo/test/functional/MonitorSslIT.java | 128 +++++++++++++++++++ 3 files changed, 132 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/accumulo/blob/76ce7d92/core/src/main/java/org/apache/accumulo/core/conf/Property.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/accumulo/core/conf/Property.java b/core/src/main/java/org/apache/accumulo/core/conf/Property.java index 01f03cf..9ceebed 100644 --- a/core/src/main/java/org/apache/accumulo/core/conf/Property.java +++ b/core/src/main/java/org/apache/accumulo/core/conf/Property.java 
@@ -355,9 +355,11 @@ public enum Property { MONITOR_SSL_KEYSTORE("monitor.ssl.keyStore", "", PropertyType.PATH, "The keystore for enabling monitor SSL."), @Sensitive MONITOR_SSL_KEYSTOREPASS("monitor.ssl.keyStorePassword", "", PropertyType.STRING, "The keystore password for enabling monitor SSL."), + MONITOR_SSL_KEYSTORETYPE("monitor.ssl.keyStoreType", "", PropertyType.STRING, "Type of SSL keystore"), MONITOR_SSL_TRUSTSTORE("monitor.ssl.trustStore", "", PropertyType.PATH, "The truststore for enabling monitor SSL."), @Sensitive MONITOR_SSL_TRUSTSTOREPASS("monitor.ssl.trustStorePassword", "", PropertyType.STRING, "The truststore password for enabling monitor SSL."), + MONITOR_SSL_TRUSTSTORETYPE("monitor.ssl.trustStoreType", "", PropertyType.STRING, "Type of SSL truststore"), MONITOR_SSL_INCLUDE_CIPHERS("monitor.ssl.include.ciphers", "", PropertyType.STRING, "A comma-separated list of allows SSL Ciphers, see monitor.ssl.exclude.ciphers to disallow ciphers"), MONITOR_SSL_EXCLUDE_CIPHERS("monitor.ssl.exclude.ciphers", "", PropertyType.STRING, http://git-wip-us.apache.org/repos/asf/accumulo/blob/76ce7d92/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java ---------------------------------------------------------------------- diff --git a/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java b/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java index 7142ef1..8c23a16 100644 --- a/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java +++ b/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java 
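Review bot: The descriptions on the two new entries, `"Type of SSL keystore"` and `"Type of SSL truststore"`, do not name the accepted values or say what the empty default means. The neighbouring entries at least tie themselves to monitor SSL, and as far as this hunk shows the description is the only documentation the property carries. I would spell it out, for example `"The type of the monitor SSL keystore, e.g. JKS or PKCS12."` and the same wording for the truststore, with a clause on what happens when the value is left empty. The enum body continues outside the hunk.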
@@ -51,8 +51,10 @@ public class EmbeddedWebServer { SslContextFactory sslContextFactory = new SslContextFactory(); sslContextFactory.setKeyStorePath(conf.get(Property.MONITOR_SSL_KEYSTORE)); sslContextFactory.setKeyStorePassword(conf.get(Property.MONITOR_SSL_KEYSTOREPASS)); + sslContextFactory.setKeyStoreType(conf.get(Property.MONITOR_SSL_KEYSTORETYPE)); sslContextFactory.setTrustStorePath(conf.get(Property.MONITOR_SSL_TRUSTSTORE)); sslContextFactory.setTrustStorePassword(conf.get(Property.MONITOR_SSL_TRUSTSTOREPASS)); + sslContextFactory.setTrustStoreType(conf.get(Property.MONITOR_SSL_TRUSTSTORETYPE)); final String includedCiphers = conf.get(Property.MONITOR_SSL_INCLUDE_CIPHERS); if (!Property.MONITOR_SSL_INCLUDE_CIPHERS.getDefaultValue().equals(includedCiphers)) { http://git-wip-us.apache.org/repos/asf/accumulo/blob/76ce7d92/test/src/test/java/org/apache/accumulo/test/functional/MonitorSslIT.java ---------------------------------------------------------------------- diff --git a/test/src/test/java/org/apache/accumulo/test/functional/MonitorSslIT.java b/test/src/test/java/org/apache/accumulo/test/functional/MonitorSslIT.java new file mode 100644 index 0000000..c112139 --- /dev/null +++ b/test/src/test/java/org/apache/accumulo/test/functional/MonitorSslIT.java 
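Review bot: Both new setters are called unconditionally, so a site that leaves `monitor.ssl.keyStoreType` and `monitor.ssl.trustStoreType` unset passes the empty default from Property.java to `setKeyStoreType` and `setTrustStoreType`. Unless the factory treats an empty type as unset, which is not visible here, this replaces its built-in store type with an empty string, and an existing monitor SSL configuration could fail to load its keystore after upgrading. The cipher handling just below already skips values equal to the default, and the same guard fits here: `String ksType = conf.get(Property.MONITOR_SSL_KEYSTORETYPE);` then `if (!ksType.isEmpty()) sslContextFactory.setKeyStoreType(ksType);`, and likewise for the truststore. The new MonitorSslIT always sets both types, so the unset case is not exercised. The enclosing method starts and ends outside the hunk.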
@@ -0,0 +1,128 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.accumulo.test.functional; + +import org.apache.accumulo.core.conf.Property; +import org.apache.accumulo.core.util.MonitorUtil; +import org.apache.accumulo.minicluster.ServerType; +import org.apache.accumulo.minicluster.impl.MiniAccumuloConfigImpl; +import org.apache.hadoop.conf.Configuration; +import org.junit.BeforeClass; +import org.junit.Test; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.KeyManager; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSession; +import javax.net.ssl.TrustManager; +import javax.net.ssl.X509TrustManager; +import java.net.URL; +import java.security.KeyManagementException; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Map; + +import static org.junit.Assert.assertTrue; + +/** + * Check SSL for the Monitor + * + */ +public class MonitorSslIT extends ConfigurableMacIT { + @BeforeClass + public static void initHttps() throws NoSuchAlgorithmException, KeyManagementException { + SSLContext ctx 
= SSLContext.getInstance("SSL"); + TrustManager[] tm = new TrustManager[]{ + new TestTrustManager() + }; + ctx.init(new KeyManager[0], tm, new SecureRandom()); + SSLContext.setDefault(ctx); + HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()); + HttpsURLConnection.setDefaultHostnameVerifier(new TestHostnameVerifier()); + } + + private static class TestTrustManager implements X509TrustManager { + @Override + public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {} + + @Override + public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {} + + @Override + public X509Certificate[] getAcceptedIssuers() { + return null; + } + } + + private static class TestHostnameVerifier implements HostnameVerifier { + public boolean verify(String hostname, SSLSession session) { + return true; + } + } + + @Override + public int defaultTimeoutSeconds() { + return 6 * 60; + } + + @Override + public void configure(MiniAccumuloConfigImpl cfg, Configuration hadoopCoreSite) { + super.configure(cfg, hadoopCoreSite); + configureForSsl(cfg, createSharedTestDir(this.getClass().getName() + "-ssl")); + Map<String,String> siteConfig = cfg.getSiteConfig(); + siteConfig.put(Property.MONITOR_SSL_KEYSTORE.getKey(), siteConfig.get(Property.RPC_SSL_KEYSTORE_PATH.getKey())); + siteConfig.put(Property.MONITOR_SSL_KEYSTOREPASS.getKey(), siteConfig.get(Property.RPC_SSL_KEYSTORE_PASSWORD.getKey())); + if (siteConfig.containsKey(Property.RPC_SSL_KEYSTORE_TYPE.getKey())) { + siteConfig.put(Property.MONITOR_SSL_KEYSTORETYPE.getKey(), siteConfig.get(Property.RPC_SSL_KEYSTORE_TYPE.getKey())); + } else { + siteConfig.put(Property.MONITOR_SSL_KEYSTORETYPE.getKey(), Property.RPC_SSL_KEYSTORE_TYPE.getDefaultValue()); + } + siteConfig.put(Property.MONITOR_SSL_TRUSTSTORE.getKey(), siteConfig.get(Property.RPC_SSL_TRUSTSTORE_PATH.getKey())); + siteConfig.put(Property.MONITOR_SSL_TRUSTSTOREPASS.getKey(), 
siteConfig.get(Property.RPC_SSL_TRUSTSTORE_PASSWORD.getKey())); + if (siteConfig.containsKey(Property.RPC_SSL_TRUSTSTORE_TYPE.getKey())) { + siteConfig.put(Property.MONITOR_SSL_TRUSTSTORETYPE.getKey(), siteConfig.get(Property.RPC_SSL_TRUSTSTORE_TYPE.getKey())); + } else { + siteConfig.put(Property.MONITOR_SSL_TRUSTSTORETYPE.getKey(), Property.RPC_SSL_TRUSTSTORE_TYPE.getDefaultValue()); + } + cfg.setSiteConfig(siteConfig); + } + + @Test + public void test() throws Exception { + log.debug("Starting Monitor"); + cluster.getClusterControl().startAllServers(ServerType.MONITOR); + String monitorLocation = null; + while (null == monitorLocation) { + try { + monitorLocation = MonitorUtil.getLocation(getConnector().getInstance()); + } catch (Exception e) {} + if (null == monitorLocation) { + log.debug("Could not fetch monitor HTTP address from zookeeper"); + Thread.sleep(2000); + } + } + URL url = new URL("https://" + monitorLocation); + log.debug("Fetching web page " + url); + String result = FunctionalTestUtils.readAll(url.openStream()); + assertTrue(result.length() > 100); + assertTrue(result.indexOf("Accumulo Overview") >= 0); + } + +}
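Review bot: `initHttps` installs an accept-everything trust manager and an always-true hostname verifier as JVM-wide defaults (`SSLContext.setDefault`, `HttpsURLConnection.setDefaultSSLSocketFactory`, `setDefaultHostnameVerifier`) and nothing restores them. Any later test in the same JVM would then make HTTPS connections with no certificate or hostname validation. Saving the previous defaults in `@BeforeClass` and restoring them in an `@AfterClass` method keeps this confined to the class; it needs imports for `org.junit.AfterClass` and `javax.net.ssl.SSLSocketFactory`. Because the client trusts everything, the test shows that the monitor answers over HTTPS, but not that it presents the certificate from the configured keystore. Smaller points: `SSLContext.getInstance("SSL")` would be better as `"TLS"`, and `getAcceptedIssuers` should return `new X509Certificate[0]` rather than null.

```java
  // fields added to MonitorSslIT to remember the JVM defaults
  private static SSLContext savedContext;
  private static SSLSocketFactory savedSocketFactory;
  private static HostnameVerifier savedHostnameVerifier;

  @BeforeClass
  public static void initHttps() throws NoSuchAlgorithmException, KeyManagementException {
    savedContext = SSLContext.getDefault();
    savedSocketFactory = HttpsURLConnection.getDefaultSSLSocketFactory();
    savedHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
    // … unchanged: build ctx with TestTrustManager and install it as the default …
  }

  @AfterClass
  public static void restoreHttps() {
    SSLContext.setDefault(savedContext);
    HttpsURLConnection.setDefaultSSLSocketFactory(savedSocketFactory);
    HttpsURLConnection.setDefaultHostnameVerifier(savedHostnameVerifier);
  }
```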