This is an automated email from the ASF dual-hosted git repository. mgaido pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-livy.git
The following commit(s) were added to refs/heads/master by this push: new 9042ff5 [LIVY-705][THRIFT] Support getting keystore password from Hadoop credential provider 9042ff5 is described below commit 9042ff5b4a03cd302a884b5a74280d4b476792b7 Author: Wing Yew Poon <wyp...@cloudera.com> AuthorDate: Wed Nov 6 10:54:42 2019 +0100 [LIVY-705][THRIFT] Support getting keystore password from Hadoop credential provider ## What changes were proposed in this pull request? https://issues.apache.org/jira/browse/LIVY-705 LIVY-475 added support for getting the keystore password and key password from a Hadoop credential provider file. The keystore password is also needed for SSL/TLS support in the Thrift server. In this change, we extend the support for getting the keystore password from the Hadoop credential provider to the Thrift server as well. ## How was this patch tested? Manually tested a Livy Thrift server that has livy.server.thrift.use.SSL=true, using both binary and http mode. Configured keystore password in a Hadoop credential provider file and provided the path to this file in livy.hadoop.security.credential.provider.path. Author: Wing Yew Poon <wyp...@cloudera.com> Closes #253 from wypoon/wypoon_LIVY-705.
---
.../livy/thriftserver/cli/ThriftBinaryCLIService.scala | 2 +-
.../apache/livy/thriftserver/cli/ThriftCLIService.scala | 14 ++++++++++++++
.../livy/thriftserver/cli/ThriftHttpCLIService.scala | 2 +-
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala
index e16313d..734768f 100644
--- a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala
+++ b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala
@@ -76,7 +76,7 @@ class ThriftBinaryCLIService(override val cliService: LivyCLIService, val oomHoo
 throw new IllegalArgumentException(
 s"${LivyConf.SSL_KEYSTORE.key} Not configured for SSL connection")
 }
- val keyStorePassword = livyConf.get(LivyConf.SSL_KEYSTORE_PASSWORD)
+ val keyStorePassword = getKeyStorePassword()
 val params = new TSSLTransportFactory.TSSLTransportParameters
 params.setKeyStore(keyStorePath, keyStorePassword)
 serverSocket =
diff --git a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftCLIService.scala b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftCLIService.scala
index 9cced79..30e1f28 100644
--- a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftCLIService.scala
+++ b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftCLIService.scala
@@ -26,6 +26,7 @@ import javax.security.auth.login.LoginException
 import scala.collection.JavaConverters._
 import com.google.common.base.Preconditions.checkArgument
+import org.apache.hadoop.conf.Configuration
 import org.apache.hadoop.security.UserGroupInformation
 import org.apache.hadoop.security.authentication.util.KerberosName
 import org.apache.hadoop.security.authorize.ProxyUsers
@@ -83,6 +84,19 @@ abstract class ThriftCLIService(val cliService: LivyCLIService, val serviceName:
 super.init(livyConf)
 }
+ protected def getKeyStorePassword(): String =
+ Option(livyConf.get(LivyConf.SSL_KEYSTORE_PASSWORD)).orElse {
+ val credentialProviderPath = livyConf.get(LivyConf.HADOOP_CREDENTIAL_PROVIDER_PATH)
+ val hadoopConf = new Configuration()
+ if (credentialProviderPath != null) {
+ hadoopConf.set("hadoop.security.credential.provider.path", credentialProviderPath)
+ }
+ Option(hadoopConf.getPassword(LivyConf.SSL_KEYSTORE_PASSWORD.key)).map(_.mkString)
+ }.getOrElse {
+ throw new IllegalArgumentException(
+ "Livy keystore password not configured for SSL connection")
+ }
+
 protected def initServer(): Unit
 override def start(): Unit = {
diff --git a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala
index 8a3d439..80122dc 100644
--- a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala
+++ b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala
@@ -83,11 +83,11 @@ class ThriftHttpCLIService(
 // Change connector if SSL is used
 val connector = if (useSsl) {
 val keyStorePath = livyConf.get(LivyConf.SSL_KEYSTORE).trim
- val keyStorePassword = livyConf.get(LivyConf.SSL_KEYSTORE_PASSWORD)
 if (keyStorePath.isEmpty) {
 throw new IllegalArgumentException(
 s"${LivyConf.SSL_KEYSTORE.key} Not configured for SSL connection")
 }
+ val keyStorePassword = getKeyStorePassword()
 val sslContextFactory = new SslContextFactory
 val excludedProtocols = livyConf.get(LivyConf.THRIFT_SSL_PROTOCOL_BLACKLIST).split(",")
 info(s"HTTP Server SSL: adding excluded protocols: $excludedProtocols")
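Review bot: The `IllegalArgumentException` raised at the end of `getKeyStorePassword` names neither configuration key, unlike the keystore-path check in both callers which reports `LivyConf.SSL_KEYSTORE.key`, so an operator cannot tell from the message whether the plain setting or the credential-provider alias is what is missing; suggest `s"${LivyConf.SSL_KEYSTORE_PASSWORD.key} not configured, directly or via ${LivyConf.HADOOP_CREDENTIAL_PROVIDER_PATH.key}, for SSL connection"`. The new protected method also has no Scaladoc; it should state the lookup order (the `LivyConf` value first, then `Configuration.getPassword` under the alias `LivyConf.SSL_KEYSTORE_PASSWORD.key`, with `hadoop.security.credential.provider.path` taken from `LivyConf` when set and otherwise left to whatever the default Hadoop resources presumably supply, so the fallback is not a no-op when the Livy path is unset). It is worth documenting that `.mkString` turns the `char[]` returned by `getPassword` into an immutable heap `String` that cannot be scrubbed, which is tolerable only because the Thrift and Jetty keystore setters in the callers take `String`. Note as well that `getPassword` declares `IOException`, which propagates out of this method and its `initServer` callers unwrapped, whereas every other configuration failure on this path is an `IllegalArgumentException`.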
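Review bot: The `info(...)` call on the last line of the ThriftHttpCLIService hunk interpolates `excludedProtocols`, which is the `Array[String]` produced by `split(",")`, so the log records the array's identity hash rather than the protocol names and leaves no usable audit trail of which TLS protocols were actually disabled on this connector. The line is retained unchanged by this commit, but since the hunk touches the SSL setup it is the natural place to fix it: `info(s"HTTP Server SSL: adding excluded protocols: ${excludedProtocols.mkString(",")}")`. The enclosing `val connector = if (useSsl) { ... }` block continues past the end of the hunk.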