This is an automated email from the ASF dual-hosted git repository.

mgaido pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-livy.git


The following commit(s) were added to refs/heads/master by this push:
     new 9042ff5  [LIVY-705][THRIFT] Support getting keystore password from 
Hadoop credential provider
9042ff5 is described below

commit 9042ff5b4a03cd302a884b5a74280d4b476792b7
Author: Wing Yew Poon <wyp...@cloudera.com>
AuthorDate: Wed Nov 6 10:54:42 2019 +0100

    [LIVY-705][THRIFT] Support getting keystore password from Hadoop credential 
provider
    
    ## What changes were proposed in this pull request?
    
    https://issues.apache.org/jira/browse/LIVY-705
    
    LIVY-475 added support for getting the keystore password and key password 
from a Hadoop credential provider file. The keystore password is also needed 
for SSL/TLS support in the Thrift server. In this change, we extend the support 
for getting the keystore password from the Hadoop credential provider to the 
Thrift server as well.
    
    ## How was this patch tested?
    
    Manually tested a Livy Thrift server that has 
livy.server.thrift.use.SSL=true, using both binary and http mode. Configured 
keystore password in a Hadoop credential provider file and provided the path to 
this file in livy.hadoop.security.credential.provider.path.
    
    Author: Wing Yew Poon <wyp...@cloudera.com>
    
    Closes #253 from wypoon/wypoon_LIVY-705.
---
 .../livy/thriftserver/cli/ThriftBinaryCLIService.scala     |  2 +-
 .../apache/livy/thriftserver/cli/ThriftCLIService.scala    | 14 ++++++++++++++
 .../livy/thriftserver/cli/ThriftHttpCLIService.scala       |  2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git 
a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala
 
b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala
index e16313d..734768f 100644
--- 
a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala
+++ 
b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala
@@ -76,7 +76,7 @@ class ThriftBinaryCLIService(override val cliService: 
LivyCLIService, val oomHoo
           throw new IllegalArgumentException(
             s"${LivyConf.SSL_KEYSTORE.key} Not configured for SSL connection")
         }
-        val keyStorePassword = livyConf.get(LivyConf.SSL_KEYSTORE_PASSWORD)
+        val keyStorePassword = getKeyStorePassword()
         val params = new TSSLTransportFactory.TSSLTransportParameters
         params.setKeyStore(keyStorePath, keyStorePassword)
         serverSocket =
diff --git 
a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftCLIService.scala
 
b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftCLIService.scala
index 9cced79..30e1f28 100644
--- 
a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftCLIService.scala
+++ 
b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftCLIService.scala
@@ -26,6 +26,7 @@ import javax.security.auth.login.LoginException
 import scala.collection.JavaConverters._
 
 import com.google.common.base.Preconditions.checkArgument
+import org.apache.hadoop.conf.Configuration
 import org.apache.hadoop.security.UserGroupInformation
 import org.apache.hadoop.security.authentication.util.KerberosName
 import org.apache.hadoop.security.authorize.ProxyUsers
@@ -83,6 +84,19 @@ abstract class ThriftCLIService(val cliService: 
LivyCLIService, val serviceName:
     super.init(livyConf)
   }
 
+  protected def getKeyStorePassword(): String =
+    Option(livyConf.get(LivyConf.SSL_KEYSTORE_PASSWORD)).orElse {
+      val credentialProviderPath = 
livyConf.get(LivyConf.HADOOP_CREDENTIAL_PROVIDER_PATH)
+      val hadoopConf = new Configuration()
+      if (credentialProviderPath != null) {
+        hadoopConf.set("hadoop.security.credential.provider.path", 
credentialProviderPath)
+      }
+      
Option(hadoopConf.getPassword(LivyConf.SSL_KEYSTORE_PASSWORD.key)).map(_.mkString)
+    }.getOrElse {
+      throw new IllegalArgumentException(
+        "Livy keystore password not configured for SSL connection")
+    }
+
   protected def initServer(): Unit
 
   override def start(): Unit = {
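Review bot: getKeyStorePassword has no documentation of its lookup order, and that order favours the clear-text value: `Option(livyConf.get(LivyConf.SSL_KEYSTORE_PASSWORD))` wins whenever it is non-null, including an empty string, so a leftover plain-text entry silently shadows the credential provider. A Scaladoc line such as `/** Keystore password: the LivyConf value if set, otherwise the Hadoop credential provider; throws IllegalArgumentException if neither yields one. */` would make the precedence explicit. If an empty password is never valid, `.filter(_.nonEmpty)` after the first `Option(...)` would let it fall through to the provider. Two further points are worth confirming: `Configuration.getPassword` may itself return a clear-text value from the Hadoop configuration when `hadoop.security.credential.clear-text-fallback` is enabled, and it declares IOException on provider errors, which is not mapped to the IllegalArgumentException that callers otherwise see.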
diff --git 
a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala
 
b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala
index 8a3d439..80122dc 100644
--- 
a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala
+++ 
b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala
@@ -83,11 +83,11 @@ class ThriftHttpCLIService(
       // Change connector if SSL is used
       val connector = if (useSsl) {
           val keyStorePath = livyConf.get(LivyConf.SSL_KEYSTORE).trim
-          val keyStorePassword = livyConf.get(LivyConf.SSL_KEYSTORE_PASSWORD)
           if (keyStorePath.isEmpty) {
             throw new IllegalArgumentException(
               s"${LivyConf.SSL_KEYSTORE.key} Not configured for SSL 
connection")
           }
+          val keyStorePassword = getKeyStorePassword()
           val sslContextFactory = new SslContextFactory
           val excludedProtocols = 
livyConf.get(LivyConf.THRIFT_SSL_PROTOCOL_BLACKLIST).split(",")
           info(s"HTTP Server SSL: adding excluded protocols: 
$excludedProtocols")
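Review bot: The context lines at the end of this hunk build `excludedProtocols` with `split(",")` and interpolate the resulting array straight into the `info(...)` message, so the log shows the array's default toString rather than the protocol names. That makes the line useless for auditing which TLS versions were disabled; `${excludedProtocols.mkString(",")}` would fix it. The entries are also not trimmed here, so a value like "SSLv2, SSLv3" would presumably carry a leading space into whatever consumes the list outside this hunk; `.split(",").map(_.trim)` is worth considering so that an exclusion cannot silently fail to match. The connector setup continues past the end of the hunk.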
