Repository: oozie Updated Branches: refs/heads/master acdf291ae -> ef6d0af5e
OOZIE-3157 Setup truststore so that it also works in HTTP only mode (kmarton via asasvari)
Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/ef6d0af5
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/ef6d0af5
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/ef6d0af5
Branch: refs/heads/master
Commit: ef6d0af5edeb18fbc0259d1962ac70f8ad7c2a0c
Parents: acdf291
Author: Attila Sasvari <asasv...@cloudera.com>
Authored: Fri Jan 26 16:52:56 2018 +0100
Committer: Attila Sasvari <asasv...@cloudera.com>
Committed: Fri Jan 26 16:52:56 2018 +0100
----------------------------------------------------------------------
 core/src/main/resources/oozie-default.xml | 8 -----
 docs/src/site/twiki/AG_Install.twiki | 6 ++--
 docs/src/site/twiki/DG_QuickStart.twiki | 5 +++
 release-log.txt | 1 +
 .../oozie/server/EmbeddedOozieServer.java | 18 +++++++++++
 .../oozie/server/SSLServerConnectorFactory.java | 19 +----------
 .../oozie/server/TestEmbeddedOozieServer.java | 32 +++++++++++++++++++-
 .../server/TestSSLServerConnectorFactory.java | 6 ----
 8 files changed, 60 insertions(+), 35 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/core/src/main/resources/oozie-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/oozie-default.xml b/core/src/main/resources/oozie-default.xml
index 5b5e34f..e53b17b 100644
--- a/core/src/main/resources/oozie-default.xml
+++ b/core/src/main/resources/oozie-default.xml
@@ -2645,14 +2645,6 @@ will be the requeue interval for the actions which are waiting for a long time w
 </property>
 <property>
- <name>oozie.https.truststore.pass</name>
- <value></value>
- <description>
- Password to the TrustStore.
- </description>
- </property>
-
- <property>
 <name>oozie.https.keystore.file</name>
 <value></value>
 <description>
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/docs/src/site/twiki/AG_Install.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/AG_Install.twiki b/docs/src/site/twiki/AG_Install.twiki
index 8f331e4..1504215 100644
--- a/docs/src/site/twiki/AG_Install.twiki
+++ b/docs/src/site/twiki/AG_Install.twiki
@@ -763,8 +763,10 @@ The keystore file will be named =.keystore= and located in the Oozie user's home
 2. Configure settings necessary for enabling SSL/TLS support in =oozie-site.xml=.
 2a. Set =oozie.https.enabled= to =true=. To revert back to HTTP, set =oozie.https.enabled= to =false=.
-2b. Set location and password for both the keystore and truststore by setting =oozie.https.keystore.file=,
-=oozie.https.keystore.pass=, =oozie.https.truststore.file= and =oozie.https.truststore.pass=.
+2b. Set location and password for the keystore and location for truststore by setting =oozie.https.keystore.file=,
+=oozie.https.keystore.pass=, =oozie.https.truststore.file=.
+
+*Note:* =oozie.https.truststore.file= can be overridden by setting =javax.net.ssl.trustStore= system property.
 The default HTTPS port Oozie listens on for secure connections is 11443; it can be changed via =oozie.https.port=.
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/docs/src/site/twiki/DG_QuickStart.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/DG_QuickStart.twiki b/docs/src/site/twiki/DG_QuickStart.twiki
index 08b574f..e3bdf32 100644
--- a/docs/src/site/twiki/DG_QuickStart.twiki
+++ b/docs/src/site/twiki/DG_QuickStart.twiki
@@ -146,6 +146,11 @@ $ bin/oozie-setup.sh sharelib create -fs <FS_URI> [-locallib <PATH>]
 db create|upgrade|postupgrade -run [-sqlfile <FILE>]
 </verbatim>
+*IMPORTANT*: If the Oozie server needs to establish secure connection with an external server with a self-signed certificate,
+make sure you specify the location of a truststore that contains required certificates. It can be done by configuring
+=oozie.https.truststore.file= in =oozie-site.xml=, or by setting the =javax.net.ssl.trustStore= system property.
+If it is set in both places, the value passed as system property will be used.
+
 The =-secure= option will configure Oozie to use HTTP (SSL); refer to [[AG_Install#Setting_Up_Oozie_with_HTTPS_SSL][Setting Up Oozie with HTTPS (SSL)]] for more details.
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index 7e42c7f..59c4d9b 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
 -- Oozie 5.0.0 release (trunk - unreleased)
+OOZIE-3157 Setup truststore so that it also works in HTTP only mode (kmarton via asasvari)
 OOZIE-3166 Remove tomcat alias from AG_Install.twiki: To use a Self-Signed Certificate part (kmarton via andras.piros)
 OOZIE-2775 Oozie server does not stop if there is an exception during service initalization at startup (asasvari)
 OOZIE-3145 >git status< should be clean after >mvn test< was called (kmarton via gezapeti)
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java b/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
index a0c27b8..e2bb730 100644
--- a/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
+++ b/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
@@ -51,6 +51,8 @@ import java.net.URISyntaxException;
 */
 public class EmbeddedOozieServer {
 private static final Logger LOG = LoggerFactory.getLogger(EmbeddedOozieServer.class);
+ protected static final String OOZIE_HTTPS_TRUSTSTORE_FILE = "oozie.https.truststore.file";
+ protected static final String TRUSTSTORE_PATH_SYSTEM_PROPERTY = "javax.net.ssl.trustStore";
 private static String contextPath;
 protected Server server;
 private int httpPort;
@@ -119,6 +121,7 @@ public class EmbeddedOozieServer {
 connector.setHost(conf.get(ConfigUtils.OOZIE_HTTP_HOSTNAME));
 HandlerCollection handlerCollection = new HandlerCollection();
+ setTrustStore();
 if (isSecured()) {
 httpsPort = getConfigPort(ConfigUtils.OOZIE_HTTPS_PORT);
@@ -145,6 +148,21 @@ public class EmbeddedOozieServer {
 server.setHandler(handlerCollection);
 }
+ /**
+ * set the truststore path from the config file, if is not set by the user
+ */
+ private void setTrustStore() {
+ if (System.getProperty(TRUSTSTORE_PATH_SYSTEM_PROPERTY) == null) {
+ final String trustStorePath = conf.get(OOZIE_HTTPS_TRUSTSTORE_FILE);
+ if (trustStorePath != null) {
+ LOG.info("Setting javax.net.ssl.trustStore from config file");
+ System.setProperty(TRUSTSTORE_PATH_SYSTEM_PROPERTY, trustStorePath);
+ }
+ } else {
+ LOG.info("javax.net.ssl.trustStore is already set. The value from config file will be ignored");
+ }
+ }
+
 private void addErrorHandler() {
 ErrorPageErrorHandler errorHandler = new ErrorPageErrorHandler();
 errorHandler.addErrorPage(HttpServletResponse.SC_BAD_REQUEST, "/error");
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
----------------------------------------------------------------------
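Review bot: setTrustStore() in the third hunk publishes the path read from oozie.https.truststore.file without checking that the file exists or is readable, and the info log does not say which path was chosen. As far as I recall, a javax.net.ssl.trustStore that points at a missing file does not fall back to cacerts but yields an empty trust store, so a typo in oozie-site.xml would only surface later as a handshake failure on the first outbound TLS connection — worth confirming for the JDKs Oozie supports. A startup check such as `if (!Files.isReadable(Paths.get(trustStorePath))) { LOG.warn(String.format("Truststore %s configured via %s is not readable", trustStorePath, OOZIE_HTTPS_TRUSTSTORE_FILE)); }` (java.nio.file imports needed) plus `LOG.info(String.format("Setting javax.net.ssl.trustStore to %s from config file", trustStorePath));` would give operators a usable diagnostic. Since this commit also removes oozie.https.truststore.pass, a JKS truststore is now opened without its integrity-check password unless javax.net.ssl.trustStorePassword is passed on the JVM command line; the Javadoc on setTrustStore() should say so, and should note that the property is process-wide and only affects SSLContexts created after setup() runs.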
diff --git a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
index 0b024e8..466cefc 100644
--- a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
+++ b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
@@ -41,8 +41,6 @@ import java.util.Arrays;
 */
 class SSLServerConnectorFactory {
 private static final Logger LOG = LoggerFactory.getLogger(SSLServerConnectorFactory.class);
- public static final String OOZIE_HTTPS_TRUSTSTORE_FILE = "oozie.https.truststore.file";
- public static final String OOZIE_HTTPS_TRUSTSTORE_PASS = "oozie.https.truststore.pass";
 public static final String OOZIE_HTTPS_KEYSTORE_PASS = "oozie.https.keystore.pass";
 public static final String OOZIE_HTTPS_KEYSTORE_FILE = "oozie.https.keystore.file";
 public static final String OOZIE_HTTPS_EXCLUDE_PROTOCOLS = "oozie.https.exclude.protocols";
@@ -79,9 +77,6 @@ class SSLServerConnectorFactory {
 setIncludeCipherSuites();
 setExludeCipherSuites();
- setTrustStorePath();
- setTrustStorePass();
-
 setKeyStoreFile();
 setKeystorePass();
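Review bot: After the second hunk the server-side SslContextFactory is configured without any truststore, and nothing in the enclosing method (which starts before this hunk) records that this is deliberate. As far as I know, a Jetty SslContextFactory with no truststore path falls back to the keystore for validating client certificates, which is harmless only while Oozie never enables client-certificate authentication on this connector — I cannot see from here whether it does. A one-line comment where the two calls were removed would stop a future reader from re-adding them for the wrong reason: `// No truststore on the server side: this connector only presents the keystore; trust for outbound TLS is set JVM-wide by EmbeddedOozieServer.setTrustStore().`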
@@ -134,20 +129,8 @@ class SSLServerConnectorFactory {
 LOG.info(String.format("SSL context - excluding protocols: %s", Arrays.toString(excludedProtocols)));
 }
- private void setTrustStorePath() {
- String trustStorePath = conf.get(OOZIE_HTTPS_TRUSTSTORE_FILE);
- Preconditions.checkNotNull(trustStorePath, "trustStorePath is null");
- sslContextFactory.setTrustStorePath(trustStorePath);
- }
-
- private void setTrustStorePass() {
- String trustStorePass = ConfigurationService.getPassword(conf, OOZIE_HTTPS_TRUSTSTORE_PASS).trim();
- Preconditions.checkNotNull(trustStorePass, "setTrustStorePass is null");
- sslContextFactory.setTrustStorePassword(trustStorePass);
- }
-
 private void setKeystorePass() {
- String keystorePass = ConfigurationService.getPassword(conf, OOZIE_HTTPS_KEYSTORE_PASS).trim();
+ String keystorePass = ConfigurationService.getPassword(conf, OOZIE_HTTPS_KEYSTORE_PASS);
 Preconditions.checkNotNull(keystorePass, "keystorePass is null");
 sslContextFactory.setKeyManagerPassword(keystorePass);
 }
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java b/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
index b72247e..58543e6 100644
--- a/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
+++ b/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
@@ -31,6 +31,7 @@ import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.webapp.WebAppContext;
 import org.junit.After;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
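Review bot: Dropping `.trim()` in setKeystorePass() is a behaviour change unrelated to the truststore work and is not mentioned in the commit message: a keystore password that previously worked with surrounding whitespace in oozie-site.xml (an XML `<value>` is easily split across lines, and as far as I recall Hadoop's Configuration.getPassword does not trim the config fallback) will now be passed verbatim and fail to unlock the keystore at startup. The removal does make the following `Preconditions.checkNotNull(keystorePass, "keystorePass is null")` meaningful for the first time, since `getPassword(...).trim()` threw NullPointerException before the check could run. Either keep the trimming after the null check, `String keystorePass = ConfigurationService.getPassword(conf, OOZIE_HTTPS_KEYSTORE_PASS); Preconditions.checkNotNull(keystorePass, "keystorePass is null"); keystorePass = keystorePass.trim();`, or call the change out in the release note so operators know to check their stored password.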
@@ -47,6 +48,7 @@ import static org.mockito.Matchers.anyObject;
 import static org.mockito.Matchers.isA;
 import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
@@ -69,8 +71,10 @@ public class TestEmbeddedOozieServer {
 @Mock private FilterMapper oozieFilterMapper;
 @Mock private ConstraintSecurityHandler constraintSecurityHandler;
 private EmbeddedOozieServer embeddedOozieServer;
+ private String confTruststoreFile = "oozie.truststore";
- @Before public void setUp() {
+
+ @Before public void setUp() throws IOException {
 embeddedOozieServer = new EmbeddedOozieServer(mockServer, mockJspHandler, mockServices, mockSSLServerConnectorFactory, mockOozieRewriteHandler, servletContextHandler, oozieServletMapper, oozieFilterMapper, constraintSecurityHandler);
@@ -87,9 +91,13 @@ public class TestEmbeddedOozieServer {
 doReturn(new Handler[0]).when(mockOozieRewriteHandler).getChildHandlers();
 doReturn(new Handler[0]).when(servletContextHandler).getChildHandlers();
 doReturn(new Handler[0]).when(constraintSecurityHandler).getChildHandlers();
+ doReturn(confTruststoreFile).when(mockConfiguration).get(EmbeddedOozieServer.OOZIE_HTTPS_TRUSTSTORE_FILE);
+ System.clearProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY);
 }
 @After public void tearDown() {
+ System.clearProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY);
+
 verify(mockServices).get(ConfigurationService.class);
 verifyNoMoreInteractions(
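Review bot: In the second hunk `confTruststoreFile` is an instance field that is never reassigned and holds a fixed literal; it reads as a constant and should be declared as one, `private static final String CONF_TRUSTSTORE_FILE = "oozie.truststore";`, with the three uses renamed. The same hunk adds `throws IOException` to setUp(), but nothing visible in the hunk throws it; if the constructor call or the lines after the hunk do not require it, drop the clause so the signature does not suggest I/O that the test never does. The property clearing in setUp() and tearDown() is the right shape for a JVM-global setting, though a comment such as `// javax.net.ssl.trustStore is process-wide; reset it so tests cannot leak state into each other` would make the intent clear.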
@@ -105,8 +113,29 @@ public class TestEmbeddedOozieServer {
 embeddedOozieServer.setup();
 verify(mockJspHandler).setupWebAppContext(isA(WebAppContext.class));
+
+ // trustore parameters will have to be set even in case of an insecure setup
+ Assert.assertEquals(confTruststoreFile, System.getProperty("javax.net.ssl.trustStore"));
 }
+ /**
+ * test case for when the trustore path is set via system property
+ * expected result: the path is used from the system property and the value is not even retrieved from the config file
+ */
+ @Test
+ public void testServerSetupTruststorePathSetViaSystemProperty() throws Exception {
+ final String truststorePath2 = "truststore.jks";
+ doReturn(String.valueOf(false)).when(mockConfiguration).get("oozie.https.enabled");
+ System.setProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY, truststorePath2);
+
+ embeddedOozieServer.setup();
+ verify(mockJspHandler).setupWebAppContext(isA(WebAppContext.class));
+
+ Assert.assertEquals(truststorePath2, System.getProperty("javax.net.ssl.trustStore"));
+ verify(mockConfiguration, never()).get(EmbeddedOozieServer.OOZIE_HTTPS_TRUSTSTORE_FILE);
+ }
+
+
 @Test
 public void testSecureServerSetup() throws Exception {
 doReturn("true").when(mockConfiguration).get("oozie.https.enabled");
@@ -121,6 +150,7 @@ public class TestEmbeddedOozieServer {
 verify(mockJspHandler).setupWebAppContext(isA(WebAppContext.class));
 verify(mockSSLServerConnectorFactory).createSecureServerConnector(
 isA(Integer.class), isA(Configuration.class), isA(Server.class));
+ Assert.assertEquals(confTruststoreFile, System.getProperty("javax.net.ssl.trustStore"));
 }
 @Test(expected=NumberFormatException.class)
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
----------------------------------------------------------------------
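Review bot: The branch of setTrustStore() where neither the system property nor oozie.https.truststore.file is set is not covered by the first hunk: the new test checks the system-property override and the existing tests check the config path, but nothing asserts that the property stays unset when the config value is null. A third test along the lines of `doReturn(null).when(mockConfiguration).get(EmbeddedOozieServer.OOZIE_HTTPS_TRUSTSTORE_FILE);` followed by `embeddedOozieServer.setup();` and `Assert.assertNull(System.getProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY));` would pin that behaviour. All three new assertions spell out the literal `"javax.net.ssl.trustStore"` while the surrounding lines use `EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY`; using the constant in the assertions keeps the tests tied to the code under test. The two new comments spell it "trustore"; the test method whose body the first hunk extends starts before the hunk.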
diff --git a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
index 2b48f7f..f926a09 100644
--- a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
+++ b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
@@ -39,8 +39,6 @@ import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_INCL
 import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_INCLUDE_PROTOCOLS;
 import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_KEYSTORE_FILE;
 import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_KEYSTORE_PASS;
-import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_TRUSTSTORE_FILE;
-import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_TRUSTSTORE_PASS;
 import static org.apache.oozie.util.ConfigUtils.OOZIE_HTTP_PORT;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Mockito.never;
@@ -62,8 +60,6 @@ public class TestSSLServerConnectorFactory {
 @Before public void setUp() {
 testConfig = new Configuration();
- testConfig.set(OOZIE_HTTPS_TRUSTSTORE_FILE, "test_truststore_file");
- testConfig.set(OOZIE_HTTPS_TRUSTSTORE_PASS, "trustpass");
 testConfig.set(OOZIE_HTTPS_KEYSTORE_FILE, "test_keystore_file");
 testConfig.set(OOZIE_HTTPS_KEYSTORE_PASS, "keypass");
 testConfig.set(OOZIE_HTTP_PORT, "11000");
@@ -81,8 +77,6 @@ public class TestSSLServerConnectorFactory {
 @After public void tearDown() {
- verify(mockSSLContextFactory).setTrustStorePath(anyString());
- verify(mockSSLContextFactory).setTrustStorePassword(anyString());
 verify(mockSSLContextFactory).setKeyStorePath(anyString());
 verify(mockSSLContextFactory).setKeyManagerPassword(anyString());
 verifyNoMoreInteractions(