STORM-721. Storm UI server should support SSL. Added client-side auth configs.


Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/cc2520a0
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/cc2520a0
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/cc2520a0

Branch: refs/heads/master
Commit: cc2520a07c2c5005e14dddd21663d14dc3867bc2
Parents: 604026f
Author: Sriharsha Chintalapani <m...@harsha.io>
Authored: Wed Apr 1 13:54:44 2015 -0700
Committer: Sriharsha Chintalapani <m...@harsha.io>
Committed: Wed Apr 1 13:54:44 2015 -0700

----------------------------------------------------------------------
 SECURITY.md                                     | 27 ++++++++++
 .../src/clj/backtype/storm/daemon/drpc.clj      | 14 ++++-
 storm-core/src/clj/backtype/storm/ui/core.clj   | 14 ++++-
 .../src/clj/backtype/storm/ui/helpers.clj       | 15 ++++--
 storm-core/src/jvm/backtype/storm/Config.java   | 55 ++++++++++++++++++++
 5 files changed, 118 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/storm/blob/cc2520a0/SECURITY.md
----------------------------------------------------------------------
diff --git a/SECURITY.md b/SECURITY.md
index 6b73254..7133003 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -34,6 +34,7 @@ IPsec to encrypt all traffic being sent between the hosts in 
the cluster.
 | 3774 | `drpc.http.port` | External HTTP DRPC Clients | DRPC |
 | 670{0,1,2,3} | `supervisor.slots.ports` | Worker Processes | Worker 
Processes |
 
+
 ### UI/Logviewer
 
 The UI and logviewer processes provide a way to not only see what a cluster is
@@ -78,6 +79,32 @@ curl  -i --negotiate -u:anyUser  -b ~/cookiejar.txt -c 
~/cookiejar.txt  http://s
 
 **Caution**: In AD MIT Keberos setup the key size is bigger than the default 
UI jetty server request header size. Make sure you set ui.header.buffer.bytes 
to 65536 in storm.yaml. More details are on 
[STORM-633](https://issues.apache.org/jira/browse/STORM-633)
 
+
+## UI / DRPC SSL 
+
+Both UI and DRPC allows users to configure ssl .
+
+### UI
+
+For UI users needs to set following config in storm.yaml. Generating keystores 
with proper keys and certs should be taken care by the user before this step.
+
+1. ui.https.port 
+2. ui.https.keystore.type (example "jks")
+3. ui.https.keystore.path (example "/etc/ssl/storm_keystore.jks")
+4. ui.https.keystore.password (keystore password)
+5. ui.https.key.password (private key password)
+
+### DRPC
+similarly to UI users need to configure following 
+
+1. drpc.https.port 
+2. drpc.https.keystore.type (example "jks")
+3. drpc.https.keystore.path (example "/etc/ssl/storm_keystore.jks")
+4. drpc.https.keystore.password (keystore password)
+5. drpc.https.key.password (private key password)
+
+
+
 ## Authentication (Kerberos)
 
 Storm offers pluggable authentication support through thrift and SASL.  This

http://git-wip-us.apache.org/repos/asf/storm/blob/cc2520a0/storm-core/src/clj/backtype/storm/daemon/drpc.clj
----------------------------------------------------------------------
diff --git a/storm-core/src/clj/backtype/storm/daemon/drpc.clj 
b/storm-core/src/clj/backtype/storm/daemon/drpc.clj
index 2ab3cce..eae16a1 100644
--- a/storm-core/src/clj/backtype/storm/daemon/drpc.clj
+++ b/storm-core/src/clj/backtype/storm/daemon/drpc.clj
@@ -226,7 +226,12 @@
               https-ks-path (conf DRPC-HTTPS-KEYSTORE-PATH)
               https-ks-password (conf DRPC-HTTPS-KEYSTORE-PASSWORD)
               https-ks-type (conf DRPC-HTTPS-KEYSTORE-TYPE)
-              https-key-password (conf DRPC-HTTPS-KEY-PASSWORD)]
+              https-key-password (conf DRPC-HTTPS-KEY-PASSWORD)
+              https-ts-path (conf DRPC-HTTPS-TRUSTSTORE-PATH)
+              https-ts-password (conf DRPC-HTTPS-TRUSTSTORE-PASSWORD)
+              https-ts-type (conf DRPC-HTTPS-TRUSTSTORE-TYPE)
+              https-want-client-auth (conf DRPC-HTTPS-WANT-CLIENT-AUTH)
+              https-need-client-auth (conf DRPC-HTTPS-NEED-CLIENT-AUTH)]
 
           (storm-run-jetty
            {:port drpc-http-port
@@ -236,7 +241,12 @@
                                         https-ks-path
                                         https-ks-password
                                         https-ks-type
-                                        https-key-password)
+                                        https-key-password
+                                        https-ts-path
+                                        https-ts-password
+                                        https-ts-type
+                                        https-need-client-auth
+                                        https-want-client-auth)
                             (config-filter server app filters-confs))})))
       (when handler-server
         (.serve handler-server)))))

http://git-wip-us.apache.org/repos/asf/storm/blob/cc2520a0/storm-core/src/clj/backtype/storm/ui/core.clj
----------------------------------------------------------------------
diff --git a/storm-core/src/clj/backtype/storm/ui/core.clj 
b/storm-core/src/clj/backtype/storm/ui/core.clj
index 42cb920..23cde65 100644
--- a/storm-core/src/clj/backtype/storm/ui/core.clj
+++ b/storm-core/src/clj/backtype/storm/ui/core.clj
@@ -1083,7 +1083,12 @@
           https-ks-path (conf UI-HTTPS-KEYSTORE-PATH)
           https-ks-password (conf UI-HTTPS-KEYSTORE-PASSWORD)
           https-ks-type (conf UI-HTTPS-KEYSTORE-TYPE)
-          https-key-password (conf UI-HTTPS-KEY-PASSWORD)]
+          https-key-password (conf UI-HTTPS-KEY-PASSWORD)
+          https-ts-path (conf UI-HTTPS-TRUSTSTORE-PATH)
+          https-ts-password (conf UI-HTTPS-TRUSTSTORE-PASSWORD)
+          https-ts-type (conf UI-HTTPS-TRUSTSTORE-TYPE)
+          https-want-client-auth (conf UI-HTTPS-WANT-CLIENT-AUTH)
+          https-need-client-auth (conf UI-HTTPS-NEED-CLIENT-AUTH)]
       (storm-run-jetty {:port (conf UI-PORT)
                         :host (conf UI-HOST)
                         :https-port https-port
@@ -1093,7 +1098,12 @@
                                                     https-ks-path
                                                     https-ks-password
                                                     https-ks-type
-                                                    https-key-password)
+                                                    https-key-password
+                                                    https-ts-path
+                                                    https-ts-password
+                                                    https-ts-type
+                                                    https-need-client-auth
+                                                    https-want-client-auth)
                                         (doseq [connector (.getConnectors 
server)]
                                           (.setRequestHeaderSize connector 
header-buffer-size))
                                         (config-filter server app 
filters-confs))}))

http://git-wip-us.apache.org/repos/asf/storm/blob/cc2520a0/storm-core/src/clj/backtype/storm/ui/helpers.clj
----------------------------------------------------------------------
diff --git a/storm-core/src/clj/backtype/storm/ui/helpers.clj 
b/storm-core/src/clj/backtype/storm/ui/helpers.clj
index 1eae3ac..70ef179 100644
--- a/storm-core/src/clj/backtype/storm/ui/helpers.clj
+++ b/storm-core/src/clj/backtype/storm/ui/helpers.clj
@@ -136,7 +136,8 @@
 (defn unauthorized-user-html [user]
   [[:h2 "User '" (escape-html user) "' is not authorized."]])
 
-(defn- mk-ssl-connector [port ks-path ks-password ks-type key-password]
+(defn- mk-ssl-connector [port ks-path ks-password ks-type key-password
+                         ts-path ts-password ts-type need-client-auth 
want-client-auth]
   (let [sslContextFactory (doto (SslContextFactory.)
                             (.setExcludeCipherSuites (into-array String 
["SSL_RSA_WITH_RC4_128_MD5" "SSL_RSA_WITH_RC4_128_SHA"]))
                             (.setExcludeProtocols (into-array String 
["SSLv3"]))
@@ -145,13 +146,21 @@
                             (.setKeyStoreType ks-type)
                             (.setKeyStorePassword ks-password)
                             (.setKeyManagerPassword key-password))]
+    (if (and (not-nil? ts-path) (not-nil? ts-password) (not-nil? ts-type))
+      ((.setTrustStore sslContextFactory ts-path)
+       (.setTrustStoreType sslContextFactory ts-type)
+       (.setTrustStoreType sslContextFactory ts-password)))
+    (if (need-client-auth) (.setNeedClientAuth sslContextFactory true)
+        (if (want-client-auth) (.setWantClientAuth sslContextFactory true)))
     (doto (SslSocketConnector. sslContextFactory)
       (.setPort port))))
 
 
-(defn config-ssl [server port ks-path ks-password ks-type key-password]
+(defn config-ssl [server port ks-path ks-password ks-type key-password
+                  ts-path ts-password ts-type need-client-auth 
want-client-auth]
   (when (> port 0)
-    (.addConnector server (mk-ssl-connector port ks-path ks-password ks-type 
key-password))))
+    (.addConnector server (mk-ssl-connector port ks-path ks-password ks-type 
key-password
+                                            ts-path ts-password ts-type 
need-client-auth want-client-auth))))
 
 (defn cors-filter-handler
   []
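Review bot: The truststore block added to mk-ssl-connector cannot run as written: the three setter calls are wrapped in an extra pair of parentheses, so the (void/nil) result of `(.setTrustStore sslContextFactory ts-path)` is invoked as a function, and the third call repeats `.setTrustStoreType` with `ts-password` instead of calling `.setTrustStorePassword`, so the truststore password is never set and the type is overwritten. The client-auth checks `(need-client-auth)` and `(want-client-auth)` likewise call the Boolean config values as functions and will throw (NPE when unset, ClassCastException when set) rather than enable client authentication, which means the need/want flags this commit documents are never applied to the connector. Both forms should become a `doto` inside a `when` and a `cond` that tests the values directly, keeping `need` ahead of `want` so a required-client-cert setting wins. mk-ssl-connector's body starts in the previous hunk.

```clojure
    (when (and (not-nil? ts-path) (not-nil? ts-password) (not-nil? ts-type))
      (doto sslContextFactory
        (.setTrustStore ts-path)
        (.setTrustStoreType ts-type)
        (.setTrustStorePassword ts-password)))
    (cond
      need-client-auth (.setNeedClientAuth sslContextFactory true)
      want-client-auth (.setWantClientAuth sslContextFactory true))
    ;; … unchanged: SslSocketConnector construction …
```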

http://git-wip-us.apache.org/repos/asf/storm/blob/cc2520a0/storm-core/src/jvm/backtype/storm/Config.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/backtype/storm/Config.java 
b/storm-core/src/jvm/backtype/storm/Config.java
index a1bc419..d7f715b 100644
--- a/storm-core/src/jvm/backtype/storm/Config.java
+++ b/storm-core/src/jvm/backtype/storm/Config.java
@@ -597,6 +597,33 @@ public class Config extends HashMap<String, Object> {
     public static final String UI_HTTPS_KEY_PASSWORD = "ui.https.key.password";
     public static final Object UI_HTTPS_KEY_PASSWORD_SCHEMA = String.class;
 
+    /**
+     * Path to the truststore used by Storm UI settting up HTTPS (SSL).
+     */
+    public static final String UI_HTTPS_TRUSTSTORE_PATH = 
"ui.https.truststore.path";
+    public static final Object UI_HTTPS_TRUSTSTORE_PATH_SCHEMA = String.class;
+
+    /**
+     * Password to the truststore used by Storm UI settting up HTTPS (SSL).
+     */
+    public static final String UI_HTTPS_TRUSTSTORE_PASSWORD = 
"ui.https.truststore.password";
+    public static final Object UI_HTTPS_TRUSTSTORE_PASSWORD_SCHEMA = 
String.class;
+
+    /**
+     * Type of truststore used by Storm UI for setting up HTTPS (SSL).
+     * see 
http://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html for more 
details.
+     */
+    public static final String UI_HTTPS_TRUSTSTORE_TYPE = 
"ui.https.truststore.type";
+    public static final Object UI_HTTPS_TRUSTSTORE_TYPE_SCHEMA = String.class;
+
+    /**
+     * Password to the truststore used by Storm DRPC settting up HTTPS (SSL).
+     */
+    public static final String UI_HTTPS_WANT_CLIENT_AUTH = 
"ui.https.want.client.auth";
+    public static final Object UI_HTTPS_WANT_CLIENT_AUTH_SCHEMA = 
Boolean.class;
+
+    public static final String UI_HTTPS_NEED_CLIENT_AUTH = 
"ui.https.need.client.auth";
+    public static final Object UI_HTTPS_NEED_CLIENT_AUTH_SCHEMA = 
Boolean.class;
 
 
     /**
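Review bot: The Javadoc on `UI_HTTPS_WANT_CLIENT_AUTH` is a copy of the truststore-password comment ("Password to the truststore used by Storm DRPC ...") and `UI_HTTPS_NEED_CLIENT_AUTH` has no Javadoc at all; the same two problems recur for `DRPC_HTTPS_WANT_CLIENT_AUTH` and `DRPC_HTTPS_NEED_CLIENT_AUTH` in the next hunk. Since these are the knobs an operator uses to decide whether a client certificate is merely requested or strictly required, the comments should say so, e.g. for want: `Whether the UI HTTPS connector requests a client certificate but still accepts connections that do not present one.` and for need: `Whether the UI HTTPS connector requires a valid client certificate; when both are set, this takes precedence over ui.https.want.client.auth.`. The UI truststore comments also say "Storm DRPC" in places and "settting" is misspelled throughout both hunks.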
@@ -643,6 +670,34 @@ public class Config extends HashMap<String, Object> {
     public static final Object DRPC_HTTPS_KEY_PASSWORD_SCHEMA = String.class;
 
     /**
+     * Path to the truststore used by Storm DRPC settting up HTTPS (SSL).
+     */
+    public static final String DRPC_HTTPS_TRUSTSTORE_PATH = 
"drpc.https.truststore.path";
+    public static final Object DRPC_HTTPS_TRUSTSTORE_PATH_SCHEMA = 
String.class;
+
+    /**
+     * Password to the truststore used by Storm DRPC settting up HTTPS (SSL).
+     */
+    public static final String DRPC_HTTPS_TRUSTSTORE_PASSWORD = 
"drpc.https.truststore.password";
+    public static final Object DRPC_HTTPS_TRUSTSTORE_PASSWORD_SCHEMA = 
String.class;
+
+    /**
+     * Type of truststore used by Storm DRPC for setting up HTTPS (SSL).
+     * see 
http://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html for more 
details.
+     */
+    public static final String DRPC_HTTPS_TRUSTSTORE_TYPE = 
"drpc.https.truststore.type";
+    public static final Object DRPC_HTTPS_TRUSTSTORE_TYPE_SCHEMA = 
String.class;
+
+    /**
+     * Password to the truststore used by Storm DRPC settting up HTTPS (SSL).
+     */
+    public static final String DRPC_HTTPS_WANT_CLIENT_AUTH = 
"drpc.https.want.client.auth";
+    public static final Object DRPC_HTTPS_WANT_CLIENT_AUTH_SCHEMA = 
Boolean.class;
+
+    public static final String DRPC_HTTPS_NEED_CLIENT_AUTH = 
"drpc.https.need.client.auth";
+    public static final Object DRPC_HTTPS_NEED_CLIENT_AUTH_SCHEMA = 
Boolean.class;
+
+    /**
      * The DRPC transport plug-in for Thrift client/server communication
      */
     public static final String DRPC_THRIFT_TRANSPORT_PLUGIN = 
"drpc.thrift.transport";
