HADOOP-11300. KMS startup scripts must not display the keystore / truststore passwords. Contributed by Arun Suresh.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/56f3eecc Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/56f3eecc Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/56f3eecc Branch: refs/heads/HDFS-EC Commit: 56f3eecc129486d3297d082d9b97f26b40d0a2c6 Parents: 78f7cdb Author: Andrew Wang <w...@apache.org> Authored: Tue Nov 25 15:12:04 2014 -0800 Committer: Andrew Wang <w...@apache.org> Committed: Tue Nov 25 15:12:04 2014 -0800 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 3 + hadoop-common-project/hadoop-kms/pom.xml | 4 +- .../hadoop-kms/src/main/libexec/kms-config.sh | 5 +- .../hadoop-kms/src/main/sbin/kms.sh | 17 ++- .../hadoop-kms/src/main/tomcat/ssl-server.xml | 135 ------------------ .../src/main/tomcat/ssl-server.xml.conf | 136 +++++++++++++++++++ 6 files changed, 158 insertions(+), 142 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/56f3eecc/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 5540e51..1419f25 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -465,6 +465,9 @@ Release 2.7.0 - UNRELEASED HADOOP-11322. key based ACL check in KMS always check KeyOpType.MANAGEMENT even actual KeyOpType is not MANAGEMENT. (Dian Fu via yliu) + HADOOP-11300. KMS startup scripts must not display the keystore / + truststore passwords. (Arun Suresh via wang) + Release 2.6.0 - 2014-11-18 INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/56f3eecc/hadoop-common-project/hadoop-kms/pom.xml ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/pom.xml b/hadoop-common-project/hadoop-kms/pom.xml index fda25aa..c33b33e 100644 --- a/hadoop-common-project/hadoop-kms/pom.xml +++ b/hadoop-common-project/hadoop-kms/pom.xml @@ -397,8 +397,8 @@ <delete file="${kms.tomcat.dist.dir}/conf/server.xml"/> <copy file="${basedir}/src/main/tomcat/server.xml" toDir="${kms.tomcat.dist.dir}/conf"/> - <delete file="${kms.tomcat.dist.dir}/conf/ssl-server.xml"/> - <copy file="${basedir}/src/main/tomcat/ssl-server.xml" + <delete file="${kms.tomcat.dist.dir}/conf/ssl-server.xml.conf"/> + <copy file="${basedir}/src/main/tomcat/ssl-server.xml.conf" toDir="${kms.tomcat.dist.dir}/conf"/> <delete file="${kms.tomcat.dist.dir}/conf/logging.properties"/> http://git-wip-us.apache.org/repos/asf/hadoop/blob/56f3eecc/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh index dc603d4..d36ab4d 100644 --- a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh +++ b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh @@ -152,9 +152,10 @@ fi if [ "${KMS_SSL_KEYSTORE_PASS}" = "" ]; then export KMS_SSL_KEYSTORE_PASS=password - print "Setting KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}" + print "Setting KMS_SSL_KEYSTORE_PASS: ********" else - print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}" + KMS_SSL_KEYSTORE_PASS_DISP=`echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'` + print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS_DISP}" fi if [ "${CATALINA_BASE}" = "" ]; then http://git-wip-us.apache.org/repos/asf/hadoop/blob/56f3eecc/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh index b43225f..1e40e10 100644 --- a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh +++ b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh @@ -36,7 +36,11 @@ source ${HADOOP_LIBEXEC_DIR:-${BASEDIR}/libexec}/kms-config.sh # The Java System property 'kms.http.port' it is not used by Kms, # it is used in Tomcat's server.xml configuration file # -print "Using CATALINA_OPTS: ${CATALINA_OPTS}" + +# Mask the trustStorePassword +KMS_SSL_TRUSTSTORE_PASS=`echo $CATALINA_OPTS | grep -o 'trustStorePassword=[^ ]*' | awk -F'=' '{print $2}'` +CATALINA_OPTS_DISP=`echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/trustStorePassword=***/'` +print "Using CATALINA_OPTS: ${CATALINA_OPTS_DISP}" catalina_opts="-Dkms.home.dir=${KMS_HOME}"; catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}"; @@ -46,11 +50,11 @@ catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}"; catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}"; catalina_opts="${catalina_opts} -Dkms.max.threads=${KMS_MAX_THREADS}"; catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}"; -catalina_opts="${catalina_opts} -Dkms.ssl.keystore.pass=${KMS_SSL_KEYSTORE_PASS}"; print "Adding to CATALINA_OPTS: ${catalina_opts}" +print "Found KMS_SSL_KEYSTORE_PASS: `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`" -export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}" +export CATALINA_OPTS="${CATALINA_OPTS_DISP} ${catalina_opts}" # A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server # @@ -58,4 +62,11 @@ if [ "${1}" = "stop" ]; then export JAVA_OPTS=${CATALINA_OPTS} fi +# If ssl, the populate the passwords into ssl-server.xml before starting tomcat +if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "" ]; then + cat ${CATALINA_BASE}/conf/ssl-server.xml.conf \ + | sed 's/_kms_ssl_keystore_pass_/'${KMS_SSL_KEYSTORE_PASS}'/g' \ + | sed 's/_kms_ssl_truststore_pass_/'${KMS_SSL_TRUSTSTORE_PASS}'/g' > ${CATALINA_BASE}/conf/ssl-server.xml +fi + exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@" http://git-wip-us.apache.org/repos/asf/hadoop/blob/56f3eecc/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml deleted file mode 100644 index 5215ded..0000000 --- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml +++ /dev/null @@ -1,135 +0,0 @@ -<?xml version='1.0' encoding='utf-8'?> -<!-- - - All Rights Reserved. - - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<!-- Note: A "Server" is not itself a "Container", so you may not - define subcomponents such as "Valves" at this level. - Documentation at /docs/config/server.html - --> -<Server port="${kms.admin.port}" shutdown="SHUTDOWN"> - - <!--APR library loader. Documentation at /docs/apr.html --> - <Listener className="org.apache.catalina.core.AprLifecycleListener" - SSLEngine="on"/> - <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> - <Listener className="org.apache.catalina.core.JasperListener"/> - <!-- Prevent memory leaks due to use of particular java/javax APIs--> - <Listener - className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/> - <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html --> - <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/> - <Listener - className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/> - - <!-- Global JNDI resources - Documentation at /docs/jndi-resources-howto.html - --> - <GlobalNamingResources> - <!-- Editable user database that can also be used by - UserDatabaseRealm to authenticate users - --> - <Resource name="UserDatabase" auth="Container" - type="org.apache.catalina.UserDatabase" - description="User database that can be updated and saved" - factory="org.apache.catalina.users.MemoryUserDatabaseFactory" - pathname="conf/tomcat-users.xml"/> - </GlobalNamingResources> - - <!-- A "Service" is a collection of one or more "Connectors" that share - a single "Container" Note: A "Service" is not itself a "Container", - so you may not define subcomponents such as "Valves" at this level. - Documentation at /docs/config/service.html - --> - <Service name="Catalina"> - - <!--The connectors can use a shared executor, you can define one or more named thread pools--> - <!-- - <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" - maxThreads="150" minSpareThreads="4"/> - --> - - <!-- Define a SSL HTTP/1.1 Connector on port 8443 - This connector uses the JSSE configuration, when using APR, the - connector should be using the OpenSSL style configuration - described in the APR documentation --> - <Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true" - maxThreads="${kms.max.threads}" scheme="https" secure="true" - clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello" - keystoreFile="${kms.ssl.keystore.file}" - keystorePass="${kms.ssl.keystore.pass}"/> - - <!-- Define an AJP 1.3 Connector on port 8009 --> - - - <!-- An Engine represents the entry point (within Catalina) that processes - every request. The Engine implementation for Tomcat stand alone - analyzes the HTTP headers included with the request, and passes them - on to the appropriate Host (virtual host). - Documentation at /docs/config/engine.html --> - - <!-- You should set jvmRoute to support load-balancing via AJP ie : - <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> - --> - <Engine name="Catalina" defaultHost="localhost"> - - <!--For clustering, please take a look at documentation at: - /docs/cluster-howto.html (simple how to) - /docs/config/cluster.html (reference documentation) --> - <!-- - <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> - --> - - <!-- The request dumper valve dumps useful debugging information about - the request and response data received and sent by Tomcat. - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.valves.RequestDumperValve"/> - --> - - <!-- This Realm uses the UserDatabase configured in the global JNDI - resources under the key "UserDatabase". Any edits - that are performed against this UserDatabase are immediately - available for use by the Realm. --> - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <!-- Define the default virtual host - Note: XML Schema validation will not work with Xerces 2.2. - --> - <Host name="localhost" appBase="webapps" - unpackWARs="true" autoDeploy="true" - xmlValidation="false" xmlNamespaceAware="false"> - - <!-- SingleSignOn valve, share authentication between web applications - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> - --> - - <!-- Access log processes all example. - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" - prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> - --> - - </Host> - </Engine> - </Service> -</Server> http://git-wip-us.apache.org/repos/asf/hadoop/blob/56f3eecc/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf new file mode 100644 index 0000000..b60da47 --- /dev/null +++ b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf @@ -0,0 +1,136 @@ +<?xml version='1.0' encoding='utf-8'?> +<!-- + + All Rights Reserved. + + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<!-- Note: A "Server" is not itself a "Container", so you may not + define subcomponents such as "Valves" at this level. + Documentation at /docs/config/server.html + --> +<Server port="${kms.admin.port}" shutdown="SHUTDOWN"> + + <!--APR library loader. Documentation at /docs/apr.html --> + <Listener className="org.apache.catalina.core.AprLifecycleListener" + SSLEngine="on"/> + <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> + <Listener className="org.apache.catalina.core.JasperListener"/> + <!-- Prevent memory leaks due to use of particular java/javax APIs--> + <Listener + className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/> + <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html --> + <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/> + <Listener + className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/> + + <!-- Global JNDI resources + Documentation at /docs/jndi-resources-howto.html + --> + <GlobalNamingResources> + <!-- Editable user database that can also be used by + UserDatabaseRealm to authenticate users + --> + <Resource name="UserDatabase" auth="Container" + type="org.apache.catalina.UserDatabase" + description="User database that can be updated and saved" + factory="org.apache.catalina.users.MemoryUserDatabaseFactory" + pathname="conf/tomcat-users.xml"/> + </GlobalNamingResources> + + <!-- A "Service" is a collection of one or more "Connectors" that share + a single "Container" Note: A "Service" is not itself a "Container", + so you may not define subcomponents such as "Valves" at this level. + Documentation at /docs/config/service.html + --> + <Service name="Catalina"> + + <!--The connectors can use a shared executor, you can define one or more named thread pools--> + <!-- + <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" + maxThreads="150" minSpareThreads="4"/> + --> + + <!-- Define a SSL HTTP/1.1 Connector on port 8443 + This connector uses the JSSE configuration, when using APR, the + connector should be using the OpenSSL style configuration + described in the APR documentation --> + <Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true" + maxThreads="${kms.max.threads}" scheme="https" secure="true" + clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello" + truststorePass="_kms_ssl_truststore_pass_" + keystoreFile="${kms.ssl.keystore.file}" + keystorePass="_kms_ssl_keystore_pass_"/> + + <!-- Define an AJP 1.3 Connector on port 8009 --> + + + <!-- An Engine represents the entry point (within Catalina) that processes + every request. The Engine implementation for Tomcat stand alone + analyzes the HTTP headers included with the request, and passes them + on to the appropriate Host (virtual host). + Documentation at /docs/config/engine.html --> + + <!-- You should set jvmRoute to support load-balancing via AJP ie : + <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> + --> + <Engine name="Catalina" defaultHost="localhost"> + + <!--For clustering, please take a look at documentation at: + /docs/cluster-howto.html (simple how to) + /docs/config/cluster.html (reference documentation) --> + <!-- + <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> + --> + + <!-- The request dumper valve dumps useful debugging information about + the request and response data received and sent by Tomcat. + Documentation at: /docs/config/valve.html --> + <!-- + <Valve className="org.apache.catalina.valves.RequestDumperValve"/> + --> + + <!-- This Realm uses the UserDatabase configured in the global JNDI + resources under the key "UserDatabase". Any edits + that are performed against this UserDatabase are immediately + available for use by the Realm. --> + <Realm className="org.apache.catalina.realm.UserDatabaseRealm" + resourceName="UserDatabase"/> + + <!-- Define the default virtual host + Note: XML Schema validation will not work with Xerces 2.2. + --> + <Host name="localhost" appBase="webapps" + unpackWARs="true" autoDeploy="true" + xmlValidation="false" xmlNamespaceAware="false"> + + <!-- SingleSignOn valve, share authentication between web applications + Documentation at: /docs/config/valve.html --> + <!-- + <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> + --> + + <!-- Access log processes all example. + Documentation at: /docs/config/valve.html --> + <!-- + <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" + prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> + --> + + </Host> + </Engine> + </Service> +</Server>