
HADOOP-14341. Support multi-line value for ssl.server.exclude.cipher.list. Contributed by John Zhuge.

(cherry picked from commit 9ccb849eb69f05bccc3435306ec4bde104e411bf)

Conflicts:
	hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
	hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
John Zhuge 8 years ago
parent
commit
1e60cfed7e

+ 3 - 1
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfigRedactor.java

@@ -25,6 +25,8 @@ import java.util.regex.Pattern;
 
 import static org.apache.hadoop.fs.CommonConfigurationKeys.*;
 
+import org.apache.hadoop.util.StringUtils;
+
 /**
  * Tool for redacting sensitive information when displaying config parameters.
  *
@@ -43,7 +45,7 @@ public class ConfigRedactor {
         HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS,
         HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT);
     List<String> sensitiveRegexes =
-        Arrays.asList(sensitiveRegexList.trim().split("[,\\s]+"));
+        Arrays.asList(StringUtils.getTrimmedStrings(sensitiveRegexList));
     compiledPatterns = new ArrayList<Pattern>();
     for (String regex : sensitiveRegexes) {
       Pattern p = Pattern.compile(regex);
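Review bot: The replaced split pattern `[,\\s]+` treated any whitespace run as a separator, while `StringUtils.getTrimmedStrings` splits only on commas and newlines, so a `hadoop.security.sensitive-config-keys` value whose regexes are separated by spaces or tabs alone (e.g. `password$ secret$`) now compiles into a single regex that effectively matches no key, and those values are silently no longer redacted. Because this key guards secret redaction, either keep whitespace as a separator here (`split("[,\\s]+")` was not part of the cipher-list problem this commit solves) or document the comma/newline-only format on the key and log the compiled patterns at debug level, as SSLFactory does for the cipher list, so an operator can see what is actually in force. Whether any deployment relies on space-separated patterns is not visible from this hunk. The enclosing constructor starts before the hunk.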

+ 3 - 1
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java

@@ -67,6 +67,7 @@ import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.Shell;
+import org.apache.hadoop.util.StringUtils;
 import org.mortbay.io.Buffer;
 import org.mortbay.jetty.Connector;
 import org.mortbay.jetty.Handler;
@@ -377,7 +378,8 @@ public final class HttpServer2 implements FilterContainer {
       }
 
       if(null != excludeCiphers && !excludeCiphers.isEmpty()) {
-        c.setExcludeCipherSuites(excludeCiphers.split(","));
+        c.setExcludeCipherSuites(
+            StringUtils.getTrimmedStrings(excludeCiphers));
         LOG.info("Excluded Cipher List:" + excludeCiphers);
       }
       return c;
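Review bot: The `LOG.info` line at the end of this hunk still prints the raw `excludeCiphers` string, and with the multi-line values this commit enables that string can now carry embedded newlines and tabs straight into the server log, splitting one record across several lines. Log the parsed list instead, mirroring what SSLFactory does in this same commit: `String[] excluded = StringUtils.getTrimmedStrings(excludeCiphers);` / `c.setExcludeCipherSuites(excluded);` / `LOG.info("Excluded Cipher List:" + StringUtils.join(",", excluded));` (wrap with `Arrays.asList(excluded)` if only the Iterable overload of `join` exists on this branch). The enclosing method starts before the hunk.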

+ 9 - 12
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java

@@ -39,7 +39,6 @@ import java.security.GeneralSecurityException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Iterator;
-import java.util.LinkedList;
 import java.util.List;
 
 /**
@@ -75,9 +74,9 @@ public class SSLFactory implements ConnectionConfigurator {
   public static final String KEYSTORES_FACTORY_CLASS_KEY =
     "hadoop.ssl.keystores.factory.class";
 
-  public static final String SSL_ENABLED_PROTOCOLS =
+  public static final String SSL_ENABLED_PROTOCOLS_KEY =
       "hadoop.ssl.enabled.protocols";
-  public static final String DEFAULT_SSL_ENABLED_PROTOCOLS =
+  public static final String SSL_ENABLED_PROTOCOLS_DEFAULT =
       "TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2";
   public static final String SSL_SERVER_EXCLUDE_CIPHER_LIST =
       "ssl.server.exclude.cipher.list";
@@ -114,15 +113,13 @@ public class SSLFactory implements ConnectionConfigurator {
                       FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
     keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);
 
-    enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS,
-        DEFAULT_SSL_ENABLED_PROTOCOLS);
-    String excludeCiphersConf =
-        sslConf.get(SSL_SERVER_EXCLUDE_CIPHER_LIST, "");
-    if (excludeCiphersConf.isEmpty()) {
-      excludeCiphers = new LinkedList<String>();
-    } else {
-      LOG.debug("will exclude cipher suites: {}", excludeCiphersConf);
-      excludeCiphers = Arrays.asList(excludeCiphersConf.split(","));
+    enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS_KEY,
+        SSL_ENABLED_PROTOCOLS_DEFAULT);
+    excludeCiphers = Arrays.asList(
+        sslConf.getTrimmedStrings(SSL_SERVER_EXCLUDE_CIPHER_LIST));
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("will exclude cipher suites: {}",
+          StringUtils.join(",", excludeCiphers));
     }
   }
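Review bot: Renaming the public constants `SSL_ENABLED_PROTOCOLS` and `DEFAULT_SSL_ENABLED_PROTOCOLS` in the second hunk breaks source compatibility for any downstream code that references `SSLFactory.SSL_ENABLED_PROTOCOLS`, which is a surprising side effect in a cherry-pick whose subject is the exclude-cipher list. Keep the old names as deprecated aliases, `@Deprecated public static final String SSL_ENABLED_PROTOCOLS = SSL_ENABLED_PROTOCOLS_KEY;` and `@Deprecated public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = SSL_ENABLED_PROTOCOLS_DEFAULT;`, or leave the rename out of the backport. The init code in the last hunk looks correct; note only that `excludeCiphers` is now a fixed-size `Arrays.asList` view rather than the earlier mutable `LinkedList`, which matters only if something outside this hunk adds to it. The enclosing method starts before the hunk.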
 

+ 5 - 4
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/StringUtils.java

@@ -429,10 +429,11 @@ public class StringUtils {
   }
   
   /**
-   * Splits a comma separated value <code>String</code>, trimming leading and
-   * trailing whitespace on each value.
+   * Splits a comma or newline separated value <code>String</code>, trimming
+   * leading and trailing whitespace on each value.
    *
-   * @param str a comma separated <code>String</code> with values, may be null
+   * @param str a comma or newline separated <code>String</code> with values,
+   *            may be null
    * @return an array of <code>String</code> values, empty array if null String
    *         input
    */
@@ -441,7 +442,7 @@ public class StringUtils {
       return emptyStringArray;
     }
 
-    return str.trim().split("\\s*,\\s*");
+    return str.trim().split("\\s*[,\n]\\s*");
   }
 
   final public static String[] emptyStringArray = {};
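Review bot: `str.trim().split("\\s*[,\n]\\s*")` recompiles the regex on every call of a utility that apparently sits behind every `Configuration.getTrimmedStrings` lookup (SSLFactory now relies on that path); hoist it to a `private static final Pattern COMMA_OR_NEWLINE = Pattern.compile("\\s*[,\n]\\s*");` and use `COMMA_OR_NEWLINE.split(str.trim())`, adding the `java.util.regex.Pattern` import if the file lacks it. The Javadoc should also state that the newline separator now applies to every caller of this method, not just the cipher list, and that a lone `\r` is not a separator (`\r\n` works only because `\r` is absorbed by `\s*`). No `TestStringUtils` change is part of this commit; a direct test with newline-only separators and `\r\n` would pin the behaviour independently of the SSL tests. The method signature starts before this hunk.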

+ 11 - 10
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java

@@ -41,6 +41,7 @@ import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
 import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.hadoop.test.GenericTestUtils;
+import org.apache.hadoop.util.StringUtils;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -62,21 +63,21 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
   private static String sslConfDir;
   private static SSLFactory clientSslFactory;
   private static final String excludeCiphers = "TLS_ECDHE_RSA_WITH_RC4_128_SHA,"
-      + "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,"
+      + "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, \n"
       + "SSL_RSA_WITH_DES_CBC_SHA,"
-      + "SSL_DHE_RSA_WITH_DES_CBC_SHA,"
-      + "SSL_RSA_EXPORT_WITH_RC4_40_MD5,"
+      + "SSL_DHE_RSA_WITH_DES_CBC_SHA,  "
+      + "SSL_RSA_EXPORT_WITH_RC4_40_MD5,\t \n"
       + "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,"
-      + "SSL_RSA_WITH_RC4_128_MD5";
+      + "SSL_RSA_WITH_RC4_128_MD5 \t";
   private static final String oneEnabledCiphers = excludeCiphers
       + ",TLS_RSA_WITH_AES_128_CBC_SHA";
   private static final String exclusiveEnabledCiphers
-      = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
+      = "\tTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \n"
       + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
       + "TLS_RSA_WITH_AES_128_CBC_SHA,"
-      + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,"
+      + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,  "
       + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,"
-      + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
+      + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\t\n "
       + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
 
   @BeforeClass
@@ -169,7 +170,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
     SSLSocketFactory sslSocketF = clientSslFactory.createSSLSocketFactory();
     PrefferedCipherSSLSocketFactory testPreferredCipherSSLSocketF
         = new PrefferedCipherSSLSocketFactory(sslSocketF,
-            excludeCiphers.split(","));
+        StringUtils.getTrimmedStrings(excludeCiphers));
     conn.setSSLSocketFactory(testPreferredCipherSSLSocketF);
     assertFalse("excludedCipher list is empty", excludeCiphers.isEmpty());
     try {
@@ -193,7 +194,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
     SSLSocketFactory sslSocketF = clientSslFactory.createSSLSocketFactory();
     PrefferedCipherSSLSocketFactory testPreferredCipherSSLSocketF
         = new PrefferedCipherSSLSocketFactory(sslSocketF,
-            oneEnabledCiphers.split(","));
+        StringUtils.getTrimmedStrings(oneEnabledCiphers));
     conn.setSSLSocketFactory(testPreferredCipherSSLSocketF);
     assertFalse("excludedCipher list is empty", oneEnabledCiphers.isEmpty());
     try {
@@ -219,7 +220,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
     SSLSocketFactory sslSocketF = clientSslFactory.createSSLSocketFactory();
     PrefferedCipherSSLSocketFactory testPreferredCipherSSLSocketF
         = new PrefferedCipherSSLSocketFactory(sslSocketF,
-            exclusiveEnabledCiphers.split(","));
+        StringUtils.getTrimmedStrings(exclusiveEnabledCiphers));
     conn.setSSLSocketFactory(testPreferredCipherSSLSocketF);
     assertFalse("excludedCipher list is empty",
         exclusiveEnabledCiphers.isEmpty());
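Review bot: Every newline added to these test constants is preceded by a comma (`, \n`, `,\t \n`, `,\t\n `), so the separator this commit introduces, a bare newline with no comma, is never exercised here, and a regression back to comma-only splitting would still pass. Drop the comma on at least one element, e.g. replace `+ "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, \n"` with `+ "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA\n"`, in both `excludeCiphers` and `exclusiveEnabledCiphers`. The unchanged `assertFalse("excludedCipher list is empty", ...)` checks test the raw constant strings and can never fail; asserting on `StringUtils.getTrimmedStrings(...).length` would actually validate the parsing. The enclosing test methods start before their hunks.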

+ 6 - 4
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java

@@ -25,6 +25,7 @@ import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.security.alias.CredentialProviderFactory;
 import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
 import org.apache.hadoop.test.GenericTestUtils;
+import org.apache.hadoop.util.StringUtils;
 import org.apache.log4j.Level;
 import org.junit.After;
 import org.junit.Assert;
@@ -57,10 +58,10 @@ public class TestSSLFactory {
     new File(BASEDIR).getAbsolutePath();
   private String sslConfsDir;
   private static final String excludeCiphers = "TLS_ECDHE_RSA_WITH_RC4_128_SHA,"
-      + "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,"
+      + "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,  \n"
       + "SSL_RSA_WITH_DES_CBC_SHA,"
-      + "SSL_DHE_RSA_WITH_DES_CBC_SHA,"
-      + "SSL_RSA_EXPORT_WITH_RC4_40_MD5,"
+      + "SSL_DHE_RSA_WITH_DES_CBC_SHA,  "
+      + "SSL_RSA_EXPORT_WITH_RC4_40_MD5,\t \n"
       + "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,"
       + "SSL_RSA_WITH_RC4_128_MD5";
 
@@ -190,7 +191,8 @@ public class TestSSLFactory {
     SSLEngine serverSSLEngine = serverSSLFactory.createSSLEngine();
     SSLEngine clientSSLEngine = clientSSLFactory.createSSLEngine();
     // client selects cipher suites excluded by server
-    clientSSLEngine.setEnabledCipherSuites(excludeCiphers.split(","));
+    clientSSLEngine.setEnabledCipherSuites(
+        StringUtils.getTrimmedStrings(excludeCiphers));
 
     // use the same buffer size for server and client.
     SSLSession session = clientSSLEngine.getSession();
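Review bot: As in TestSSLHttpServer, the newlines inserted into `excludeCiphers` (`,  \n` and `,\t \n`) always follow a comma, so the newline-only separator path is not covered by this test either; drop the comma on one element, e.g. `+ "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA\n"`. `SSLEngine.setEnabledCipherSuites` rejects an unknown suite name with `IllegalArgumentException`, so this test already fails loudly on any trimming regression, and a newline-only element would extend that same check to the new separator. The enclosing test method starts before the hunk.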