Home Explore Help
Register Sign In
apache
/
hadoop
mirror of https://github.com/apache/hadoop.git
2
0
Fork 1
Files Issues 0 Wiki
Browse Source

HADOOP-14083. KMS should support old SSL clients. (John Zhuge via Lei Xu)

Lei Xu 8 years ago
parent
1eec911cd9
commit
d440ad46b5
6 changed files with 84 additions and 16 deletions
Unified View Show Diff Stats
  1. 3 0
      hadoop-common-project/hadoop-kms/pom.xml
  2. 4 0
      hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
  3. 33 2
      hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
  4. 38 13
      hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
  5. 1 0
      hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
  6. 5 1
      hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm

+ 3 - 0
hadoop-common-project/hadoop-kms/pom.xml
View File 

@@ -394,6 +394,9 @@
 
                     <delete dir="${project.build.directory}/tomcat.exp"/>
 
                     <delete dir="${project.build.directory}/tomcat.exp"/>
 
                     <delete dir="${kms.tomcat.dist.dir}/webapps"/>
 
                     <delete dir="${kms.tomcat.dist.dir}/webapps"/>
 
                     <mkdir dir="${kms.tomcat.dist.dir}/webapps"/>
 
                     <mkdir dir="${kms.tomcat.dist.dir}/webapps"/>
 
+                    <delete file="${kms.tomcat.dist.dir}/conf/catalina-default.properties"/>
 
+                    <copy file="${basedir}/src/main/tomcat/catalina-default.properties"
 
+                          toDir="${kms.tomcat.dist.dir}/conf"/>
 
                     <delete file="${kms.tomcat.dist.dir}/conf/server.xml"/>
 
                     <delete file="${kms.tomcat.dist.dir}/conf/server.xml"/>
 
                     <copy file="${basedir}/src/main/tomcat/server.xml"
 
                     <copy file="${basedir}/src/main/tomcat/server.xml"
 
                           toDir="${kms.tomcat.dist.dir}/conf"/>
 
                           toDir="${kms.tomcat.dist.dir}/conf"/>

+ 4 - 0
hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
View File 

@@ -66,6 +66,10 @@
 
 #
 
 #
 
 # export KMS_MAX_HTTP_HEADER_SIZE=65536
 
 # export KMS_MAX_HTTP_HEADER_SIZE=65536
 
 
 
+# The comma separated list of encryption ciphers for SSL
 
+#
 
+# export KMS_SSL_CIPHERS=
 
+
 
 # The location of the SSL keystore if using SSL
 
 # The location of the SSL keystore if using SSL
 
 #
 
 #
 
 # export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
 
 # export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore

+ 33 - 2
hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
View File 

@@ -56,7 +56,10 @@ print "Setting KMS_HOME:          ${KMS_HOME}"
 
 if [ -e "${KMS_HOME}/bin/kms-env.sh" ]; then
 
 if [ -e "${KMS_HOME}/bin/kms-env.sh" ]; then
 
   print "Sourcing:                    ${KMS_HOME}/bin/kms-env.sh"
 
   print "Sourcing:                    ${KMS_HOME}/bin/kms-env.sh"
 
   source ${KMS_HOME}/bin/kms-env.sh
 
   source ${KMS_HOME}/bin/kms-env.sh
 
-  grep "^ *export " ${KMS_HOME}/bin/kms-env.sh | sed 's/ *export/  setting/'
 
+  if [ "${KMS_SILENT}" != "true" ]; then
 
+    grep "^ *export " "${KMS_HOME}/bin/kms-env.sh" |
 
+      sed 's/ *export/  setting/'
 
+  fi
 
 fi
 
 fi
 
 
 
 # verify that the sourced env file didn't change KMS_HOME
 
 # verify that the sourced env file didn't change KMS_HOME
 
@@ -81,7 +84,10 @@ kms_config=${KMS_CONFIG}
 
 if [ -e "${KMS_CONFIG}/kms-env.sh" ]; then
 
 if [ -e "${KMS_CONFIG}/kms-env.sh" ]; then
 
   print "Sourcing:                    ${KMS_CONFIG}/kms-env.sh"
 
   print "Sourcing:                    ${KMS_CONFIG}/kms-env.sh"
 
   source ${KMS_CONFIG}/kms-env.sh
 
   source ${KMS_CONFIG}/kms-env.sh
 
-  grep "^ *export " ${KMS_CONFIG}/kms-env.sh | sed 's/ *export/  setting/'
 
+  if [ "${KMS_SILENT}" != "true" ]; then
 
+    grep "^ *export " "${KMS_CONFIG}/kms-env.sh" |
 
+      sed 's/ *export/  setting/'
 
+  fi
 
 fi
 
 fi
 
 
 
 # verify that the sourced env file didn't change KMS_HOME
 
 # verify that the sourced env file didn't change KMS_HOME
 
@@ -171,6 +177,31 @@ else
 
   print "Using   KMS_MAX_HTTP_HEADER_SIZE:     ${KMS_MAX_HTTP_HEADER_SIZE}"
 
   print "Using   KMS_MAX_HTTP_HEADER_SIZE:     ${KMS_MAX_HTTP_HEADER_SIZE}"
 
 fi
 
 fi
 
 
 
+if [ "${KMS_SSL_CIPHERS}" = "" ]; then
 
+  export KMS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
 
+  KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
 
+  KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
 
+  KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
 
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
 
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"
 
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"
 
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
 
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"
 
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_256_CBC_SHA256"
 
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_256_CBC_SHA"
 
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_128_CBC_SHA256"
 
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_128_CBC_SHA"
 
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_3DES_EDE_CBC_SHA"
 
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
 
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
 
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
 
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
 
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
 
+  print "Setting KMS_SSL_CIPHERS:           ${KMS_SSL_CIPHERS}"
 
+else
 
+  print "Using   KMS_SSL_CIPHERS:           ${KMS_SSL_CIPHERS}"
 
+fi
 
+
 
 if [ "${KMS_SSL_KEYSTORE_FILE}" = "" ]; then
 
 if [ "${KMS_SSL_KEYSTORE_FILE}" = "" ]; then
 
   export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
 
   export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
 
   print "Setting KMS_SSL_KEYSTORE_FILE:     ${KMS_SSL_KEYSTORE_FILE}"
 
   print "Setting KMS_SSL_KEYSTORE_FILE:     ${KMS_SSL_KEYSTORE_FILE}"

+ 38 - 13
hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
View File 

@@ -59,18 +59,6 @@ CATALINA_OPTS_DISP=`echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/t
 
 print "Using   CATALINA_OPTS:       ${CATALINA_OPTS_DISP}"
 
 print "Using   CATALINA_OPTS:       ${CATALINA_OPTS_DISP}"
 
 
 
 catalina_opts="-Dproc_kms"
 
 catalina_opts="-Dproc_kms"
 
-catalina_opts="${catalina_opts} -Dkms.home.dir=${KMS_HOME}";
 
-catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}";
 
-catalina_opts="${catalina_opts} -Dkms.log.dir=${KMS_LOG}";
 
-catalina_opts="${catalina_opts} -Dkms.temp.dir=${KMS_TEMP}";
 
-catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}";
 
-catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}";
 
-catalina_opts="${catalina_opts} -Dkms.protocol=${KMS_PROTOCOL}";
 
-catalina_opts="${catalina_opts} -Dkms.max.threads=${KMS_MAX_THREADS}";
 
-catalina_opts="${catalina_opts} -Dkms.accept.count=${KMS_ACCEPT_COUNT}";
 
-catalina_opts="${catalina_opts} -Dkms.acceptor.thread.count=${KMS_ACCEPTOR_THREAD_COUNT}";
 
-catalina_opts="${catalina_opts} -Dkms.max.http.header.size=${KMS_MAX_HTTP_HEADER_SIZE}";
 
-catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}";
 
 catalina_opts="${catalina_opts} -Djava.library.path=${JAVA_LIBRARY_PATH}";
 
 catalina_opts="${catalina_opts} -Djava.library.path=${JAVA_LIBRARY_PATH}";
 
 
 
 print "Adding to CATALINA_OPTS:     ${catalina_opts}"
 
 print "Adding to CATALINA_OPTS:     ${catalina_opts}"
 
@@ -78,6 +66,39 @@ print "Found KMS_SSL_KEYSTORE_PASS:     `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/
 
 
 
 export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
 
 export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
 
 
 
+catalina_init_properties() {
 
+  cp "${CATALINA_BASE}/conf/catalina-default.properties" \
 
+    "${CATALINA_BASE}/conf/catalina.properties"
 
+}
 
+
 
+catalina_set_property() {
 
+  local key=$1
 
+  local value=$2
 
+  [[ -z "${value}" ]] && return
 
+  local disp_value="${3:-${value}}"
 
+  print "Setting catalina property ${key} to ${disp_value}"
 
+  echo "${key}=${value}" >> "${CATALINA_BASE}/conf/catalina.properties"
 
+}
 
+
 
+if [[ "${1}" = "start" || "${1}" = "run" ]]; then
 
+  catalina_init_properties
 
+  catalina_set_property "kms.home.dir" "${KMS_HOME}"
 
+  catalina_set_property "kms.config.dir" "${KMS_CONFIG}"
 
+  catalina_set_property "kms.log.dir" "${KMS_LOG}"
 
+  catalina_set_property "kms.temp.dir" "${KMS_TEMP}"
 
+  catalina_set_property "kms.admin.port" "${KMS_ADMIN_PORT}"
 
+  catalina_set_property "kms.http.port" "${KMS_HTTP_PORT}"
 
+  catalina_set_property "kms.protocol" "${KMS_PROTOCOL}"
 
+  catalina_set_property "kms.max.threads" "${KMS_MAX_THREADS}"
 
+  catalina_set_property "kms.accept.count" "${KMS_ACCEPT_COUNT}"
 
+  catalina_set_property "kms.acceptor.thread.count" \
 
+    "${KMS_ACCEPTOR_THREAD_COUNT}"
 
+  catalina_set_property "kms.max.http.header.size" \
 
+    "${KMS_MAX_HTTP_HEADER_SIZE}"
 
+  catalina_set_property "kms.ssl.ciphers" "${KMS_SSL_CIPHERS}"
 
+  catalina_set_property "kms.ssl.keystore.file" "${KMS_SSL_KEYSTORE_FILE}"
 
+fi
 
+
 
 # A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
 
 # A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
 
 #
 
 #
 
 if [ "${1}" = "stop" ]; then
 
 if [ "${1}" = "stop" ]; then
 
@@ -95,4 +116,8 @@ if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "
 
     | sed 's/"_kms_ssl_truststore_pass_"/'"\"${KMS_SSL_TRUSTSTORE_PASS_ESCAPED}\""'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
 
     | sed 's/"_kms_ssl_truststore_pass_"/'"\"${KMS_SSL_TRUSTSTORE_PASS_ESCAPED}\""'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
 
 fi 
 fi 
 
 
-exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@"
 
+if [ "${KMS_SILENT}" != "true" ]; then
 
+  exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@"
 
+else
 
+  exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@" > /dev/null
 
+fi

+ 1 - 0
hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
View File 

@@ -74,6 +74,7 @@
 
                acceptorThreadCount="${kms.acceptor.thread.count}"
 
                acceptorThreadCount="${kms.acceptor.thread.count}"
 
                maxHttpHeaderSize="${kms.max.http.header.size}"
 
                maxHttpHeaderSize="${kms.max.http.header.size}"
 
                clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
 
                clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
 
+               ciphers="${kms.ssl.ciphers}"
 
                truststorePass="_kms_ssl_truststore_pass_"
 
                truststorePass="_kms_ssl_truststore_pass_"
 
                keystoreFile="${kms.ssl.keystore.file}"
 
                keystoreFile="${kms.ssl.keystore.file}"
 
                keystorePass="_kms_ssl_keystore_pass_"/>
 
                keystorePass="_kms_ssl_keystore_pass_"/>

+ 5 - 1
hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
View File 

@@ -301,7 +301,11 @@ The answer to "What is your first and last name?" (i.e. "CN") must be the hostna
 
 
 
 NOTE: You need to restart the KMS for the configuration changes to take effect.
 
 NOTE: You need to restart the KMS for the configuration changes to take effect.
 
 
 
-NOTE: Some old SSL clients may use weak ciphers that are not supported by the KMS server. It is recommended to upgrade the SSL client.
 
+In order to support some old SSL clients, the default encryption ciphers
 
+include a few relatively weaker ciphers. Set environment variable
 
+`KMS_SSL_CIPHERS` or property `kms.ssl.ciphers` to override. The value is a
 
+comma separated list of ciphers documented in this
 
+[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
 
 
 
 $H4 ACLs (Access Control Lists)
 
 $H4 ACLs (Access Control Lists)