Github user parthchandra commented on a diff in the pull request:
https://github.com/apache/drill/pull/950#discussion_r142827719
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/ssl/SSLConfigServer.java ---
@@ -0,0 +1,331 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.ssl;
+
+import com.google.common.base.Preconditions;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslProvider;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.common.exceptions.DrillException;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.memory.BufferAllocator;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.ssl.SSLFactory;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManagerFactory;
+import java.text.MessageFormat;
+
+public class SSLConfigServer extends SSLConfig {
+
+ private static final org.slf4j.Logger logger =
org.slf4j.LoggerFactory.getLogger(SSLConfigServer.class);
+
+ private final DrillConfig config;
+ private final Configuration hadoopConfig;
+ private final boolean userSslEnabled;
+ private final boolean httpsEnabled;
+ private final String keyStoreType;
+ private final String keyStorePath;
+ private final String keyStorePassword;
+ private final String keyPassword;
+ private final String trustStoreType;
+ private final String trustStorePath;
+ private final String trustStorePassword;
+ private final String protocol;
+ private final String provider;
+
+ public SSLConfigServer(DrillConfig config, Configuration hadoopConfig)
throws DrillException {
+ this.config = config;
+ SSLFactory.Mode mode = SSLFactory.Mode.SERVER;
+ httpsEnabled =
+ config.hasPath(ExecConstants.HTTP_ENABLE_SSL) &&
config.getBoolean(ExecConstants.HTTP_ENABLE_SSL);
+ // For testing we will mock up a hadoop configuration, however for
regular use, we find the actual hadoop config.
+ boolean enableHadoopConfig =
config.getBoolean(ExecConstants.SSL_USE_HADOOP_CONF);
+ if (enableHadoopConfig) {
+ if (hadoopConfig == null) {
+ this.hadoopConfig = new Configuration(); // get hadoop
configuration
+ } else {
+ this.hadoopConfig = hadoopConfig;
+ }
+ String hadoopSSLConfigFile =
+
this.hadoopConfig.get(resolveHadoopPropertyName(HADOOP_SSL_CONF_TPL_KEY,
getMode()));
+ logger.debug("Using Hadoop configuration for SSL");
+ logger.debug("Hadoop SSL configuration file: {}",
hadoopSSLConfigFile);
+ this.hadoopConfig.addResource(hadoopSSLConfigFile);
+ } else {
+ this.hadoopConfig = null;
+ }
+ userSslEnabled =
+ config.hasPath(ExecConstants.USER_SSL_ENABLED) &&
config.getBoolean(ExecConstants.USER_SSL_ENABLED);
+ trustStoreType = getConfigParam(ExecConstants.SSL_TRUSTSTORE_TYPE,
+ resolveHadoopPropertyName(HADOOP_SSL_TRUSTSTORE_TYPE_TPL_KEY,
mode));
+ trustStorePath = getConfigParam(ExecConstants.SSL_TRUSTSTORE_PATH,
+ resolveHadoopPropertyName(HADOOP_SSL_TRUSTSTORE_LOCATION_TPL_KEY,
mode));
+ trustStorePassword =
getConfigParam(ExecConstants.SSL_TRUSTSTORE_PASSWORD,
+ resolveHadoopPropertyName(HADOOP_SSL_TRUSTSTORE_PASSWORD_TPL_KEY,
mode));
+ keyStoreType = getConfigParam(ExecConstants.SSL_KEYSTORE_TYPE,
+ resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_TYPE_TPL_KEY, mode));
+ keyStorePath = getConfigParam(ExecConstants.SSL_KEYSTORE_PATH,
+ resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_LOCATION_TPL_KEY,
mode));
+ keyStorePassword = getConfigParam(ExecConstants.SSL_KEYSTORE_PASSWORD,
+ resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_PASSWORD_TPL_KEY,
mode));
+ // if no keypassword specified, use keystore password
+ String keyPass = getConfigParam(ExecConstants.SSL_KEY_PASSWORD,
+ resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_KEYPASSWORD_TPL_KEY,
mode));
+ keyPassword = keyPass.isEmpty() ? keyStorePassword : keyPass;
+ protocol = getConfigParamWithDefault(ExecConstants.SSL_PROTOCOL,
DEFAULT_SSL_PROTOCOL);
+ provider = getConfigParamWithDefault(ExecConstants.SSL_PROVIDER,
DEFAULT_SSL_PROVIDER);
+ }
+
+ public void validateKeyStore() throws DrillException {
+ //HTTPS validates the keystore is not empty. User Server SSL context
initialization also validates keystore, but
+ // much more strictly. User Client context initialization does not
validate keystore.
+ /*If keystorePath or keystorePassword is provided in the configuration
file use that*/
+ if ((isUserSslEnabled() || isHttpsEnabled())) {
+ if (!keyStorePath.isEmpty() || !keyStorePassword.isEmpty()) {
+ if (keyStorePath.isEmpty()) {
+ throw new DrillException(
+ " *.ssl.keyStorePath in the configuration file is empty, but
*.ssl.keyStorePassword is set");
+ } else if (keyStorePassword.isEmpty()) {
+ throw new DrillException(
+ " *.ssl.keyStorePassword in the configuration file is empty,
but *.ssl.keyStorePath is set ");
+ }
+ }
+ }
+ }
+
+ @Override
+ public SslContext initNettySslContext() throws DrillException {
+ final SslContext sslCtx;
+
+ if (!userSslEnabled) {
+ return null;
+ }
+
+ KeyManagerFactory kmf;
+ TrustManagerFactory tmf;
+ try {
+ if (keyStorePath.isEmpty()) {
+ throw new DrillException("No Keystore provided.");
+ }
+ kmf = initializeKeyManagerFactory();
+ tmf = initializeTrustManagerFactory();
+ sslCtx = SslContextBuilder.forServer(kmf)
+ .trustManager(tmf)
+ .protocols(protocol)
+ .sslProvider(getProvider())
+ .build(); // Will throw an exception if the key password is not
correct
+ } catch (Exception e) {
+ // Catch any SSL initialization Exceptions here and abort.
+ throw new DrillException(new StringBuilder()
+ .append("SSL is enabled but cannot be initialized - ")
+ .append("[ ")
+ .append(e.getMessage())
+ .append("]. ")
+ .toString());
+ }
+ this.nettySslContext = sslCtx;
+ return sslCtx;
+ }
+
+ @Override
+ public SSLContext initJDKSSLContext() throws DrillException {
+ final SSLContext sslCtx;
+
+ if (!userSslEnabled) {
+ return null;
+ }
+
+ KeyManagerFactory kmf;
+ TrustManagerFactory tmf;
+ try {
+ if (keyStorePath.isEmpty()) {
+ throw new DrillException("No Keystore provided.");
+ }
+ kmf = initializeKeyManagerFactory();
+ tmf = initializeTrustManagerFactory();
+ sslCtx = SSLContext.getInstance(protocol);
+ sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+ } catch (Exception e) {
+ // Catch any SSL initialization Exceptions here and abort.
+ throw new DrillException(
+ new StringBuilder().append("SSL is enabled but cannot be
initialized - ")
+ .append("[ ")
+ .append(e.getMessage())
+ .append("]. ")
+ .toString());
+ }
+ this.jdkSSlContext = sslCtx;
+ return sslCtx;
+ }
+
+ @Override
+ public SSLEngine createSSLEngine(BufferAllocator allocator, String
peerHost, int peerPort) {
+ SSLEngine engine = super.createSSLEngine(allocator, peerHost,
peerPort);
+
+ engine.setUseClientMode(false);
+
+ // No need for client side authentication (HTTPS like behaviour)
+ engine.setNeedClientAuth(false);
+
+ try {
+ engine.setEnableSessionCreation(true);
+ } catch (Exception e) {
+ // Openssl implementation may throw this.
+ logger.debug("Session creation not enabled. Exception: {}",
e.getMessage());
+ }
+
+ return engine;
+ }
+
+ private String getConfigParam(String name, String hadoopName) {
+ String value = "";
+ if (hadoopConfig != null) {
+ value = getHadoopConfigParam(hadoopName);
+ }
+ if (value.isEmpty() && config.hasPath(name)) {
+ value = config.getString(name);
+ }
+ value = value.trim();
+ return value;
+ }
+
+ private String getHadoopConfigParam(String name) {
+ Preconditions.checkArgument(this.hadoopConfig != null);
+ String value = "";
--- End diff --
OK
---
