Github user parthchandra commented on a diff in the pull request: https://github.com/apache/drill/pull/950#discussion_r142827719 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/ssl/SSLConfigServer.java --- @@ -0,0 +1,331 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.drill.exec.ssl; + +import com.google.common.base.Preconditions; +import io.netty.handler.ssl.SslContext; +import io.netty.handler.ssl.SslContextBuilder; +import io.netty.handler.ssl.SslProvider; +import org.apache.drill.common.config.DrillConfig; +import org.apache.drill.common.exceptions.DrillException; +import org.apache.drill.exec.ExecConstants; +import org.apache.drill.exec.memory.BufferAllocator; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.ssl.SSLFactory; + +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.TrustManagerFactory; +import java.text.MessageFormat; + +public class SSLConfigServer extends SSLConfig { + + private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(SSLConfigServer.class); + + private final DrillConfig config; + private final Configuration hadoopConfig; + private final boolean userSslEnabled; + private final boolean httpsEnabled; + private final String keyStoreType; + private final String keyStorePath; + private final String keyStorePassword; + private final String keyPassword; + private final String trustStoreType; + private final String trustStorePath; + private final String trustStorePassword; + private final String protocol; + private final String provider; + + public SSLConfigServer(DrillConfig config, Configuration hadoopConfig) throws DrillException { + this.config = config; + SSLFactory.Mode mode = SSLFactory.Mode.SERVER; + httpsEnabled = + config.hasPath(ExecConstants.HTTP_ENABLE_SSL) && config.getBoolean(ExecConstants.HTTP_ENABLE_SSL); + // For testing we will mock up a hadoop configuration, however for regular use, we find the actual hadoop config. + boolean enableHadoopConfig = config.getBoolean(ExecConstants.SSL_USE_HADOOP_CONF); + if (enableHadoopConfig) { + if (hadoopConfig == null) { + this.hadoopConfig = new Configuration(); // get hadoop configuration + } else { + this.hadoopConfig = hadoopConfig; + } + String hadoopSSLConfigFile = + this.hadoopConfig.get(resolveHadoopPropertyName(HADOOP_SSL_CONF_TPL_KEY, getMode())); + logger.debug("Using Hadoop configuration for SSL"); + logger.debug("Hadoop SSL configuration file: {}", hadoopSSLConfigFile); + this.hadoopConfig.addResource(hadoopSSLConfigFile); + } else { + this.hadoopConfig = null; + } + userSslEnabled = + config.hasPath(ExecConstants.USER_SSL_ENABLED) && config.getBoolean(ExecConstants.USER_SSL_ENABLED); + trustStoreType = getConfigParam(ExecConstants.SSL_TRUSTSTORE_TYPE, + resolveHadoopPropertyName(HADOOP_SSL_TRUSTSTORE_TYPE_TPL_KEY, mode)); + trustStorePath = getConfigParam(ExecConstants.SSL_TRUSTSTORE_PATH, + resolveHadoopPropertyName(HADOOP_SSL_TRUSTSTORE_LOCATION_TPL_KEY, mode)); + trustStorePassword = getConfigParam(ExecConstants.SSL_TRUSTSTORE_PASSWORD, + resolveHadoopPropertyName(HADOOP_SSL_TRUSTSTORE_PASSWORD_TPL_KEY, mode)); + keyStoreType = getConfigParam(ExecConstants.SSL_KEYSTORE_TYPE, + resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_TYPE_TPL_KEY, mode)); + keyStorePath = getConfigParam(ExecConstants.SSL_KEYSTORE_PATH, + resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_LOCATION_TPL_KEY, mode)); + keyStorePassword = getConfigParam(ExecConstants.SSL_KEYSTORE_PASSWORD, + resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_PASSWORD_TPL_KEY, mode)); + // if no keypassword specified, use keystore password + String keyPass = getConfigParam(ExecConstants.SSL_KEY_PASSWORD, + resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_KEYPASSWORD_TPL_KEY, mode)); + keyPassword = keyPass.isEmpty() ? keyStorePassword : keyPass; + protocol = getConfigParamWithDefault(ExecConstants.SSL_PROTOCOL, DEFAULT_SSL_PROTOCOL); + provider = getConfigParamWithDefault(ExecConstants.SSL_PROVIDER, DEFAULT_SSL_PROVIDER); + } + + public void validateKeyStore() throws DrillException { + //HTTPS validates the keystore is not empty. User Server SSL context initialization also validates keystore, but + // much more strictly. User Client context initialization does not validate keystore. + /*If keystorePath or keystorePassword is provided in the configuration file use that*/ + if ((isUserSslEnabled() || isHttpsEnabled())) { + if (!keyStorePath.isEmpty() || !keyStorePassword.isEmpty()) { + if (keyStorePath.isEmpty()) { + throw new DrillException( + " *.ssl.keyStorePath in the configuration file is empty, but *.ssl.keyStorePassword is set"); + } else if (keyStorePassword.isEmpty()) { + throw new DrillException( + " *.ssl.keyStorePassword in the configuration file is empty, but *.ssl.keyStorePath is set "); + } + } + } + } + + @Override + public SslContext initNettySslContext() throws DrillException { + final SslContext sslCtx; + + if (!userSslEnabled) { + return null; + } + + KeyManagerFactory kmf; + TrustManagerFactory tmf; + try { + if (keyStorePath.isEmpty()) { + throw new DrillException("No Keystore provided."); + } + kmf = initializeKeyManagerFactory(); + tmf = initializeTrustManagerFactory(); + sslCtx = SslContextBuilder.forServer(kmf) + .trustManager(tmf) + .protocols(protocol) + .sslProvider(getProvider()) + .build(); // Will throw an exception if the key password is not correct + } catch (Exception e) { + // Catch any SSL initialization Exceptions here and abort. + throw new DrillException(new StringBuilder() + .append("SSL is enabled but cannot be initialized - ") + .append("[ ") + .append(e.getMessage()) + .append("]. ") + .toString()); + } + this.nettySslContext = sslCtx; + return sslCtx; + } + + @Override + public SSLContext initJDKSSLContext() throws DrillException { + final SSLContext sslCtx; + + if (!userSslEnabled) { + return null; + } + + KeyManagerFactory kmf; + TrustManagerFactory tmf; + try { + if (keyStorePath.isEmpty()) { + throw new DrillException("No Keystore provided."); + } + kmf = initializeKeyManagerFactory(); + tmf = initializeTrustManagerFactory(); + sslCtx = SSLContext.getInstance(protocol); + sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); + } catch (Exception e) { + // Catch any SSL initialization Exceptions here and abort. + throw new DrillException( + new StringBuilder().append("SSL is enabled but cannot be initialized - ") + .append("[ ") + .append(e.getMessage()) + .append("]. ") + .toString()); + } + this.jdkSSlContext = sslCtx; + return sslCtx; + } + + @Override + public SSLEngine createSSLEngine(BufferAllocator allocator, String peerHost, int peerPort) { + SSLEngine engine = super.createSSLEngine(allocator, peerHost, peerPort); + + engine.setUseClientMode(false); + + // No need for client side authentication (HTTPS like behaviour) + engine.setNeedClientAuth(false); + + try { + engine.setEnableSessionCreation(true); + } catch (Exception e) { + // Openssl implementation may throw this. + logger.debug("Session creation not enabled. Exception: {}", e.getMessage()); + } + + return engine; + } + + private String getConfigParam(String name, String hadoopName) { + String value = ""; + if (hadoopConfig != null) { + value = getHadoopConfigParam(hadoopName); + } + if (value.isEmpty() && config.hasPath(name)) { + value = config.getString(name); + } + value = value.trim(); + return value; + } + + private String getHadoopConfigParam(String name) { + Preconditions.checkArgument(this.hadoopConfig != null); + String value = ""; --- End diff -- OK
---