-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/
-----------------------------------------------------------

Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2058
    https://issues.apache.org/jira/browse/RANGER-2058


Repository: ranger


Description
-------

**Problem Statement:**
Ranger cannot communicate with an SSL-enabled Postgres server.

**Proposed Solution:**
To connect to an SSL-enabled Postgres server, the JDBC connection string could be: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslmode=verify-ca".

The 'ssl=true' property is added to the JDBC URL to attempt to communicate via SSL.
The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to bypass certificate validation.
The 'sslmode=verify-ca' property is set to connect only if the Postgres server trust certificate is available.

If the user wants to connect using a truststore, then he can configure truststore files (certificate information for both the Postgres server and the client). The Ranger application and the jisql utility should know from where to pick the certificates, which can be set in the System properties like this:

-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password

The following properties of the install.properties file can be used to provide the SSL config options, keystore and truststore path to connect to an SSL-enabled Postgres server:

db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
javax_net_ssl_keyStore=/etc/postgres/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/etc/postgres/truststore
javax_net_ssl_trustStorePassword=secret


Diffs
-----

  kms/scripts/db_setup.py a431b60
  kms/scripts/dba_script.py bcd4aa2
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca
  security-admin/scripts/db_setup.py b8664d2
  security-admin/scripts/dba_script.py 69fff41
  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36


Diff: https://reviews.apache.org/r/66504/diff/1/


Testing
-------

**Steps Performed (with patch):**

1. Installed Postgres and enabled SSL with the help of doc :
2. Untar ranger-admin from Build having changes of proposed patch.
3. Provided ranger db root and admin db details in install.properties.
4. Provided values for below properties of install.properties file.

   db_ssl_enabled=true
   db_ssl_required=true
   db_ssl_verifyServerCertificate=true
   javax_net_ssl_keyStore=/root/keystore
   javax_net_ssl_keyStorePassword=secret
   javax_net_ssl_trustStore=/root/truststore
   javax_net_ssl_trustStorePassword=secret

5. Executed setup.sh script.
6. Tried to start ranger admin service.

**Expected behaviour:** Ranger admin should start normally and User should be able to see Dashboard page after login.

**Actual behaviour:** Ranger admin was started and was able to login and see Ranger UI.

**Note:** Tested Ranger admin and Ranger kms on SSL enabled Postgres with one-way and two-way SSL configurations. Tried below combination of SSL properties also with different ranger db combination to install ranger admin and ranger kms.

db_ssl_enabled | db_ssl_required | db_ssl_verifyServerCertificate
true           | true            | true
true           | true            | false
true           | false           | true
true           | false           | false


Thanks,

Pradeep Agrawal
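
An added illustration, not code from the patch or from Ranger: a Python sketch of how the install.properties SSL options described above could translate into the JDBC URL and the -Djavax.net.ssl.* options, with a finding recorded whenever the server certificate would go unvalidated. The flag-to-URL mapping, the function names, and the host and port used to call it are assumptions; the description does not say how db_ssl_required is applied, so it is not modelled.

```python
# Added example (not Ranger's code). The flag-to-URL mapping is an assumption
# drawn from the review description; db_ssl_required is not modelled.
NON_VALIDATING = "org.postgresql.ssl.NonValidatingFactory"
STORE_KEYS = ("keyStore", "keyStorePassword", "trustStore", "trustStorePassword")

def parse_properties(text):
    """Parse key=value lines of an install.properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def flag(props, key):
    return props.get(key, "false").lower() == "true"

def build_connection(props, host, port, database):
    """Return (jdbc_url, jvm_options, findings) for the given properties."""
    url = "jdbc:postgresql://%s:%s/%s" % (host, port, database)
    jvm_options, findings = [], []
    if not flag(props, "db_ssl_enabled"):
        findings.append("SSL disabled: connection is not encrypted")
        return url, jvm_options, findings
    if flag(props, "db_ssl_verifyServerCertificate"):
        url += "?ssl=true&sslmode=verify-ca"
        for name in STORE_KEYS:
            value = props.get("javax_net_ssl_" + name)
            if value:
                jvm_options.append("-Djavax.net.ssl.%s=%s" % (name, value))
        if not props.get("javax_net_ssl_trustStore"):
            findings.append("verify-ca requested but no truststore configured")
    else:
        url += "?ssl=true&sslfactory=" + NON_VALIDATING
        findings.append("server certificate is not validated (NonValidatingFactory)")
    return url, jvm_options, findings

# Constructed sample input, using the values from the Testing section.
SAMPLE = """\
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret
"""
```

Calling build_connection(parse_properties(SAMPLE), host, port, database) returns the verify-ca URL with the four store options and no findings; setting db_ssl_verifyServerCertificate=false yields the NonValidatingFactory URL and one finding.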