This is an automated email from the ASF dual-hosted git repository. sarath pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/atlas.git
The following commit(s) were added to refs/heads/master by this push: new 85a5eeb ATLAS-3481 - Fix for trustore.password for Kafka in SSL 85a5eeb is described below commit 85a5eeba1701abf6ff8f852174194307f4a892ae Author: nixonrodrigues <ni...@apache.org> AuthorDate: Mon Oct 21 17:08:04 2019 +0530 ATLAS-3481 - Fix for trustore.password for Kafka in SSL Change-Id: I9908e250afa98d7469e7f4b629e9cfab5923aff3 Signed-off-by: Sarath Subramanian <sar...@apache.org> --- .../org/apache/atlas/security/SecurityUtil.java | 68 ++++++++++++++++++++++ .../org/apache/atlas/kafka/KafkaNotification.java | 15 +++++ .../atlas/web/service/SecureEmbeddedServer.java | 33 +---------- 3 files changed, 85 insertions(+), 31 deletions(-) diff --git a/intg/src/main/java/org/apache/atlas/security/SecurityUtil.java b/intg/src/main/java/org/apache/atlas/security/SecurityUtil.java new file mode 100644 index 0000000..082c637 --- /dev/null +++ b/intg/src/main/java/org/apache/atlas/security/SecurityUtil.java @@ -0,0 +1,68 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.atlas.security; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.alias.CredentialProvider; +import org.apache.hadoop.security.alias.CredentialProviderFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; + +import static org.apache.atlas.security.SecurityProperties.CERT_STORES_CREDENTIAL_PROVIDER_PATH; + +public class SecurityUtil { + + public static final Logger LOG = LoggerFactory.getLogger(SecurityUtil.class); + + /** + * Retrieves a password from a configured credential provider or prompts for the password and stores it in the + * configured credential provider. + * @param config application configuration + * @param key the key/alias for the password. + * @return the password. + * @throws IOException + */ + public static String getPassword(org.apache.commons.configuration.Configuration config, String key) throws IOException { + + String password; + + String provider = config.getString(CERT_STORES_CREDENTIAL_PROVIDER_PATH); + if (provider != null) { + LOG.info("Attempting to retrieve password for key {} from configured credential provider path {}", key, provider); + Configuration c = new Configuration(); + c.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, provider); + CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(c).get(0); + CredentialProvider.CredentialEntry entry = credentialProvider.getCredentialEntry(key); + if (entry == null) { + throw new IOException(String.format("No credential entry found for %s. " + + "Please create an entry in the configured credential provider", key)); + } else { + password = String.valueOf(entry.getCredential()); + } + + } else { + throw new IOException("No credential provider path configured for storage of certificate store passwords"); + } + + return password; + } + + +} diff --git a/notification/src/main/java/org/apache/atlas/kafka/KafkaNotification.java b/notification/src/main/java/org/apache/atlas/kafka/KafkaNotification.java index 46c68be..11a29b9 100644 --- a/notification/src/main/java/org/apache/atlas/kafka/KafkaNotification.java +++ b/notification/src/main/java/org/apache/atlas/kafka/KafkaNotification.java @@ -28,6 +28,8 @@ import org.apache.atlas.service.Service; import org.apache.commons.configuration.Configuration; import org.apache.commons.configuration.ConfigurationConverter; import org.apache.commons.lang.StringUtils; +import org.apache.hadoop.security.alias.CredentialProvider; +import org.apache.hadoop.security.alias.CredentialProviderFactory; import org.apache.kafka.clients.consumer.ConsumerConfig; import org.apache.kafka.clients.producer.KafkaProducer; import org.apache.kafka.clients.producer.Producer; @@ -41,9 +43,14 @@ import org.springframework.core.annotation.Order; import org.springframework.stereotype.Component; import javax.inject.Inject; +import java.io.IOException; import java.util.*; import java.util.concurrent.Future; +import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_KEY; +import static org.apache.atlas.security.SecurityProperties.TLS_ENABLED; +import static org.apache.atlas.security.SecurityUtil.getPassword; + /** * Kafka specific access point to the Atlas notification framework. */ @@ -116,6 +123,14 @@ public class KafkaNotification extends AbstractNotification implements Service { properties.put("enable.auto.commit", kafkaConf.getBoolean("enable.auto.commit", oldApiCommitEnableFlag)); properties.put("session.timeout.ms", kafkaConf.getString("session.timeout.ms", "30000")); + if(applicationProperties.getBoolean(TLS_ENABLED, false)) { + try { + properties.put("ssl.truststore.password", getPassword(applicationProperties, TRUSTSTORE_PASSWORD_KEY)); + } catch (Exception e) { + LOG.error("Exception while getpassword truststore.password ", e); + } + } + // if no value is specified for max.poll.records, set to 1 properties.put("max.poll.records", kafkaConf.getInt("max.poll.records", 1)); diff --git a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java index 4ee8526..34086ae 100755 --- a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java +++ b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java @@ -21,6 +21,7 @@ package org.apache.atlas.web.service; import org.apache.atlas.ApplicationProperties; import org.apache.atlas.AtlasConfiguration; import org.apache.atlas.AtlasException; +import org.apache.atlas.security.SecurityUtil; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.alias.CredentialProvider; @@ -68,6 +69,7 @@ import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_FILE_KEY; import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_KEY; import static org.apache.atlas.security.SecurityProperties.ATLAS_SSL_EXCLUDE_PROTOCOLS; import static org.apache.atlas.security.SecurityProperties.DEFAULT_EXCLUDE_PROTOCOLS; +import static org.apache.atlas.security.SecurityUtil.getPassword; /** @@ -142,38 +144,7 @@ public class SecureEmbeddedServer extends EmbeddedServer { return sslConnector; } - /** - * Retrieves a password from a configured credential provider or prompts for the password and stores it in the - * configured credential provider. - * @param config application configuration - * @param key the key/alias for the password. - * @return the password. - * @throws IOException - */ - private String getPassword(org.apache.commons.configuration.Configuration config, String key) throws IOException { - - String password; - - String provider = config.getString(CERT_STORES_CREDENTIAL_PROVIDER_PATH); - if (provider != null) { - LOG.info("Attempting to retrieve password from configured credential provider path"); - Configuration c = new Configuration(); - c.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, provider); - CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(c).get(0); - CredentialProvider.CredentialEntry entry = credentialProvider.getCredentialEntry(key); - if (entry == null) { - throw new IOException(String.format("No credential entry found for %s. " - + "Please create an entry in the configured credential provider", key)); - } else { - password = String.valueOf(entry.getCredential()); - } - } else { - throw new IOException("No credential provider path configured for storage of certificate store passwords"); - } - - return password; - } /** * Returns the application configuration.