KNOX-1046 - Add Client Cert Wanted Capability with Configurable Validation that Checks for It
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/5432c872
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/5432c872
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/5432c872
Branch: refs/heads/KNOX-1049
Commit: 5432c872271e42d1ba8981e5f5de2059d5509ba2
Parents: 8537d42
Author: Larry McCay <lmc...@hortonworks.com>
Authored: Fri Sep 22 13:40:18 2017 -0400
Committer: Larry McCay <lmc...@hortonworks.com>
Committed: Fri Sep 22 13:40:31 2017 -0400
----------------------------------------------------------------------
 .../hadoop/gateway/config/impl/GatewayConfigImpl.java | 10 ++++++++++
 .../gateway/services/security/impl/JettySSLService.java | 11 +++++++++--
 .../org/apache/hadoop/gateway/config/GatewayConfig.java | 2 ++
 .../org/apache/hadoop/gateway/GatewayTestConfig.java | 5 +++++
 4 files changed, 26 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/5432c872/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
index 3b7d19e..0956a4a 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
@@ -118,6 +118,7 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
   public static final String FRONTEND_URL = GATEWAY_CONFIG_FILE_PREFIX + ".frontend.url";
   private static final String TRUST_ALL_CERTS = GATEWAY_CONFIG_FILE_PREFIX + ".trust.all.certs";
   private static final String CLIENT_AUTH_NEEDED = GATEWAY_CONFIG_FILE_PREFIX + ".client.auth.needed";
+  private static final String CLIENT_AUTH_WANTED = GATEWAY_CONFIG_FILE_PREFIX + ".client.auth.wanted";
   private static final String TRUSTSTORE_PATH = GATEWAY_CONFIG_FILE_PREFIX + ".truststore.path";
   private static final String TRUSTSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".truststore.type";
   private static final String KEYSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".keystore.type";
@@ -535,6 +536,15 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
   }
 
   /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#isClientAuthWanted()
+   */
+  @Override
+  public boolean isClientAuthWanted() {
+    String clientAuthWanted = get( CLIENT_AUTH_WANTED, "false" );
+    return "true".equals(clientAuthWanted);
+  }
+
+  /* (non-Javadoc)
    * @see org.apache.hadoop.gateway.config.GatewayConfig#getTruststorePath()
    */
   @Override
http://git-wip-us.apache.org/repos/asf/knox/blob/5432c872/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index ac4bfa3..52c06d9 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
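Review bot: `isClientAuthWanted()` in the second hunk only recognises the exact lowercase string `"true"`, so a value such as `True` or `TRUE` in the gateway configuration silently leaves the optional client-cert request disabled — the safe direction, but easy to misdiagnose in a deployment. If `Configuration` here is Hadoop's, `return getBoolean( CLIENT_AUTH_WANTED, false );` gives the usual case-insensitive parse; if `isClientAuthNeeded()` (not in this hunk) uses the same string compare, the two should at least be kept consistent. The `(non-Javadoc)` stub also leaves the new property undocumented for operators; a line such as `// CLIENT_AUTH_WANTED: request but do not require a client certificate; has no effect when CLIENT_AUTH_NEEDED is true` above the method would state the contract that JettySSLService applies.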
@@ -63,6 +63,7 @@ public class JettySSLService implements SSLService {
   private String truststorePath;
   private String keystoreType;
   private String trustStoreType;
+  private boolean clientAuthWanted;
 
   public void setMasterService(MasterService ms) {
     this.ms = ms;
@@ -126,6 +127,7 @@ public class JettySSLService implements SSLService {
     sslExcludeCiphers = config.getExcludedSSLCiphers();
     sslExcludeProtocols = config.getExcludedSSLProtocols();
     clientAuthNeeded = config.isClientAuthNeeded();
+    clientAuthWanted = config.isClientAuthWanted();
     truststorePath = config.getTruststorePath();
     trustAllCerts = config.getTrustAllCerts();
     trustStoreType = config.getTruststoreType();
@@ -186,7 +188,7 @@ public class JettySSLService implements SSLService {
     sslContextFactory.setKeyManagerPassword(new String(keypass));
 
     String truststorePassword = null;
-    if (clientAuthNeeded) {
+    if (clientAuthNeeded || clientAuthWanted) {
       if (truststorePath != null) {
         sslContextFactory.setTrustStore(loadKeyStore(keystoreFileName, keystoreType, master));
         char[] truststorePwd = null;
@@ -212,7 +214,12 @@ public class JettySSLService implements SSLService {
         sslContextFactory.setTrustStoreType(keystoreType);
       }
     }
-    sslContextFactory.setNeedClientAuth( clientAuthNeeded );
+    if (clientAuthNeeded) {
+      sslContextFactory.setNeedClientAuth( clientAuthNeeded );
+    }
+    else {
+      sslContextFactory.setWantClientAuth( clientAuthWanted );
+    }
     sslContextFactory.setTrustAll( trustAllCerts );
     if (sslIncludeCiphers != null && !sslIncludeCiphers.isEmpty()) {
       sslContextFactory.setIncludeCipherSuites( sslIncludeCiphers.toArray(new String[sslIncludeCiphers.size()]) );
http://git-wip-us.apache.org/repos/asf/knox/blob/5432c872/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
----------------------------------------------------------------------
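Review bot: The widened condition `if (clientAuthNeeded || clientAuthWanted)` now sends the new wanted mode through the `truststorePath != null` branch, whose next line loads `keystoreFileName` with `keystoreType` rather than the configured truststore, so a deployment that configures a dedicated truststore for optional client certificates would appear to trust whatever is in the server keystore instead. That line is context rather than part of this change, but the change makes it reachable from a second configuration, so it is worth confirming; unless `loadKeyStore` resolves the truststore path internally, the intent reads as something like `sslContextFactory.setTrustStore(loadKeyStore(truststorePath, trustStoreType, master));`. The enclosing method starts and ends outside the hunk.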
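Review bot: `sslContextFactory.setWantClientAuth( clientAuthWanted )` in the last hunk makes the certificate optional at the TLS layer, so a client that presents none still completes the handshake, and nothing in this diff performs the "configurable validation that checks for it" named in the commit title; any provider that relies on the peer certificate must therefore treat its absence (e.g. a null `javax.servlet.request.X509Certificate` request attribute) as unauthenticated rather than assume the handshake implied one. The following `sslContextFactory.setTrustAll( trustAllCerts )` also applies to the wanted path: if Jetty installs its trust-all trust manager, an optional certificate from any issuer is accepted, so the wanted flag gives no identity assurance in that configuration and the two settings should not be combined. Suggest a comment on the else branch, `// wantClientAuth: a certificate is requested but the handshake succeeds without one; downstream checks must verify it is present`, to make the contract explicit. The enclosing method starts and ends outside the hunk.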
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
index 506c31e..66fb83c 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
@@ -108,6 +108,8 @@ public interface GatewayConfig {
 
   boolean isClientAuthNeeded();
 
+  boolean isClientAuthWanted();
+
   String getTruststorePath();
 
   boolean getTrustAllCerts();
http://git-wip-us.apache.org/repos/asf/knox/blob/5432c872/gateway-test-release-utils/src/main/java/org/apache/hadoop/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test-release-utils/src/main/java/org/apache/hadoop/gateway/GatewayTestConfig.java b/gateway-test-release-utils/src/main/java/org/apache/hadoop/gateway/GatewayTestConfig.java
index 09b0d94..ff9a877 100644
--- a/gateway-test-release-utils/src/main/java/org/apache/hadoop/gateway/GatewayTestConfig.java
+++ b/gateway-test-release-utils/src/main/java/org/apache/hadoop/gateway/GatewayTestConfig.java
@@ -609,4 +609,9 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig {
   public boolean isGatewayServerHeaderEnabled() {
     return false;
   }
+
+  @Override
+  public boolean isClientAuthWanted() {
+    return false;
+  }
 }
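Review bot: The new SPI method `boolean isClientAuthWanted();` is added without Javadoc, although it introduces a security-relevant TLS mode whose relationship to `isClientAuthNeeded()` is only discoverable by reading JettySSLService, where the needed flag takes precedence. Suggest `/** True if the gateway should request, but not require, a client certificate (Jetty wantClientAuth). Has no effect when {@link #isClientAuthNeeded()} is true. */` directly above the declaration. The GatewayTestConfig stub further down simply returns false, which matches the implementation's default.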