RANGER-3084: Ranger database connection fails when postgres is SSL en…

…abled & postgresql-42.2.14 driver jar is used Signed-off-by: Velmurugan Periasamy <vel@apache.org>
apache · Nov 23, 2020 · 3a21d6a · 3a21d6a
1 parent 7cfc706
commit 3a21d6a
Show file tree

Hide file tree

Showing 10 changed files with 233 additions and 67 deletions.
diff --git a/kms/config/kms-webapp/dbks-site.xml b/kms/config/kms-webapp/dbks-site.xml
@@ -341,4 +341,16 @@
 	<name>ranger.ks.db.ssl.auth.type</name>
 	<value>2-way</value>
   </property>
+  <property>
+	<name>ranger.ks.db.ssl.certificateFile</name>
+	<value></value>
+  </property>
+  <property>
+	<name>ranger.truststore.file.type</name>
+	<value>jks</value>
+  </property>
+  <property>
+	<name>ranger.keystore.file.type</name>
+	<value>jks</value>
+  </property>
 </configuration>
diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py
@@ -292,18 +292,21 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME):
 
 class PostgresConf(BaseDB):
 	# Constructor
-	def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
+	def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type,db_ssl_certificate_file,javax_net_ssl_trustStore_type,javax_net_ssl_keyStore_type):
 		self.host = host
 		self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
 		self.JAVA_BIN = JAVA_BIN
 		self.db_ssl_enabled=db_ssl_enabled.lower()
 		self.db_ssl_required=db_ssl_required.lower()
 		self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
 		self.db_ssl_auth_type=db_ssl_auth_type.lower()
+		self.db_ssl_certificate_file=db_ssl_certificate_file
 		self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
 		self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
+		self.javax_net_ssl_keyStore_type=javax_net_ssl_keyStore_type.lower()
 		self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
 		self.javax_net_ssl_trustStorePassword=javax_net_ssl_trustStorePassword
+		self.javax_net_ssl_trustStore_type=javax_net_ssl_trustStore_type.lower()
 
 	def get_jisql_cmd(self, user, password, db_name):
 		#TODO: User array for forming command
@@ -312,15 +315,16 @@ def get_jisql_cmd(self, user, password, db_name):
 		db_ssl_param=''
 		db_ssl_cert_param=''
 		if self.db_ssl_enabled == 'true':
-			db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
-			if self.db_ssl_verifyServerCertificate == 'true' or self.db_ssl_required == 'true':
-				db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
+			if self.db_ssl_certificate_file != "":
+				db_ssl_param="?ssl=%s&sslmode=verify-full&sslrootcert=%s" %(self.db_ssl_enabled,self.db_ssl_certificate_file)
+			elif self.db_ssl_verifyServerCertificate == 'true' or self.db_ssl_required == 'true':
+				db_ssl_param="?ssl=%s&sslmode=verify-full&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory" %(self.db_ssl_enabled)
 				if self.db_ssl_auth_type == '1-way':
-					db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+					db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s  -Djavax.net.ssl.trustStoreType=%s" %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword,self.javax_net_ssl_trustStore_type)
 				else:
-					db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+					db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s -Djavax.net.ssl.trustStoreType=%s -Djavax.net.ssl.keyStoreType=%s" %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword,self.javax_net_ssl_trustStore_type,self.javax_net_ssl_keyStore_type)
 			else:
-				db_ssl_param="?ssl=%s&sslfactory=org.postgresql.ssl.NonValidatingFactory" %(self.db_ssl_enabled)
+				db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
 		if is_unix:
 			jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path, self.host, db_name, db_ssl_param,user, password)
 		elif os_name == "WINDOWS":
@@ -602,6 +606,9 @@ def main(argv):
 	javax_net_ssl_keyStorePassword=''
 	javax_net_ssl_trustStore=''
 	javax_net_ssl_trustStorePassword=''
+	db_ssl_certificate_file=''
+	javax_net_ssl_trustStore_type='bcfks'
+	javax_net_ssl_keyStore_type='bcfks'
 
 	if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "POSTGRES":
 		if 'db_ssl_enabled' in globalDict:
@@ -613,26 +620,37 @@ def main(argv):
 					db_ssl_verifyServerCertificate=globalDict['db_ssl_verifyServerCertificate'].lower()
 				if 'db_ssl_auth_type' in globalDict:
 					db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower()
+				if 'db_ssl_certificate_file' in globalDict:
+					db_ssl_certificate_file=globalDict['db_ssl_certificate_file']
+				if 'javax_net_ssl_trustStore' in globalDict:
+					javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
+				if 'javax_net_ssl_trustStorePassword' in globalDict:
+					javax_net_ssl_trustStorePassword=globalDict['javax_net_ssl_trustStorePassword']
+				if 'javax_net_ssl_trustStore_type' in globalDict:
+					javax_net_ssl_trustStore_type=globalDict['javax_net_ssl_trustStore_type']
 				if db_ssl_verifyServerCertificate == 'true':
-					if 'javax_net_ssl_trustStore' in globalDict:
-						javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
-					if 'javax_net_ssl_trustStorePassword' in globalDict:
-						javax_net_ssl_trustStorePassword=globalDict['javax_net_ssl_trustStorePassword']
-					if not os.path.exists(javax_net_ssl_trustStore):
-						log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
-						sys.exit(1)
-					if javax_net_ssl_trustStorePassword is None or javax_net_ssl_trustStorePassword =="":
-						log("[E] Invalid ssl truststore password!","error")
-						sys.exit(1)
+					if  db_ssl_certificate_file != "":
+						if not os.path.exists(db_ssl_certificate_file):
+							log("[E] Invalid file Name! Unable to find certificate file:"+db_ssl_certificate_file,"error")
+							sys.exit(1)
+					elif db_ssl_auth_type == '1-way' and db_ssl_certificate_file == "" :
+						if not os.path.exists(javax_net_ssl_trustStore):
+							log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
+							sys.exit(1)
+						if javax_net_ssl_trustStorePassword =="":
+							log("[E] Invalid ssl truststore password!","error")
+							sys.exit(1)
 					if db_ssl_auth_type == '2-way':
 						if 'javax_net_ssl_keyStore' in globalDict:
 							javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
 						if 'javax_net_ssl_keyStorePassword' in globalDict:
 							javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
+						if 'javax_net_ssl_keyStore_type' in globalDict:
+							javax_net_ssl_keyStore_type=globalDict['javax_net_ssl_keyStore_type']
 						if not os.path.exists(javax_net_ssl_keyStore):
 							log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
 							sys.exit(1)
-						if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
+						if javax_net_ssl_keyStorePassword =="":
 							log("[E] Invalid ssl keystore password!","error")
 							sys.exit(1)
 
@@ -650,7 +668,7 @@ def main(argv):
 		db_user=db_user.lower()
 		db_name=db_name.lower()
 		POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
-		xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
+		xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type,db_ssl_certificate_file,javax_net_ssl_trustStore_type,javax_net_ssl_keyStore_type)
 		xa_db_core_file = os.path.join(RANGER_KMS_HOME , postgres_core_file)
 
 	elif XA_DB_FLAVOR == "MSSQL":

diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties
@@ -52,6 +52,7 @@ SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
 db_root_user=root
 db_root_password=
 db_host=localhost
+#SSL config
 db_ssl_enabled=false
 db_ssl_required=false
 db_ssl_verifyServerCertificate=false
@@ -61,6 +62,12 @@ javax_net_ssl_keyStore=
 javax_net_ssl_keyStorePassword=
 javax_net_ssl_trustStore=
 javax_net_ssl_trustStorePassword=
+javax_net_ssl_trustStore_type=jks
+javax_net_ssl_keyStore_type=jks
+
+# For postgresql db
+db_ssl_certificate_file=
+
 #
 # DB UserId used for the Ranger KMS schema
 #

diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh
@@ -60,6 +60,9 @@ db_ssl_enabled=$(get_prop 'db_ssl_enabled' $PROPFILE)
 db_ssl_required=$(get_prop 'db_ssl_required' $PROPFILE)
 db_ssl_verifyServerCertificate=$(get_prop 'db_ssl_verifyServerCertificate' $PROPFILE)
 db_ssl_auth_type=$(get_prop 'db_ssl_auth_type' $PROPFILE)
+db_ssl_certificate_file=$(get_prop 'db_ssl_certificate_file' $PROPFILE)
+javax_net_ssl_trustStore_type=$(get_prop 'javax_net_ssl_trustStore_type' $PROPFILE)
+javax_net_ssl_keyStore_type=$(get_prop 'javax_net_ssl_keyStore_type' $PROPFILE)
 KMS_MASTER_KEY_PASSWD=$(get_prop 'KMS_MASTER_KEY_PASSWD' $PROPFILE)
 unix_user=$(get_prop 'unix_user' $PROPFILE)
 unix_user_pwd=$(get_prop 'unix_user_pwd' $PROPFILE)
@@ -282,12 +285,17 @@ init_variables(){
 		db_ssl_required="false"
 		db_ssl_verifyServerCertificate="false"
 		db_ssl_auth_type="2-way"
+		db_ssl_certificate_file=''
+		javax_net_ssl_trustStore_type='jks'
+		javax_net_ssl_keyStore_type='jks'
 	fi
 	if [ "${db_ssl_enabled}" == "true" ]
 	then
 		db_ssl_required=`echo $db_ssl_required | tr '[:upper:]' '[:lower:]'`
 		db_ssl_verifyServerCertificate=`echo $db_ssl_verifyServerCertificate | tr '[:upper:]' '[:lower:]'`
 		db_ssl_auth_type=`echo $db_ssl_auth_type | tr '[:upper:]' '[:lower:]'`
+		javax_net_ssl_trustStore_type=`echo $javax_net_ssl_trustStore_type | tr '[:upper:]' '[:lower:]'`
+		javax_net_ssl_keyStore_type=`echo $javax_net_ssl_keyStore_type | tr '[:upper:]' '[:lower:]'`
 		if [ "${db_ssl_required}" != "true" ]
 		then
 			db_ssl_required="false"
@@ -300,6 +308,14 @@ init_variables(){
 		then
 			db_ssl_auth_type="2-way"
 		fi
+		if [ "${javax_net_ssl_trustStore_type}" == "" ]
+		then
+			javax_net_ssl_trustStore_type="jks"
+		fi
+		if [ "${javax_net_ssl_keyStore_type}" == "" ]
+		then
+			javax_net_ssl_keyStore_type="jks"
+		fi
 	fi
 }
 
@@ -466,7 +482,7 @@ update_properties() {
 		log "[I] $to_file file found"
 	else
 		log "[E] $to_file does not exists" ; exit 1;
-    fi
+	fi
 
 	if [ "${db_ssl_enabled}" != "" ]
 	then
@@ -485,6 +501,18 @@ update_properties() {
 		propertyName=ranger.ks.db.ssl.auth.type
 		newPropertyValue="${db_ssl_auth_type}"
 		updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+		propertyName=ranger.ks.db.ssl.certificateFile
+		newPropertyValue="${db_ssl_certificate_file}"
+		updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+		propertyName=ranger.truststore.file.type
+		newPropertyValue="${javax_net_ssl_trustStore_type}"
+		updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+		propertyName=ranger.keystore.file.type
+		newPropertyValue="${javax_net_ssl_keyStore_type}"
+		updatePropertyToFilePy $propertyName $newPropertyValue $to_file
 	fi
 
 	if [ "${DB_FLAVOR}" == "MYSQL" ]
@@ -530,9 +558,22 @@ update_properties() {
 		db_name=`echo ${db_name} | tr '[:upper:]' '[:lower:]'`
 		db_user=`echo ${db_user} | tr '[:upper:]' '[:lower:]'`
 
-		propertyName=ranger.ks.jpa.jdbc.url
-		newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}"
-		updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+		if [ "${db_ssl_enabled}" == "true" ]
+		then
+			if test -f $db_ssl_certificate_file; then
+				propertyName=ranger.ks.jpa.jdbc.url
+				newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}?ssl=true&sslmode=verify-full&sslrootcert=${db_ssl_certificate_file}"
+				updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+			else
+				propertyName=ranger.ks.jpa.jdbc.url
+				newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}?ssl=true&sslmode=verify-full&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory"
+				updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+			fi
+		else
+			propertyName=ranger.ks.jpa.jdbc.url
+			newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}"
+			updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+		fi
 
 		propertyName=ranger.ks.jpa.jdbc.dialect
 		newPropertyValue="org.eclipse.persistence.platform.database.PostgreSQLPlatform"
@@ -1083,9 +1124,9 @@ setup_install_files(){
 	then
 		if [ "${db_ssl_auth_type}" == "1-way" ]
 		then
-			DB_SSL_PARAM="' -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+			DB_SSL_PARAM="' -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} -Djavax.net.ssl.trustStoreType=${javax_net_ssl_trustStore_type} '"
 		else
-			DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+			DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.keyStoreType={javax_net_ssl_keyStore_type} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} -Djavax.net.ssl.trustStoreType=${javax_net_ssl_trustStore_type} '"
 		fi
 		echo "export DB_SSL_PARAM=${DB_SSL_PARAM}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh
         chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh

diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
@@ -62,6 +62,7 @@ public class RangerKMSDB {
 	private static final String DB_SSL_KEYSTORE_PASSWORD="keystore.password";
 	private static final String DB_SSL_TRUSTSTORE="truststore.file";
 	private static final String DB_SSL_TRUSTSTORE_PASSWORD="truststore.password";
+	private static final String DB_SSL_CERTIFICATE_FILE="db.ssl.certificateFile";
 
     public static final int DB_FLAVOR_UNKNOWN = 0;
 	public static final int DB_FLAVOR_MYSQL = 1;
@@ -184,24 +185,24 @@ private void updateDBSSLURL(){
 				conf.set(PROPERTY_PREFIX+DB_SSL_VerifyServerCertificate, db_ssl_verifyServerCertificate);
 				conf.set(PROPERTY_PREFIX+DB_SSL_AUTH_TYPE, db_ssl_auth_type);
 				String ranger_jpa_jdbc_url=conf.get(PROPERTY_PREFIX+DB_URL);
-				if(!StringUtils.isEmpty(ranger_jpa_jdbc_url)){
-					if(ranger_jpa_jdbc_url.contains("?")) {
-						ranger_jpa_jdbc_url=ranger_jpa_jdbc_url.substring(0,ranger_jpa_jdbc_url.indexOf("?"));
-					}
+				if(StringUtils.isNotEmpty(ranger_jpa_jdbc_url) && !ranger_jpa_jdbc_url.contains("?")){
 					StringBuffer ranger_jpa_jdbc_url_ssl=new StringBuffer(ranger_jpa_jdbc_url);
 					if(getDBFlavor(conf)==DB_FLAVOR_MYSQL){
 						ranger_jpa_jdbc_url_ssl.append("?useSSL="+db_ssl_enabled+"&requireSSL="+db_ssl_required+"&verifyServerCertificate="+db_ssl_verifyServerCertificate);
 					}else if(getDBFlavor(conf)==DB_FLAVOR_POSTGRES){
-						if("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)){
+						String db_ssl_certificate_file = conf.get(PROPERTY_PREFIX+DB_SSL_CERTIFICATE_FILE);
+						if(StringUtils.isNotEmpty(db_ssl_certificate_file)) {
+							ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslmode=verify-full"+"&sslrootcert="+db_ssl_certificate_file);
+						} else if ("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)) {
+							ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslmode=verify-full"+"&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory");
+						} else {
 							ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled);
-						}else{
-							ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslfactory=org.postgresql.ssl.NonValidatingFactory");
 						}
 					}
 					conf.set(PROPERTY_PREFIX+DB_URL, ranger_jpa_jdbc_url_ssl.toString());
-					jpaProperties.put(JPA_DB_URL, conf.get(PROPERTY_PREFIX+DB_URL));
-					logger.info(PROPERTY_PREFIX+DB_URL+"="+ranger_jpa_jdbc_url_ssl.toString());
 				}
+				jpaProperties.put(JPA_DB_URL, conf.get(PROPERTY_PREFIX+DB_URL));
+				logger.info(PROPERTY_PREFIX+DB_URL+"="+conf.get(PROPERTY_PREFIX+DB_URL));
 
 				if("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)){
 					if(!"1-way".equalsIgnoreCase((db_ssl_auth_type))){