Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: fedramp issues #10092

Merged
merged 9 commits into from Nov 7, 2023
Merged

fix: fedramp issues #10092

merged 9 commits into from Nov 7, 2023

Conversation

aliehsaeedii
Copy link
Contributor

@aliehsaeedii aliehsaeedii commented Oct 16, 2023
edited

KSE-1768
This PR intends to fix the following issues:

  1. enable ksql to accept BCFKS keystore type
  2. making ssl.cipher.suites as optional config

Sample fips compliant config:

security.providers=io.confluent.kafka.security.fips.provider.BcFipsProviderCreator,io.confluent.kafka.security.fips.provider.BcFipsJsseProviderCreator
ssl.enabled.protocols=TLSv1.2
ssl.key.password=${file:/mnt/sslcerts/jksPassword.txt:jksPassword}
ssl.keymanager.algorithm=PKIX
ssl.keystore.location=/mnt/sslcerts/keystore.bcfks
ssl.keystore.password=${file:/mnt/sslcerts/jksPassword.txt:jksPassword}
ssl.keystore.type=BCFKS
ssl.trustmanager.algorithm=PKIX
ssl.truststore.location=/mnt/sslcerts/truststore.bcfks
ssl.truststore.password=${file:/mnt/sslcerts/jksPassword.txt:jksPassword}
ssl.truststore.type=BCFKS

Description

What behavior do you want to change, why, how does your patch achieve the changes?

Testing done

Describe the testing strategy. Unit and integration tests are expected for any behavior changes.

Reviewer checklist

  • Ensure docs are updated if necessary. (eg. if a user visible feature is being added or changed).
  • Ensure relevant issues are linked (description should include text like "Fixes #")
  • Do these changes have compatibility implications for rollback? If so, ensure that the ksql command version is bumped.

@aliehsaeedii aliehsaeedii requested a review from a team as a code owner October 16, 2023 11:03
@cla-assistant
Copy link

cla-assistant bot commented Oct 16, 2023
edited

CLA assistant check
All committers have signed the CLA.

cadonna
cadonna reviewed Oct 16, 2023
View reviewed changes
Copy link
Member

@cadonna cadonna left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aliehsaeedii Thanks for the PR!

Here my comments!

ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/server/KsqlServerMain.java
Comment on lines -223 to -229
if (cipherSuites.isEmpty()) {
final String errorMsg = "No cipher suites "
+ "('"
+ KsqlRestConfig.SSL_CIPHER_SUITES_CONFIG
+ "') is specified.";
log.error(errorMsg);
throw new SecurityException(errorMsg);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you remove this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you remove this?

Based on info form CP team, ssl.cipher.suites must be an optional parameter.

ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/server/KsqlRestConfig.java
Comment on lines 131 to +135
public static final ConfigDef.ValidString SSL_STORE_TYPE_VALIDATOR =
ConfigDef.ValidString.in(
SSL_STORE_TYPE_JKS,
SSL_STORE_TYPE_PKCS12
SSL_STORE_TYPE_PKCS12,
SSL_STORE_TYPE_BCFKS
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't there a unit test you need to adapt?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't there a unit test you need to adapt?

For the other two we don't have any.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

I think you need to adapt SSL_KEYSTORE_TYPE_DOC and SSL_TRUSTSTORE_TYPE_DOC, though.

cadonna
cadonna reviewed Oct 16, 2023
View reviewed changes
...ackDump-io.confluent.ksql.cli.BasicAuthFunctionalTest-shouldBeAbleToUseCliWithValidCreds.log Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These logs are not needed, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These logs are not needed, right?

Right. Strange that they have been added!

spena
spena reviewed Oct 16, 2023
View reviewed changes
ksqldb-common/src/main/java/io/confluent/ksql/util/VertxSslOptionsFactory.java Outdated
private static KeyStoreOptions buildBcfksOptions(final String password) {
return new KeyStoreOptions()
.setType("BCFKS")
.setProvider("/opt/confluent/confluent-7.4.0/share/java/kafka/bc-fips-1.0.2.3.jar")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if this JAR appears in a different location and/or different version? Can this location be configurable? or why is it hard-coded?

ksqldb-common/src/main/java/io/confluent/ksql/util/VertxSslOptionsFactory.java Outdated

final String password = getTrustStorePassword(props);

if (!Strings.isNullOrEmpty(password)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't you need the location obtained like getPfxTrustStoreOptions? I see the location is hard-coded in buildBcvfksOptions.

spena
spena reviewed Oct 17, 2023
View reviewed changes
ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/server/KsqlRestConfig.java Outdated
@@ -115,21 +115,24 @@ public class KsqlRestConfig extends AbstractConfig {

public static final String SSL_KEYSTORE_TYPE_CONFIG = "ssl.keystore.type";
protected static final String SSL_KEYSTORE_TYPE_DOC =
"The type of keystore file. Must be either 'JKS' or 'PKCS12'.";
"The type of keystore file. Must be either 'JKS' or 'PKCS12' or 'BCFKS'.";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"The type of keystore file. Must be either 'JKS' or 'PKCS12' or 'BCFKS'.";
"The type of keystore file. Must be either 'JKS', 'PKCS12' or 'BCFKS'.";

ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/server/KsqlRestConfig.java Outdated

protected static final String SSL_TRUSTSTORE_LOCATION_DEFAULT = "";
protected static final String SSL_TRUSTSTORE_PASSWORD_DEFAULT = "";

public static final String SSL_TRUSTSTORE_TYPE_CONFIG = "ssl.truststore.type";
protected static final String SSL_TRUSTSTORE_TYPE_DOC =
"The type of trust store file. Must be either 'JKS' or 'PKCS12'.";
"The type of trust store file. Must be either 'JKS' or 'PKCS12' or 'BCFKS'.";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"The type of trust store file. Must be either 'JKS' or 'PKCS12' or 'BCFKS'.";
"The type of trust store file. Must be either 'JKS', 'PKCS12' or 'BCFKS'.";

spena
spena reviewed Oct 17, 2023
View reviewed changes
ksqldb-common/src/main/java/io/confluent/ksql/util/VertxSslOptionsFactory.java Outdated
@@ -59,6 +60,13 @@ private static JksOptions buildJksOptions(final Buffer buffer, final String pass
return new JksOptions().setValue(buffer).setPassword(Strings.nullToEmpty(password));
}

private static KeyStoreOptions buildBcfksOptions(final String password) {
return new KeyStoreOptions()
.setType("BCFKS")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to follow the code in this file, could you add a constant, like the SSL_STORE_TYPE_JKS for this too?

spena
spena reviewed Nov 1, 2023
View reviewed changes
...ackDump-io.confluent.ksql.cli.BasicAuthFunctionalTest-shouldBeAbleToUseCliWithValidCreds.log Outdated
@@ -0,0 +1,1355 @@
Thread: 496 - ksql-workers-0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This and the other *.log files were accidentally committed, right?

ksqldb-common/src/main/java/io/confluent/ksql/util/VertxSslOptionsFactory.java Outdated
public static Optional<KeyStoreOptions> getBcfksTrustStoreOptions(
final String location,
final String password,
final String keyPassword) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is the keyPassword needed for truststores? My understanding is that truststores only stores certificates while keystores stores keys. So, truststores don't require a key password, right?

ksqldb-common/src/main/java/io/confluent/ksql/util/VertxSslOptionsFactory.java Outdated
final String providers = getSecurityProviders(props);
final String location = getTrustStoreLocation(props);
final String password = getTrustStorePassword(props);
final String keyPassword = getKeyPassword(props);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Truststores don't require a key password, do they?

spena
spena previously approved these changes Nov 6, 2023
View reviewed changes
@aliehsaeedii aliehsaeedii merged commit 127f223 into master Nov 7, 2023
4 checks passed
@aliehsaeedii aliehsaeedii deleted the fix-fedramp-issues branch November 7, 2023 21:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cadonna cadonna cadonna left review comments

@spena spena spena approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@aliehsaeedii @cadonna @spena