Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -557,6 +557,7 @@ public final class OzoneConfigKeys {
"ozone.http.policy";
public static final String OZONE_HTTP_POLICY_DEFAULT =
HttpConfig.Policy.HTTP_ONLY.name();
public static final String OZONE_SSL_ENABLED_PROTOCOLS = "ozone.ssl.enabled.protocols";
public static final String OZONE_SERVER_HTTPS_KEYSTORE_RESOURCE_KEY =
"ozone.https.server.keystore.resource";
public static final String OZONE_SERVER_HTTPS_KEYSTORE_RESOURCE_DEFAULT =
Expand Down
9 changes: 9 additions & 0 deletions hadoop-hdds/common/src/main/resources/ozone-default.xml
Original file line number Diff line number Diff line change
Expand Up @@ -3747,6 +3747,15 @@
<description>Keystore key password for HTTPS SSL configuration
</description>
</property>
<property>
<name>ozone.ssl.enabled.protocols</name>
<tag>OZONE,SECURITY,CRYPTO_COMPLIANCE</tag>
<value/>
<description>
The supported SSL protocols used to restrict connections towards the WebUI of different components,
and the S3 GateWay.
</description>
</property>
<property>
<name>ssl.server.keystore.location</name>
<tag>OZONE, SECURITY, MANAGEMENT</tag>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@
import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.eclipse.jetty.webapp.WebAppContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand Down Expand Up @@ -370,23 +371,28 @@ public void updateConnectorAddress() {
}
}

public static HttpServer2.Builder loadSslConfToHttpServerBuilder(
HttpServer2.Builder builder, ConfigurationSource sslConf) {
return builder
public static void loadSslConfToHttpServerBuilder(HttpServer2.Builder builder, ConfigurationSource sslConf) {
builder
.needsClientAuth(
sslConf.getBoolean(OZONE_CLIENT_HTTPS_NEED_AUTH_KEY,
OZONE_CLIENT_HTTPS_NEED_AUTH_DEFAULT))
.keyPassword(getPassword(sslConf, OZONE_SERVER_HTTPS_KEYPASSWORD_KEY))
.keyStore(sslConf.get("ssl.server.keystore.location"),
.keyStore(
sslConf.get(SSLFactory.SSL_SERVER_KEYSTORE_LOCATION),
getPassword(sslConf, OZONE_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY),
sslConf.get(HddsConfigKeys.HDDS_HTTP_SERVER_KEYSTORE_TYPE,
HddsConfigKeys.HDDS_HTTP_SERVER_KEYSTORE_TYPE_DEFAULT))
.trustStore(sslConf.get("ssl.server.truststore.location"),
sslConf.get(
HddsConfigKeys.HDDS_HTTP_SERVER_KEYSTORE_TYPE,
HddsConfigKeys.HDDS_HTTP_SERVER_KEYSTORE_TYPE_DEFAULT)
)
.trustStore(
sslConf.get(SSLFactory.SSL_SERVER_TRUSTSTORE_LOCATION),
getPassword(sslConf, OZONE_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY),
sslConf.get(HddsConfigKeys.HDDS_HTTP_SERVER_TRUSTSTORE_TYPE,
HddsConfigKeys.HDDS_HTTP_SERVER_TRUSTSTORE_TYPE_DEFAULT))
.excludeCiphers(
sslConf.get("ssl.server.exclude.cipher.list"));
sslConf.get(
HddsConfigKeys.HDDS_HTTP_SERVER_TRUSTSTORE_TYPE,
HddsConfigKeys.HDDS_HTTP_SERVER_TRUSTSTORE_TYPE_DEFAULT)
)
.includeCiphers(sslConf.get(SSLFactory.SSL_SERVER_INCLUDE_CIPHER_LIST))
.excludeCiphers(sslConf.get(SSLFactory.SSL_SERVER_EXCLUDE_CIPHER_LIST));
}

/**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
Expand Down Expand Up @@ -250,6 +251,7 @@ public static class Builder {
private String authFilterConfigurationPrefix =
"hadoop.http.authentication.";
private String excludeCiphers;
private String includeCiphers;

private boolean xFrameEnabled;
private XFrameOption xFrameOption = XFrameOption.SAMEORIGIN;
Expand Down Expand Up @@ -377,6 +379,11 @@ public Builder excludeCiphers(String pExcludeCiphers) {
return this;
}

public Builder includeCiphers(String pIncludeCiphers) {
this.includeCiphers = pIncludeCiphers;
return this;
}

/**
* Adds the ability to control X_FRAME_OPTIONS on HttpServer2.
* @param enabled - True enables X_FRAME_OPTIONS false disables it.
Expand Down Expand Up @@ -448,6 +455,7 @@ private void loadSSLConfiguration() throws IOException {
trustStoreType = sslConf.get(SSLFactory.SSL_SERVER_TRUSTSTORE_TYPE,
SSLFactory.SSL_SERVER_TRUSTSTORE_TYPE_DEFAULT);
excludeCiphers = sslConf.get(SSLFactory.SSL_SERVER_EXCLUDE_CIPHER_LIST);
includeCiphers = sslConf.get(SSLFactory.SSL_SERVER_INCLUDE_CIPHER_LIST);
}

public Builder withoutDefaultApps() {
Expand Down Expand Up @@ -565,17 +573,42 @@ private ServerConnector createHttpsChannelConnector(
sslContextFactory.setTrustStorePassword(trustStorePassword);
}
}
if (null != excludeCiphers && !excludeCiphers.isEmpty()) {
if (excludeCiphers != null && !excludeCiphers.isEmpty()) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: unnecessary change

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I respectfully disagree, this is the only condition which uses the yoda style, I think this is a better way as it conforms with the rest of the surrounding code.

sslContextFactory.setExcludeCipherSuites(
StringUtils.getTrimmedStrings(excludeCiphers));
LOG.info("Excluded Cipher List: {}", excludeCiphers);
}

if (includeCiphers != null && !includeCiphers.isEmpty()) {
sslContextFactory.setIncludeCipherSuites(
StringUtils.getTrimmedStrings(includeCiphers));
LOG.info("Included Cipher List: {}", includeCiphers);
}

setEnabledProtocols(sslContextFactory);

conn.addFirstConnectionFactory(new SslConnectionFactory(sslContextFactory,
HttpVersion.HTTP_1_1.asString()));

return conn;
}

private void setEnabledProtocols(SslContextFactory sslContextFactory) {
String enabledProtocols = conf.get(OzoneConfigKeys.OZONE_SSL_ENABLED_PROTOCOLS,
conf.get(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT));
if (!enabledProtocols.equals(SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT)) {
List<String> originalExcludedProtocols = Arrays.asList(sslContextFactory.getExcludeProtocols());
String[] enabledProtocolsArray = StringUtils.getTrimmedStrings(enabledProtocols);

List<String> finalExcludedProtocols = new ArrayList<>(originalExcludedProtocols);
finalExcludedProtocols.removeAll(Arrays.asList(enabledProtocolsArray));

sslContextFactory.setExcludeProtocols(finalExcludedProtocols.toArray(new String[0]));
LOG.info("Disabled protocols: {}", finalExcludedProtocols);
sslContextFactory.setIncludeProtocols(enabledProtocolsArray);
LOG.info("Enabled protocols: {}", enabledProtocols);
}
}
}

private HttpServer2(final Builder b) throws IOException {
Expand Down
Loading
Loading