From 3d48ad7eb424206dd1528179b35de4cdf51afdf3 Mon Sep 17 00:00:00 2001 From: Andrew Wang Date: Tue, 2 Dec 2014 19:04:20 -0800 Subject: [PATCH] HADOOP-11344. KMS kms-config.sh sets a default value for the keystore password even in non-ssl setup. Contributed by Arun Suresh. --- hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../hadoop-kms/src/main/libexec/kms-config.sh | 9 +++++++-- hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh | 4 +++- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 5e4caa0da9..10c6d76319 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -487,6 +487,9 @@ Release 2.7.0 - UNRELEASED HADOOP-11337. KeyAuthorizationKeyProvider access checks need to be done atomically. (Dian Fu via wang) + HADOOP-11344. KMS kms-config.sh sets a default value for the keystore + password even in non-ssl setup. (Arun Suresh via wang) + Release 2.6.0 - 2014-11-18 INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh index d36ab4d94f..3ac929a2fc 100644 --- a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh +++ b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh 
@@ -150,9 +150,14 @@ else
 print "Using KMS_SSL_KEYSTORE_FILE: ${KMS_SSL_KEYSTORE_FILE}"
 fi
 
+# If KMS_SSL_KEYSTORE_PASS is explicitly set to ""
+# then reset to "password". DO NOT set to "password" if
+# variable is NOT defined.
 if [ "${KMS_SSL_KEYSTORE_PASS}" = "" ]; then
- export KMS_SSL_KEYSTORE_PASS=password
- print "Setting KMS_SSL_KEYSTORE_PASS: ********"
+ if [ -n "${KMS_SSL_KEYSTORE_PASS+1}" ]; then
+ export KMS_SSL_KEYSTORE_PASS=password
+ print "Setting KMS_SSL_KEYSTORE_PASS: ********"
+ fi
 else
 KMS_SSL_KEYSTORE_PASS_DISP=`echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`
 print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS_DISP}"
diff --git a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
index 1e40e10ef8..24a1f54f96 100644
--- a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
@@ -54,7 +54,7 @@ catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}
 print "Adding to CATALINA_OPTS: ${catalina_opts}"
 print "Found KMS_SSL_KEYSTORE_PASS: `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`"
 
-export CATALINA_OPTS="${CATALINA_OPTS_DISP} ${catalina_opts}"
+export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
 
 # A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
 #
@@ -64,6 +64,8 @@ fi
 # If ssl, the populate the passwords into ssl-server.xml before starting tomcat
 if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "" ]; then
+ # Set a KEYSTORE_PASS if not already set
+ KMS_SSL_KEYSTORE_PASS=${KMS_SSL_KEYSTORE_PASS:-password}
 cat ${CATALINA_BASE}/conf/ssl-server.xml.conf \
 | sed 's/_kms_ssl_keystore_pass_/'${KMS_SSL_KEYSTORE_PASS}'/g' \
 | sed 's/_kms_ssl_truststore_pass_/'${KMS_SSL_TRUSTSTORE_PASS}'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
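Review bot: The inner `[ -n "${KMS_SSL_KEYSTORE_PASS+1}" ]` branch still silently substitutes the well-known default `password` for an explicitly empty keystore password, and the masked `print "Setting KMS_SSL_KEYSTORE_PASS: ********"` gives the operator no hint that a public default rather than a configured secret is now protecting the keystore. I would make that line an explicit warning, e.g. `print "WARNING: KMS_SSL_KEYSTORE_PASS is empty; using the default keystore password"`, so it stands out in the startup log. The new comment's promise ("DO NOT set to "password" if variable is NOT defined") only holds inside kms-config.sh: the kms.sh hunk in this same patch re-applies `${KMS_SSL_KEYSTORE_PASS:-password}` whenever KMS_SSL_TRUSTSTORE_PASS is non-empty, so an undefined keystore password can still become `password` at startup, and the comment should say that the default is only deferred, not removed. Separately, the else branch's `echo ${KMS_SSL_KEYSTORE_PASS}` is unquoted, so a password containing whitespace or glob characters is word-split and glob-expanded before masking; quoting it as `echo "${KMS_SSL_KEYSTORE_PASS}"` keeps the masked output honest, though that line is context rather than part of this change.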