HADOOP-11344. KMS kms-config.sh sets a default value for the keystore password even in non-ssl setup. Contributed by Arun Suresh.

Andrew Wang 2014-12-02 19:04:20 -08:00
parent 392c3aaea8
commit 3d48ad7eb4
3 changed files with 13 additions and 3 deletions


@ -487,6 +487,9 @@ Release 2.7.0 - UNRELEASED
HADOOP-11337. KeyAuthorizationKeyProvider access checks need to be done HADOOP-11337. KeyAuthorizationKeyProvider access checks need to be done
atomically. (Dian Fu via wang) atomically. (Dian Fu via wang)
HADOOP-11344. KMS kms-config.sh sets a default value for the keystore
password even in non-ssl setup. (Arun Suresh via wang)
Release 2.6.0 - 2014-11-18 Release 2.6.0 - 2014-11-18
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -150,9 +150,14 @@ else
print "Using KMS_SSL_KEYSTORE_FILE: ${KMS_SSL_KEYSTORE_FILE}" print "Using KMS_SSL_KEYSTORE_FILE: ${KMS_SSL_KEYSTORE_FILE}"
fi fi
# If KMS_SSL_KEYSTORE_PASS is explicitly set to ""
# then reset to "password". DO NOT set to "password" if
# variable is NOT defined.
if [ "${KMS_SSL_KEYSTORE_PASS}" = "" ]; then if [ "${KMS_SSL_KEYSTORE_PASS}" = "" ]; then
export KMS_SSL_KEYSTORE_PASS=password if [ -n "${KMS_SSL_KEYSTORE_PASS+1}" ]; then
print "Setting KMS_SSL_KEYSTORE_PASS: ********" export KMS_SSL_KEYSTORE_PASS=password
print "Setting KMS_SSL_KEYSTORE_PASS: ********"
fi
else else
KMS_SSL_KEYSTORE_PASS_DISP=`echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'` KMS_SSL_KEYSTORE_PASS_DISP=`echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`
print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS_DISP}" print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS_DISP}"
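Review bot: The nested `if [ -n "${KMS_SSL_KEYSTORE_PASS+1}" ]` branch still exports the well-known literal `password` as the keystore password when the variable is set but empty, and the log line `Setting KMS_SSL_KEYSTORE_PASS: ********` gives the operator no hint that a built-in default is in use. For a key management service that case should be visible, for example `print "WARNING: KMS_SSL_KEYSTORE_PASS is empty, using the built-in default keystore password"`, or the script should refuse to continue with SSL configured. Separately, the `else` branch masks the value with `sed 's/./*/g'`, which prints one asterisk per character and so discloses the password length in the startup log; printing a fixed `********`, as the default branch does, avoids that. The `fi` closing the outer `if` lies outside the hunk.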


@ -54,7 +54,7 @@ catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}
print "Adding to CATALINA_OPTS: ${catalina_opts}" print "Adding to CATALINA_OPTS: ${catalina_opts}"
print "Found KMS_SSL_KEYSTORE_PASS: `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`" print "Found KMS_SSL_KEYSTORE_PASS: `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`"
export CATALINA_OPTS="${CATALINA_OPTS_DISP} ${catalina_opts}" export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
# A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server # A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
# #
@ -64,6 +64,8 @@ fi
# If ssl, the populate the passwords into ssl-server.xml before starting tomcat # If ssl, the populate the passwords into ssl-server.xml before starting tomcat
if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "" ]; then if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "" ]; then
# Set a KEYSTORE_PASS if not already set
KMS_SSL_KEYSTORE_PASS=${KMS_SSL_KEYSTORE_PASS:-password}
cat ${CATALINA_BASE}/conf/ssl-server.xml.conf \ cat ${CATALINA_BASE}/conf/ssl-server.xml.conf \
| sed 's/_kms_ssl_keystore_pass_/'${KMS_SSL_KEYSTORE_PASS}'/g' \ | sed 's/_kms_ssl_keystore_pass_/'${KMS_SSL_KEYSTORE_PASS}'/g' \
| sed 's/_kms_ssl_truststore_pass_/'${KMS_SSL_TRUSTSTORE_PASS}'/g' > ${CATALINA_BASE}/conf/ssl-server.xml | sed 's/_kms_ssl_truststore_pass_/'${KMS_SSL_TRUSTSTORE_PASS}'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
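Review bot: The `sed 's/_kms_ssl_keystore_pass_/'${KMS_SSL_KEYSTORE_PASS}'/g'` line just below the added default splices the password, unquoted, into the sed program, and the truststore line does the same. A password containing `/`, `&`, `\` or whitespace therefore either makes sed fail or writes a different value into ssl-server.xml than the keystore expects. Escaping the value first and quoting the expression would fix this: `ks_esc=$(printf '%s\n' "${KMS_SSL_KEYSTORE_PASS}" | sed 's/[\/&]/\\&/g')` followed by `sed "s/_kms_ssl_keystore_pass_/${ks_esc}/g"`, and likewise for the truststore value. The generated ssl-server.xml also holds both passwords in clear text and appears to be created with whatever umask is in effect, so a `umask 077` before the redirect (or a `chmod 600` after it) looks worth adding. The `if` block continues past the end of the hunk.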