HADOOP-11300. KMS startup scripts must not display the keystore / truststore passwords. Contributed by Arun Suresh.
This commit is contained in:
parent
78f7cdbfd6
commit
56f3eecc12
@ -465,6 +465,9 @@ Release 2.7.0 - UNRELEASED
|
||||
HADOOP-11322. key based ACL check in KMS always check KeyOpType.MANAGEMENT
|
||||
even actual KeyOpType is not MANAGEMENT. (Dian Fu via yliu)
|
||||
|
||||
HADOOP-11300. KMS startup scripts must not display the keystore /
|
||||
truststore passwords. (Arun Suresh via wang)
|
||||
|
||||
Release 2.6.0 - 2014-11-18
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
@ -397,8 +397,8 @@
|
||||
<delete file="${kms.tomcat.dist.dir}/conf/server.xml"/>
|
||||
<copy file="${basedir}/src/main/tomcat/server.xml"
|
||||
toDir="${kms.tomcat.dist.dir}/conf"/>
|
||||
<delete file="${kms.tomcat.dist.dir}/conf/ssl-server.xml"/>
|
||||
<copy file="${basedir}/src/main/tomcat/ssl-server.xml"
|
||||
<delete file="${kms.tomcat.dist.dir}/conf/ssl-server.xml.conf"/>
|
||||
<copy file="${basedir}/src/main/tomcat/ssl-server.xml.conf"
|
||||
toDir="${kms.tomcat.dist.dir}/conf"/>
|
||||
<delete
|
||||
file="${kms.tomcat.dist.dir}/conf/logging.properties"/>
|
||||
|
@ -152,9 +152,10 @@ fi
|
||||
|
||||
if [ "${KMS_SSL_KEYSTORE_PASS}" = "" ]; then
|
||||
export KMS_SSL_KEYSTORE_PASS=password
|
||||
print "Setting KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}"
|
||||
print "Setting KMS_SSL_KEYSTORE_PASS: ********"
|
||||
else
|
||||
print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}"
|
||||
KMS_SSL_KEYSTORE_PASS_DISP=`echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`
|
||||
print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS_DISP}"
|
||||
fi
|
||||
|
||||
if [ "${CATALINA_BASE}" = "" ]; then
|
||||
|
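Review bot: The mask built at line 92 (`sed 's/./*/g'`) prints one `*` per character, so the startup log still reveals the keystore password's length, while the default branch at line 83 already uses a fixed `********`; use the constant mask here too and drop the `_DISP` variable: `print "Using KMS_SSL_KEYSTORE_PASS: ********"`. The same per-character mask reappears at line 164 in kms.sh. The `echo ${KMS_SSL_KEYSTORE_PASS}` on line 92 is also unquoted, so a value containing whitespace or glob characters is word-split and globbed before it reaches sed, and a value beginning with `-n` or `-e` would be consumed as an echo option.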
@ -36,7 +36,11 @@ source ${HADOOP_LIBEXEC_DIR:-${BASEDIR}/libexec}/kms-config.sh
|
||||
# The Java System property 'kms.http.port' it is not used by Kms,
|
||||
# it is used in Tomcat's server.xml configuration file
|
||||
#
|
||||
print "Using CATALINA_OPTS: ${CATALINA_OPTS}"
|
||||
|
||||
# Mask the trustStorePassword
|
||||
KMS_SSL_TRUSTSTORE_PASS=`echo $CATALINA_OPTS | grep -o 'trustStorePassword=[^ ]*' | awk -F'=' '{print $2}'`
|
||||
CATALINA_OPTS_DISP=`echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/trustStorePassword=***/'`
|
||||
print "Using CATALINA_OPTS: ${CATALINA_OPTS_DISP}"
|
||||
|
||||
catalina_opts="-Dkms.home.dir=${KMS_HOME}";
|
||||
catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}";
|
||||
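Review bot: The extraction at line 127 splits on `=` and keeps only field 2, so a truststore password that itself contains `=` is silently truncated to its prefix; stripping the key instead preserves the whole value: `KMS_SSL_TRUSTSTORE_PASS=$(printf '%s\n' "${CATALINA_OPTS}" | grep -o 'trustStorePassword=[^ ]*' | sed 's/^trustStorePassword=//')`. Both `echo $CATALINA_OPTS` at line 127 and `echo ${CATALINA_OPTS}` at line 130 are unquoted, so the options string is re-split and glob-expanded before it is scanned. The `[^ ]*` pattern additionally cuts a value at the first space, which is presumably acceptable for a `-D` option but deserves a comment next to the grep.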
@ -46,11 +50,11 @@ catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}";
|
||||
catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}";
|
||||
catalina_opts="${catalina_opts} -Dkms.max.threads=${KMS_MAX_THREADS}";
|
||||
catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}";
|
||||
catalina_opts="${catalina_opts} -Dkms.ssl.keystore.pass=${KMS_SSL_KEYSTORE_PASS}";
|
||||
|
||||
print "Adding to CATALINA_OPTS: ${catalina_opts}"
|
||||
print "Found KMS_SSL_KEYSTORE_PASS: `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`"
|
||||
|
||||
export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
|
||||
export CATALINA_OPTS="${CATALINA_OPTS_DISP} ${catalina_opts}"
|
||||
|
||||
# A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
|
||||
#
|
||||
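Review bot: The `export CATALINA_OPTS="${CATALINA_OPTS_DISP} ${catalina_opts}"` at line 172 hands the JVM the display string, so the option that carried `trustStorePassword=` now carries the literal value `***` at runtime instead of being removed; if anything in the process reads that property (the connector takes its truststore password from ssl-server.xml via the substitution below, but other code may not), it will see `***`. Consider stripping the option rather than masking it in the `CATALINA_OPTS_DISP` sed at line 130, or at minimum add a comment above line 172: `# CATALINA_OPTS_DISP intentionally carries trustStorePassword=***: the real value is written into ssl-server.xml below instead of being passed on the JVM command line`.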
@ -58,4 +62,11 @@ if [ "${1}" = "stop" ]; then
|
||||
export JAVA_OPTS=${CATALINA_OPTS}
|
||||
fi
|
||||
|
||||
# If ssl, the populate the passwords into ssl-server.xml before starting tomcat
|
||||
if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "" ]; then
|
||||
cat ${CATALINA_BASE}/conf/ssl-server.xml.conf \
|
||||
| sed 's/_kms_ssl_keystore_pass_/'${KMS_SSL_KEYSTORE_PASS}'/g' \
|
||||
| sed 's/_kms_ssl_truststore_pass_/'${KMS_SSL_TRUSTSTORE_PASS}'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
|
||||
fi
|
||||
|
||||
exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@"
|
||||
|
@ -71,8 +71,9 @@
|
||||
<Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
|
||||
maxThreads="${kms.max.threads}" scheme="https" secure="true"
|
||||
clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello"
|
||||
truststorePass="_kms_ssl_truststore_pass_"
|
||||
keystoreFile="${kms.ssl.keystore.file}"
|
||||
keystorePass="${kms.ssl.keystore.pass}"/>
|
||||
keystorePass="_kms_ssl_keystore_pass_"/>
|
||||
|
||||
<!-- Define an AJP 1.3 Connector on port 8009 -->
|
||||
|
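Review bot: The `_kms_ssl_truststore_pass_` and `_kms_ssl_keystore_pass_` placeholders at lines 230 and 239 are replaced textually by kms.sh with no XML escaping, so a password containing `"`, `&` or `<` yields an unparseable server.xml at startup; the constraint should be stated in the template, e.g. `<!-- placeholders are replaced verbatim by kms.sh at startup; values containing ", & or < are not escaped -->`. When only the keystore password is configured, the substitution in kms.sh writes `truststorePass=""`; confirm that an empty attribute is acceptable to the connector.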