
Example 11 with SSLContext

use of javax.net.ssl.SSLContext in project flink by apache.

the class SSLUtilsTest method testCreateSSLClientContextWithSSLDisabled.

/**
 * Verifies that no client SSL context is produced when SSL is switched off
 * in the configuration: {@code createSSLClientContext} must return null.
 */
@Test
public void testCreateSSLClientContextWithSSLDisabled() throws Exception {
    final Configuration sslDisabledConfig = new Configuration();
    sslDisabledConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED, false);

    Assert.assertNull(SSLUtils.createSSLClientContext(sslDisabledConfig));
}

Example 12 with SSLContext

use of javax.net.ssl.SSLContext in project flink by apache.

the class SSLUtilsTest method testCreateSSLClientContext.

/**
 * Verifies that a client SSL context is produced from a valid SSL configuration:
 * SSL enabled, a readable truststore under the test resources and its correct password.
 */
@Test
public void testCreateSSLClientContext() throws Exception {
    final Configuration sslConfig = new Configuration();
    sslConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED, true);
    sslConfig.setString(ConfigConstants.SECURITY_SSL_TRUSTSTORE, "src/test/resources/local127.truststore");
    sslConfig.setString(ConfigConstants.SECURITY_SSL_TRUSTSTORE_PASSWORD, "password");

    final SSLContext context = SSLUtils.createSSLClientContext(sslConfig);
    Assert.assertNotNull(context);
}

Example 13 with SSLContext

use of javax.net.ssl.SSLContext in project flink by apache.

the class SSLUtilsTest method testCreateSSLClientContextMisconfiguration.

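/**
 * Verifies that client SSL context creation fails when the truststore password is wrong.
 *
 * <p>The expected outcome is an exception from {@code createSSLClientContext}; reaching
 * {@code Assert.fail} means a context was built from trust material that could not be
 * opened with the configured password.
 */
@Test
public void testCreateSSLClientContextMisconfiguration() {
    Configuration clientConfig = new Configuration();
    clientConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED, true);
    clientConfig.setString(ConfigConstants.SECURITY_SSL_TRUSTSTORE, "src/test/resources/local127.truststore");
    clientConfig.setString(ConfigConstants.SECURITY_SSL_TRUSTSTORE_PASSWORD, "badpassword");
    try {
        // The returned context is irrelevant here; only the absence of an exception is a failure
        SSLUtils.createSSLClientContext(clientConfig);
        Assert.fail("SSL client context created even with bad SSL configuration ");
    } catch (Exception ignored) {
        // Expected: the truststore cannot be loaded with the wrong password.
        // Assert.fail throws an AssertionError (an Error, not an Exception), so it is not masked here.
    }
}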

Example 14 with SSLContext

use of javax.net.ssl.SSLContext in project flink by apache.

the class SSLUtils method createSSLServerContext.

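/**
 * Creates the SSL Context for the server if SSL is configured.
 *
 * <p>The context is initialized from the server keystore only: {@code SSLContext.init} is
 * called with the key managers derived from that keystore, no explicit trust managers and
 * no explicit {@code SecureRandom}, so the JSSE defaults apply to both. The protocol name
 * comes from {@code ConfigConstants.SECURITY_SSL_PROTOCOL}, falling back to
 * {@code ConfigConstants.DEFAULT_SECURITY_SSL_PROTOCOL}.
 *
 * @param sslConfig
 *        The application configuration
 * @return The SSLContext object which can be used by the ssl transport server
 *         Returns null if SSL is disabled
 * @throws Exception
 *         Thrown if there is any misconfiguration: a missing keystore path, keystore
 *         password or key password (reported as a NullPointerException naming the missing
 *         option), an unreadable keystore, a wrong password or an unsupported protocol name
 */
public static SSLContext createSSLServerContext(Configuration sslConfig) throws Exception {
    Preconditions.checkNotNull(sslConfig);
    if (!getSSLEnabled(sslConfig)) {
        return null;
    }
    LOG.debug("Creating server SSL context from configuration");

    // Fail early with the name of the missing option instead of an NPE from new File(null)
    // or String.toCharArray(); the messages deliberately contain option names only, never values
    String keystoreFilePath = Preconditions.checkNotNull(
        sslConfig.getString(ConfigConstants.SECURITY_SSL_KEYSTORE, null),
        "SSL is enabled but " + ConfigConstants.SECURITY_SSL_KEYSTORE + " is not set");
    String keystorePassword = Preconditions.checkNotNull(
        sslConfig.getString(ConfigConstants.SECURITY_SSL_KEYSTORE_PASSWORD, null),
        "SSL is enabled but " + ConfigConstants.SECURITY_SSL_KEYSTORE_PASSWORD + " is not set");
    String certPassword = Preconditions.checkNotNull(
        sslConfig.getString(ConfigConstants.SECURITY_SSL_KEY_PASSWORD, null),
        "SSL is enabled but " + ConfigConstants.SECURITY_SSL_KEY_PASSWORD + " is not set");
    String sslProtocolVersion = sslConfig.getString(ConfigConstants.SECURITY_SSL_PROTOCOL, ConfigConstants.DEFAULT_SECURITY_SSL_PROTOCOL);

    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    FileInputStream keyStoreFile = null;
    try {
        keyStoreFile = new FileInputStream(new File(keystoreFilePath));
        ks.load(keyStoreFile, keystorePassword.toCharArray());
    } finally {
        if (keyStoreFile != null) {
            keyStoreFile.close();
        }
    }

    // Set up key manager factory to use the server key store; the key (certificate) password
    // is configured separately from the keystore password
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, certPassword.toCharArray());

    // Initialize the SSLContext; null trust managers and null SecureRandom select the JSSE defaults
    SSLContext serverSSLContext = SSLContext.getInstance(sslProtocolVersion);
    serverSSLContext.init(kmf.getKeyManagers(), null, null);
    return serverSSLContext;
}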

Example 15 with SSLContext

use of javax.net.ssl.SSLContext in project hive by apache.

the class HiveConnection method getHttpClient.

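/**
 * Builds the Apache HttpClient used by the HTTP transport to HiveServer2.
 *
 * <p>The client is assembled from the session configuration ({@code sessConfMap}):
 * <ul>
 *   <li>an authentication request interceptor (Kerberos, delegation token or
 *       username/password), chosen by {@link #httpAuthInterceptor};</li>
 *   <li>optional cookie based authentication with a single, immediate retry when the
 *       server answers HTTP 401;</li>
 *   <li>an interceptor adding the XSRF header;</li>
 *   <li>when {@code useSsl} is true, an https-only connection manager set up by
 *       {@link #configureHttpSsl}.</li>
 * </ul>
 *
 * @param useSsl whether the server is reached over https; must not be null, the value is
 *               unboxed below and a null fails with a NullPointerException
 * @return a built client that has not been used yet; the caller owns and closes it
 * @throws SQLException with SQLSTATE 08S01 if the https layer cannot be set up
 */
private CloseableHttpClient getHttpClient(Boolean useSsl) throws SQLException {
    String cookieAuth = sessConfMap.get(JdbcConnectionParams.COOKIE_AUTH);
    boolean isCookieEnabled = cookieAuth == null || !JdbcConnectionParams.COOKIE_AUTH_FALSE.equalsIgnoreCase(cookieAuth);
    String configuredCookieName = sessConfMap.get(JdbcConnectionParams.COOKIE_NAME);
    String cookieName = configuredCookieName == null ? JdbcConnectionParams.DEFAULT_COOKIE_NAMES_HS2 : configuredCookieName;
    // A null cookie store is how the interceptors learn that cookie handling is disabled
    CookieStore cookieStore = isCookieEnabled ? new BasicCookieStore() : null;

    Map<String, String> additionalHttpHeaders = httpHeadersFromSessionConf();
    HttpRequestInterceptor requestInterceptor = httpAuthInterceptor(useSsl, cookieStore, cookieName, additionalHttpHeaders);

    HttpClientBuilder httpClientBuilder = isCookieEnabled ? cookieRetryingHttpClientBuilder() : HttpClientBuilder.create();
    // Authentication has to run before any other request interceptor
    httpClientBuilder.addInterceptorFirst(requestInterceptor);
    httpClientBuilder.addInterceptorLast(new XsrfHttpRequestInterceptor());

    if (useSsl) {
        configureHttpSsl(httpClientBuilder);
    }
    return httpClientBuilder.build();
}

/**
 * Collects the additional HTTP headers from the session configuration: every entry whose key
 * starts with {@code JdbcConnectionParams.HTTP_HEADER_PREFIX}, keyed by the name after the prefix.
 *
 * @return a mutable map of header name to header value, empty when none is configured
 */
private Map<String, String> httpHeadersFromSessionConf() {
    Map<String, String> headers = new HashMap<>();
    for (Map.Entry<String, String> entry : sessConfMap.entrySet()) {
        String key = entry.getKey();
        if (key.startsWith(JdbcConnectionParams.HTTP_HEADER_PREFIX)) {
            headers.put(key.substring(JdbcConnectionParams.HTTP_HEADER_PREFIX.length()), entry.getValue());
        }
    }
    return headers;
}

/**
 * Chooses the request interceptor that authenticates every request: Kerberos when the
 * connection is in Kerberos auth mode, otherwise a delegation token when one is available,
 * otherwise username/password.
 *
 * <p>All three put their credential material into request headers; it is only protected from
 * eavesdropping when the transport is https.
 *
 * @param useSsl whether the server is reached over https
 * @param cookieStore the shared cookie store, or null when cookie auth is disabled
 * @param cookieName name of the authentication cookie
 * @param additionalHttpHeaders extra headers the interceptor adds to every request
 * @return the interceptor to register first on the client builder
 * @throws SQLException if the delegation token cannot be obtained
 */
private HttpRequestInterceptor httpAuthInterceptor(Boolean useSsl, CookieStore cookieStore, String cookieName, Map<String, String> additionalHttpHeaders) throws SQLException {
    if (isKerberosAuthMode()) {
        // Performs the Kerberos negotiation and sends the resulting service ticket in a header
        // before every request
        return new HttpKerberosRequestInterceptor(sessConfMap.get(JdbcConnectionParams.AUTH_PRINCIPAL), host, getServerHttpUrl(useSsl), assumeSubject, cookieStore, cookieName, useSsl, additionalHttpHeaders);
    }
    // A delegation token, if present, takes precedence over username/password
    String tokenStr = getClientDelegationToken(sessConfMap);
    if (tokenStr != null) {
        return new HttpTokenAuthInterceptor(tokenStr, cookieStore, cookieName, useSsl, additionalHttpHeaders);
    }
    return new HttpBasicAuthInterceptor(getUserName(), getPassword(), cookieStore, cookieName, useSsl, additionalHttpHeaders);
}

/**
 * Creates a client builder for cookie based authentication: a request that the server rejects
 * with HTTP 401 is retried exactly once, immediately, and the retry is flagged in the
 * {@code HttpContext} under {@code Utils.HIVE_SERVER2_RETRY_KEY}.
 *
 * @return a builder with the 401 retry strategy installed
 */
private static HttpClientBuilder cookieRetryingHttpClientBuilder() {
    return HttpClients.custom().setServiceUnavailableRetryStrategy(new ServiceUnavailableRetryStrategy() {

        @Override
        public boolean retryRequest(final HttpResponse response, final int executionCount, final HttpContext context) {
            int statusCode = response.getStatusLine().getStatusCode();
            // One retry only, and only for an authentication failure
            boolean retry = statusCode == 401 && executionCount <= 1;
            if (retry) {
                // Read by the request interceptors; presumably makes them re-authenticate instead
                // of re-sending the rejected cookie - confirm against the interceptor implementations
                context.setAttribute(Utils.HIVE_SERVER2_RETRY_KEY, Utils.HIVE_SERVER2_RETRY_TRUE);
            }
            return retry;
        }

        @Override
        public long getRetryInterval() {
            // Immediate retry
            return 0;
        }
    });
}

/**
 * Installs an https-only connection manager on the builder.
 *
 * <p>Trust material is chosen in this order: two-way SSL via {@link #getTwoWaySSLSocketFactory}
 * when {@code JdbcConnectionParams.USE_TWO_WAY_SSL} is true; the standard JSSE trust material
 * when no trust store path is configured; otherwise the trust store at the configured path
 * (type {@code JdbcConnectionParams.SSL_TRUST_STORE_TYPE}) with hostname verification by
 * {@link DefaultHostnameVerifier}. A configured trust store path requires the trust store
 * password to be configured as well.
 *
 * @param httpClientBuilder the builder to configure
 * @throws SQLException with SQLSTATE 08S01 for any failure while loading trust material or
 *         building the socket factory; the original exception is kept as the cause
 */
private void configureHttpSsl(HttpClientBuilder httpClientBuilder) throws SQLException {
    String useTwoWaySSL = sessConfMap.get(JdbcConnectionParams.USE_TWO_WAY_SSL);
    String sslTrustStorePath = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
    String sslTrustStorePassword = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
    // The code within the try block throws: SSLInitializationException, KeyStoreException,
    // IOException, NoSuchAlgorithmException, CertificateException, KeyManagementException &
    // UnrecoverableKeyException. We don't want the client to retry on any of these,
    // hence we catch all and throw a SQLException.
    try {
        SSLConnectionSocketFactory socketFactory;
        if (useTwoWaySSL != null && useTwoWaySSL.equalsIgnoreCase(JdbcConnectionParams.TRUE)) {
            socketFactory = getTwoWaySSLSocketFactory();
        } else if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
            // Create a default socket factory based on standard JSSE trust material
            socketFactory = SSLConnectionSocketFactory.getSocketFactory();
        } else {
            if (sslTrustStorePassword == null) {
                // Name the missing parameter instead of failing with an NPE from toCharArray()
                throw new IllegalArgumentException(JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD + " must be set when " + JdbcConnectionParams.SSL_TRUST_STORE + " is set");
            }
            // Pick trust store config from the given path
            KeyStore sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
            try (FileInputStream fis = new FileInputStream(sslTrustStorePath)) {
                sslTrustStore.load(fis, sslTrustStorePassword.toCharArray());
            }
            SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(sslTrustStore, null).build();
            socketFactory = new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier(null));
        }
        // The registry knows the https scheme only, so this client cannot fall back to plain http
        final Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create().register("https", socketFactory).build();
        httpClientBuilder.setConnectionManager(new BasicHttpClientConnectionManager(registry));
    } catch (Exception e) {
        String msg = "Could not create an https connection to " + jdbcUriString + ". " + e.getMessage();
        // 08S01 is the five-character SQLSTATE for "communication link failure"; the previous
        // value carried a leading space, which is not a valid SQLSTATE
        throw new SQLException(msg, "08S01", e);
    }
}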
