public static void provisionPasswordsToCredentialProvider() throws Exception { File testDir = new File(System.getProperty("test.build.data", "target/test-dir")); Configuration conf = new Configuration(); final Path jksPath = new Path(testDir.toString(), "test.jks"); final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri(); File file = new File(testDir, "test.jks"); file.delete(); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl); CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'}; // create new aliases try { provider.createCredentialEntry( FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY), storepass); provider.createCredentialEntry( FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY), keypass); // write out so that it can be found in checks provider.flush(); } catch (Exception e) { e.printStackTrace(); throw e; } }
@Test public void testCredentialProvider() throws Exception { // set up conf to have a cred provider final Configuration conf = new Configuration(); final File file = tempDir.newFile("test.jks"); final URI jks = ProviderUtils.nestURIForLocalJavaKeyStoreProvider( file.toURI()); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, jks.toString()); // add our creds to the provider final CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); provider.createCredentialEntry("fs.s3.awsSecretAccessKey", EXAMPLE_KEY.toCharArray()); provider.flush(); // make sure S3Creds can retrieve things. S3Credentials s3Credentials = new S3Credentials(); conf.set("fs.s3.awsAccessKeyId", EXAMPLE_ID); s3Credentials.initialize(new URI("s3://foobar"), conf); assertEquals("Could not retrieve proper access key", EXAMPLE_ID, s3Credentials.getAccessKey()); assertEquals("Could not retrieve proper secret", EXAMPLE_KEY, s3Credentials.getSecretAccessKey()); }
/** * Retrieves a password from a configured credential provider or prompts for the password and stores it in the * configured credential provider. * @param config application configuration * @param key the key/alias for the password. * @return the password. * @throws IOException */ private String getPassword(org.apache.commons.configuration.Configuration config, String key) throws IOException { String password; String provider = config.getString(CERT_STORES_CREDENTIAL_PROVIDER_PATH); if (provider != null) { LOG.info("Attempting to retrieve password from configured credential provider path"); Configuration c = new Configuration(); c.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, provider); CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(c).get(0); CredentialProvider.CredentialEntry entry = credentialProvider.getCredentialEntry(key); if (entry == null) { throw new IOException(String.format("No credential entry found for %s. " + "Please create an entry in the configured credential provider", key)); } else { password = String.valueOf(entry.getCredential()); } } else { throw new IOException("No credential provider path configured for storage of certificate store passwords"); } return password; }
private String getSystemPassword() { String password = ""; if (StringUtils.isEmpty(this.hadoopSecurityCredentialPath)) { password = this.systemPassword; } else { try { Configuration configuration = new Configuration(); configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, this.hadoopSecurityCredentialPath); CredentialProvider provider = CredentialProviderFactory.getProviders(configuration).get(0); CredentialProvider.CredentialEntry credEntry = provider.getCredentialEntry( KEYSTORE_PASS); if (credEntry != null) { password = new String(credEntry.getCredential()); } } catch (Exception e) { } } return password; }
private void checkForCredentials(Configuration conf, ConfTree tree) throws IOException { if (tree.credentials == null || tree.credentials.size()==0) { log.info("No credentials requested"); return; } for (Entry<String, List<String>> cred : tree.credentials.entrySet()) { String provider = cred.getKey(); List<String> aliases = cred.getValue(); if (aliases == null || aliases.size()==0) { continue; } Configuration c = new Configuration(conf); c.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, provider); CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(c).get(0); Set<String> existingAliases = new HashSet<String>(credentialProvider.getAliases()); for (String alias : aliases) { if (!existingAliases.contains(alias.toLowerCase(Locale.ENGLISH))) { throw new IOException("Specified credentials have not been " + "initialized in provider " + provider + ": " + alias); } } } }
@BeforeClass public static void setup() throws Exception { conf = new Configuration(false); final String ourUrl = UserProvider.SCHEME_NAME + ":///"; conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl); CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); provider.createCredentialEntry(ServerConfig. SENTRY_STORE_JDBC_PASS, passwd); provider.flush(); dataDir = new File(Files.createTempDir(), "sentry_policy_db"); conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true"); conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy"); conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups); conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING); policyFilePath = new File(dataDir, "local_policy_file.ini"); conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, policyFilePath.getPath()); sentryStore = new SentryStore(conf); }
/** * Fallback to clear text passwords in configuration. * @param name * @return clear text password or null */ protected char[] getPasswordFromConfig(String name) { char[] pass = null; if (getBoolean(CredentialProvider.CLEAR_TEXT_FALLBACK, true)) { String passStr = get(name); if (passStr != null) { pass = passStr.toCharArray(); } } return pass; }
@Test public void testConfGetPassword() throws Exception { File testDir = new File(System.getProperty("test.build.data", "target/test-dir")); Configuration conf = new Configuration(); final Path jksPath = new Path(testDir.toString(), "test.jks"); final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri(); File file = new File(testDir, "test.jks"); file.delete(); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl); CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); char[] bindpass = {'b', 'i', 'n', 'd', 'p', 'a', 's', 's'}; char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'}; // ensure that we get nulls when the key isn't there assertEquals(null, provider.getCredentialEntry( LdapGroupsMapping.BIND_PASSWORD_KEY)); assertEquals(null, provider.getCredentialEntry (LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY)); // create new aliases try { provider.createCredentialEntry( LdapGroupsMapping.BIND_PASSWORD_KEY, bindpass); provider.createCredentialEntry( LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, storepass); provider.flush(); } catch (Exception e) { e.printStackTrace(); throw e; } // make sure we get back the right key assertArrayEquals(bindpass, provider.getCredentialEntry( LdapGroupsMapping.BIND_PASSWORD_KEY).getCredential()); assertArrayEquals(storepass, provider.getCredentialEntry( LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY).getCredential()); LdapGroupsMapping mapping = new LdapGroupsMapping(); Assert.assertEquals("bindpass", mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, "")); Assert.assertEquals("storepass", mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, "")); // let's make sure that a password that doesn't exist returns an // empty string as currently expected and used to trigger a call to // extract password Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", "")); }
protected Configuration provisionCredentialsForSSL() throws IOException, Exception { File testDir = new File(System.getProperty("test.build.data", "target/test-dir")); Configuration conf = new Configuration(); final Path jksPath = new Path(testDir.toString(), "test.jks"); final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri(); File file = new File(testDir, "test.jks"); file.delete(); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl); CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'}; char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'}; // ensure that we get nulls when the key isn't there assertEquals(null, provider.getCredentialEntry( WebAppUtils.WEB_APP_KEY_PASSWORD_KEY)); assertEquals(null, provider.getCredentialEntry( WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY)); assertEquals(null, provider.getCredentialEntry( WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY)); // create new aliases try { provider.createCredentialEntry( WebAppUtils.WEB_APP_KEY_PASSWORD_KEY, keypass); provider.createCredentialEntry( WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY, storepass); provider.createCredentialEntry( WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY, trustpass); // write out so that it can be found in checks provider.flush(); } catch (Exception e) { e.printStackTrace(); throw e; } // make sure we get back the right key directly from api assertArrayEquals(keypass, provider.getCredentialEntry( WebAppUtils.WEB_APP_KEY_PASSWORD_KEY).getCredential()); assertArrayEquals(storepass, provider.getCredentialEntry( WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY).getCredential()); assertArrayEquals(trustpass, provider.getCredentialEntry( WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY).getCredential()); return conf; }
@Test public void testGetPassword() throws Exception { File testDir = new File(System.getProperty("test.build.data", "target/test-dir")); Configuration conf = new Configuration(); final Path jksPath = new Path(testDir.toString(), "test.jks"); final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri(); File file = new File(testDir, "test.jks"); file.delete(); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl); CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'}; char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'}; // ensure that we get nulls when the key isn't there assertEquals(null, provider.getCredentialEntry( DFS_SERVER_HTTPS_KEYPASSWORD_KEY)); assertEquals(null, provider.getCredentialEntry( DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY)); assertEquals(null, provider.getCredentialEntry( DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY)); // create new aliases try { provider.createCredentialEntry( DFS_SERVER_HTTPS_KEYPASSWORD_KEY, keypass); provider.createCredentialEntry( DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY, storepass); provider.createCredentialEntry( DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY, trustpass); // write out so that it can be found in checks provider.flush(); } catch (Exception e) { e.printStackTrace(); throw e; } // make sure we get back the right key directly from api assertArrayEquals(keypass, provider.getCredentialEntry( DFS_SERVER_HTTPS_KEYPASSWORD_KEY).getCredential()); assertArrayEquals(storepass, provider.getCredentialEntry( DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY).getCredential()); assertArrayEquals(trustpass, provider.getCredentialEntry( DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY).getCredential()); // use WebAppUtils as would be used by loadSslConfiguration Assert.assertEquals("keypass", DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYPASSWORD_KEY)); Assert.assertEquals("storepass", DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY)); Assert.assertEquals("trustpass", DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY)); // let's make sure that a password that doesn't exist returns null Assert.assertEquals(null, DFSUtil.getPassword(conf,"invalid-alias")); }
public static void main(String[] args) throws IOException { // prompt for the provider name CredentialProvider provider = getCredentialProvider(textDevice); if(provider != null) { char[] cred; for (String key : KEYS) { cred = getPassword(textDevice, key); // create a credential entry and store it boolean overwrite = true; if (provider.getCredentialEntry(key) != null) { String choice = textDevice.readLine("Entry for %s already exists. Overwrite? (y/n) [y]:", key); overwrite = StringUtils.isEmpty(choice) || choice.equalsIgnoreCase("y"); if (overwrite) { provider.deleteCredentialEntry(key); provider.flush(); provider.createCredentialEntry(key, cred); provider.flush(); textDevice.printf("Entry for %s was overwritten with the new value.\n", key); } else { textDevice.printf("Entry for %s was not overwritten.\n", key); } } else { provider.createCredentialEntry(key, cred); provider.flush(); } } } }
/**\ * Returns a credential provider for the entered JKS path. * @param textDevice the system console. * @return the Credential provider * @throws IOException */ private static CredentialProvider getCredentialProvider(TextDevice textDevice) throws IOException { String providerPath = textDevice.readLine("Please enter the full path to the credential provider:"); if (providerPath != null) { Configuration conf = new Configuration(false); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerPath); return CredentialProviderFactory.getProviders(conf).get(0); } return null; }
protected void setupCredentials() throws Exception { Configuration conf = new Configuration(false); File file = new File(jksPath.toUri().getPath()); file.delete(); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerUrl); CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); // create new aliases try { char[] storepass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry(KEYSTORE_PASSWORD_KEY, storepass); char[] trustpass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry(TRUSTSTORE_PASSWORD_KEY, trustpass); char[] trustpass2 = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry("ssl.client.truststore.password", trustpass2); char[] certpass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry(SERVER_CERT_PASSWORD_KEY, certpass); // write out so that it can be found in checks provider.flush(); } catch (Exception e) { e.printStackTrace(); throw e; } }
protected void setupCredentials() throws Exception { Configuration conf = new Configuration(false); File file = new File(jksPath.toUri().getPath()); file.delete(); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerUrl); CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); // create new aliases try { char[] storepass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry(SecurityProperties.KEYSTORE_PASSWORD_KEY, storepass); char[] trustpass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry(SecurityProperties.TRUSTSTORE_PASSWORD_KEY, trustpass); char[] trustpass2 = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry("ssl.client.truststore.password", trustpass2); char[] certpass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry(SecurityProperties.SERVER_CERT_PASSWORD_KEY, certpass); // write out so that it can be found in checks provider.flush(); } catch (Exception e) { e.printStackTrace(); throw e; } }
protected void setupCredentials() throws Exception { Configuration conf = new Configuration(false); File file = new File(jksPath.toUri().getPath()); file.delete(); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerUrl); CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); // create new aliases try { char[] storepass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry(KEYSTORE_PASSWORD_KEY, storepass); char[] trustpass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry(TRUSTSTORE_PASSWORD_KEY, trustpass); char[] certpass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; provider.createCredentialEntry(SERVER_CERT_PASSWORD_KEY, certpass); // write out so that it can be found in checks provider.flush(); } catch (Exception e) { e.printStackTrace(); throw e; } }
private String getPassword(Properties properties) throws IOException, InterpreterException { if (isNotEmpty(properties.getProperty(PASSWORD_KEY))) { return properties.getProperty(PASSWORD_KEY); } else if (isNotEmpty(properties.getProperty(JDBC_JCEKS_FILE)) && isNotEmpty(properties.getProperty(JDBC_JCEKS_CREDENTIAL_KEY))) { try { Configuration configuration = new Configuration(); configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, properties.getProperty(JDBC_JCEKS_FILE)); CredentialProvider provider = CredentialProviderFactory.getProviders(configuration).get(0); CredentialProvider.CredentialEntry credEntry = provider.getCredentialEntry(properties.getProperty(JDBC_JCEKS_CREDENTIAL_KEY)); if (credEntry != null) { return new String(credEntry.getCredential()); } else { throw new InterpreterException("Failed to retrieve password from JCEKS from key: " + properties.getProperty(JDBC_JCEKS_CREDENTIAL_KEY)); } } catch (Exception e) { logger.error("Failed to retrieve password from JCEKS \n" + "For file: " + properties.getProperty(JDBC_JCEKS_FILE) + "\nFor key: " + properties.getProperty(JDBC_JCEKS_CREDENTIAL_KEY), e); throw e; } } return null; }
public static void provisionPasswordsToCredentialProvider() throws Exception { File testDir = GenericTestUtils.getTestDir(); Configuration conf = new Configuration(); final Path jksPath = new Path(testDir.toString(), "test.jks"); final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri(); File file = new File(testDir, "test.jks"); file.delete(); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl); CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'}; char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'}; // create new aliases try { provider.createCredentialEntry( FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY), storepass); provider.createCredentialEntry( FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY), keypass); // write out so that it can be found in checks provider.flush(); } catch (Exception e) { e.printStackTrace(); throw e; } }
@Test public void testEnterValidValues() throws Exception { Path testPath = null; try { testPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks"); } catch (IOException e) { e.printStackTrace(); } new File(testPath.toUri().getPath()).delete(); final Path finalTestPath = testPath; CredentialProviderUtility.textDevice = new CredentialProviderUtility.TextDevice() { @Override public void printf(String fmt, Object... params) { System.out.print(String.format(fmt, params)); } public String readLine(String fmt, Object... args) { return JavaKeyStoreProvider.SCHEME_NAME + "://file/" + finalTestPath.toString(); } @Override public char[] readPassword(String fmt, Object... args) { return defaultPass; } }; CredentialProviderUtility.main(new String[]{}); String providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + testPath.toUri(); Configuration conf = new Configuration(false); conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerUrl); CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0); CredentialProvider.CredentialEntry entry = provider.getCredentialEntry(SecurityProperties.KEYSTORE_PASSWORD_KEY); assertCredentialEntryCorrect(entry); entry = provider.getCredentialEntry(SecurityProperties.TRUSTSTORE_PASSWORD_KEY); assertCredentialEntryCorrect(entry); entry = provider.getCredentialEntry(SecurityProperties.SERVER_CERT_PASSWORD_KEY); assertCredentialEntryCorrect(entry); }
protected void assertCredentialEntryCorrect(CredentialProvider.CredentialEntry entry) { assertCredentialEntryCorrect(entry, defaultPass); }
