ATLAS-3481 - Fix for trustore.password for Kafka in SSL

Change-Id: I9908e250afa98d7469e7f4b629e9cfab5923aff3 Signed-off-by: Sarath Subramanian <sarath@apache.org>

ATLAS-3481 - Fix for trustore.password for Kafka in SSL
85a5eeba · nixonrodrigues · Sarath Subramanian · e0afb12d · 85a5eeba · 85a5eeba
Commit 85a5eeba authored 5 years ago by nixonrodrigues Committed by Sarath Subramanian 5 years ago
3 changed files
--- a/intg/src/main/java/org/apache/atlas/security/SecurityUtil.java
+++ b/intg/src/main/java/org/apache/atlas/security/SecurityUtil.java
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.security;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.alias.CredentialProvider;
+import org.apache.hadoop.security.alias.CredentialProviderFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import java.io.IOException;
+import static org.apache.atlas.security.SecurityProperties.CERT_STORES_CREDENTIAL_PROVIDER_PATH;
+public class SecurityUtil {
+    public static final Logger LOG = LoggerFactory.getLogger(SecurityUtil.class);
+    /**
+     * Retrieves a password from a configured credential provider or prompts for the password and stores it in the
+     * configured credential provider.
+     * @param config application configuration
+     * @param key the key/alias for the password.
+     * @return the password.
+     * @throws IOException
+     */
+    public static String getPassword(org.apache.commons.configuration.Configuration config, String key) throws IOException {
+        String password;
+        String provider = config.getString(CERT_STORES_CREDENTIAL_PROVIDER_PATH);
+        if (provider != null) {
+            LOG.info("Attempting to retrieve password for key {} from configured credential provider path {}", key, provider);
+            Configuration c = new Configuration();
+            c.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, provider);
+            CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(c).get(0);
+            CredentialProvider.CredentialEntry entry = credentialProvider.getCredentialEntry(key);
+            if (entry == null) {
+                throw new IOException(String.format("No credential entry found for %s. "
+                        + "Please create an entry in the configured credential provider", key));
+            } else {
+                password = String.valueOf(entry.getCredential());
+            }
+        } else {
+            throw new IOException("No credential provider path configured for storage of certificate store passwords");
+        }
+        return password;
+    }
+}
--- a/notification/src/main/java/org/apache/atlas/kafka/KafkaNotification.java
+++ b/notification/src/main/java/org/apache/atlas/kafka/KafkaNotification.java
@@ -28,6 +28,8 @@ import org.apache.atlas.service.Service;
 import org.apache.commons.configuration.Configuration;
 import org.apache.commons.configuration.ConfigurationConverter;
 import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.security.alias.CredentialProvider;
+import org.apache.hadoop.security.alias.CredentialProviderFactory;
 import org.apache.kafka.clients.consumer.ConsumerConfig;
 import org.apache.kafka.clients.producer.KafkaProducer;
 import org.apache.kafka.clients.producer.Producer;
@@ -41,9 +43,14 @@ import org.springframework.core.annotation.Order;
 import org.springframework.stereotype.Component;
 import javax.inject.Inject;
+import java.io.IOException;
 import java.util.*;
 import java.util.concurrent.Future;
+import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_KEY;
+import static org.apache.atlas.security.SecurityProperties.TLS_ENABLED;
+import static org.apache.atlas.security.SecurityUtil.getPassword;
 /**
 * Kafka specific access point to the Atlas notification framework.
 */
@@ -116,6 +123,14 @@ public class KafkaNotification extends AbstractNotification implements Service {
        properties.put("enable.auto.commit", kafkaConf.getBoolean("enable.auto.commit", oldApiCommitEnableFlag));
        properties.put("session.timeout.ms", kafkaConf.getString("session.timeout.ms", "30000"));
+        if(applicationProperties.getBoolean(TLS_ENABLED, false)) {
+            try {
+                properties.put("ssl.truststore.password", getPassword(applicationProperties, TRUSTSTORE_PASSWORD_KEY));
+            } catch (Exception e) {
+                LOG.error("Exception while getpassword truststore.password ", e);
+            }
+        }
        // if no value is specified for max.poll.records, set to 1
        properties.put("max.poll.records", kafkaConf.getInt("max.poll.records", 1));

--- a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java
+++ b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java
@@ -21,6 +21,7 @@ package org.apache.atlas.web.service;
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.AtlasConfiguration;
 import org.apache.atlas.AtlasException;
+import org.apache.atlas.security.SecurityUtil;
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.alias.CredentialProvider;
@@ -68,6 +69,7 @@ import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_FILE_KEY;
 import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_KEY;
 import static org.apache.atlas.security.SecurityProperties.ATLAS_SSL_EXCLUDE_PROTOCOLS;
 import static org.apache.atlas.security.SecurityProperties.DEFAULT_EXCLUDE_PROTOCOLS;
+import static org.apache.atlas.security.SecurityUtil.getPassword;
 /**
@@ -142,38 +144,7 @@ public class SecureEmbeddedServer extends EmbeddedServer {
        return sslConnector;
    }
-    /**
-     * Retrieves a password from a configured credential provider or prompts for the password and stores it in the
-     * configured credential provider.
-     * @param config application configuration
-     * @param key the key/alias for the password.
-     * @return the password.
-     * @throws IOException
-     */
-    private String getPassword(org.apache.commons.configuration.Configuration config, String key) throws IOException {
-        String password;
-        String provider = config.getString(CERT_STORES_CREDENTIAL_PROVIDER_PATH);
-        if (provider != null) {
-            LOG.info("Attempting to retrieve password from configured credential provider path");
-            Configuration c = new Configuration();
-            c.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, provider);
-            CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(c).get(0);
-            CredentialProvider.CredentialEntry entry = credentialProvider.getCredentialEntry(key);
-            if (entry == null) {
-                throw new IOException(String.format("No credential entry found for %s. "
-                        + "Please create an entry in the configured credential provider", key));
-            } else {
-                password = String.valueOf(entry.getCredential());
-            }
-        } else {
-            throw new IOException("No credential provider path configured for storage of certificate store passwords");
-        }
-        return password;
-    }
    /**
     * Returns the application configuration.