RANGER-4776: SolrAuditDestination uses local SSLContext instead of se… #310

Open
wants to merge 1 commit into
base: master
Expand Up @@ -20,6 +20,12 @@
package org.apache.ranger.audit.destination;

import org.apache.commons.lang.StringUtils;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.ranger.audit.model.AuditEventBase;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.audit.provider.MiscUtil;
Expand All @@ -44,7 +50,6 @@
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
Expand All @@ -55,7 +60,6 @@
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;

Expand Down Expand Up @@ -131,9 +135,7 @@ synchronized void connect() {
KeyManager[] kmList = getKeyManagers();
TrustManager[] tmList = getTrustManagers();
SSLContext sslContext = getSSLContext(kmList, tmList);
if(sslContext != null) {
SSLContext.setDefault(sslContext);
}

String urls = MiscUtil.getStringProperty(props, propPrefix
+ "." + PROP_SOLR_URLS);
if (urls != null) {
Expand Down Expand Up @@ -168,6 +170,7 @@ synchronized void connect() {
Krb5HttpClientBuilder krbBuild = new Krb5HttpClientBuilder();
SolrHttpClientBuilder kb = krbBuild.getBuilder();
HttpClientUtil.setHttpClientBuilder(kb);
HttpClientUtil.setSocketFactoryRegistryProvider(new SolrSocketFactoryRegistryProvider(sslContext));

final List<String> zkhosts = new ArrayList<String>(Arrays.asList(zkHosts.split(",")));
final CloudSolrClient solrCloudClient = MiscUtil.executePrivilegedAction(new PrivilegedExceptionAction<CloudSolrClient>() {
Expand All @@ -190,6 +193,8 @@ public CloudSolrClient run() throws Exception {
Krb5HttpClientBuilder krbBuild = new Krb5HttpClientBuilder();
SolrHttpClientBuilder kb = krbBuild.getBuilder();
HttpClientUtil.setHttpClientBuilder(kb);
HttpClientUtil.setSocketFactoryRegistryProvider(new SolrSocketFactoryRegistryProvider(sslContext));

final List<String> solrUrls = solrURLs;
final LBHttpSolrClient lbSolrClient = MiscUtil.executePrivilegedAction(new PrivilegedExceptionAction<LBHttpSolrClient>() {
@Override
Expand Down Expand Up @@ -492,4 +497,61 @@ private void close(InputStream str, String filename) {
}
}
}

/**
* Same as {@link org.apache.solr.client.solrj.impl.HttpClientUtil.DefaultSocketFactoryRegistryProvider}
* except using the specified SSLContext instead of the default one.
*/
static final class SolrSocketFactoryRegistryProvider extends HttpClientUtil.SocketFactoryRegistryProvider {

private final SSLContext sslContext;

SolrSocketFactoryRegistryProvider(SSLContext sslContext) {
this.sslContext = sslContext;
}

@Override
public Registry<ConnectionSocketFactory> getSocketFactoryRegistry() {
RegistryBuilder<ConnectionSocketFactory> builder = RegistryBuilder.<ConnectionSocketFactory> create();
builder.register("http", PlainConnectionSocketFactory.getSocketFactory());

SSLConnectionSocketFactory sslConnectionSocketFactory = null;
boolean sslCheckPeerName = toBooleanDefaultIfNull(
toBooleanObject(System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME)), true);
if (sslCheckPeerName) {
sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext);
} else {
sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
NoopHostnameVerifier.INSTANCE);
LOG.debug("{} is false, hostname checks disabled.", HttpClientUtil.SYS_PROP_CHECK_PEER_NAME);
}
builder.register("https", sslConnectionSocketFactory);

return builder.build();
}

/**
* Same as {@link org.apache.solr.client.solrj.impl.HttpClientUtil#toBooleanDefaultIfNull(Boolean, boolean)}
*/
private static boolean toBooleanDefaultIfNull(Boolean bool, boolean valueIfNull) {
if (bool == null) {
return valueIfNull;
}
return bool.booleanValue() ? true : false;
}

/**
* Same as {@link org.apache.solr.client.solrj.impl.HttpClientUtil#toBooleanObject(String)}
*/
private static Boolean toBooleanObject(String str) {
if ("true".equalsIgnoreCase(str)) {
return Boolean.TRUE;
} else if ("false".equalsIgnoreCase(str)) {
return Boolean.FALSE;
}
// no match
return null;
}
}

}
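Review bot: The null guard that the removed lines in connect() kept around SSLContext.setDefault is gone, yet SolrSocketFactoryRegistryProvider hands sslContext straight to `new SSLConnectionSocketFactory(sslContext)`, so when getSSLContext(kmList, tmList) returns null (the case the old check handled) building the registry will fail instead of falling back to the JVM default context as before; connect() itself extends beyond the hunks shown. Either skip the two setSocketFactoryRegistryProvider calls when sslContext is null, or let the constructor substitute the default: `this.sslContext = sslContext != null ? sslContext : SSLContext.getDefault();` (getDefault declares NoSuchAlgorithmException, which the class already handles for the other java.security calls, so propagate or wrap it the same way). Since the NoopHostnameVerifier branch disables peer-name verification for audit delivery, consider raising that message from debug to warn so the TLS downgrade is visible in operations, and note that `bool.booleanValue() ? true : false` in toBooleanDefaultIfNull can simply be `bool.booleanValue()`.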