Repository: accumulo Updated Branches: refs/heads/1.6.1-SNAPSHOT cc30021c2 -> 20aecf7d6 refs/heads/master dbcf984b2 -> 4bb28faaf
ACCUMULO-3052 Allow configuration of SSL cipher suites Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/20aecf7d Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/20aecf7d Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/20aecf7d Branch: refs/heads/1.6.1-SNAPSHOT Commit: 20aecf7d6feced222995b013f58c654fdba42db6 Parents: cc30021 Author: Josh Elser <els...@apache.org> Authored: Wed Aug 6 22:21:16 2014 -0400 Committer: Josh Elser <els...@apache.org> Committed: Wed Aug 6 22:21:16 2014 -0400 ---------------------------------------------------------------------- .../org/apache/accumulo/core/conf/Property.java | 2 ++ .../accumulo/core/util/SslConnectionParams.java | 17 ++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/accumulo/blob/20aecf7d/core/src/main/java/org/apache/accumulo/core/conf/Property.java ----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/accumulo/core/conf/Property.java b/core/src/main/java/org/apache/accumulo/core/conf/Property.java
index 3a794a4..54d13e6 100644
--- a/core/src/main/java/org/apache/accumulo/core/conf/Property.java
+++ b/core/src/main/java/org/apache/accumulo/core/conf/Property.java
@@ -98,6 +98,8 @@ public enum Property { RPC_SSL_TRUSTSTORE_TYPE("rpc.javax.net.ssl.trustStoreType", "jks", PropertyType.STRING, "Type of SSL truststore"), RPC_USE_JSSE("rpc.useJsse", "false", PropertyType.BOOLEAN, "Use JSSE system properties to configure SSL rather than the " + RPC_PREFIX.getKey() + "javax.net.ssl.* Accumulo properties"), + RPC_SSL_CIPHER_SUITES("rpc.ssl.cipher.suites", "", PropertyType.STRING, "Comma separated list of cipher suites that can be used by accepted connections"), + // instance properties (must be the same for every node in an instance) INSTANCE_PREFIX("instance.", null, PropertyType.PREFIX, "Properties in this category must be consistent throughout a cloud. This is enforced and servers won't be able to communicate if these differ."), http://git-wip-us.apache.org/repos/asf/accumulo/blob/20aecf7d/core/src/main/java/org/apache/accumulo/core/util/SslConnectionParams.java ----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/accumulo/core/util/SslConnectionParams.java b/core/src/main/java/org/apache/accumulo/core/util/SslConnectionParams.java
index 6fde38a..652f768 100644
--- a/core/src/main/java/org/apache/accumulo/core/util/SslConnectionParams.java
+++ b/core/src/main/java/org/apache/accumulo/core/util/SslConnectionParams.java
@@ -22,6 +22,7 @@ import java.net.URL; import org.apache.accumulo.core.conf.AccumuloConfiguration; import org.apache.accumulo.core.conf.Property; +import org.apache.hadoop.util.StringUtils; import org.apache.log4j.Logger; import org.apache.thrift.transport.TSSLTransportFactory.TSSLTransportParameters;
@@ -41,6 +42,8 @@ public class SslConnectionParams { private String trustStorePass; private String trustStoreType; + private String[] cipherSuites; + public static SslConnectionParams forConfig(AccumuloConfiguration conf, boolean server) { if (!conf.getBoolean(Property.INSTANCE_RPC_SSL_ENABLED)) return null;
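Review bot: The description string on `RPC_SSL_CIPHER_SUITES` in Property.java does not say what the empty default means or what form the names take, and both matter for a setting whose purpose is to exclude weak suites. Judging from the SslConnectionParams.java hunks of this commit, an empty value leaves the cipher array unset and the no-argument `TSSLTransportParameters()` is used, so the JVM/provider defaults presumably remain in effect. I would spell that out, e.g. `"Comma separated list of JSSE cipher suite names allowed on accepted connections; when empty, the JVM default suites are used"`. The enum body starts and ends outside this hunk.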
@@ -66,6 +69,11 @@ public class SslConnectionParams { throw new IllegalArgumentException("Could not load configured keystore file", e); } + String ciphers = conf.get(Property.RPC_SSL_CIPHER_SUITES); + if (null != ciphers && !ciphers.isEmpty()) { + result.cipherSuites = StringUtils.split(ciphers, ','); + } + return result; }
@@ -145,7 +153,14 @@ public class SslConnectionParams { public TSSLTransportParameters getTTransportParams() { if (useJsse) throw new IllegalStateException("Cannot get TTransportParams for JSEE configuration."); - TSSLTransportParameters params = new TSSLTransportParameters(); + TSSLTransportParameters params; + if (null != cipherSuites) { + // TLS is the default value used in thrift 0.9.1 + params = new TSSLTransportParameters("TLS", cipherSuites); + } else { + params = new TSSLTransportParameters(); + } + params.requireClientAuth(clientAuth); if (keyStoreSet) { params.setKeyStore(keyStorePath, keyStorePass, null, keyStoreType);
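Review bot: The tokens returned by `StringUtils.split(ciphers, ',')` in `forConfig` are stored as-is, so a value written as `A, B` keeps the leading space on the second name, and an entry such as `A,,B` may leave an empty element. JSSE generally rejects an unrecognised suite name with an `IllegalArgumentException`, which on this path would surface only when the socket is created rather than when the configuration is read. Trimming each element right after the split avoids that, e.g. `for (int i = 0; i < result.cipherSuites.length; i++) result.cipherSuites[i] = result.cipherSuites[i].trim();`, and empty elements should be dropped as well. Logging the resulting list once would let an operator confirm which suites are actually in force. The body of `forConfig` starts outside this hunk.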
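Review bot: Passing `"TLS"` in `getTTransportParams` only names the SSLContext algorithm, so restricting cipher suites through this path still leaves the enabled protocol versions at whatever the JVM enables by default, and the added comment reads as if the protocol question were settled. I would reword it to something like `// "TLS" names the SSLContext algorithm (thrift 0.9.1 default); enabled protocol versions are still the JVM defaults` and consider a companion property for the protocol list in a follow-up. The `cipherSuites` array is also handed over by reference; passing `cipherSuites.clone()` would keep a later change to the array on either side from altering the other. The method continues past the end of the hunk.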