From b1d8f56f50c7d190847ba88ad899cb19d4acd896 Mon Sep 17 00:00:00 2001 From: Atul Mohan Date: Tue, 28 Nov 2017 12:55:02 -0600 Subject: [PATCH 1/9] Encrypting MySQL connections --- .../development/extensions-core/mysql.md | 19 +++ .../storage/mysql/MySQLConnector.java | 67 ++++++++++- .../storage/mysql/MySQLConnectorConfig.java | 113 ++++++++++++++++++ .../mysql/MySQLMetadataStorageModule.java | 3 + 4 files changed, 198 insertions(+), 4 deletions(-) create mode 100644 extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java diff --git a/docs/content/development/extensions-core/mysql.md b/docs/content/development/extensions-core/mysql.md index eb03af6af867..ed0935f2225a 100644 --- a/docs/content/development/extensions-core/mysql.md +++ b/docs/content/development/extensions-core/mysql.md 
@@ -53,3 +53,22 @@ Make sure to [include](../../operations/including-extensions.html) `mysql-metada packaged in a separate tarball that can be downloaded from [here](http://druid.io/downloads.html). You can also get it using [pull-deps](../../operations/pull-deps.html), or you can build it from source code; see [Build from Source](../build.html). + + +## Encrypting MySQL connections + This extension provides support for encrypting MySQL connections. To get more information about encrypting MySQL connections using TLS/SSL in general, please refer to this [guide](https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html). + +# Configuration + +|Property|Description|Default|Required| +|--------|-----------|-------|--------| +|`druid.metadata.mysql.ssl.useSSL`|Enable SSL|`false`|no| +|`druid.metadata.mysql.ssl.trustCertificateKeyStoreUrl`|The file path to the trusted root certificate key store.|none|no| +|`druid.metadata.mysql.ssl.trustCertificateKeyStoreType`|The type of the key store where trusted root certificates are stored.|none|no| +|`druid.metadata.mysql.ssl.trustCertificateKeyStorePassword`|Password for the trust store.|none|no| +|`druid.metadata.mysql.ssl.clientCertificateKeyStoreUrl`|The file path URL to the client certificate key store.|none|no| +|`druid.metadata.mysql.ssl.clientCertificateKeyStoreType`|The type of the key store where the client certificate is stored.|none|no| +|`druid.metadata.mysql.ssl.clientCertificateKeyStorePassword`|Password for the client key store.|none|no| +|`druid.metadata.mysql.ssl.enabledSSLCipherSuites`|Overrides the existing cipher suites with these cipher suites.|none|no| +|`druid.metadata.mysql.ssl.enabledTLSProtocols`|Overrides the TLS protocols with these protocols.|none|no| + 
diff --git a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java index 3079ad427eac..61539eb2ea71 100644 --- a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java +++ b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java @@ -19,6 +19,7 @@ package io.druid.metadata.storage.mysql; +import com.google.common.base.Joiner; import com.google.common.base.Supplier; import com.google.common.collect.ImmutableList; import com.google.inject.Inject; @@ -36,6 +37,7 @@ import org.skife.jdbi.v2.tweak.HandleCallback; import org.skife.jdbi.v2.util.BooleanMapper; +import java.io.File; import java.sql.SQLException; public class MySQLConnector extends SQLMetadataConnector @@ -48,7 +50,11 @@ public class MySQLConnector extends SQLMetadataConnector private final DBI dbi; @Inject - public MySQLConnector(Supplier config, Supplier dbTables) + public MySQLConnector( + Supplier config, + Supplier dbTables, + MySQLConnectorConfig connectorConfig + ) { super(config, dbTables); 
@@ -57,6 +63,59 @@ public MySQLConnector(Supplier config, Supplier< // so we need to help JDBC find the driver datasource.setDriverClassLoader(getClass().getClassLoader()); datasource.setDriverClassName("com.mysql.jdbc.Driver"); + datasource.addConnectionProperty("useSSL", String.valueOf(connectorConfig.isUseSSL())); + if (connectorConfig.isUseSSL()) { + log.info("SSL is enabled on this MySQL connection. "); + + // Server certificate verification is enabled by default + datasource.addConnectionProperty("verifyServerCertificate", String.valueOf(true)); + if (connectorConfig.getTrustCertificateKeyStoreUrl() != null) { + datasource.addConnectionProperty( + "trustCertificateKeyStoreUrl", + new File(connectorConfig.getTrustCertificateKeyStoreUrl()).toURI().toString() + ); + } + if (connectorConfig.getTrustCertificateKeyStoreType() != null) { + datasource.addConnectionProperty( + "trustCertificateKeyStoreType", + connectorConfig.getTrustCertificateKeyStoreType() + ); + } + if (connectorConfig.getTrustCertificateKeyStorePassword() != null) { + datasource.addConnectionProperty( + "trustCertificateKeyStorePassword", + connectorConfig.getTrustCertificateKeyStorePassword() + ); + } + if (connectorConfig.getClientCertificateKeyStoreUrl() != null) { + datasource.addConnectionProperty( + "clientCertificateKeyStoreUrl", + new File(connectorConfig.getClientCertificateKeyStoreUrl()).toURI().toString() + ); + } + if (connectorConfig.getClientCertificateKeyStoreType() != null) { + datasource.addConnectionProperty( + "clientCertificateKeyStoreType", + connectorConfig.getClientCertificateKeyStoreType() + ); + } + if (connectorConfig.getClientCertificateKeyStorePassword() != null) { + datasource.addConnectionProperty( + "clientCertificateKeyStorePassword", + connectorConfig.getClientCertificateKeyStorePassword() + ); + } + Joiner joiner = Joiner.on(",").skipNulls(); + if (connectorConfig.getEnabledSSLCipherSuites() != null) { + datasource.addConnectionProperty( + 
"enabledSSLCipherSuites", + joiner.join(connectorConfig.getEnabledSSLCipherSuites()) + ); + } + if (connectorConfig.getEnabledTLSProtocols() != null) { + datasource.addConnectionProperty("enabledTLSProtocols", joiner.join(connectorConfig.getEnabledTLSProtocols())); + } + } // use double-quotes for quoting columns, so we can write SQL that works with most databases datasource.setConnectionInitSqls(ImmutableList.of("SET sql_mode='ANSI_QUOTES'")); @@ -97,9 +156,9 @@ public boolean tableExists(Handle handle, String tableName) { // ensure database defaults to utf8, otherwise bail boolean isUtf8 = handle - .createQuery("SELECT @@character_set_database = 'utf8'") - .map(BooleanMapper.FIRST) - .first(); + .createQuery("SELECT @@character_set_database = 'utf8'") + .map(BooleanMapper.FIRST) + .first(); if (!isUtf8) { throw new ISE( diff --git a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java new file mode 100644 index 000000000000..93a90ba81cb1 --- /dev/null +++ b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java 
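Review bot: `new File(connectorConfig.getTrustCertificateKeyStoreUrl()).toURI().toString()` treats the configured value as a filesystem path even though the property is named `...KeyStoreUrl` and the docs describe the client store value as a "file path URL", so a value that is already a `file:` URL gets resolved as a relative path and silently turns into a nonexistent location that the driver only reports at the first connection attempt. I would either make the docs say that both properties take a plain filesystem path, or route both values through a small private helper that returns any value already carrying a URL scheme unchanged and applies the `File` conversion otherwise. Nothing checks that the store exists or is readable either; a `new File(path).canRead()` check that throws an `IllegalArgumentException` naming the property would turn a misconfigured trust or client store into a startup error instead of an opaque SSL handshake failure. The constructor continues past the hunk.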
@@ -0,0 +1,113 @@ +/* + * Licensed to Metamarkets Group Inc. (Metamarkets) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. Metamarkets licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package io.druid.metadata.storage.mysql; + +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.List; + +public class MySQLConnectorConfig +{ + @JsonProperty + private boolean useSSL = false; + + @JsonProperty + private String trustCertificateKeyStoreUrl; + + @JsonProperty + private String trustCertificateKeyStoreType; + + @JsonProperty + private String trustCertificateKeyStorePassword; + + @JsonProperty + private String clientCertificateKeyStoreUrl; + + @JsonProperty + private String clientCertificateKeyStoreType; + + @JsonProperty + private String clientCertificateKeyStorePassword; + + @JsonProperty + private List enabledSSLCipherSuites; + + @JsonProperty + private List enabledTLSProtocols; + + public boolean isUseSSL() + { + return useSSL; + } + + public String getTrustCertificateKeyStoreUrl() + { + return trustCertificateKeyStoreUrl; + } + + public String getTrustCertificateKeyStoreType() + { + return trustCertificateKeyStoreType; + } + + public String getTrustCertificateKeyStorePassword() + { + return trustCertificateKeyStorePassword; + } + + public String getClientCertificateKeyStoreUrl() + { + return 
clientCertificateKeyStoreUrl; + } + + public String getClientCertificateKeyStoreType() + { + return clientCertificateKeyStoreType; + } + + public String getClientCertificateKeyStorePassword() + { + return clientCertificateKeyStorePassword; + } + + public List getEnabledSSLCipherSuites() + { + return enabledSSLCipherSuites; + } + + public List getEnabledTLSProtocols() + { + return enabledTLSProtocols; + } + + @Override + public String toString() + { + return "MySQLConnectorConfig{" + + "useSSL='" + useSSL + '\'' + + ", trustCertificateKeyStoreUrl='" + trustCertificateKeyStoreUrl + '\'' + + ", trustCertificateKeyStoreType='" + trustCertificateKeyStoreType + '\'' + + ", clientCertificateKeyStoreUrl='" + clientCertificateKeyStoreUrl + '\'' + + ", clientCertificateKeyStoreType='" + clientCertificateKeyStoreType + '\'' + + ", enabledSSLCipherSuites=" + enabledSSLCipherSuites + + ", enabledTLSProtocols=" + enabledTLSProtocols + + '}'; + } +} diff --git a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLMetadataStorageModule.java b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLMetadataStorageModule.java index 1aad097dc772..bc0274f80115 100644 --- a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLMetadataStorageModule.java +++ b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLMetadataStorageModule.java @@ -23,6 +23,7 @@ import com.google.common.collect.ImmutableList; import com.google.inject.Binder; import com.google.inject.Key; +import io.druid.guice.JsonConfigProvider; import io.druid.guice.LazySingleton; import io.druid.guice.PolyBind; import io.druid.guice.SQLMetadataStorageDruidModule; 
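Review bot: The new class carries no Javadoc explaining that every field is forwarded verbatim as a MySQL Connector/J connection property, which is why the names match the driver's property names rather than Druid's usual ones and why the values have no validation here. I would add a class comment such as `/** TLS settings for the MySQL metadata store, bound under druid.metadata.mysql.ssl. Field names intentionally mirror the Connector/J connection-property names; values are handed to the driver unchanged. */`. A one-line comment on `toString()` noting that the two password fields are left out on purpose would also stop a later maintainer from adding them when a new field appears.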
@@ -54,6 +55,8 @@ public void configure(Binder binder) { super.configure(binder); + JsonConfigProvider.bind(binder, "druid.metadata.mysql.ssl", MySQLConnectorConfig.class); + PolyBind .optionBinder(binder, Key.get(MetadataStorageProvider.class)) .addBinding(TYPE) From fca1f6202a047fc7f1674f6d5c315213f352ea01 Mon Sep 17 00:00:00 2001 From: Atul Mohan Date: Tue, 28 Nov 2017 12:57:12 -0600 Subject: [PATCH 2/9] Update docs --- docs/content/development/extensions-core/mysql.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/development/extensions-core/mysql.md b/docs/content/development/extensions-core/mysql.md index ed0935f2225a..0e756bc6a0f5 100644 --- a/docs/content/development/extensions-core/mysql.md +++ b/docs/content/development/extensions-core/mysql.md @@ -58,7 +58,7 @@ Make sure to [include](../../operations/including-extensions.html) `mysql-metada ## Encrypting MySQL connections This extension provides support for encrypting MySQL connections. To get more information about encrypting MySQL connections using TLS/SSL in general, please refer to this [guide](https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html). -# Configuration +## Configuration |Property|Description|Default|Required| |--------|-----------|-------|--------| From e283edfd4028fdfabb25cc10844f0b1c0b6bebcc Mon Sep 17 00:00:00 2001 From: Atul Mohan Date: Tue, 28 Nov 2017 16:37:27 -0600 Subject: [PATCH 3/9] Make verifyServerCertificate a configurable parameter --- .../storage/mysql/MySQLConnector.java | 40 ++++++++++--------- .../storage/mysql/MySQLConnectorConfig.java | 8 ++++ 2 files changed, 29 insertions(+), 19 deletions(-) diff --git a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java index 61539eb2ea71..bebabc14b8c4 100644 
--- a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java +++ b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java 
@@ -67,25 +67,27 @@ public MySQLConnector( if (connectorConfig.isUseSSL()) { log.info("SSL is enabled on this MySQL connection. "); - // Server certificate verification is enabled by default - datasource.addConnectionProperty("verifyServerCertificate", String.valueOf(true)); - if (connectorConfig.getTrustCertificateKeyStoreUrl() != null) { - datasource.addConnectionProperty( - "trustCertificateKeyStoreUrl", - new File(connectorConfig.getTrustCertificateKeyStoreUrl()).toURI().toString() - ); - } - if (connectorConfig.getTrustCertificateKeyStoreType() != null) { - datasource.addConnectionProperty( - "trustCertificateKeyStoreType", - connectorConfig.getTrustCertificateKeyStoreType() - ); - } - if (connectorConfig.getTrustCertificateKeyStorePassword() != null) { - datasource.addConnectionProperty( - "trustCertificateKeyStorePassword", - connectorConfig.getTrustCertificateKeyStorePassword() - ); + datasource.addConnectionProperty("verifyServerCertificate", String.valueOf(connectorConfig.isVerifyServerCertificate())); + if (connectorConfig.isVerifyServerCertificate()) { + log.info("Server certificate verification is enabled. "); + if (connectorConfig.getTrustCertificateKeyStoreUrl() != null) { + datasource.addConnectionProperty( + "trustCertificateKeyStoreUrl", + new File(connectorConfig.getTrustCertificateKeyStoreUrl()).toURI().toString() + ); + } + if (connectorConfig.getTrustCertificateKeyStoreType() != null) { + datasource.addConnectionProperty( + "trustCertificateKeyStoreType", + connectorConfig.getTrustCertificateKeyStoreType() + ); + } + if (connectorConfig.getTrustCertificateKeyStorePassword() != null) { + datasource.addConnectionProperty( + "trustCertificateKeyStorePassword", + connectorConfig.getTrustCertificateKeyStorePassword() + ); + } } if (connectorConfig.getClientCertificateKeyStoreUrl() != null) { datasource.addConnectionProperty( 
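Review bot: When `verifyServerCertificate` is false the new code still logs "SSL is enabled" at info and says nothing further, so an operator reading the log will assume a fully protected connection, while an encrypted-but-unverified connection can be intercepted by an active man-in-the-middle. I would add an else branch after the `if (connectorConfig.isVerifyServerCertificate())` block: `} else { log.warn("SSL is enabled but server certificate verification is disabled; the connection is encrypted but the MySQL server's identity is not authenticated."); }`. In that branch the trust-store properties are also silently ignored, so warning when any of them is set while verification is off would catch what is almost certainly a misconfiguration. The constructor begins and ends outside the hunk.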
diff --git a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java index 93a90ba81cb1..1f16db8ac060 100644 --- a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java +++ b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java @@ -52,6 +52,9 @@ public class MySQLConnectorConfig @JsonProperty private List enabledTLSProtocols; + @JsonProperty + private boolean verifyServerCertificate = true; + public boolean isUseSSL() { return useSSL; @@ -97,6 +100,11 @@ public List getEnabledTLSProtocols() return enabledTLSProtocols; } + public boolean isVerifyServerCertificate() + { + return verifyServerCertificate; + } + @Override public String toString() { From 66271c9cd097c5be56096819b789f8c90669da14 Mon Sep 17 00:00:00 2001 From: Atul Mohan Date: Tue, 28 Nov 2017 16:58:23 -0600 Subject: [PATCH 4/9] Change password parameter and doc update --- docs/content/development/extensions-core/mysql.md | 5 +++-- .../storage/mysql/MySQLConnectorConfig.java | 13 +++++++------ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/docs/content/development/extensions-core/mysql.md b/docs/content/development/extensions-core/mysql.md index 0e756bc6a0f5..ff4559317753 100644 --- a/docs/content/development/extensions-core/mysql.md +++ b/docs/content/development/extensions-core/mysql.md 
@@ -65,10 +65,11 @@ Make sure to [include](../../operations/including-extensions.html) `mysql-metada |`druid.metadata.mysql.ssl.useSSL`|Enable SSL|`false`|no| |`druid.metadata.mysql.ssl.trustCertificateKeyStoreUrl`|The file path to the trusted root certificate key store.|none|no| |`druid.metadata.mysql.ssl.trustCertificateKeyStoreType`|The type of the key store where trusted root certificates are stored.|none|no| -|`druid.metadata.mysql.ssl.trustCertificateKeyStorePassword`|Password for the trust store.|none|no| +|`druid.metadata.mysql.ssl.trustCertificateKeyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the trust store.|none|no| |`druid.metadata.mysql.ssl.clientCertificateKeyStoreUrl`|The file path URL to the client certificate key store.|none|no| |`druid.metadata.mysql.ssl.clientCertificateKeyStoreType`|The type of the key store where the client certificate is stored.|none|no| -|`druid.metadata.mysql.ssl.clientCertificateKeyStorePassword`|Password for the client key store.|none|no| +|`druid.metadata.mysql.ssl.clientCertificateKeyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the client key store.|none|no| |`druid.metadata.mysql.ssl.enabledSSLCipherSuites`|Overrides the existing cipher suites with these cipher suites.|none|no| |`druid.metadata.mysql.ssl.enabledTLSProtocols`|Overrides the TLS protocols with these protocols.|none|no| +|`druid.metadata.mysql.ssl.verifyServerCertificate`|Enables server certificate verification.|true|no| diff --git a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java index 1f16db8ac060..c4774ad8ec71 100644 --- a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java 
+++ b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java @@ -20,6 +20,7 @@ package io.druid.metadata.storage.mysql; import com.fasterxml.jackson.annotation.JsonProperty; +import io.druid.metadata.PasswordProvider; import java.util.List; @@ -34,8 +35,8 @@ public class MySQLConnectorConfig @JsonProperty private String trustCertificateKeyStoreType; - @JsonProperty - private String trustCertificateKeyStorePassword; + @JsonProperty("trustCertificateKeyStorePassword") + private PasswordProvider trustCertificateKeyStorePasswordProvider; @JsonProperty private String clientCertificateKeyStoreUrl; @@ -43,8 +44,8 @@ public class MySQLConnectorConfig @JsonProperty private String clientCertificateKeyStoreType; - @JsonProperty - private String clientCertificateKeyStorePassword; + @JsonProperty("clientCertificateKeyStorePassword") + private PasswordProvider clientCertificateKeyStorePasswordProvider; @JsonProperty private List enabledSSLCipherSuites; @@ -72,7 +73,7 @@ public String getTrustCertificateKeyStoreType() public String getTrustCertificateKeyStorePassword() { - return trustCertificateKeyStorePassword; + return trustCertificateKeyStorePasswordProvider == null ? null : trustCertificateKeyStorePasswordProvider.getPassword(); } public String getClientCertificateKeyStoreUrl() @@ -87,7 +88,7 @@ public String getClientCertificateKeyStoreType() public String getClientCertificateKeyStorePassword() { - return clientCertificateKeyStorePassword; + return clientCertificateKeyStorePasswordProvider == null ? null : clientCertificateKeyStorePasswordProvider.getPassword(); } public List getEnabledSSLCipherSuites() From 2ba830a54c6333bf31c290b95834d561d54c355a Mon Sep 17 00:00:00 2001 
From: Atul Mohan Date: Thu, 7 Dec 2017 14:41:00 -0800 Subject: [PATCH 5/9] Make server certificate verification disabled by default --- docs/content/development/extensions-core/mysql.md | 8 ++++---- .../metadata/storage/mysql/MySQLConnectorConfig.java | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/content/development/extensions-core/mysql.md b/docs/content/development/extensions-core/mysql.md index ff4559317753..51a6b32ab400 100644 --- a/docs/content/development/extensions-core/mysql.md +++ b/docs/content/development/extensions-core/mysql.md 
@@ -63,13 +63,13 @@ Make sure to [include](../../operations/including-extensions.html) `mysql-metada |Property|Description|Default|Required| |--------|-----------|-------|--------| |`druid.metadata.mysql.ssl.useSSL`|Enable SSL|`false`|no| -|`druid.metadata.mysql.ssl.trustCertificateKeyStoreUrl`|The file path to the trusted root certificate key store.|none|no| -|`druid.metadata.mysql.ssl.trustCertificateKeyStoreType`|The type of the key store where trusted root certificates are stored.|none|no| -|`druid.metadata.mysql.ssl.trustCertificateKeyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the trust store.|none|no| |`druid.metadata.mysql.ssl.clientCertificateKeyStoreUrl`|The file path URL to the client certificate key store.|none|no| |`druid.metadata.mysql.ssl.clientCertificateKeyStoreType`|The type of the key store where the client certificate is stored.|none|no| |`druid.metadata.mysql.ssl.clientCertificateKeyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the client key store.|none|no| +|`druid.metadata.mysql.ssl.verifyServerCertificate`|Enables server certificate verification.|false|no| +|`druid.metadata.mysql.ssl.trustCertificateKeyStoreUrl`|The file path to the trusted root certificate key store.|none|yes if `verifyServerCertificate` is set to true| +|`druid.metadata.mysql.ssl.trustCertificateKeyStoreType`|The type of the key store where trusted root certificates are stored.|none|yes if `verifyServerCertificate` is set to true| +|`druid.metadata.mysql.ssl.trustCertificateKeyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the trust store.|none|yes if `verifyServerCertificate` is set to true| |`druid.metadata.mysql.ssl.enabledSSLCipherSuites`|Overrides the existing cipher suites with these cipher suites.|none|no| |`druid.metadata.mysql.ssl.enabledTLSProtocols`|Overrides the TLS protocols with these 
protocols.|none|no| -|`druid.metadata.mysql.ssl.verifyServerCertificate`|Enables server certificate verification.|true|no| diff --git a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java index c4774ad8ec71..cb408a8c4317 100644 --- a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java +++ b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java @@ -54,7 +54,7 @@ public class MySQLConnectorConfig private List enabledTLSProtocols; @JsonProperty - private boolean verifyServerCertificate = true; + private boolean verifyServerCertificate = false; public boolean isUseSSL() { From dc187aecbb1793ef32b59e23471bd5123ae047c8 Mon Sep 17 00:00:00 2001 From: Atul Mohan Date: Thu, 7 Dec 2017 14:45:16 -0800 Subject: [PATCH 6/9] Update tostring --- .../druid/metadata/storage/mysql/MySQLConnectorConfig.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java index cb408a8c4317..77fc9dcd60b6 100644 --- a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java +++ b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnectorConfig.java 
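Review bot: Flipping the `verifyServerCertificate` default to `false` means an operator who only sets `useSSL=true` gets a connection that is encrypted but never authenticates the server, which is precisely the configuration an on-path attacker can intercept; the earlier patch in this series had the safer default. If the motivation is that many deployments run with self-signed server certificates, I would keep `private boolean verifyServerCertificate = true;` and have the docs show how to point `trustCertificateKeyStoreUrl` at the server's CA, since the JVM default trust store is already used when no custom store is given. If the default must stay `false`, the docs row should say plainly what it costs, e.g. `Enables server certificate verification. When false the connection is encrypted but the server's identity is not checked, which allows man-in-the-middle attacks.`, and the connector should log a warning at startup.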
@@ -111,10 +111,11 @@ public String toString() { return "MySQLConnectorConfig{" + "useSSL='" + useSSL + '\'' + - ", trustCertificateKeyStoreUrl='" + trustCertificateKeyStoreUrl + '\'' + - ", trustCertificateKeyStoreType='" + trustCertificateKeyStoreType + '\'' + ", clientCertificateKeyStoreUrl='" + clientCertificateKeyStoreUrl + '\'' + ", clientCertificateKeyStoreType='" + clientCertificateKeyStoreType + '\'' + + ", verifyServerCertificate='" + verifyServerCertificate + '\'' + + ", trustCertificateKeyStoreUrl='" + trustCertificateKeyStoreUrl + '\'' + + ", trustCertificateKeyStoreType='" + trustCertificateKeyStoreType + '\'' + ", enabledSSLCipherSuites=" + enabledSSLCipherSuites + ", enabledTLSProtocols=" + enabledTLSProtocols + '}'; From f218bebd7cb3cd2d925b43a7456a09bdd0039054 Mon Sep 17 00:00:00 2001 From: Atul Mohan Date: Tue, 9 Jan 2018 11:19:26 -0600 Subject: [PATCH 7/9] Update docs --- docs/content/development/extensions-core/mysql.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/development/extensions-core/mysql.md b/docs/content/development/extensions-core/mysql.md index 51a6b32ab400..0940775a378e 100644 --- a/docs/content/development/extensions-core/mysql.md +++ b/docs/content/development/extensions-core/mysql.md 
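Review bot: The reordered `toString()` correctly keeps both `PasswordProvider` fields out of the output, but nothing records that this is intentional, and a config object's `toString()` is presumably what ends up in startup logs, so the next field addition could easily pull a credential in. I would add a comment above the `return`: `// Password providers are deliberately omitted: this string is logged and must never carry credentials.`. Purely documentation; the method starts before the hunk.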
@@ -67,9 +67,9 @@ Make sure to [include](../../operations/including-extensions.html) `mysql-metada |`druid.metadata.mysql.ssl.clientCertificateKeyStoreType`|The type of the key store where the client certificate is stored.|none|no| |`druid.metadata.mysql.ssl.clientCertificateKeyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the client key store.|none|no| |`druid.metadata.mysql.ssl.verifyServerCertificate`|Enables server certificate verification.|false|no| -|`druid.metadata.mysql.ssl.trustCertificateKeyStoreUrl`|The file path to the trusted root certificate key store.|none|yes if `verifyServerCertificate` is set to true| -|`druid.metadata.mysql.ssl.trustCertificateKeyStoreType`|The type of the key store where trusted root certificates are stored.|none|yes if `verifyServerCertificate` is set to true| -|`druid.metadata.mysql.ssl.trustCertificateKeyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the trust store.|none|yes if `verifyServerCertificate` is set to true| +|`druid.metadata.mysql.ssl.trustCertificateKeyStoreUrl`|The file path to the trusted root certificate key store.|none|yes if `verifyServerCertificate` is set to true and a custom trust certificate is used| +|`druid.metadata.mysql.ssl.trustCertificateKeyStoreType`|The type of the key store where trusted root certificates are stored.|none|yes if `verifyServerCertificate` is set to true and keystore type is not JKS| +|`druid.metadata.mysql.ssl.trustCertificateKeyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the trust store.|none|yes if `verifyServerCertificate` is set to true and password is not null| |`druid.metadata.mysql.ssl.enabledSSLCipherSuites`|Overrides the existing cipher suites with these cipher suites.|none|no| |`druid.metadata.mysql.ssl.enabledTLSProtocols`|Overrides the TLS protocols with these protocols.|none|no| 
From 408e74d8a6a1cdc20c44f78e22fcc9d1eeec8bf6 Mon Sep 17 00:00:00 2001 From: Atul Mohan Date: Tue, 9 Jan 2018 16:04:48 -0600 Subject: [PATCH 8/9] Add check for trust store passwords --- .../development/extensions-core/mysql.md | 4 ++-- .../storage/mysql/MySQLConnector.java | 20 ++++++++++++------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/docs/content/development/extensions-core/mysql.md b/docs/content/development/extensions-core/mysql.md index 0940775a378e..5314c07eef59 100644 --- a/docs/content/development/extensions-core/mysql.md +++ b/docs/content/development/extensions-core/mysql.md 
@@ -67,8 +67,8 @@ Make sure to [include](../../operations/including-extensions.html) `mysql-metada |`druid.metadata.mysql.ssl.clientCertificateKeyStoreType`|The type of the key store where the client certificate is stored.|none|no| |`druid.metadata.mysql.ssl.clientCertificateKeyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the client key store.|none|no| |`druid.metadata.mysql.ssl.verifyServerCertificate`|Enables server certificate verification.|false|no| -|`druid.metadata.mysql.ssl.trustCertificateKeyStoreUrl`|The file path to the trusted root certificate key store.|none|yes if `verifyServerCertificate` is set to true and a custom trust certificate is used| -|`druid.metadata.mysql.ssl.trustCertificateKeyStoreType`|The type of the key store where trusted root certificates are stored.|none|yes if `verifyServerCertificate` is set to true and keystore type is not JKS| +|`druid.metadata.mysql.ssl.trustCertificateKeyStoreUrl`|The file path to the trusted root certificate key store.|Default trust store provided by MySQL|yes if `verifyServerCertificate` is set to true and a custom trust store is used| +|`druid.metadata.mysql.ssl.trustCertificateKeyStoreType`|The type of the key store where trusted root certificates are stored.|JKS|yes if `verifyServerCertificate` is set to true and keystore type is not JKS| |`druid.metadata.mysql.ssl.trustCertificateKeyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the trust store.|none|yes if `verifyServerCertificate` is set to true and password is not null| |`druid.metadata.mysql.ssl.enabledSSLCipherSuites`|Overrides the existing cipher suites with these cipher suites.|none|no| |`druid.metadata.mysql.ssl.enabledTLSProtocols`|Overrides the TLS protocols with these protocols.|none|no| 
diff --git a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java index bebabc14b8c4..c4dbbe75ffca 100644 --- a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java +++ b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java @@ -20,6 +20,7 @@ package io.druid.metadata.storage.mysql; import com.google.common.base.Joiner; +import com.google.common.base.Preconditions; import com.google.common.base.Supplier; import com.google.common.collect.ImmutableList; import com.google.inject.Inject; @@ -67,9 +68,16 @@ public MySQLConnector( if (connectorConfig.isUseSSL()) { log.info("SSL is enabled on this MySQL connection. "); - datasource.addConnectionProperty("verifyServerCertificate", String.valueOf(connectorConfig.isVerifyServerCertificate())); + datasource.addConnectionProperty( + "verifyServerCertificate", + String.valueOf(connectorConfig.isVerifyServerCertificate()) + ); if (connectorConfig.isVerifyServerCertificate()) { log.info("Server certificate verification is enabled. "); + Preconditions.checkNotNull( + connectorConfig.getTrustCertificateKeyStorePassword(), + "Trust certificate keystore password cannot be null when server certificate verification is enabled." + ); if (connectorConfig.getTrustCertificateKeyStoreUrl() != null) { datasource.addConnectionProperty( "trustCertificateKeyStoreUrl", 
@@ -82,12 +90,10 @@ public MySQLConnector( connectorConfig.getTrustCertificateKeyStoreType() ); } - if (connectorConfig.getTrustCertificateKeyStorePassword() != null) { - datasource.addConnectionProperty( - "trustCertificateKeyStorePassword", - connectorConfig.getTrustCertificateKeyStorePassword() - ); - } + datasource.addConnectionProperty( + "trustCertificateKeyStorePassword", + connectorConfig.getTrustCertificateKeyStorePassword() + ); } if (connectorConfig.getClientCertificateKeyStoreUrl() != null) { datasource.addConnectionProperty( From a4faa7057c2197c43d4fea94b310f4b3580845e9 Mon Sep 17 00:00:00 2001 From: Atul Mohan Date: Tue, 9 Jan 2018 16:37:21 -0600 Subject: [PATCH 9/9] Add warning for null password --- .../storage/mysql/MySQLConnector.java | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java index c4dbbe75ffca..910f397f447b 100644 --- a/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java +++ b/extensions-core/mysql-metadata-storage/src/main/java/io/druid/metadata/storage/mysql/MySQLConnector.java @@ -20,7 +20,6 @@ package io.druid.metadata.storage.mysql; import com.google.common.base.Joiner; -import com.google.common.base.Preconditions; import com.google.common.base.Supplier; import com.google.common.collect.ImmutableList; import com.google.inject.Inject; 
@@ -74,10 +73,7 @@ public MySQLConnector( ); if (connectorConfig.isVerifyServerCertificate()) { log.info("Server certificate verification is enabled. "); - Preconditions.checkNotNull( - connectorConfig.getTrustCertificateKeyStorePassword(), - "Trust certificate keystore password cannot be null when server certificate verification is enabled." - ); + if (connectorConfig.getTrustCertificateKeyStoreUrl() != null) { datasource.addConnectionProperty( "trustCertificateKeyStoreUrl", @@ -90,10 +86,15 @@ public MySQLConnector( connectorConfig.getTrustCertificateKeyStoreType() ); } - datasource.addConnectionProperty( - "trustCertificateKeyStorePassword", - connectorConfig.getTrustCertificateKeyStorePassword() - ); + if (connectorConfig.getTrustCertificateKeyStorePassword() == null) { + log.warn( + "Trust store password is empty. Ensure that the trust store has been configured with an empty password."); + } else { + datasource.addConnectionProperty( + "trustCertificateKeyStorePassword", + connectorConfig.getTrustCertificateKeyStorePassword() + ); + } } if (connectorConfig.getClientCertificateKeyStoreUrl() != null) { datasource.addConnectionProperty(
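Review bot: The new warning says "Trust store password is empty" but the branch is taken when no password was configured at all (`getTrustCertificateKeyStorePassword() == null`), which is a different situation from an explicitly empty string and will puzzle an operator who simply forgot the property. Omitting the password presumably means the driver opens the trust store without its integrity check, so the message should state what happens and what to verify, e.g. `log.warn("No trust store password configured; the trust store will be opened without one. Confirm it was created with an empty password, otherwise the TLS handshake will fail.");`. It may also be worth stating in the docs row for `trustCertificateKeyStorePassword` that omitting it is only valid for a store created without a password. The constructor body continues outside the hunk.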