cdap-security.xml is missing properties when ssl is enabled

Description

When 'ssl.enabled' is true, the following properties need to be set in cdap-security.xml. The entire cdap-security.xml file was missing from /etc/cdap/conf.

1. security.auth.server.ssl.keystore.path
2. security.auth.server.ssl.keystore.password
3. security.auth.server.ssl.keystore.keypassword
4. router.ssl.keystore.path
5. router.ssl.keystore.password
6. router.ssl.keystore.keypassword
7. dashboard.ssl.cert
8. dashboard.ssl.key

Note: the 4th, 5th, 7th, and 8th configurations were present in the cdap-site.xml.

For more details about the cdap-security.xml file, see:
http://docs.cdap.io/cdap/current/en/admin-manual/installation/security.html
Specifically, "It should be owned and readable only by the CDAP user."
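
An added example, not part of the issue or of the CDAP cookbook: a check that reports which of the eight properties above are absent from cdap-security.xml, which are set only in cdap-site.xml, and whether cdap-security.xml is readable by group or others. It assumes both files use the `<configuration>/<property>/<name>/<value>` layout and live in the same directory; the function names and sample values are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# The eight properties the issue lists as required when ssl.enabled is true.
REQUIRED = [
    "security.auth.server.ssl.keystore.path",
    "security.auth.server.ssl.keystore.password",
    "security.auth.server.ssl.keystore.keypassword",
    "router.ssl.keystore.path",
    "router.ssl.keystore.password",
    "router.ssl.keystore.keypassword",
    "dashboard.ssl.cert",
    "dashboard.ssl.key",
]

def read_props(path):
    """Return {name: value} from a <configuration> file; {} if the file is absent."""
    if not os.path.isfile(path):
        return {}
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in ET.parse(path).getroot().iter("property")}

def audit(conf_dir):
    """Report required SSL properties that cdap-security.xml does not carry."""
    site = read_props(os.path.join(conf_dir, "cdap-site.xml"))
    sec_path = os.path.join(conf_dir, "cdap-security.xml")
    sec = read_props(sec_path)
    report = {"missing": [], "only_in_site": [], "mode_too_open": False}
    if site.get("ssl.enabled", "").lower() != "true":
        return report  # SSL off: the requirement in the issue does not apply
    for name in REQUIRED:
        if not sec.get(name):
            # Separate "set nowhere" from "set only in cdap-site.xml".
            report["only_in_site" if site.get(name) else "missing"].append(name)
    if os.path.isfile(sec_path):
        # Any group/other permission bit violates "readable only by the CDAP user".
        report["mode_too_open"] = bool(os.stat(sec_path).st_mode & 0o077)
    return report

def demo():
    """Constructed sample of the reported state: four properties in cdap-site.xml only."""
    conf_dir = tempfile.mkdtemp()
    names = ["ssl.enabled"] + [REQUIRED[i] for i in (3, 4, 6, 7)]
    body = "".join("<property><name>%s</name><value>%s</value></property>"
                   % (n, "true" if n == "ssl.enabled" else "placeholder") for n in names)
    with open(os.path.join(conf_dir, "cdap-site.xml"), "w") as fh:
        fh.write("<configuration>%s</configuration>" % body)
    return conf_dir, audit(conf_dir)

if __name__ == "__main__":
    print(demo()[1])
```

Run against a real node with `audit("/etc/cdap/conf")`; an empty report with `mode_too_open` false means all eight properties are in cdap-security.xml and the file is not group- or world-accessible.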

Release Notes

None

Activity

Chris Gianelloni
October 8, 2015, 4:40 PM

The cookbook's had cdap-security.xml support for a while.

https://github.com/caskdata/cdap_cookbook/blob/v2.16.0/recipes/config.rb#L44-L56

We need to modify the logic that creates the certificates and also populate the properties with defaults. This needs to be done for Auth Server, Router, and UI.

Chris Gianelloni
October 8, 2015, 4:43 PM

Workaround, but with lower security:
Duplicate properties for both cdap-site.xml and cdap-security.xml when passing to Chef. For Coopr, this would be adding duplicate entries under cdap for cdap_site and cdap_security.

Chris Gianelloni
March 15, 2017, 7:12 PM
Fixed

Assignee

Chris Gianelloni

Reporter

Ali Anwar

Labels

None

Docs Impact

None

UX Impact

None

Components

Priority

Major