RANGER-3673 : Need to enable cipher configuration for Usersync

Issue: Currently Ranger Usersync support enabling of TLS, but does not allow cipher suites to be configurable. Need to provide a property to configure the same. Changes: Made ciphers configurable for Ranger Usersync.
apache · Mar 22, 2022 · f66c559 · f66c559
1 parent 34fd0e7
commit f66c559
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/...authservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java b/...authservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -79,6 +79,7 @@ public class UnixAuthenticationService {
 	private String keyStorePath;
 	private String keyStoreType;
 	private List<String> enabledProtocolsList;
+	private List<String> enabledCipherSuiteList;
 	private String keyStorePathPassword;
 	private String trustStorePath;
 	private String trustStorePathPassword;
@@ -227,7 +228,9 @@ private void init() throws Throwable {
 		SSLEnabled = (SSLEnabledProp != null &&  (SSLEnabledProp.equalsIgnoreCase("true")));
 		String defaultEnabledProtocols = "TLSv1.2";
 		String enabledProtocols = prop.getProperty("ranger.usersync.https.ssl.enabled.protocols", defaultEnabledProtocols);
+		String enabledCipherSuites = prop.getProperty("ranger.usersync.https.ssl.enabled.cipher.suites", "");
 		enabledProtocolsList=new ArrayList<String>(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
+		enabledCipherSuiteList = new ArrayList<String>(Arrays.asList(enabledCipherSuites.toUpperCase().trim().split("\\s*,\\s*")));
 //		LOG.info("Key:" + keyStorePath);
 //		LOG.info("KeyPassword:" + keyStorePathPassword);
 //		LOG.info("TrustStore:" + trustStorePath);
@@ -321,6 +324,23 @@ public void startService() throws Throwable {
 			if (!allowedProtocols.isEmpty()) {
 				secureSocket.setEnabledProtocols(allowedProtocols.toArray(new String[0]));
 			}
+			String[] enabledCipherSuites = secureSocket.getEnabledCipherSuites();
+			Set<String> allowedCipherSuites = new HashSet<String>();
+			for(String enabledCipherSuite : enabledCipherSuites) {
+				if (enabledCipherSuiteList.contains(enabledCipherSuite)) {
+					if(LOG.isDebugEnabled()) {
+						LOG.debug("Enabling CipherSuite : [" + enabledCipherSuite + "]");
+					}
+					allowedCipherSuites.add(enabledCipherSuite);
+				} else {
+					if(LOG.isDebugEnabled()) {
+						LOG.debug("Disabling CipherSuite : [" + enabledCipherSuite + "]");
+					}
+				}
+			}
+			if (!allowedCipherSuites.isEmpty()) {
+				secureSocket.setEnabledCipherSuites(allowedCipherSuites.toArray(new String[0]));
+			}
 		}