diff --git a/storm-client/src/jvm/org/apache/storm/security/auth/tls/TlsTransportPlugin.java b/storm-client/src/jvm/org/apache/storm/security/auth/tls/TlsTransportPlugin.java index 665d9f1fcb8..e260c4d0fe9 100644 --- a/storm-client/src/jvm/org/apache/storm/security/auth/tls/TlsTransportPlugin.java +++ b/storm-client/src/jvm/org/apache/storm/security/auth/tls/TlsTransportPlugin.java @@ -37,18 +37,17 @@ import org.apache.storm.thrift.protocol.TProtocol; import org.apache.storm.thrift.server.TServer; import org.apache.storm.thrift.server.TThreadPoolServer; -import org.apache.storm.thrift.transport.TSSLTransportFactory; import org.apache.storm.thrift.transport.TServerSocket; import org.apache.storm.thrift.transport.TSocket; import org.apache.storm.thrift.transport.TTransport; import org.apache.storm.thrift.transport.TTransportException; import org.apache.storm.utils.ExtendedThreadPoolExecutor; -import org.apache.storm.utils.SecurityUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; public class TlsTransportPlugin implements ITransportPlugin { private static final Logger LOG = LoggerFactory.getLogger(TlsTransportPlugin.class); + private static final String ANONYMOUS_PRINCIPAL_NAME = "CN=ANONYMOUS"; protected ThriftConnectionType type; protected Map conf; private int port; @@ -71,22 +70,13 @@ public TServer getServer(TProcessor processor) throws IOException, TTransportExc int configuredPort = type.getPort(conf); Integer socketTimeout = type.getSocketTimeOut(conf); - TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters(); - if (type.getServerKeyStorePath(conf) != null && type.getServerKeyStorePassword(conf) != null) { - params.setKeyStore(type.getServerKeyStorePath(conf), type.getServerKeyStorePassword(conf), null, - SecurityUtils.inferKeyStoreTypeFromPath(type.getServerKeyStorePath(conf))); - } else { + if (type.getServerKeyStorePath(conf) == null || type.getServerKeyStorePassword(conf) == null) { throw new IllegalArgumentException("The server keystore is not configured properly"); } - if (type.isClientAuthRequired(conf)) { - if (type.getServerTrustStorePath(conf) != null && type.getServerTrustStorePassword(conf) != null) { - params.setTrustStore(type.getServerTrustStorePath(conf), type.getServerTrustStorePassword(conf), null, - SecurityUtils.inferKeyStoreTypeFromPath(type.getServerTrustStorePath(conf))); - params.requireClientAuth(true); - } else { - throw new IllegalArgumentException("The server truststore is not configured properly"); - } + if (type.isClientAuthRequired(conf) + && (type.getServerTrustStorePath(conf) == null || type.getServerTrustStorePassword(conf) == null)) { + throw new IllegalArgumentException("The server truststore is not configured properly"); } int clientTimeout = (socketTimeout == null ? 0 : socketTimeout); @@ -152,7 +142,7 @@ public void process(final TProtocol inProt, final TProtocol outProt) throws TExc TSocket tsocket = (TSocket) trans; SSLSocket socket = (SSLSocket) tsocket.getSocket(); - String principalName = "CN=ANONYMOUS"; + String principalName = ANONYMOUS_PRINCIPAL_NAME; try { for (X509Certificate cert: socket.getSession().getPeerCertificateChain()) { Principal principal = cert.getSubjectDN(); @@ -160,7 +150,7 @@ public void process(final TProtocol inProt, final TProtocol outProt) throws TExc break; } } catch (SSLPeerUnverifiedException e) { - LOG.debug("Client cert is not verified. Set principalName={}.", principalName, e); + LOG.warn("Client cert is not verified. Set principalName={}.", principalName, e); } LOG.debug("principalName : {} ", principalName); ReqContext reqContext = ReqContext.context();