Bug 734848 - Need feature for Query Server SSL
Summary: Need feature for Query Server SSL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: condor-wallaby-base-db
Version: Development
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: 2.1
Assignee: Robert Rati
QA Contact: Lubos Trilety
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-31 15:45 UTC by Robert Rati
Modified: 2012-03-01 11:27 UTC

Fixed In Version: condor-wallaby-base-db-1.16-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-27 19:12:45 UTC



Description Robert Rati 2011-08-31 15:45:54 UTC
Description of problem:
The Query Server also needs a feature for enabling SSL support. Since it uses the same params as Aviary for SSL, the SSL params will need to be scoped to the subsystem (subsys.ssl_param).

In addition to the new feature, the SecureAviaryScheduler should be renamed to allow other means to secure Aviary.  Something like SSLEnabledAviaryScheduler and SSLEnabledQueryServer.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Robert Rati 2011-08-31 18:40:48 UTC
Proposed changes:
SSLEnabledQueryServer
  name:  "SSLEnabledQueryServer"
  params:  {"QUERY_SERVER.AVIARY_SSL_CA_DIR"=>"", "QUERY_SERVER.AVIARY_SSL"=>"True", "QUERY_SERVER.AVIARY_SSL_SERVER_KEY"=>"", "QUERY_SERVER.AVIARY_SSL_SERVER_CERT"=>"", "QUERY_SERVER.AVIARY_SSL_CA_FILE"=>""}
  depends:  []
  conflicts:  []
  included_features:  ["QueryServer"]

SSLEnabledAviaryScheduler
  name:  "SSLEnabledAviaryScheduler"
  params:  {"SCHEDD.AVIARY_SSL_SERVER_KEY"=>"", "SCHEDD.AVIARY_SSL_SERVER_CERT"=>"", "SCHEDD.AVIARY_SSL_CA_FILE"=>"", "SCHEDD.AVIARY_SSL"=>"True", "SCHEDD.AVIARY_SSL_CA_DIR"=>""}
  depends:  []
  conflicts:  []
  included_features:  ["AviaryScheduler"]

QUERY_SERVER.AVIARY_SSL_CA_DIR
  kind:  "String"
  default:  ""
  description:  "Path to Aviary SSL CA directory used by the Query Server"
  must_change:  true
  requires_restart:  true
  visibility_level:  0
  depends:  []
  conflicts:  []

QUERY_SERVER.AVIARY_SSL
  kind:  "Boolean"
  default:  "False"
  description:  "Enable HTTPS mutual authentication for Aviary in the Query Server"
  must_change:  false
  requires_restart:  true
  visibility_level:  0
  depends:  []
  conflicts:  []

QUERY_SERVER.AVIARY_SSL_SERVER_KEY
  kind:  "String"
  default:  ""
  description:  "Path to Aviary SSL server private key used by the Query Server"
  must_change:  true
  requires_restart:  true
  visibility_level:  0
  depends:  []
  conflicts:  []

QUERY_SERVER.AVIARY_SSL_SERVER_CERT
  kind:  "String"
  default:  ""
  description:  "Path to Aviary SSL server certificate used by the Query Server"
  must_change:  true
  requires_restart:  true
  visibility_level:  0
  depends:  []
  conflicts:  []

QUERY_SERVER.AVIARY_SSL_CA_FILE
  kind:  "String"
  default:  ""
  description:  "Path to Aviary SSL CA file used by the Query Server"
  must_change:  true
  requires_restart:  true
  visibility_level:  0
  depends:  []
  conflicts:  []

SCHEDD.AVIARY_SSL_SERVER_KEY
  kind:  "String"
  default:  ""
  description:  "Path to Aviary SSL server private key used by the Scheduler"
  must_change:  true
  requires_restart:  true
  visibility_level:  0
  depends:  []
  conflicts:  []

SCHEDD.AVIARY_SSL_SERVER_CERT
  kind:  "String"
  default:  ""
  description:  "Path to Aviary SSL server certificate used by the Scheduler"
  must_change:  true
  requires_restart:  true
  visibility_level:  0
  depends:  []
  conflicts:  []

SCHEDD.AVIARY_SSL_CA_FILE
  kind:  "String"
  default:  ""
  description:  "Path to Aviary SSL CA file used by the Scheduler"
  must_change:  true
  requires_restart:  true
  visibility_level:  0
  depends:  []
  conflicts:  []

SCHEDD.AVIARY_SSL
  kind:  "Boolean"
  default:  "False"
  description:  "Enable HTTPS mutual authentication for Aviary in the Scheduler"
  must_change:  false
  requires_restart:  true
  visibility_level:  0
  depends:  []
  conflicts:  []

SCHEDD.AVIARY_SSL_CA_DIR
  kind:  "String"
  default:  ""
  description:  "Path to Aviary SSL CA directory used by the Scheduler"
  must_change:  true
  requires_restart:  true
  visibility_level:  0
  depends:  []
  conflicts:  []

Removed Params:
AVIARY_SSL_SERVER_KEY
AVIARY_SSL_SERVER_CERT
AVIARY_SSL_CA_FILE
AVIARY_SSL
AVIARY_SSL_CA_DIR

Comment 2 Robert Rati 2011-09-06 18:38:10 UTC
Fixed on:
BZ734848-QueryServer-SSL

Comment 3 Lubos Trilety 2011-11-04 15:45:31 UTC
Tested with:
condor-wallaby-base-db-1.16-2

Tested on:
RHEL6 x86_64, i386
RHEL5 x86_64, i386

- !ruby/object:Mrg::Grid::SerializedConfigs::Feature
  conflicts: []

  depends: []

  included:
  - AviaryScheduler
  name: SSLEnabledAviaryScheduler
  params:
    SCHEDD.AVIARY_SSL_SERVER_KEY: 0
    SCHEDD.AVIARY_SSL_SERVER_CERT: 0
    SCHEDD.AVIARY_SSL_CA_FILE: 0
    SCHEDD.AVIARY_SSL: "True"
    SCHEDD.AVIARY_SSL_CA_DIR: 0

- !ruby/object:Mrg::Grid::SerializedConfigs::Feature
  conflicts: []

  depends: []

  included:
  - QueryServer
  name: SSLEnabledQueryServer
  params:
    QUERY_SERVER.AVIARY_SSL_CA_DIR: 0
    QUERY_SERVER.AVIARY_SSL: "True"
    QUERY_SERVER.AVIARY_SSL_SERVER_KEY: 0
    QUERY_SERVER.AVIARY_SSL_SERVER_CERT: 0
    QUERY_SERVER.AVIARY_SSL_CA_FILE: 0

- !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
  conflicts: []

  default_val: ""
  depends: []

  description: Path to Aviary SSL CA directory used by the Scheduler
  kind: String
  level: 0
  must_change: true
  name: SCHEDD.AVIARY_SSL_CA_DIR
  needs_restart: true

- !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
  conflicts: []

  default_val: "False"
  depends: []

  description: Enable HTTPS mutual authentication for Aviary in the Query Server
  kind: Boolean
  level: 0
  must_change: false
  name: QUERY_SERVER.AVIARY_SSL
  needs_restart: true

- !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
  conflicts: []

  default_val: ""
  depends: []

  description: Path to Aviary SSL CA directory used by the Query Server
  kind: String
  level: 0
  must_change: true
  name: QUERY_SERVER.AVIARY_SSL_CA_DIR
  needs_restart: true

- !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
  conflicts: []

  default_val: ""
  depends: []

  description: Path to Aviary SSL CA file used by the Query Server
  kind: String
  level: 0
  must_change: true
  name: QUERY_SERVER.AVIARY_SSL_CA_FILE
  needs_restart: true

- !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
  conflicts: []

  default_val: ""
  depends: []

  description: Path to Aviary SSL server certificate used by the Query Server
  kind: String
  level: 0
  must_change: true
  name: QUERY_SERVER.AVIARY_SSL_SERVER_CERT
  needs_restart: true

- !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
  conflicts: []

  default_val: ""
  depends: []

  description: Path to Aviary SSL server private key used by the Query Server
  kind: String
  level: 0
  must_change: true
  name: QUERY_SERVER.AVIARY_SSL_SERVER_KEY
  needs_restart: true

- !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
  conflicts: []

  default_val: "False"
  depends: []

  description: Enable HTTPS mutual authentication for Aviary in the Scheduler
  kind: Boolean
  level: 0
  must_change: false
  name: SCHEDD.AVIARY_SSL
  needs_restart: true

- !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
  conflicts: []

  default_val: ""
  depends: []

  description: Path to Aviary SSL CA file used by the Scheduler
  kind: String
  level: 0
  must_change: true
  name: SCHEDD.AVIARY_SSL_CA_FILE
  needs_restart: true

- !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
  conflicts: []

  default_val: ""
  depends: []

  description: Path to Aviary SSL server certificate used by the Scheduler
  kind: String
  level: 0
  must_change: true
  name: SCHEDD.AVIARY_SSL_SERVER_CERT
  needs_restart: true

- !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
  conflicts: []

  default_val: ""
  depends: []

  description: Path to Aviary SSL server private key used by the Scheduler
  kind: String
  level: 0
  must_change: true
  name: SCHEDD.AVIARY_SSL_SERVER_KEY
  needs_restart: true

All features and parameters were checked in the configuration store snapshot file. No AVIARY_SSL* parameters without the 'SCHEDD.' or 'QUERY_SERVER.' prefix are present.

>>> VERIFIED
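
The check described in comment 3 (no AVIARY_SSL* name left without a 'SCHEDD.' or 'QUERY_SERVER.' prefix) can be scripted against a snapshot. The following is an added example, not part of the bug report or of Wallaby's own code; the function names and the sample snapshot are constructed for illustration, and the sample assumes the top-level list layout shown in the excerpt above.

```ruby
require "psych"

SCOPED = /\A(SCHEDD|QUERY_SERVER)\.AVIARY_SSL(_\w+)?\z/

# Constructed sample in the layout of the snapshot excerpt above, with one
# unscoped parameter left in on purpose.
SAMPLE = <<~SNAPSHOT
  - !ruby/object:Mrg::Grid::SerializedConfigs::Feature
    name: SSLEnabledQueryServer
    params:
      QUERY_SERVER.AVIARY_SSL: "True"
      QUERY_SERVER.AVIARY_SSL_CA_FILE: 0
  - !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
    default_val: "False"
    name: SCHEDD.AVIARY_SSL
  - !ruby/object:Mrg::Grid::SerializedConfigs::Parameter
    default_val: ""
    name: AVIARY_SSL_CA_DIR
SNAPSHOT

# Key/value pairs of a mapping node, keyed by the scalar key text.
def fields(mapping)
  mapping.children.each_slice(2).map { |k, v| [k.value, v] }.to_h
end

# Walks the YAML syntax tree instead of loading it, so the !ruby/object
# tags are read as labels and no object is instantiated.
def aviary_ssl_names(yaml_text)
  doc = Psych.parse(yaml_text)
  return [] unless doc
  names = []
  doc.grep(Psych::Nodes::Mapping).each do |m|
    case m.tag.to_s
    when /::Parameter\z/
      name = fields(m)["name"]
      names << name.value if name
    when /::Feature\z/
      params = fields(m)["params"]
      names.concat(fields(params).keys) if params.is_a?(Psych::Nodes::Mapping)
    end
  end
  names.select { |n| n.include?("AVIARY_SSL") }.uniq
end

# AVIARY_SSL* names lacking the SCHEDD. or QUERY_SERVER. prefix.
def unscoped_aviary_ssl(yaml_text)
  aviary_ssl_names(yaml_text).reject { |n| n.match?(SCOPED) }
end
```

An empty result from `unscoped_aviary_ssl` corresponds to the state comment 3 reports; on the constructed sample it returns the one unscoped name.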

