From 86a6cc5501bc183773f6df85e7b7407ca46419cc Mon Sep 17 00:00:00 2001
From: tyoushinya
Date: Thu, 19 Sep 2024 11:04:18 +0800
Subject: [PATCH] AMBARI-26137:Add whitelist setting for host access control
---
 .../server/configuration/Configuration.java | 15 +++++++++++++++
 .../ambari/server/controller/AmbariServer.java | 12 ++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 83a4655cc7e..d4085ea70b0 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -705,6 +705,15 @@ public class Configuration {
 public static final ConfigurationProperty SRVR_DISABLED_PROTOCOLS = new ConfigurationProperty<>( "security.server.disabled.protocols", "");
+ /**
+ * The list of hosts which will be allowed to access Ambari server.
+ */
+ @Markdown(
+ description = "The list of hosts which will be allowed to access this server.",
+ examples = { "192.168.0.118-168,192.168.1.5" })
+ public static final ConfigurationProperty SRVR_ACCESS_WHITELIST = new ConfigurationProperty<>(
+ "security.server.access.whitelist", "");
+
 /**
 * The location on the Ambari Server where all resources exist, including common services, stacks, and scripts.
 */
@@ -2899,6 +2908,7 @@ public Configuration(Properties properties) {
 configsMap.put(SRVR_CRT_PASS_LEN.getKey(), getProperty(SRVR_CRT_PASS_LEN));
 configsMap.put(SRVR_DISABLED_CIPHERS.getKey(), getProperty(SRVR_DISABLED_CIPHERS));
 configsMap.put(SRVR_DISABLED_PROTOCOLS.getKey(), getProperty(SRVR_DISABLED_PROTOCOLS));
+ configsMap.put(SRVR_ACCESS_WHITELIST.getKey(), getProperty(SRVR_ACCESS_WHITELIST));
 configsMap.put(CLIENT_API_SSL_KSTR_DIR_NAME.getKey(), properties.getProperty(CLIENT_API_SSL_KSTR_DIR_NAME.getKey(),
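Review bot: The Javadoc and `@Markdown` description on `SRVR_ACCESS_WHITELIST` (first Configuration.java hunk) leave out what an operator most needs to know: that the empty default means access is not restricted at all, and what form an entry takes. Judging by the AmbariServer.java hunk the values are handed to Jetty's `InetAccessHandler.include`, so they appear to be address patterns matched against the connecting peer rather than arbitrary host names, and "list of hosts" undersells that. I would word the description along the lines of `Comma-separated addresses or address ranges allowed to connect to this server; empty (the default) allows all.` The same contract is missing from the undocumented getter `getSrvrAccessWhiteList()` in the third Configuration.java hunk, which deserves a one-line Javadoc saying it returns the trimmed raw value and an empty string when unset.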
@@ -4340,6 +4350,11 @@ public String getSrvrDisabledProtocols() {
 return disabledProtocols.trim();
 }
+ public String getSrvrAccessWhiteList() {
+ String whiteLists = getProperty(SRVR_ACCESS_WHITELIST);
+ return whiteLists.trim();
+ }
+
 public int getOneWayAuthPort() {
 return Integer.parseInt(getProperty(SRVR_ONE_WAY_SSL_PORT));
 }
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 6ac11c42e3a..b44002c00e9 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -25,6 +25,7 @@
 import java.net.BindException;
 import java.net.PasswordAuthentication;
 import java.net.URL;
+import java.util.Arrays;
 import java.util.EnumSet;
 import java.util.Enumeration;
 import java.util.Map;
@@ -140,6 +141,7 @@
 import org.eclipse.jetty.server.SessionIdManager;
 import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.server.handler.HandlerCollection;
+import org.eclipse.jetty.server.handler.InetAccessHandler;
 import org.eclipse.jetty.server.handler.RequestLogHandler;
 import org.eclipse.jetty.server.handler.gzip.GzipHandler;
 import org.eclipse.jetty.server.session.DefaultSessionIdManager;
@@ -486,6 +488,16 @@ public void run() throws Exception {
 server.setHandler(handlerList);
+ String srvrAccessWhiteList = configs.getSrvrAccessWhiteList();
+ if (!srvrAccessWhiteList.isEmpty())
+ {
+ String[] whiteListHosts = srvrAccessWhiteList.split(",");
+ InetAccessHandler inetAccessHandler = new InetAccessHandler();
+ Arrays.asList(whiteListHosts).forEach(host -> inetAccessHandler.include(host.trim()));
+ inetAccessHandler.setHandler(server.getHandler());
+ server.setHandler(inetAccessHandler);
+ }
+
 ServletHolder agent = new ServletHolder(ServletContainer.class);
 agent.setInitParameter("com.sun.jersey.config.property.resourceConfigClass", "com.sun.jersey.api.core.PackagesResourceConfig");
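Review bot: Blank entries reach `inetAccessHandler.include(host.trim())` unchecked: `split(",")` on a value such as `a,,b` produces an empty string, and a value consisting only of commas produces no entries at all, so the filter can end up with an include set that differs from what the operator wrote. How Jetty treats an empty pattern or an empty include set is not visible in this hunk, and an access control should not depend on it; rejecting blank entries at startup with a message that names the property makes a typo fail loudly instead. Separately, the handler wraps everything served by `server`, and the agent servlet is configured immediately below, so if agents connect through this same server every agent address would have to be listed as well, which the property description should state. The opening brace on its own line also departs from the style of the surrounding code; run() begins and ends outside the hunk.

```java
String srvrAccessWhiteList = configs.getSrvrAccessWhiteList();
if (!srvrAccessWhiteList.isEmpty()) {
  InetAccessHandler inetAccessHandler = new InetAccessHandler();
  // limit -1 keeps trailing empty fields so that "a," and "," are seen and rejected below
  for (String entry : srvrAccessWhiteList.split(",", -1)) {
    String pattern = entry.trim();
    if (pattern.isEmpty()) {
      // A doubled, leading or trailing comma is a configuration error; refuse to start
      // rather than install an access filter that differs from what was intended.
      throw new IllegalArgumentException("Empty entry in "
          + Configuration.SRVR_ACCESS_WHITELIST.getKey() + ": '" + srvrAccessWhiteList + "'");
    }
    inetAccessHandler.include(pattern);
  }
  // … unchanged: wrap server.getHandler() and install inetAccessHandler on the server …
}
```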