From b54ac9a6350687bfb511a3cb1002212ad2a94501 Mon Sep 17 00:00:00 2001 From: Rajani Karuturi Date: Fri, 13 Dec 2013 17:43:48 +0530 Subject: [PATCH] CLOUDSTACK-5483 : Failed to start management server when db encryption is enabled When db encryption is enabled, the server expects all secure,hidden fields in encrypted form. moved the insert statements which has dafault values to java and populated encrypted values if encryption is enabled. --- .../cloud/upgrade/dao/Upgrade421to430.java | 47 +++++++++++++++++++ setup/db/db/schema-421to430.sql | 7 --- 2 files changed, 47 insertions(+), 7 deletions(-) diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java index 0673c576bc2..6df44ec7011 100644 --- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java +++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java @@ -18,10 +18,14 @@ package com.cloud.upgrade.dao; import java.io.File; +import java.io.UnsupportedEncodingException; import java.sql.Connection; +import java.sql.PreparedStatement; +import java.sql.SQLException; import org.apache.log4j.Logger; +import com.cloud.utils.crypt.DBEncryptionUtil; import com.cloud.utils.exception.CloudRuntimeException; import com.cloud.utils.script.Script; @@ -55,6 +59,49 @@ public class Upgrade421to430 implements DbUpgrade { @Override public void performDataMigration(Connection conn) { + encryptLdapConfigParams(conn); + } + + private void encryptLdapConfigParams(Connection conn) { + PreparedStatement pstmt = null; + + String[][] ldapParams = { {"ldap.user.object", "inetOrgPerson", "Sets the object type of users within LDAP"}, + {"ldap.username.attribute", "uid", "Sets the username attribute used within LDAP"}, {"ldap.email.attribute", "mail", "Sets the email attribute used within LDAP"}, + {"ldap.firstname.attribute", "givenname", "Sets the firstname attribute used within LDAP"}, + {"ldap.lastname.attribute", "sn", "Sets the lastname attribute used within LDAP"}, + {"ldap.group.object", "groupOfUniqueNames", "Sets the object type of groups within LDAP"}, + {"ldap.group.user.uniquemember", "uniquemember", "Sets the attribute for uniquemembers within a group"}}; + + String insertSql = "INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description) VALUES ('Secure', 'DEFAULT', 'management-server', ?, ?, " + + "?) ON DUPLICATE KEY UPDATE category='Secure';"; + + try { + + for (String[] ldapParam : ldapParams) { + String name = ldapParam[0]; + String value = ldapParam[1]; + String desc = ldapParam[2]; + String encryptedValue = DBEncryptionUtil.encrypt(value); + pstmt = conn.prepareStatement(insertSql); + pstmt.setString(1, name); + pstmt.setBytes(2, encryptedValue.getBytes("UTF-8")); + pstmt.setString(3, desc); + pstmt.executeUpdate(); + } + } catch (SQLException e) { + throw new CloudRuntimeException("Unable to insert ldap configuration values ", e); + } catch (UnsupportedEncodingException e) { + throw new CloudRuntimeException("Unable to insert ldap configuration values ", e); + } finally { + try { + if (pstmt != null) { + pstmt.close(); + } + } catch (SQLException e) { + } + } + s_logger.debug("Done encrypting ldap Config values"); + } @Override diff --git a/setup/db/db/schema-421to430.sql b/setup/db/db/schema-421to430.sql index b1b378b7ef6..7cc0d4d4c7c 100644 --- a/setup/db/db/schema-421to430.sql +++ b/setup/db/db/schema-421to430.sql @@ -603,17 +603,10 @@ UPDATE `cloud`.`configuration` SET name='ldap.truststore.password' WHERE name='l INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.bind.principal', NULL, 'Specifies the bind principal to use for bind to LDAP', NULL) ON DUPLICATE KEY UPDATE category='Secure'; INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.bind.password', NULL, 'Specifies the password to use for binding to LDAP', NULL) ON DUPLICATE KEY UPDATE category='Secure'; -INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.username.attribute', 'uid', 'Sets the username attribute used within LDAP', 'uid') ON DUPLICATE KEY UPDATE category='Secure'; -INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.email.attribute', 'mail', 'Sets the email attribute used within LDAP', 'mail') ON DUPLICATE KEY UPDATE category='Secure'; -INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.firstname.attribute', 'givenname', 'Sets the firstname attribute used within LDAP', 'givenname') ON DUPLICATE KEY UPDATE category='Secure'; -INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.lastname.attribute', 'sn', 'Sets the lastname attribute used within LDAP', 'sn') ON DUPLICATE KEY UPDATE category='Secure'; -INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.user.object', 'inetOrgPerson', 'Sets the object type of users within LDAP', 'inetOrgPerson') ON DUPLICATE KEY UPDATE category='Secure'; INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.basedn', NULL, 'Sets the basedn for LDAP', NULL) ON DUPLICATE KEY UPDATE category='Secure'; INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.search.group.principle', NULL, 'Sets the principle of the group that users must be a member of', NULL) ON DUPLICATE KEY UPDATE category='Secure'; INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.truststore', NULL, 'Sets the path to the truststore to use for LDAP SSL', NULL) ON DUPLICATE KEY UPDATE category='Secure'; INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.truststore.password', NULL, 'Sets the password for the truststore', NULL) ON DUPLICATE KEY UPDATE category='Secure'; -INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.group.object', 'groupOfUniqueNames', 'Sets the object type of groups within LDAP', 'groupOfUniqueNames') ON DUPLICATE KEY UPDATE category='Secure'; -INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.group.user.uniquemember', 'uniquemember', 'Sets the attribute for uniquemembers within a group','uniquemember') ON DUPLICATE KEY UPDATE category='Secure'; CREATE TABLE `cloud`.`ldap_configuration` ( `id` bigint unsigned NOT NULL auto_increment COMMENT 'id',