From ef9fc95e8775457d126a37f8e0cb35c613c9c581 Mon Sep 17 00:00:00 2001
From: Rajani Karuturi
Date: Fri, 13 Dec 2013 17:11:41 +0530
Subject: [PATCH] CLOUDSTACK-5483 : Failed to start management server when db encryption is enabled

When db encryption is enabled, the server expects all secure,hidden fields in encrypted form. moved the insert statements which has dafault values to java and populated encrypted values if encryption is enabled.
---
 .../cloud/upgrade/dao/Upgrade421to430.java | 53 ++++++++++++++++++-
 setup/db/db/schema-421to430.sql | 7 ---
 2 files changed, 51 insertions(+), 9 deletions(-)

diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
index 5647289f489..471307a658c 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
@@ -18,10 +18,16 @@ package com.cloud.upgrade.dao;
 import java.io.File;
+import java.io.UnsupportedEncodingException;
 import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.SQLException;
+import java.util.Properties;
+import com.cloud.utils.db.DbProperties;
 import org.apache.log4j.Logger;
+import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.utils.script.Script;
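Review bot: `java.util.Properties` and `com.cloud.utils.db.DbProperties` are added to the import list, but nothing in the code this commit adds references them (the new method in the following hunk uses only `PreparedStatement`, `SQLException`, `UnsupportedEncodingException` and `DBEncryptionUtil`), so they should be dropped rather than left as unused imports. If `DbProperties` is kept for a follow-up, it is also placed between the `java.*` group and `org.apache.log4j.Logger` instead of with the other `com.cloud.utils` imports below, so move it into that group.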
@@ -50,11 +56,54 @@ public class Upgrade421to430 implements DbUpgrade {
 throw new CloudRuntimeException("Unable to find db/schema-421to430.sql");
 }
-return new File[] { new File(script) };
+return new File[] {new File(script)};
 }
 @Override
 public void performDataMigration(Connection conn) {
+encryptLdapConfigParams(conn);
+}
+
+private void encryptLdapConfigParams(Connection conn) {
+PreparedStatement pstmt = null;
+
+String[][] ldapParams = { {"ldap.user.object", "inetOrgPerson", "Sets the object type of users within LDAP"},
+{"ldap.username.attribute", "uid", "Sets the username attribute used within LDAP"}, {"ldap.email.attribute", "mail", "Sets the email attribute used within LDAP"},
+{"ldap.firstname.attribute", "givenname", "Sets the firstname attribute used within LDAP"},
+{"ldap.lastname.attribute", "sn", "Sets the lastname attribute used within LDAP"},
+{"ldap.group.object", "groupOfUniqueNames", "Sets the object type of groups within LDAP"},
+{"ldap.group.user.uniquemember", "uniquemember", "Sets the attribute for uniquemembers within a group"}};
+
+String insertSql = "INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description) VALUES ('Secure', 'DEFAULT', 'management-server', ?, ?, " + "?) ON DUPLICATE KEY UPDATE category='Secure';";
+
+try {
+
+for (String[] ldapParam : ldapParams) {
+String name = ldapParam[0];
+String value = ldapParam[1];
+String desc = ldapParam[2];
+String encryptedValue = DBEncryptionUtil.encrypt(value);
+pstmt = conn.prepareStatement(insertSql);
+pstmt.setString(1, name);
+pstmt.setBytes(2, encryptedValue.getBytes("UTF-8"));
+pstmt.setString(3, desc);
+pstmt.executeUpdate();
+}
+} catch (SQLException e) {
+throw new CloudRuntimeException("Unable to insert ldap configuration values ", e);
+} catch (UnsupportedEncodingException e) {
+throw new CloudRuntimeException("Unable to insert ldap configuration values ", e);
+} finally {
+try {
+if (pstmt != null) {
+pstmt.close();
+}
+} catch (SQLException e) {
+}
+}
+s_logger.debug("Done encrypting ldap Config values");
+}
 @Override
@@ -64,7 +113,7 @@ public class Upgrade421to430 implements DbUpgrade {
 throw new CloudRuntimeException("Unable to find db/schema-421to430-cleanup.sql");
 }
-return new File[] { new File(script) };
+return new File[] {new File(script)};
 }
 }
diff --git a/setup/db/db/schema-421to430.sql b/setup/db/db/schema-421to430.sql
index bcc827ba037..d9cdfe6b6b8 100644
--- a/setup/db/db/schema-421to430.sql
+++ b/setup/db/db/schema-421to430.sql
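Review bot: `pstmt = conn.prepareStatement(insertSql);` inside the `for (String[] ldapParam : ldapParams)` loop overwrites the previous statement on every iteration, but only the statement held at loop exit is closed in `finally`, so six of the seven `PreparedStatement` objects are never closed. Prepare it once instead: move `pstmt = conn.prepareStatement(insertSql);` to just before the `for` loop and delete it from the loop body; the per-row `setString`/`setBytes`/`executeUpdate` calls can stay as they are. The empty `catch (SQLException e) { }` around `pstmt.close()` discards the close failure silently — `s_logger.debug("Unable to close statement", e);` keeps it visible without changing control flow. The deleted SQL rows populated the `default_value` column (for example `'uid'`), whereas the new INSERT lists only `category, instance, component, name, value, description`, so these seven rows will now get a NULL `default_value` on upgrade; if the default is still expected, add it to the statement (encrypted or not, whichever the `Secure` category requires). Both `performDataMigration` and `encryptLdapConfigParams` are contained entirely within this hunk.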
@@ -603,17 +603,10 @@ UPDATE `cloud`.`configuration` SET name='ldap.truststore.password' WHERE name='l
 INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.bind.principal', NULL, 'Specifies the bind principal to use for bind to LDAP', NULL) ON DUPLICATE KEY UPDATE category='Secure';
 INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.bind.password', NULL, 'Specifies the password to use for binding to LDAP', NULL) ON DUPLICATE KEY UPDATE category='Secure';
-INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.username.attribute', 'uid', 'Sets the username attribute used within LDAP', 'uid') ON DUPLICATE KEY UPDATE category='Secure';
-INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.email.attribute', 'mail', 'Sets the email attribute used within LDAP', 'mail') ON DUPLICATE KEY UPDATE category='Secure';
-INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.firstname.attribute', 'givenname', 'Sets the firstname attribute used within LDAP', 'givenname') ON DUPLICATE KEY UPDATE category='Secure';
-INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.lastname.attribute', 'sn', 'Sets the lastname attribute used within LDAP', 'sn') ON DUPLICATE KEY UPDATE category='Secure';
-INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.user.object', 'inetOrgPerson', 'Sets the object type of users within LDAP', 'inetOrgPerson') ON DUPLICATE KEY UPDATE category='Secure';
 INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.basedn', NULL, 'Sets the basedn for LDAP', NULL) ON DUPLICATE KEY UPDATE category='Secure';
 INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.search.group.principle', NULL, 'Sets the principle of the group that users must be a member of', NULL) ON DUPLICATE KEY UPDATE category='Secure';
 INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.truststore', NULL, 'Sets the path to the truststore to use for LDAP SSL', NULL) ON DUPLICATE KEY UPDATE category='Secure';
 INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.truststore.password', NULL, 'Sets the password for the truststore', NULL) ON DUPLICATE KEY UPDATE category='Secure';
-INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.group.object', 'groupOfUniqueNames', 'Sets the object type of groups within LDAP', 'groupOfUniqueNames') ON DUPLICATE KEY UPDATE category='Secure';
-INSERT INTO `cloud`.`configuration`(category, instance, component, name, value, description, default_value) VALUES ('Secure', 'DEFAULT', 'management-server', 'ldap.group.user.uniquemember', 'uniquemember', 'Sets the attribute for uniquemembers within a group','uniquemember') ON DUPLICATE KEY UPDATE category='Secure';
 CREATE TABLE `cloud`.`ldap_configuration` (
 `id` bigint unsigned NOT NULL auto_increment COMMENT 'id',