Return-Path: X-Original-To: apmail-ambari-commits-archive@www.apache.org Delivered-To: apmail-ambari-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4682417D17 for ; Mon, 6 Oct 2014 19:25:56 +0000 (UTC) Received: (qmail 27043 invoked by uid 500); 6 Oct 2014 19:25:56 -0000 Delivered-To: apmail-ambari-commits-archive@ambari.apache.org Received: (qmail 27014 invoked by uid 500); 6 Oct 2014 19:25:56 -0000 Mailing-List: contact commits-help@ambari.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: ambari-dev@ambari.apache.org Delivered-To: mailing list commits@ambari.apache.org Received: (qmail 27005 invoked by uid 99); 6 Oct 2014 19:25:56 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 06 Oct 2014 19:25:56 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id E63208B3285; Mon, 6 Oct 2014 19:25:55 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: dmitriusan@apache.org To: commits@ambari.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: git commit: AMBARI-7658. Fix warning when using HTTPS_ONLY for secured DN (dlysnichenko) Date: Mon, 6 Oct 2014 19:25:55 +0000 (UTC) Repository: ambari Updated Branches: refs/heads/branch-1.7.0 df0f496a7 -> 3a2039166 AMBARI-7658. Fix warning when using HTTPS_ONLY for secured DN (dlysnichenko) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/3a203916 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/3a203916 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/3a203916 Branch: refs/heads/branch-1.7.0 Commit: 3a2039166800cfd74c3e3c8d67b1eaa570e26657 Parents: df0f496 Author: Lisnichenko Dmitro Authored: Mon Oct 6 19:17:46 2014 +0300 Committer: Lisnichenko Dmitro Committed: Mon Oct 6 22:25:40 2014 +0300 ---------------------------------------------------------------------- .../stacks/HDP/2.2/services/stack_advisor.py | 5 +- .../stacks/2.2/common/test_stack_advisor.py | 137 ++++++++++++++++--- 2 files changed, 121 insertions(+), 21 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/3a203916/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py
index 3f1faf7..19b1065 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py
@@ -101,10 +101,9 @@ class HDP22StackAdvisor(HDP21StackAdvisor):
 # determine whether we use secure ports
 address_properties_with_warnings = []
 if dfs_http_policy_value == HTTPS_ONLY:
- any_privileged_ports_are_in_use = privileged_dfs_dn_port or privileged_dfs_https_port
- if any_privileged_ports_are_in_use:
+ if not privileged_dfs_dn_port and (privileged_dfs_https_port or datanode_https_address not in hdfs_site):
 important_properties = [dfs_datanode_address, datanode_https_address]
- message = "You set up datanode to use some non-secure ports, but {0} is set to {1}. " \
+ message = "You set up datanode to use some non-secure ports. " \
 "If you want to run Datanode under non-root user in a secure cluster, " \
 "you should set all these properties {2} " \
 "to use non-secure ports (if property {3} does not exist, " \
http://git-wip-us.apache.org/repos/asf/ambari/blob/3a203916/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
index 7d29ca8..3d6b2e6 100644
--- a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
+++ b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
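Review bot: In `stack_advisor.py`, the rewritten test `if not privileged_dfs_dn_port and (privileged_dfs_https_port or datanode_https_address not in hdfs_site):` has no comment saying which port combinations it lets through, and that is not obvious from the names alone. As written, this branch warns only when the data-transfer port is unprivileged and the HTTPS address is privileged or missing, so a privileged `dfs.datanode.address` is accepted with any HTTPS port (the updated test for 1019 with 50475 expects no warnings). I would add above the line `# Non-root DataNode layout only: data port unprivileged, so the HTTPS address must be present and unprivileged too; a privileged data port is not checked here.` The shortened message also drops `{0}` and `{1}` while keeping `{2}` and `{3}`, so the `.format(...)` call, which is outside this hunk, presumably still receives two arguments it no longer uses. The validation method starts and ends outside the hunk.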
@@ -113,12 +113,64 @@ class TestHDP22StackAdvisor(TestCase): validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) self.assertEquals(validation_problems, expected) - # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, secure ports + # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, https address not defined + properties = { # hdfs-site + 'dfs.http.policy': 'HTTPS_ONLY', + 'dfs.datanode.address': '0.0.0.0:1019', + } + configurations = { + 'hdfs-site': { + 'properties': properties, + }, + 'core-site': { + 'properties': secure_cluster_core_site + } + } + expected = [ ] + validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) + self.assertEquals(validation_problems, expected) + + # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, https address defined and secure + properties = { # hdfs-site + 'dfs.http.policy': 'HTTPS_ONLY', + 'dfs.datanode.address': '0.0.0.0:1019', + 'dfs.datanode.https.address': '0.0.0.0:1022', + } + configurations = { + 'hdfs-site': { + 'properties': properties, + }, + 'core-site': { + 'properties': secure_cluster_core_site + } + } + expected = [] + validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) + self.assertEquals(validation_problems, expected) + + # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, https address defined and non secure properties = { # hdfs-site 'dfs.http.policy': 'HTTPS_ONLY', 'dfs.datanode.address': '0.0.0.0:1019', 'dfs.datanode.https.address': '0.0.0.0:50475', + } + configurations = { + 'hdfs-site': { + 'properties': properties, + }, + 'core-site': { + 'properties': secure_cluster_core_site + } } + expected = [] + validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) + self.assertEquals(validation_problems, expected) + + # TEST CASE: Secure cluster, 
dfs.http.policy=HTTPS_ONLY, non secure dfs port, https property not defined + properties = { # hdfs-site + 'dfs.http.policy': 'HTTPS_ONLY', + 'dfs.datanode.address': '0.0.0.0:50010', + } configurations = { 'hdfs-site': { 'properties': properties, 
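Review bot: Each new case in the `-113,12 +113,64` hunk of `test_stack_advisor.py` repeats the same `configurations` literal and the same validate-and-assert pair, so the only lines that really differ between cases are the `properties` dict and `expected`. A small local helper would reduce every case to one call and make the port matrix readable at a glance; the later hunk at `-130,31 +182,80` repeats the pattern and could use the same helper. The test method starts before this hunk and continues past it, and `secure_cluster_core_site` and `recommendedDefaults` are defined outside the visible lines.

```python
def check(hdfs_site, expected):
  configurations = {
    'hdfs-site': {'properties': hdfs_site},
    'core-site': {'properties': secure_cluster_core_site},
  }
  problems = self.stackAdvisor.validateHDFSConfigurations(hdfs_site, recommendedDefaults, configurations)
  self.assertEquals(problems, expected)

# TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, https address not defined
check({'dfs.http.policy': 'HTTPS_ONLY',
       'dfs.datanode.address': '0.0.0.0:1019'}, [])
# … unchanged: the remaining cases, each reduced to one check(...) call …
```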
@@ -130,31 +182,80 @@ class TestHDP22StackAdvisor(TestCase): expected = [{'config-name': 'dfs.datanode.address', 'config-type': 'hdfs-site', 'level': 'WARN', - 'message': "You set up datanode to use some non-secure ports, " - "but dfs.http.policy is set to HTTPS_ONLY. If you " - "want to run Datanode under non-root user in a secure" - " cluster, you should set all these properties ['dfs.datanode.address', 'dfs.datanode.https.address'] " - "to use non-secure ports (if property dfs.datanode.https.address does not exist, just add it)." - " You may also set up property dfs.data.transfer.protection ('authentication' is a good default value). " - "Also, set up WebHDFS with SSL as described in manual in order to be able to use HTTPS.", + 'message': "You set up datanode to use some non-secure ports. " + "If you want to run Datanode under non-root user in " + "a secure cluster, you should set all these properties " + "['dfs.datanode.address', 'dfs.datanode.https.address'] " + "to use non-secure ports (if property " + "dfs.datanode.https.address does not exist, just add it). " + "You may also set up property dfs.data.transfer.protection " + "('authentication' is a good default value). Also, set up " + "WebHDFS with SSL as described in manual in order to " + "be able to use HTTPS.", 'type': 'configuration'}, {'config-name': 'dfs.datanode.https.address', 'config-type': 'hdfs-site', 'level': 'WARN', - 'message': "You set up datanode to use some non-secure ports, " - "but dfs.http.policy is set to HTTPS_ONLY. If you " - "want to run Datanode under non-root user in a secure" - " cluster, you should set all these properties ['dfs.datanode.address', 'dfs.datanode.https.address'] " - "to use non-secure ports (if property dfs.datanode.https.address does not exist, just add it)." - " You may also set up property dfs.data.transfer.protection ('authentication' is a good default value). 
" - "Also, set up WebHDFS with SSL as described in manual in order to be able to use HTTPS.", + 'message': "You set up datanode to use some non-secure ports. " + "If you want to run Datanode under non-root user in " + "a secure cluster, you should set all these properties " + "['dfs.datanode.address', 'dfs.datanode.https.address'] " + "to use non-secure ports (if property dfs.datanode.https.address " + "does not exist, just add it). You may also set up property " + "dfs.data.transfer.protection ('authentication' is a good default value). " + "Also, set up WebHDFS with SSL as described in manual in " + "order to be able to use HTTPS.", 'type': 'configuration'} - ] + ] validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) self.assertEquals(validation_problems, expected) - # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, valid configuration + # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, non secure dfs port, https defined and secure + properties = { # hdfs-site + 'dfs.http.policy': 'HTTPS_ONLY', + 'dfs.datanode.address': '0.0.0.0:50010', + 'dfs.datanode.https.address': '0.0.0.0:1022', + } + configurations = { + 'hdfs-site': { + 'properties': properties, + }, + 'core-site': { + 'properties': secure_cluster_core_site + } + } + expected = [{'config-name': 'dfs.datanode.address', + 'config-type': 'hdfs-site', + 'level': 'WARN', + 'message': "You set up datanode to use some non-secure ports. " + "If you want to run Datanode under non-root user in " + "a secure cluster, you should set all these properties " + "['dfs.datanode.address', 'dfs.datanode.https.address'] " + "to use non-secure ports (if property dfs.datanode.https.address " + "does not exist, just add it). You may also set up property " + "dfs.data.transfer.protection ('authentication' is a good " + "default value). 
Also, set up WebHDFS with SSL as described " + "in manual in order to be able to use HTTPS.", + 'type': 'configuration'}, + {'config-name': 'dfs.datanode.https.address', + 'config-type': 'hdfs-site', + 'level': 'WARN', + 'message': "You set up datanode to use some non-secure ports. " + "If you want to run Datanode under non-root user in " + "a secure cluster, you should set all these properties " + "['dfs.datanode.address', 'dfs.datanode.https.address'] " + "to use non-secure ports (if property dfs.datanode.https.address " + "does not exist, just add it). You may also set up property " + "dfs.data.transfer.protection ('authentication' is a good default value). " + "Also, set up WebHDFS with SSL as described in manual in order to be " + "able to use HTTPS.", + 'type': 'configuration'} + ] + validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) + self.assertEquals(validation_problems, expected) + + # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, valid non-root configuration properties = { # hdfs-site 'dfs.http.policy': 'HTTPS_ONLY', 'dfs.datanode.address': '0.0.0.0:50010', @@ -173,7 +274,7 @@ class TestHDP22StackAdvisor(TestCase): validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) self.assertEquals(validation_problems, expected) - # TEST CASE: Secure cluster, dfs.http.policy=HTTP_ONLY, insecure ports + # TEST CASE: Secure cluster, dfs.http.policy=HTTP_ONLY, insecure port properties = { # hdfs-site 'dfs.http.policy': 'HTTP_ONLY', 'dfs.datanode.address': '0.0.0.0:1019',
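Review bot: The expected warning text in the `-130,31 +182,80` hunk is written out four times on the new side, and each copy breaks the string at different points, so a later wording change has to be made in four places and a mismatch is hard to spot by eye. Building it once as `expected_message = "You set up datanode to use some non-secure ports. " ...` and generating both entries with `[{'config-name': name, 'config-type': 'hdfs-site', 'level': 'WARN', 'message': expected_message, 'type': 'configuration'} for name in ('dfs.datanode.address', 'dfs.datanode.https.address')]` keeps the two cases identical by construction. The case titles also say "secure" and "non secure" where the values under test are apparently just ports below 1024 (1019, 1022) versus above (50010, 50475); a one-line comment stating that convention would help a reader who does not know the validator. The enclosing test method begins and ends outside the hunk.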