ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jspei...@apache.org
Subject ambari git commit: AMBARI-8725. Inject Clusters object into KerberosServerAction
Date Tue, 16 Dec 2014 17:45:25 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk 828dc79fa -> 254280c3c


AMBARI-8725. Inject Clusters object into KerberosServerAction


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/254280c3
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/254280c3
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/254280c3

Branch: refs/heads/trunk
Commit: 254280c3cf6f0f78bc178ad10b8c7ec563e656b3
Parents: 828dc79
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Tue Dec 16 12:42:39 2014 -0500
Committer: John Speidel <jspeidel@hortonworks.com>
Committed: Tue Dec 16 12:45:16 2014 -0500

----------------------------------------------------------------------
 .../kerberos/KerberosServerAction.java          | 68 +++++++-------
 .../kerberos/KerberosServerActionTest.java      | 96 ++++++++++++--------
 2 files changed, 92 insertions(+), 72 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/254280c3/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
index 832602f..a3a1b5b 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
@@ -18,10 +18,13 @@
 
 package org.apache.ambari.server.serveraction.kerberos;
 
+import com.google.inject.Inject;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.actionmanager.HostRoleStatus;
 import org.apache.ambari.server.agent.CommandReport;
 import org.apache.ambari.server.serveraction.AbstractServerAction;
+import org.apache.ambari.server.state.Cluster;
+import org.apache.ambari.server.state.Clusters;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -49,23 +52,10 @@ public abstract class KerberosServerAction extends AbstractServerAction
{
   public static final String DATA_DIRECTORY = "data_directory";
 
   /**
-   * A (command parameter) property name used to hold the KDC administrator's principal value.
-   * TODO (rlevas): For security purposes, this data should be moved to an encrypted storage
facility.
+   * A (command parameter) property name used to hold encrypted data representing the KDC
+   * administrator credentials
    */
-  public static final String ADMINISTRATOR_PRINCIPAL = "admin_principal";
-
-  /**
-   * A (command parameter) property name used to hold the KDC administrator's password value.
-   * TODO (rlevas): For security purposes, this data should be moved to an encrypted storage
facility.
-   */
-  public static final String ADMINISTRATOR_PASSWORD = "admin_password";
-
-  /**
-   * A (command parameter) property name used to hold the KDC administrator's (base64-encoded)
keytab
-   * value.
-   * TODO (rlevas): For security purposes, this data should be moved to an encrypted storage
facility.
-   */
-  public static final String ADMINISTRATOR_KEYTAB = "admin_keytab";
+  public static final String ADMINISTRATOR_CREDENTIAL = "kerberos_admin_credential";
 
   /**
    * A (command parameter) property name used to hold the default Kerberos realm value.
@@ -86,6 +76,12 @@ public abstract class KerberosServerAction extends AbstractServerAction
{
   private static final Logger LOG = LoggerFactory.getLogger(KerberosServerAction.class);
 
   /**
+   * The Cluster that this ServerAction implementation is executing on
+   */
+  @Inject
+  private Clusters clusters = null;
+
+  /**
    * Given a (command parameter) Map and a property name, attempts to safely retrieve the
requested
    * data.
    *
@@ -135,25 +131,6 @@ public abstract class KerberosServerAction extends AbstractServerAction
{
   }
 
   /**
-   * Given a (command parameter) Map, attempts to safely retrieve the data needed to create
a
-   * {@link org.apache.ambari.server.serveraction.kerberos.KerberosCredential} representing
a KDC
-   * administrator.
-   * <p/>
-   * TODO (rlevas): For security purposes, this data should be moved to an encrypted storage
facility.
-   *
-   * @param commandParameters a Map containing the dictionary of data to interrogate
-   * @return a KerberosCredential or null if commandParameters is null
-   */
-  protected static KerberosCredential getAdministratorCredential(Map<String, String>
commandParameters) {
-    return (commandParameters == null)
-        ? null
-        : new KerberosCredential(
-        commandParameters.get(ADMINISTRATOR_PRINCIPAL),
-        commandParameters.get(ADMINISTRATOR_PASSWORD),
-        commandParameters.get(ADMINISTRATOR_KEYTAB));
-  }
-
-  /**
    * Sets the shared principal-to-password Map used to store principals and generated password
for
    * use within the current request context.
    *
@@ -195,6 +172,23 @@ public abstract class KerberosServerAction extends AbstractServerAction
{
   }
 
   /**
+   * Given a (command parameter) Map, attempts to safely retrieve the "data_directory" property.
+   *
+   * @param commandParameters a Map containing the dictionary of data to interrogate
+   * @return a String indicating the data directory or null (if not found or set)
+   */
+  protected KerberosCredential getAdministratorCredential(Map<String, String> commandParameters)
throws AmbariException {
+    Cluster cluster = clusters.getCluster(getExecutionCommand().getClusterName());
+
+    if(cluster == null)
+      throw new AmbariException("Failed get the Cluster object");
+
+    // Create the key like we did when we encrypted the data, based on the Cluster objects
hashcode.
+    byte[] key = Integer.toHexString(cluster.hashCode()).getBytes();
+    return KerberosCredential.decrypt(getCommandParameterValue(commandParameters, ADMINISTRATOR_CREDENTIAL),
key);
+  }
+
+  /**
    * Attempts to safely retrieve a property with the specified name from the this action's
relevant
    * command parameters Map.
    *
@@ -285,6 +279,10 @@ public abstract class KerberosServerAction extends AbstractServerAction
{
               break;
             }
           }
+        } catch (AmbariException e) {
+          // Catch this separately from IOException since the reason it was thrown was not
the same
+          // Note: AmbariException is an IOException, so there may be some confusion
+          throw new AmbariException(e.getMessage(), e);
         } catch (IOException e) {
           String message = String.format("Failed to process the identities, cannot read the
index file: %s",
               indexFile.getAbsolutePath());

http://git-wip-us.apache.org/repos/asf/ambari/blob/254280c3/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java
index 65e5cd6..fd1017b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java
@@ -18,12 +18,17 @@
 
 package org.apache.ambari.server.serveraction.kerberos;
 
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
 import junit.framework.Assert;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.actionmanager.HostRoleCommand;
 import org.apache.ambari.server.actionmanager.HostRoleStatus;
 import org.apache.ambari.server.agent.CommandReport;
 import org.apache.ambari.server.agent.ExecutionCommand;
+import org.apache.ambari.server.state.Cluster;
+import org.apache.ambari.server.state.Clusters;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -34,20 +39,60 @@ import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 
+import static org.mockito.Matchers.anyString;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 public class KerberosServerActionTest {
 
+
   Map<String, String> commandParams = new HashMap<String, String>();
   File temporaryDirectory;
+  private Injector injector;
   private KerberosServerAction action;
 
   @Before
   public void setUp() throws Exception {
+    final Cluster cluster = mock(Cluster.class);
+
+    final Clusters clusters = mock(Clusters.class);
+    when(clusters.getCluster(anyString())).thenReturn(cluster);
+
     final ExecutionCommand mockExecutionCommand = mock(ExecutionCommand.class);
     final HostRoleCommand mockHostRoleCommand = mock(HostRoleCommand.class);
 
+    injector = Guice.createInjector(new AbstractModule() {
+
+      @Override
+      protected void configure() {
+        bind(KerberosServerAction.class).toInstance(new KerberosServerAction() {
+
+          @Override
+          protected CommandReport processIdentity(Map<String, String> identityRecord,
String evaluatedPrincipal,
+                                                  KerberosOperationHandler operationHandler,
+                                                  Map<String, Object> requestSharedDataContext)
+              throws AmbariException {
+            Assert.assertNotNull(requestSharedDataContext);
+
+            if (requestSharedDataContext.get("FAIL") != null) {
+              return createCommandReport(1, HostRoleStatus.FAILED, "{}", "ERROR", "ERROR");
+            } else {
+              requestSharedDataContext.put(identityRecord.get(KerberosActionDataFile.PRINCIPAL),
evaluatedPrincipal);
+              return null;
+            }
+          }
+
+          @Override
+          public CommandReport execute(ConcurrentMap<String, Object> requestSharedDataContext)
+              throws AmbariException, InterruptedException {
+            return processIdentities(requestSharedDataContext);
+          }
+        });
+
+        bind(Clusters.class).toInstance(clusters);
+      }
+    });
+
     temporaryDirectory = File.createTempFile("ambari_ut_", ".d");
 
     Assert.assertTrue(temporaryDirectory.delete());
@@ -65,39 +110,17 @@ public class KerberosServerActionTest {
     }
     builder.close();
 
+
     commandParams.put(KerberosServerAction.DATA_DIRECTORY, temporaryDirectory.getAbsolutePath());
     commandParams.put(KerberosServerAction.DEFAULT_REALM, "REALM.COM");
     commandParams.put(KerberosServerAction.KDC_TYPE, KDCType.MIT_KDC.toString());
-    commandParams.put(KerberosServerAction.ADMINISTRATOR_PRINCIPAL, "principal");
-    commandParams.put(KerberosServerAction.ADMINISTRATOR_PASSWORD, "password");
-    commandParams.put(KerberosServerAction.ADMINISTRATOR_KEYTAB, "keytab");
+    commandParams.put(KerberosServerAction.ADMINISTRATOR_CREDENTIAL,
+        new KerberosCredential("principal", "password", "keytab")
+            .encrypt(Integer.toHexString(cluster.hashCode()).getBytes()));
 
     when(mockExecutionCommand.getCommandParams()).thenReturn(commandParams);
 
-    action = new KerberosServerAction() {
-
-      @Override
-      protected CommandReport processIdentity(Map<String, String> identityRecord, String
evaluatedPrincipal,
-                                              KerberosOperationHandler operationHandler,
-                                              Map<String, Object> requestSharedDataContext)
-          throws AmbariException {
-        Assert.assertNotNull(requestSharedDataContext);
-
-        if (requestSharedDataContext.get("FAIL") != null) {
-          return createCommandReport(1, HostRoleStatus.FAILED, "{}", "ERROR", "ERROR");
-        } else {
-          requestSharedDataContext.put(identityRecord.get(KerberosActionDataFile.PRINCIPAL),
evaluatedPrincipal);
-          return null;
-        }
-      }
-
-      @Override
-      public CommandReport execute(ConcurrentMap<String, Object> requestSharedDataContext)
-          throws AmbariException, InterruptedException {
-        return processIdentities(requestSharedDataContext);
-      }
-    };
-
+    action = injector.getInstance(KerberosServerAction.class);
 
     action.setExecutionCommand(mockExecutionCommand);
     action.setHostRoleCommand(mockHostRoleCommand);
@@ -134,16 +157,6 @@ public class KerberosServerActionTest {
   }
 
   @Test
-  public void testCreateAdministratorCredentialStatic() throws Exception {
-    KerberosCredential credential1 = new KerberosCredential("principal", "password", "keytab");
-    KerberosCredential credential2 = KerberosServerAction.getAdministratorCredential(commandParams);
-
-    Assert.assertEquals(credential1.getPrincipal(), credential2.getPrincipal());
-    Assert.assertEquals(credential1.getPassword(), credential2.getPassword());
-    Assert.assertEquals(credential1.getKeytab(), credential2.getKeytab());
-  }
-
-  @Test
   public void testSetPrincipalPasswordMapStatic() throws Exception {
     ConcurrentMap<String, Object> sharedMap = new ConcurrentHashMap<String, Object>();
     Map<String, String> dataMap = new HashMap<String, String>();
@@ -192,4 +205,13 @@ public class KerberosServerActionTest {
     Assert.assertNotNull(report);
     Assert.assertEquals(HostRoleStatus.FAILED.toString(), report.getStatus());
   }
+
+  @Test
+  public void testGetAdministrativeCredentials() throws AmbariException {
+    KerberosCredential credentials = action.getAdministratorCredential(commandParams);
+    Assert.assertNotNull(credentials);
+    Assert.assertEquals("principal", credentials.getPrincipal());
+    Assert.assertEquals("password", credentials.getPassword());
+    Assert.assertEquals("keytab", credentials.getKeytab());
+  }
 }
\ No newline at end of file


Mime
View raw message