ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rle...@apache.org
Subject ambari git commit: AMBARI-13060. Kerberos: Allow user to specify additional realms for auth-to-local rules (rlevas)
Date Mon, 14 Sep 2015 21:57:28 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk c6e61d8bb -> 9b6d33d0c


AMBARI-13060. Kerberos: Allow user to specify additional realms for auth-to-local rules (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/9b6d33d0
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/9b6d33d0
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/9b6d33d0

Branch: refs/heads/trunk
Commit: 9b6d33d0cb8635ca13f23b468c32bb31c30bd966
Parents: c6e61d8
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Mon Sep 14 17:57:15 2015 -0400
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Mon Sep 14 17:57:26 2015 -0400

----------------------------------------------------------------------
 .../server/controller/AuthToLocalBuilder.java   | 33 +++++++-
 .../server/controller/KerberosHelperImpl.java   |  5 +-
 .../HDFS/2.1.0.2.0/kerberos.json                |  1 -
 .../resources/stacks/HDP/2.0.6/kerberos.json    |  3 +-
 .../server/api/services/AmbariMetaInfoTest.java |  2 +-
 .../controller/AuthToLocalBuilderTest.java      | 85 +++++++++++++++++++-
 .../server/controller/KerberosHelperTest.java   |  1 +
 .../resources/stacks/HDP/2.0.8/kerberos.json    |  3 +-
 .../app/mixins/wizard/addSecurityConfigs.js     |  1 +
 9 files changed, 126 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
index 00e8291..a8fc487 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
@@ -20,6 +20,7 @@ package org.apache.ambari.server.controller;
 
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
@@ -66,14 +67,36 @@ public class AuthToLocalBuilder {
   private boolean caseInsensitiveUser;
 
   /**
+   * A set of additional realm names to reference when generating rules.
+   */
+  private Set<String> additionalRealms = new HashSet<String>();
+
+  /**
    * Default constructor. Case insensitive support false by default
    */
   public AuthToLocalBuilder() {
-    this.caseInsensitiveUser = false;
+    this(false, null);
   }
 
-  public AuthToLocalBuilder(boolean caseInsensitiveUserSupport) {
+  /**
+   * Constructs a new AuthToLocalBuilder.
+   *
+   * @param caseInsensitiveUserSupport true indicating that case-insensitivity should be
enabled;
+   *                                   false otherwise
+   * @param additionalRealms           a String containing a comma-delimited list of realm
names to generate
+   *                                   default auth-to-local rules for
+   */
+  public AuthToLocalBuilder(boolean caseInsensitiveUserSupport, String additionalRealms)
{
     this.caseInsensitiveUser = caseInsensitiveUserSupport;
+
+    if ((additionalRealms != null) && !additionalRealms.isEmpty()) {
+      for (String realm : additionalRealms.split("\\s*(?:\\r?\\n|,)\\s*")) {
+        realm = realm.trim();
+        if (!realm.isEmpty()) {
+          this.additionalRealms.add(realm);
+        }
+      }
+    }
   }
 
   /**
@@ -161,6 +184,11 @@ public class AuthToLocalBuilder {
     // ensure that a default rule is added for this realm
     setRules.add(createDefaultRealmRule(realm));
 
+    // ensure that a default realm rule is added for the specified additional realms
+    for (String additionalRealm : additionalRealms) {
+      setRules.add(createDefaultRealmRule(additionalRealm));
+    }
+
     if (concatenationType == null) {
       concatenationType = DEFAULT_CONCATENATION_TYPE;
     }
@@ -269,6 +297,7 @@ public class AuthToLocalBuilder {
       copy.setRules.add(rule);
     }
     copy.caseInsensitiveUser = this.caseInsensitiveUser;
+    copy.additionalRealms.addAll(this.additionalRealms);
 
     return copy;
   }

http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
index 11f578f..a1cd5b8 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
@@ -395,8 +395,11 @@ public class KerberosHelperImpl implements KerberosHelper {
       // the 'kerberos-env' structure is expected to be available here as it was previously
validated
       boolean caseInsensitiveUser = Boolean.valueOf(existingConfigurations.get("kerberos-env").get("case_insensitive_username_rules"));
 
+      // Additional realms that need to be handled according to the Kerberos Descriptor
+      String additionalRealms = kerberosDescriptor.getProperty("additional_realms");
+
       // Determine which properties need to be set
-      AuthToLocalBuilder authToLocalBuilder = new AuthToLocalBuilder(caseInsensitiveUser);
+      AuthToLocalBuilder authToLocalBuilder = new AuthToLocalBuilder(caseInsensitiveUser,
additionalRealms);
       addIdentities(authToLocalBuilder, kerberosDescriptor.getIdentities(), null, existingConfigurations);
 
       authToLocalProperties = kerberosDescriptor.getAuthToLocalProperties();

http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
index df99bce..df83969 100644
--- a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
@@ -45,7 +45,6 @@
           "core-site": {
             "hadoop.security.authentication": "kerberos",
             "hadoop.security.authorization": "true",
-            "hadoop.security.auth_to_local": "",
             "hadoop.proxyuser.HTTP.groups": "${hadoop-env/proxyuser_group}"
           }
         }

http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
index 03198dc..52e7ee0 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
@@ -1,7 +1,8 @@
 {
   "properties": {
     "realm": "${kerberos-env/realm}",
-    "keytab_dir": "/etc/security/keytabs"
+    "keytab_dir": "/etc/security/keytabs",
+    "additional_realms": ""
   },
   "identities": [
     {

http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
index 26253da..cf7c8cd 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
@@ -1846,7 +1846,7 @@ public class AmbariMetaInfoTest {
 
     Assert.assertNotNull(descriptor);
     Assert.assertNotNull(descriptor.getProperties());
-    Assert.assertEquals(2, descriptor.getProperties().size());
+    Assert.assertEquals(3, descriptor.getProperties().size());
 
     Assert.assertNotNull(descriptor.getIdentities());
     Assert.assertEquals(1, descriptor.getIdentities().size());

http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
index 9e65b5e..cbcffe6 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
@@ -57,7 +57,7 @@ public class AuthToLocalBuilderTest {
 
   @Test
   public void testRuleGeneration_caseInsensitiveSupport() {
-    AuthToLocalBuilder builder = new AuthToLocalBuilder(true);
+    AuthToLocalBuilder builder = new AuthToLocalBuilder(true, null);
 
     builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
     // Duplicate principal for secondary namenode, should be filtered out...
@@ -312,4 +312,87 @@ public class AuthToLocalBuilderTest {
     assertEquals(copy.generate("EXAMPLE.COM"), builder.generate("EXAMPLE.COM"));
 
   }
+
+  @Test
+  public void testAdditionalRealms() {
+    AuthToLocalBuilder builder = new AuthToLocalBuilder(false, "REALM2,REALM3, REALM1  ");
+
+    builder.addRules(
+        "RULE:[1:$1@$0](.*@FOOBAR.COM)s/@.*//\n" +
+            "DEFAULT");
+
+    builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+    builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+    builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+    builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+    assertEquals(
+        "RULE:[1:$1@$0](.*@FOOBAR.COM)s/@.*//\n" +
+            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" +
+            "RULE:[1:$1@$0](.*@REALM2)s/@.*//\n" +
+            "RULE:[1:$1@$0](.*@REALM1)s/@.*//\n" +
+            "RULE:[1:$1@$0](.*@REALM3)s/@.*//\n" +
+            "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" +
+            "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" +
+            "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" +
+            "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" +
+            "DEFAULT",
+        builder.generate("EXAMPLE.COM"));
+  }
+
+  @Test
+  public void testAdditionalRealms_Null() {
+    AuthToLocalBuilder builder = new AuthToLocalBuilder(false, null);
+
+    builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+    builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+    builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+    builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+    assertEquals(
+        "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" +
+            "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" +
+            "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" +
+            "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" +
+            "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" +
+            "DEFAULT",
+        builder.generate("EXAMPLE.COM"));
+  }
+
+  @Test
+  public void testAdditionalRealms_Empty() {
+    AuthToLocalBuilder builder = new AuthToLocalBuilder(false, "");
+
+    builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+    builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+    builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+    builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+    assertEquals(
+        "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" +
+            "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" +
+            "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" +
+            "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" +
+            "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" +
+            "DEFAULT",
+        builder.generate("EXAMPLE.COM"));
+  }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
index f28a19b..7144ad0 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
@@ -1625,6 +1625,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     ))).times(1);
 
     final KerberosDescriptor kerberosDescriptor = createMock(KerberosDescriptor.class);
+    expect(kerberosDescriptor.getProperty("additional_realms")).andReturn(null).times(1);
     expect(kerberosDescriptor.getIdentities()).andReturn(null).times(1);
     expect(kerberosDescriptor.getAuthToLocalProperties()).andReturn(null).times(1);
     expect(kerberosDescriptor.getServices()).andReturn(Collections.singletonMap("SERVICE1",
serviceDescriptor1)).times(1);

http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json b/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
index cf49786..14eefbf 100644
--- a/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
+++ b/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
@@ -1,7 +1,8 @@
 {
   "properties": {
     "realm": "${cluster-env/kerberos_domain}",
-    "keytab_dir": "/etc/security/keytabs"
+    "keytab_dir": "/etc/security/keytabs",
+    "additional_realms": ""
   },
   "identities": [
     {

http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-web/app/mixins/wizard/addSecurityConfigs.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/mixins/wizard/addSecurityConfigs.js b/ambari-web/app/mixins/wizard/addSecurityConfigs.js
index d14d09e..3d2b11a 100644
--- a/ambari-web/app/mixins/wizard/addSecurityConfigs.js
+++ b/ambari-web/app/mixins/wizard/addSecurityConfigs.js
@@ -215,6 +215,7 @@ App.AddSecurityConfigs = Em.Mixin.create({
         displayName: serviceName == "Cluster" ? App.format.normalizeName(propertyName) :
propertyName,
         isOverridable: false,
         isEditable: propertyName != 'realm',
+        isRequired: propertyName != 'additional_realms',
         isSecureConfig: true
       };
       configs.push(App.ServiceConfigProperty.create(propertyObject));


Mime
View raw message