ambari-commits mailing list archives

From aonis...@apache.org
Subject ambari git commit: AMBARI-16810. Ambari Agent security bypassed in Python=>2.7.9 (aonishuk)
Date Tue, 24 May 2016 08:27:28 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk 8a99eb31f -> 4993ee489


AMBARI-16810. Ambari Agent security bypassed in Python=>2.7.9 (aonishuk)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/4993ee48
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/4993ee48
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/4993ee48

Branch: refs/heads/trunk
Commit: 4993ee48985ce29cd8b7d8001cef53329e16e45c
Parents: 8a99eb3
Author: Andrew Onishuk <aonishuk@hortonworks.com>
Authored: Tue May 24 11:27:19 2016 +0300
Committer: Andrew Onishuk <aonishuk@hortonworks.com>
Committed: Tue May 24 11:27:19 2016 +0300

----------------------------------------------------------------------
 ambari-agent/conf/unix/ambari-agent.ini                   | 1 +
 ambari-agent/src/main/python/ambari_agent/AmbariConfig.py | 2 +-
 ambari-agent/src/main/python/ambari_agent/Controller.py   | 2 +-
 ambari-agent/src/main/python/ambari_agent/NetUtil.py      | 7 +++++--
 ambari-agent/src/main/python/ambari_agent/main.py         | 2 +-
 ambari-agent/src/test/python/ambari_agent/TestNetUtil.py  | 4 ++--
 ambari-agent/src/test/python/ambari_agent/TestSecurity.py | 1 +
 7 files changed, 12 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/4993ee48/ambari-agent/conf/unix/ambari-agent.ini
----------------------------------------------------------------------
diff --git a/ambari-agent/conf/unix/ambari-agent.ini b/ambari-agent/conf/unix/ambari-agent.ini
index 4ec16d6..aacbb8a 100644
--- a/ambari-agent/conf/unix/ambari-agent.ini
+++ b/ambari-agent/conf/unix/ambari-agent.ini
@@ -39,6 +39,7 @@ system_resource_overrides=/etc/resource_overrides
 keysdir=/var/lib/ambari-agent/keys
 server_crt=ca.crt
 passphrase_env_var_name=AMBARI_PASSPHRASE
+ssl_verify_cert=0
 
 [services]
 pidLookupPath=/var/run/
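Review bot: The shipped default `ssl_verify_cert=0` leaves certificate verification off, so on Python 2.7.9 or later the agent still takes the `ssl._create_unverified_context()` branch in NetUtil.checkURL until an operator edits this file. The key is added without a comment, so nothing in the file tells the operator what the value controls or that 0 is the insecure choice. I would add a comment above it, for example `# 0 = do not verify the Ambari server certificate (connection is open to interception); 1 = verify`. Whether new installs should default to 1 is worth deciding in this change rather than leaving implicit.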

http://git-wip-us.apache.org/repos/asf/ambari/blob/4993ee48/ambari-agent/src/main/python/ambari_agent/AmbariConfig.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/AmbariConfig.py b/ambari-agent/src/main/python/ambari_agent/AmbariConfig.py
index f849fd1..89a881a 100644
--- a/ambari-agent/src/main/python/ambari_agent/AmbariConfig.py
+++ b/ambari-agent/src/main/python/ambari_agent/AmbariConfig.py
@@ -157,7 +157,7 @@ class AmbariConfig:
   def __init__(self):
     global content
     self.config = ConfigParser.RawConfigParser()
-    self.net = NetUtil()
+    self.net = NetUtil(self)
     self.config.readfp(StringIO.StringIO(content))
 
   def get(self, section, value, default=None):

http://git-wip-us.apache.org/repos/asf/ambari/blob/4993ee48/ambari-agent/src/main/python/ambari_agent/Controller.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/Controller.py b/ambari-agent/src/main/python/ambari_agent/Controller.py
index aee0eec..91bc586 100644
--- a/ambari-agent/src/main/python/ambari_agent/Controller.py
+++ b/ambari-agent/src/main/python/ambari_agent/Controller.py
@@ -72,7 +72,7 @@ class Controller(threading.Thread):
     self.registerUrl = server_secured_url + '/agent/v1/register/' + self.hostname
     self.heartbeatUrl = server_secured_url + '/agent/v1/heartbeat/' + self.hostname
     self.componentsUrl = server_secured_url + '/agent/v1/components/'
-    self.netutil = NetUtil(heartbeat_stop_callback)
+    self.netutil = NetUtil(self.config, heartbeat_stop_callback)
     self.responseId = -1
     self.repeatRegistration = False
     self.isRegistered = False

http://git-wip-us.apache.org/repos/asf/ambari/blob/4993ee48/ambari-agent/src/main/python/ambari_agent/NetUtil.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/NetUtil.py b/ambari-agent/src/main/python/ambari_agent/NetUtil.py
index 1d5cb29..79181f1 100644
--- a/ambari-agent/src/main/python/ambari_agent/NetUtil.py
+++ b/ambari-agent/src/main/python/ambari_agent/NetUtil.py
@@ -46,10 +46,11 @@ class NetUtil:
   # Returns true if the application is stopping, false if continuing execution
   stopCallback = None
 
-  def __init__(self, stop_callback=None):
+  def __init__(self, config, stop_callback=None):
     if stop_callback is None:
       stop_callback = HeartbeatStopHandlers()
     self.stopCallback = stop_callback
+    self.config = config
 
   def checkURL(self, url):
     """Try to connect to a given url. Result is True if url returns HTTP code 200, in any
other case
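Review bot: Adding `config` as the first positional parameter of `__init__` silently changes the meaning of any existing `NetUtil(stop_callback)` call that this commit does not update. The callback would be stored as `self.config`, and the mistake would surface only later, when checkURL calls `.get` on it. The constructor also has no docstring; one line such as `"""config must provide get(section, option); it is read for security/ssl_verify_cert."""` would state the new requirement. A less fragile signature keeps the old order and makes the new argument keyword-only in practice, e.g. `def __init__(self, stop_callback=None, config=None):`, though the call sites changed in this commit would then need to pass `config=`.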
@@ -60,10 +61,12 @@ class NetUtil:
     logger.info("Connecting to " + url)
     responseBody = ""
 
+    ssl_verify_cert = self.config.get("security","ssl_verify_cert") != "0"
+
     try:
       parsedurl = urlparse(url)
       
-      if sys.version_info >= (2,7,9):
+      if sys.version_info >= (2,7,9) and not ssl_verify_cert:
           import ssl
           ca_connection = httplib.HTTPSConnection(parsedurl[1], context=ssl._create_unverified_context())
       else:
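Review bot: The lookup `self.config.get("security","ssl_verify_cert") != "0"` is placed above the `try:`, so it is not covered by checkURL's error handling. If the key is missing, for example on an agent upgraded with an older ambari-agent.ini, and AmbariConfig.get raises for a missing option (its body is not visible here), the exception escapes instead of being reported as a failed connection. Passing an explicit default, e.g. `self.config.get("security", "ssl_verify_cert", "1") != "0"`, makes that case a deliberate choice between verifying and not verifying. Separately, on Python older than 2.7.9 the `else` branch is always taken (its body is outside the hunk), and httplib there does not verify certificates by default, so `ssl_verify_cert=1` presumably has no effect on those hosts. A `logger.warn` whenever the connection is made without verification would make that state visible in the agent log.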

http://git-wip-us.apache.org/repos/asf/ambari/blob/4993ee48/ambari-agent/src/main/python/ambari_agent/main.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/main.py b/ambari-agent/src/main/python/ambari_agent/main.py
index 5340239..32e522d 100644
--- a/ambari-agent/src/main/python/ambari_agent/main.py
+++ b/ambari-agent/src/main/python/ambari_agent/main.py
@@ -329,7 +329,7 @@ def main(heartbeat_stop_callback=None):
         logger.warn("Unable to determine the IP address of the Ambari server '%s'", server_hostname)
 
       # Wait until MAX_RETRIES to see if server is reachable
-      netutil = NetUtil(heartbeat_stop_callback)
+      netutil = NetUtil(config, heartbeat_stop_callback)
       (retries, connected, stopped) = netutil.try_to_connect(server_url, MAX_RETRIES, logger)
 
       # if connected, launch controller

http://git-wip-us.apache.org/repos/asf/ambari/blob/4993ee48/ambari-agent/src/test/python/ambari_agent/TestNetUtil.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/test/python/ambari_agent/TestNetUtil.py b/ambari-agent/src/test/python/ambari_agent/TestNetUtil.py
index 0cbf1e9..d72e319 100644
--- a/ambari-agent/src/test/python/ambari_agent/TestNetUtil.py
+++ b/ambari-agent/src/test/python/ambari_agent/TestNetUtil.py
@@ -41,7 +41,7 @@ class TestNetUtil(unittest.TestCase):
     httpsConMock.return_value = ca_connection
 
     # test 200
-    netutil = NetUtil.NetUtil()
+    netutil = NetUtil.NetUtil(MagicMock())
     self.assertTrue(netutil.checkURL("url")[0])
 
     # test fail
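Review bot: `NetUtil.NetUtil(MagicMock())` makes `config.get(...)` return a MagicMock, which compares unequal to `"0"`, so this test runs only with `ssl_verify_cert` treated as enabled. The same applies to `test_try_to_connect` in the next hunk, although that test replaces checkURL entirely. As a result the `ssl_verify_cert=0` path, which is the shipped default, has no coverage. I would add a case with `config = MagicMock(); config.get.return_value = "0"` and assert that `httpsConMock` was called with a `context` keyword, plus the inverse assertion for the value `"1"`. The test method starts above this hunk, so the existing patch decorators are not visible here.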
@@ -59,7 +59,7 @@ class TestNetUtil(unittest.TestCase):
   def test_try_to_connect(self, event_mock,
                             sleepMock):
     event_mock.return_value = False
-    netutil = NetUtil.NetUtil()
+    netutil = NetUtil.NetUtil(MagicMock())
     checkURL = MagicMock(name="checkURL")
     checkURL.return_value = True, "test"
     netutil.checkURL = checkURL

http://git-wip-us.apache.org/repos/asf/ambari/blob/4993ee48/ambari-agent/src/test/python/ambari_agent/TestSecurity.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/test/python/ambari_agent/TestSecurity.py b/ambari-agent/src/test/python/ambari_agent/TestSecurity.py
index d4160e4..9e28ae7 100644
--- a/ambari-agent/src/test/python/ambari_agent/TestSecurity.py
+++ b/ambari-agent/src/test/python/ambari_agent/TestSecurity.py
@@ -50,6 +50,7 @@ class TestSecurity(unittest.TestCase):
     sys.stdout = out
     # Create config
     self.config = AmbariConfig()
+    self.config.set('security', 'ssl_verify_cert', '0')
     # Instantiate CachedHTTPSConnection (skip connect() call)
     with patch.object(security.VerifiedHTTPSConnection, "connect"):
       self.cachedHTTPSConnection = security.CachedHTTPSConnection(self.config, "example.com")

