From aonis...@apache.org
Subject [1/2] ambari git commit: AMBARI-16810. Ambari Agent security bypassed in Python=>2.7.9 (aonishuk)
Date Mon, 23 May 2016 14:39:22 GMT
Repository: ambari
Updated Branches:
  refs/heads/branch-2.4 e44d13368 -> 0cee92531
  refs/heads/trunk fff6514da -> 1066f40ad


AMBARI-16810. Ambari Agent security bypassed in Python=>2.7.9 (aonishuk)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/1066f40a
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/1066f40a
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/1066f40a

Branch: refs/heads/trunk
Commit: 1066f40ad8279160afecef4bee65ed9d33d6b5de
Parents: fff6514
Author: Andrew Onishuk <aonishuk@hortonworks.com>
Authored: Mon May 23 17:39:18 2016 +0300
Committer: Andrew Onishuk <aonishuk@hortonworks.com>
Committed: Mon May 23 17:39:18 2016 +0300

----------------------------------------------------------------------
 ambari-agent/conf/unix/ambari-agent.ini                   | 1 +
 ambari-agent/src/main/python/ambari_agent/AmbariConfig.py | 2 +-
 ambari-agent/src/main/python/ambari_agent/Controller.py   | 2 +-
 ambari-agent/src/main/python/ambari_agent/NetUtil.py      | 7 +++++--
 ambari-agent/src/main/python/ambari_agent/main.py         | 2 +-
 5 files changed, 9 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/1066f40a/ambari-agent/conf/unix/ambari-agent.ini
----------------------------------------------------------------------
diff --git a/ambari-agent/conf/unix/ambari-agent.ini b/ambari-agent/conf/unix/ambari-agent.ini
index 4ec16d6..aacbb8a 100644
--- a/ambari-agent/conf/unix/ambari-agent.ini
+++ b/ambari-agent/conf/unix/ambari-agent.ini
@@ -39,6 +39,7 @@ system_resource_overrides=/etc/resource_overrides
 keysdir=/var/lib/ambari-agent/keys
 server_crt=ca.crt
 passphrase_env_var_name=AMBARI_PASSPHRASE
+ssl_verify_cert=0
 
 [services]
 pidLookupPath=/var/run/
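Review bot: The new key ships as `ssl_verify_cert=0`, so an agent installed from this file still connects without verifying the server certificate; the behaviour named in the commit subject remains the default and the fix is opt-in. If 0 has to stay for compatibility with self-signed server certificates, put a comment directly above the key, for example `; 0 = do not verify the server certificate (insecure); set to 1 to enable verification`, so operators can tell what the value controls. The intended rollout path for turning verification on is not stated in the commit message and would be worth adding there.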

http://git-wip-us.apache.org/repos/asf/ambari/blob/1066f40a/ambari-agent/src/main/python/ambari_agent/AmbariConfig.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/AmbariConfig.py b/ambari-agent/src/main/python/ambari_agent/AmbariConfig.py
index f849fd1..89a881a 100644
--- a/ambari-agent/src/main/python/ambari_agent/AmbariConfig.py
+++ b/ambari-agent/src/main/python/ambari_agent/AmbariConfig.py
@@ -157,7 +157,7 @@ class AmbariConfig:
   def __init__(self):
     global content
     self.config = ConfigParser.RawConfigParser()
-    self.net = NetUtil()
+    self.net = NetUtil(self)
     self.config.readfp(StringIO.StringIO(content))
 
   def get(self, section, value, default=None):

http://git-wip-us.apache.org/repos/asf/ambari/blob/1066f40a/ambari-agent/src/main/python/ambari_agent/Controller.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/Controller.py b/ambari-agent/src/main/python/ambari_agent/Controller.py
index aee0eec..91bc586 100644
--- a/ambari-agent/src/main/python/ambari_agent/Controller.py
+++ b/ambari-agent/src/main/python/ambari_agent/Controller.py
@@ -72,7 +72,7 @@ class Controller(threading.Thread):
     self.registerUrl = server_secured_url + '/agent/v1/register/' + self.hostname
     self.heartbeatUrl = server_secured_url + '/agent/v1/heartbeat/' + self.hostname
     self.componentsUrl = server_secured_url + '/agent/v1/components/'
-    self.netutil = NetUtil(heartbeat_stop_callback)
+    self.netutil = NetUtil(self.config, heartbeat_stop_callback)
     self.responseId = -1
     self.repeatRegistration = False
     self.isRegistered = False

http://git-wip-us.apache.org/repos/asf/ambari/blob/1066f40a/ambari-agent/src/main/python/ambari_agent/NetUtil.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/NetUtil.py b/ambari-agent/src/main/python/ambari_agent/NetUtil.py
index 1d5cb29..79181f1 100644
--- a/ambari-agent/src/main/python/ambari_agent/NetUtil.py
+++ b/ambari-agent/src/main/python/ambari_agent/NetUtil.py
@@ -46,10 +46,11 @@ class NetUtil:
   # Returns true if the application is stopping, false if continuing execution
   stopCallback = None
 
-  def __init__(self, stop_callback=None):
+  def __init__(self, config, stop_callback=None):
     if stop_callback is None:
       stop_callback = HeartbeatStopHandlers()
     self.stopCallback = stop_callback
+    self.config = config
 
   def checkURL(self, url):
     """Try to connect to a given url. Result is True if url returns HTTP code 200, in any
other case
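Review bot: `config` is inserted as a required first positional parameter ahead of `stop_callback`, so a caller that still passes the stop handler positionally will have it stored as `self.config` with no error at construction time; the mistake would only surface later, when checkURL calls `self.config.get(...)`. The commit updates three call sites, but callers outside this diff (tests included) cannot be checked from here. A short comment on the constructor such as `# config: AmbariConfig-like object; checkURL reads [security] ssl_verify_cert from it` would document the new dependency. The class body continues outside the hunk.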
@@ -60,10 +61,12 @@ class NetUtil:
     logger.info("Connecting to " + url)
     responseBody = ""
 
+    ssl_verify_cert = self.config.get("security","ssl_verify_cert") != "0"
+
     try:
       parsedurl = urlparse(url)
       
-      if sys.version_info >= (2,7,9):
+      if sys.version_info >= (2,7,9) and not ssl_verify_cert:
           import ssl
           ca_connection = httplib.HTTPSConnection(parsedurl[1], context=ssl._create_unverified_context())
       else:
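Review bot: When `ssl_verify_cert` is true the code takes the `else:` branch, whose body is outside this hunk; on interpreters older than 2.7.9 `httplib.HTTPSConnection` does not verify certificates by default, so there the setting would be accepted and have no effect unless that branch does its own check. The unverified path also runs silently: a line such as `logger.warn("Server certificate verification is disabled (ssl_verify_cert=0)")` inside the `if` branch would make the weakened state visible in agent logs. The test `!= "0"` is an exact string match, so values like `false` or `no` enable verification, which fails safe but may surprise an operator. The lookup also sits before `try:`, so any exception raised by `self.config.get` (for instance if the key is absent from an older ini and the getter does not supply a default; not visible here) would escape checkURL's error handling.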

http://git-wip-us.apache.org/repos/asf/ambari/blob/1066f40a/ambari-agent/src/main/python/ambari_agent/main.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/main.py b/ambari-agent/src/main/python/ambari_agent/main.py
index 5340239..32e522d 100644
--- a/ambari-agent/src/main/python/ambari_agent/main.py
+++ b/ambari-agent/src/main/python/ambari_agent/main.py
@@ -329,7 +329,7 @@ def main(heartbeat_stop_callback=None):
         logger.warn("Unable to determine the IP address of the Ambari server '%s'", server_hostname)
 
       # Wait until MAX_RETRIES to see if server is reachable
-      netutil = NetUtil(heartbeat_stop_callback)
+      netutil = NetUtil(config, heartbeat_stop_callback)
       (retries, connected, stopped) = netutil.try_to_connect(server_url, MAX_RETRIES, logger)
 
       # if connected, launch controller

