ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rle...@apache.org
Subject ambari git commit: AMBARI-16379. The 'krb5-conf' configuration is not available (rlevas)
Date Tue, 10 May 2016 18:08:26 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk 07dbee41a -> a14fd4a54


AMBARI-16379. The 'krb5-conf' configuration is not available (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/a14fd4a5
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/a14fd4a5
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/a14fd4a5

Branch: refs/heads/trunk
Commit: a14fd4a54bd6a99f448e9053c15dd430cb81ef9c
Parents: 07dbee4
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Tue May 10 14:08:15 2016 -0400
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Tue May 10 14:08:20 2016 -0400

----------------------------------------------------------------------
 .../server/controller/KerberosHelperImpl.java   | 221 ++++++++++---------
 .../server/controller/KerberosHelperTest.java   |  53 +++++
 2 files changed, 170 insertions(+), 104 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/a14fd4a5/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
index 93dc51a..fe466d5 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
@@ -1246,112 +1246,120 @@ public class KerberosHelperImpl implements KerberosHelper {
 
     Map<String, Collection<KerberosIdentityDescriptor>> activeIdentities = new
HashMap<String, Collection<KerberosIdentityDescriptor>>();
 
-    Collection<String> hosts;
-    String ambariServerHostname = StageUtils.getHostName();
+    // Only calculate the active identities if the kerberos-env configurtaion is available.
 Else
+    // important information like the realm will be missing (kerberos-env/realm)
+    Config kerberosEnvConfig = cluster.getDesiredConfigByType("kerberos-env");
+    if(kerberosEnvConfig == null) {
+      LOG.debug("Calculating the active identities for {} is being skipped since the kerberos-env
configuration is not available",
+          clusterName, cluster.getSecurityType().name(), SecurityType.KERBEROS.name());
+    }
+    else {
+      Collection<String> hosts;
+      String ambariServerHostname = StageUtils.getHostName();
 
-    if (hostName == null) {
-      Map<String, Host> hostMap = clusters.getHostsForCluster(clusterName);
-      if (hostMap == null) {
-        hosts = null;
-      } else {
-        hosts = hostMap.keySet();
-      }
+      if (hostName == null) {
+        Map<String, Host> hostMap = clusters.getHostsForCluster(clusterName);
+        if (hostMap == null) {
+          hosts = Collections.emptySet();
+        } else {
+          hosts = hostMap.keySet();
+        }
 
-      if (!hosts.contains(ambariServerHostname)) {
-        Collection<String> extendedHosts = new ArrayList<>(hosts.size() + 1);
-        extendedHosts.addAll(hosts);
-        extendedHosts.add(ambariServerHostname);
-        hosts = extendedHosts;
+        if (!hosts.contains(ambariServerHostname)) {
+          Collection<String> extendedHosts = new ArrayList<>(hosts.size() + 1);
+          extendedHosts.addAll(hosts);
+          extendedHosts.add(ambariServerHostname);
+          hosts = extendedHosts;
+        }
+      } else {
+        hosts = Collections.singleton(hostName);
       }
-    } else {
-      hosts = Collections.singleton(hostName);
-    }
 
-    KerberosDescriptor kerberosDescriptor = getKerberosDescriptor(cluster);
+      if (!hosts.isEmpty()) {
+        KerberosDescriptor kerberosDescriptor = getKerberosDescriptor(cluster);
 
-    if ((hosts != null) && !hosts.isEmpty()) {
+        if (kerberosDescriptor != null) {
+          Map<String, String> kerberosDescriptorProperties = kerberosDescriptor.getProperties();
 
-      if (kerberosDescriptor != null) {
-        Map<String, String> kerberosDescriptorProperties = kerberosDescriptor.getProperties();
+          for (String hostname : hosts) {
+            Map<String, KerberosIdentityDescriptor> hostActiveIdentities = new HashMap<String,
KerberosIdentityDescriptor>();
+            List<KerberosIdentityDescriptor> identities = getActiveIdentities(cluster,
hostname,
+                serviceName, componentName, kerberosDescriptor);
 
-        for (String hostname : hosts) {
-          Map<String, KerberosIdentityDescriptor> hostActiveIdentities = new HashMap<String,
KerberosIdentityDescriptor>();
-          List<KerberosIdentityDescriptor> identities = getActiveIdentities(cluster,
hostname,
-            serviceName, componentName, kerberosDescriptor);
+            if (hostname.equals(ambariServerHostname)) {
+              addAmbariServerIdentity(kerberosEnvConfig.getProperties(), kerberosDescriptor,
identities);
+            }
 
-          if (hostname.equals(ambariServerHostname)) {
-            addAmbariServerIdentity(cluster, kerberosDescriptor, identities);
-          }
+            if (!identities.isEmpty()) {
+              // Calculate the current host-specific configurations. These will be used to
replace
+              // variables within the Kerberos descriptor data
+              Map<String, Map<String, String>> configurations = calculateConfigurations(cluster,
hostname.equals
+                      (ambariServerHostname) ? null : hostname,
+                  kerberosDescriptorProperties);
 
-          if (!identities.isEmpty()) {
-            // Calculate the current host-specific configurations. These will be used to
replace
-            // variables within the Kerberos descriptor data
-            Map<String, Map<String, String>> configurations = calculateConfigurations(cluster,
hostname.equals
-                (ambariServerHostname) ? null : hostname,
-              kerberosDescriptorProperties);
+              for (KerberosIdentityDescriptor identity : identities) {
+                KerberosPrincipalDescriptor principalDescriptor = identity.getPrincipalDescriptor();
+                String principal = null;
 
-            for (KerberosIdentityDescriptor identity : identities) {
-              KerberosPrincipalDescriptor principalDescriptor = identity.getPrincipalDescriptor();
-              String principal = null;
+                if (principalDescriptor != null) {
+                  principal = variableReplacementHelper.replaceVariables(principalDescriptor.getValue(),
configurations);
+                }
 
-              if (principalDescriptor != null) {
-                principal = variableReplacementHelper.replaceVariables(principalDescriptor.getValue(),
configurations);
-              }
+                if (principal != null) {
+                  KerberosKeytabDescriptor keytabDescriptor = identity.getKeytabDescriptor();
+                  String keytabFile = null;
 
-              if (principal != null) {
-                KerberosKeytabDescriptor keytabDescriptor = identity.getKeytabDescriptor();
-                String keytabFile = null;
+                  if (keytabDescriptor != null) {
+                    keytabFile = variableReplacementHelper.replaceVariables(keytabDescriptor.getFile(),
configurations);
+                  }
 
-                if (keytabDescriptor != null) {
-                  keytabFile = variableReplacementHelper.replaceVariables(keytabDescriptor.getFile(),
configurations);
-                }
+                  if (replaceHostNames) {
+                    principal = principal.replace("_HOST", hostname);
+                  }
 
-                if (replaceHostNames) {
-                  principal = principal.replace("_HOST", hostname);
-                }
+                  String uniqueKey = String.format("%s|%s", principal, (keytabFile == null)
? "" : keytabFile);
 
-                String uniqueKey = String.format("%s|%s", principal, (keytabFile == null)
? "" : keytabFile);
+                  if (!hostActiveIdentities.containsKey(uniqueKey)) {
+                    KerberosPrincipalType principalType = principalDescriptor.getType();
 
-                if (!hostActiveIdentities.containsKey(uniqueKey)) {
-                  KerberosPrincipalType principalType = principalDescriptor.getType();
+                    // Assume the principal is a service principal if not specified
+                    if (principalType == null) {
+                      principalType = KerberosPrincipalType.SERVICE;
+                    }
 
-                  // Assume the principal is a service principal if not specified
-                  if (principalType == null) {
-                    principalType = KerberosPrincipalType.SERVICE;
-                  }
+                    KerberosPrincipalDescriptor resolvedPrincipalDescriptor =
+                        new KerberosPrincipalDescriptor(principal,
+                            principalType,
+                            variableReplacementHelper.replaceVariables(principalDescriptor.getConfiguration(),
configurations),
+                            variableReplacementHelper.replaceVariables(principalDescriptor.getLocalUsername(),
configurations));
+
+                    KerberosKeytabDescriptor resolvedKeytabDescriptor;
+
+                    if (keytabFile == null) {
+                      resolvedKeytabDescriptor = null;
+                    } else {
+                      resolvedKeytabDescriptor =
+                          new KerberosKeytabDescriptor(
+                              keytabFile,
+                              variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerName(),
configurations),
+                              variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerAccess(),
configurations),
+                              variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupName(),
configurations),
+                              variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupAccess(),
configurations),
+                              variableReplacementHelper.replaceVariables(keytabDescriptor.getConfiguration(),
configurations),
+                              keytabDescriptor.isCachable());
+                    }
 
-                  KerberosPrincipalDescriptor resolvedPrincipalDescriptor =
-                      new KerberosPrincipalDescriptor(principal,
-                          principalType,
-                          variableReplacementHelper.replaceVariables(principalDescriptor.getConfiguration(),
configurations),
-                          variableReplacementHelper.replaceVariables(principalDescriptor.getLocalUsername(),
configurations));
-
-                  KerberosKeytabDescriptor resolvedKeytabDescriptor;
-
-                  if (keytabFile == null) {
-                    resolvedKeytabDescriptor = null;
-                  } else {
-                    resolvedKeytabDescriptor =
-                        new KerberosKeytabDescriptor(
-                            keytabFile,
-                            variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerName(),
configurations),
-                            variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerAccess(),
configurations),
-                            variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupName(),
configurations),
-                            variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupAccess(),
configurations),
-                            variableReplacementHelper.replaceVariables(keytabDescriptor.getConfiguration(),
configurations),
-                            keytabDescriptor.isCachable());
+                    hostActiveIdentities.put(uniqueKey, new KerberosIdentityDescriptor(
+                        identity.getName(),
+                        resolvedPrincipalDescriptor,
+                        resolvedKeytabDescriptor));
                   }
-
-                  hostActiveIdentities.put(uniqueKey, new KerberosIdentityDescriptor(
-                      identity.getName(),
-                      resolvedPrincipalDescriptor,
-                      resolvedKeytabDescriptor));
                 }
               }
             }
-          }
 
-          activeIdentities.put(hostname, hostActiveIdentities.values());
+            activeIdentities.put(hostname, hostActiveIdentities.values());
+          }
         }
       }
     }
@@ -1359,18 +1367,28 @@ public class KerberosHelperImpl implements KerberosHelper {
     return activeIdentities;
   }
 
-  private void addAmbariServerIdentity(Cluster cluster, KerberosDescriptor kerberosDescriptor,
List<KerberosIdentityDescriptor> identities) throws AmbariException {
-    try {
-      KerberosDetails kerberosDetails = getKerberosDetails(cluster, null);
-      // append Ambari server principal
-      if (kerberosDetails.createAmbariPrincipal()) {
-        KerberosIdentityDescriptor ambariServerIdentity = kerberosDescriptor.getIdentity(KerberosHelper.AMBARI_IDENTITY_NAME);
-        if (ambariServerIdentity != null) {
-          identities.add(ambariServerIdentity);
-        }
+  /**
+   * Conditionally add the Ambari server Kerberos identity to the set of Kerberos Identities
expected
+   * to be available when Kerberos is enabled.
+   * <p>
+   * The Ambari server Kerberos identity should only be added if the <code>kerberos-env/create_ambari_principal</code>
+   * property is not explicitly set to <code>false</code>.
+   *
+   * @param kerberosEnvProperties the kerberos-env properties
+   * @param kerberosDescriptor    the kerberos descriptor
+   * @param identities            the collection of identities to add to
+   */
+  void addAmbariServerIdentity(Map<String, String> kerberosEnvProperties, KerberosDescriptor
kerberosDescriptor, List<KerberosIdentityDescriptor> identities) {
+    // Determine if we should _calculate_ the Ambari service identity.
+    // If kerberos-env/create_ambari_principal is not set to false the identity should be
calculated.
+    boolean createAmbariPrincipal = (kerberosEnvProperties == null) || !"false".equalsIgnoreCase(kerberosEnvProperties.get(CREATE_AMBARI_PRINCIPAL));
+
+    // append Ambari server principal
+    if (createAmbariPrincipal) {
+      KerberosIdentityDescriptor ambariServerIdentity = kerberosDescriptor.getIdentity(KerberosHelper.AMBARI_IDENTITY_NAME);
+      if (ambariServerIdentity != null) {
+        identities.add(ambariServerIdentity);
       }
-    } catch (KerberosInvalidConfigurationException e) {
-      LOG.warn("Unable to append Ambari server principal: {}", e);
     }
   }
 
@@ -3400,7 +3418,6 @@ public class KerberosHelperImpl implements KerberosHelper {
     private Map<String, String> kerberosEnvProperties;
     private SecurityType securityType;
     private Boolean manageIdentities;
-    private Boolean createAmbariPrincipal;
 
     public void setDefaultRealm(String defaultRealm) {
       this.defaultRealm = defaultRealm;
@@ -3443,17 +3460,13 @@ public class KerberosHelperImpl implements KerberosHelper {
       }
     }
 
-    public boolean createAmbariPrincipal() {
-      if (createAmbariPrincipal == null) {
-        return (kerberosEnvProperties == null) ||
-            !"false".equalsIgnoreCase(kerberosEnvProperties.get(CREATE_AMBARI_PRINCIPAL));
-      } else {
-        return createAmbariPrincipal;
-      }
-    }
-
     public void setManageIdentities(Boolean manageIdentities) {
       this.manageIdentities = manageIdentities;
     }
+
+    public boolean createAmbariPrincipal() {
+      return (kerberosEnvProperties == null) ||
+          !"false".equalsIgnoreCase(kerberosEnvProperties.get(CREATE_AMBARI_PRINCIPAL));
+    }
   }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/a14fd4a5/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
index 7f8be67..e03ed86 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
@@ -564,6 +564,26 @@ public class KerberosHelperTest extends EasyMockSupport {
   }
 
   @Test
+  public void addAmbariServerIdentity_CreateAmbariPrincipal() throws Exception {
+    addAmbariServerIdentity(Collections.singletonMap("create_ambari_principal", "true"));
+  }
+
+  @Test
+  public void addAmbariServerIdentity_DoNotCreateAmbariPrincipal() throws Exception {
+    addAmbariServerIdentity(Collections.singletonMap("create_ambari_principal", "false"));
+  }
+
+  @Test
+  public void addAmbariServerIdentity_MissingProperty() throws Exception {
+    addAmbariServerIdentity(Collections.singletonMap("not_create_ambari_principal", "value"));
+  }
+
+  @Test
+  public void addAmbariServerIdentity_MissingKerberosEnv() throws Exception {
+    addAmbariServerIdentity(null);
+  }
+
+  @Test
   public void testGetActiveIdentities_SingleService() throws Exception {
     Map<String, Collection<KerberosIdentityDescriptor>> identities = testGetActiveIdentities("c1",
null, "SERVICE1", null, true, SecurityType.KERBEROS);
 
@@ -3843,6 +3863,39 @@ public class KerberosHelperTest extends EasyMockSupport {
     return identities;
   }
 
+  private void addAmbariServerIdentity(Map<String, String> kerberosEnvProperties) throws
Exception {
+
+    boolean createAmbariPrincipal = (kerberosEnvProperties == null)
+        || !"false".equalsIgnoreCase(kerberosEnvProperties.get("create_ambari_principal"));
+
+    KerberosHelperImpl kerberosHelper = injector.getInstance(KerberosHelperImpl.class);
+
+    KerberosIdentityDescriptor ambariKerberosIdentity = createMock(KerberosIdentityDescriptor.class);
+
+    KerberosDescriptor kerberosDescriptor = createMock(KerberosDescriptor.class);
+    if (createAmbariPrincipal) {
+      expect(kerberosDescriptor.getIdentity(KerberosHelper.AMBARI_IDENTITY_NAME)).andReturn(ambariKerberosIdentity).once();
+    }
+
+    List<KerberosIdentityDescriptor> identities = new ArrayList<KerberosIdentityDescriptor>();
+
+    replayAll();
+
+    // Needed by infrastructure
+    injector.getInstance(AmbariMetaInfo.class).init();
+
+    kerberosHelper.addAmbariServerIdentity(kerberosEnvProperties, kerberosDescriptor, identities);
+
+    verifyAll();
+
+    if (createAmbariPrincipal) {
+      Assert.assertEquals(1, identities.size());
+      Assert.assertSame(ambariKerberosIdentity, identities.get(0));
+    } else {
+      Assert.assertTrue(identities.isEmpty());
+    }
+  }
+
   private KerberosConfigurationDescriptor createMockConfigurationDescriptor(Map<String,
String> properties) {
     KerberosConfigurationDescriptor descriptor = createMock(KerberosConfigurationDescriptor.class);
     expect(descriptor.getProperties()).andReturn(properties).anyTimes();


Mime
View raw message