ambari-commits mailing list archives

From rle...@apache.org
Subject ambari git commit: AMBARI-16437. Add conditional constraints for Kerberos identities to control when they are created (rlevas)
Date Sat, 28 May 2016 12:19:46 GMT
Repository: ambari
Updated Branches:
  refs/heads/branch-2.4 dc340e8c6 -> ebdbe6f3e


AMBARI-16437. Add conditional constraints for Kerberos identities to control when they are
created (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/ebdbe6f3
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/ebdbe6f3
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/ebdbe6f3

Branch: refs/heads/branch-2.4
Commit: ebdbe6f3ec54c09b930bc827fc9aab59c96b90bf
Parents: dc340e8
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Sat May 28 08:18:28 2016 -0400
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Sat May 28 08:18:28 2016 -0400

----------------------------------------------------------------------
 .../server/controller/KerberosHelperImpl.java   | 64 +++++++++++-----
 .../AbstractPrepareKerberosServerAction.java    | 10 ++-
 .../AbstractKerberosDescriptorContainer.java    | 49 +++++++-----
 .../kerberos/KerberosIdentityDescriptor.java    | 80 +++++++++++++++++++-
 .../server/upgrade/UpgradeCatalog240.java       |  2 +-
 .../server/controller/KerberosHelperTest.java   | 32 ++++----
 .../state/kerberos/KerberosDescriptorTest.java  |  4 +-
 .../KerberosIdentityDescriptorTest.java         | 17 +++++
 8 files changed, 196 insertions(+), 62 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/ebdbe6f3/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
index c67c55d..1c46a93 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
@@ -353,6 +353,11 @@ public class KerberosHelperImpl implements KerberosHelper {
 
     Map<String, Set<String>> propertiesToIgnore = new HashMap<String, Set<String>>();
 
+    // Create the context to use for filtering Kerberos Identities based on the state of
the cluster
+    Map<String, Object> filterContext = new HashMap<String, Object>();
+    filterContext.put("configurations", configurations);
+    filterContext.put("services", services);
+
     for (String serviceName : services) {
       // Set properties...
       KerberosServiceDescriptor serviceDescriptor = kerberosDescriptor.getService(serviceName);
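Review bot: The `"services"` entry of `filterContext` does not hold the same thing at every call site: here and in the -699 hunk it is the local `services` collection, while the -831 and -1281 hunks and the one in AbstractPrepareKerberosServerAction use `cluster.getServices().keySet()`. If the local collection can be a subset of the installed services (not visible in this hunk), a `when` clause that tests for a service could keep an identity in one path and drop it in another, leaving principals, keytabs and auth-to-local rules out of step. The block is also copied five times with literal keys, so a typo in one copy would silently change what the predicate sees. A single new private helper with constants for the two keys would keep the call sites aligned, e.g. `Map<String, Object> filterContext = createFilterContext(configurations, services);`. The enclosing method starts and ends outside the hunk.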
@@ -363,7 +368,7 @@ public class KerberosHelperImpl implements KerberosHelper {
           if (componentDescriptor != null) {
             Map<String, Map<String, String>> identityConfigurations;
 
-            identityConfigurations = getIdentityConfigurations(serviceDescriptor.getIdentities(true));
+            identityConfigurations = getIdentityConfigurations(serviceDescriptor.getIdentities(true,
filterContext));
             if (identityConfigurations != null) {
               for (Map.Entry<String, Map<String, String>> entry : identityConfigurations.entrySet())
{
                 String configType = entry.getKey();
@@ -382,7 +387,7 @@ public class KerberosHelperImpl implements KerberosHelper {
               }
             }
 
-            identityConfigurations = getIdentityConfigurations(componentDescriptor.getIdentities(true));
+            identityConfigurations = getIdentityConfigurations(componentDescriptor.getIdentities(true,
filterContext));
             if (identityConfigurations != null) {
               for (Map.Entry<String, Map<String, String>> entry : identityConfigurations.entrySet())
{
                 String configType = entry.getKey();
@@ -699,6 +704,11 @@ public class KerberosHelperImpl implements KerberosHelper {
         throw new AmbariException(message, e);
       }
 
+      // Create the context to use for filtering Kerberos Identities based on the state of
the cluster
+      Map<String, Object> filterContext = new HashMap<String, Object>();
+      filterContext.put("configurations", configurations);
+      filterContext.put("services", services);
+
       for (String serviceName : services) {
         // Set properties...
         KerberosServiceDescriptor serviceDescriptor = kerberosDescriptor.getService(serviceName);
@@ -710,7 +720,7 @@ public class KerberosHelperImpl implements KerberosHelper {
               List<KerberosIdentityDescriptor> identityDescriptors;
 
               // Handle the service-level Kerberos identities
-              identityDescriptors = serviceDescriptor.getIdentities(true);
+              identityDescriptors = serviceDescriptor.getIdentities(true, filterContext);
               if (identityDescriptors != null) {
                 for (KerberosIdentityDescriptor identityDescriptor : identityDescriptors)
{
                   createUserIdentity(identityDescriptor, kerberosConfiguration, kerberosOperationHandler,
configurations);
@@ -718,7 +728,7 @@ public class KerberosHelperImpl implements KerberosHelper {
               }
 
               // Handle the component-level Kerberos identities
-              identityDescriptors = componentDescriptor.getIdentities(true);
+              identityDescriptors = componentDescriptor.getIdentities(true, filterContext);
               if (identityDescriptors != null) {
                 for (KerberosIdentityDescriptor identityDescriptor : identityDescriptors)
{
                   createUserIdentity(identityDescriptor, kerberosConfiguration, kerberosOperationHandler,
configurations);
@@ -831,9 +841,14 @@ public class KerberosHelperImpl implements KerberosHelper {
       // Additional realms that need to be handled according to the Kerberos Descriptor
       String additionalRealms = kerberosDescriptor.getProperty("additional_realms");
 
+      // Create the context to use for filtering Kerberos Identities based on the state of
the cluster
+      Map<String, Object> filterContext = new HashMap<String, Object>();
+      filterContext.put("configurations", existingConfigurations);
+      filterContext.put("services", cluster.getServices().keySet());
+
       // Determine which properties need to be set
       AuthToLocalBuilder authToLocalBuilder = new AuthToLocalBuilder(realm, additionalRealms,
caseInsensitiveUser);
-      addIdentities(authToLocalBuilder, kerberosDescriptor.getIdentities(), null, existingConfigurations);
+      addIdentities(authToLocalBuilder, kerberosDescriptor.getIdentities(true, filterContext),
null, existingConfigurations);
 
       authToLocalProperties = kerberosDescriptor.getAuthToLocalProperties();
       if (authToLocalProperties != null) {
@@ -847,7 +862,7 @@ public class KerberosHelperImpl implements KerberosHelper {
         for (KerberosServiceDescriptor service : services.values()) {
           if (installedServices.containsKey(service.getName())) {
             Service svc = installedServices.get(service.getName());
-            addIdentities(authToLocalBuilder, service.getIdentities(true), null, existingConfigurations);
+            addIdentities(authToLocalBuilder, service.getIdentities(true, filterContext),
null, existingConfigurations);
 
             authToLocalProperties = service.getAuthToLocalProperties();
             if (authToLocalProperties != null) {
@@ -897,7 +912,7 @@ public class KerberosHelperImpl implements KerberosHelper {
 
                 if (addSvcCompIdentities) {
                   LOG.info("Adding identity for " + component.getName() + " to auth to local
mapping");
-                  addIdentities(authToLocalBuilder, component.getIdentities(true), null,
existingConfigurations);
+                  addIdentities(authToLocalBuilder, component.getIdentities(true, filterContext),
null, existingConfigurations);
 
                   authToLocalProperties = component.getAuthToLocalProperties();
                   if (authToLocalProperties != null) {
@@ -905,8 +920,6 @@ public class KerberosHelperImpl implements KerberosHelper {
 
                   }
                 }
-
-
               }
             }
           }
@@ -1281,22 +1294,30 @@ public class KerberosHelperImpl implements KerberosHelper {
         if (kerberosDescriptor != null) {
           Map<String, String> kerberosDescriptorProperties = kerberosDescriptor.getProperties();
 
+          Set<String> existingServices = cluster.getServices().keySet();
+
           for (String hostname : hosts) {
+            // Calculate the current host-specific configurations. These will be used to
replace
+            // variables within the Kerberos descriptor data
+            Map<String, Map<String, String>> configurations = calculateConfigurations(cluster,
+                hostname.equals(ambariServerHostname) ? null : hostname,
+                kerberosDescriptorProperties);
+
+            // Create the context to use for filtering Kerberos Identities based on the state
of the cluster
+            Map<String, Object> filterContext = new HashMap<String, Object>();
+            filterContext.put("configurations", configurations);
+            filterContext.put("services", existingServices);
+
+
             Map<String, KerberosIdentityDescriptor> hostActiveIdentities = new HashMap<String,
KerberosIdentityDescriptor>();
             List<KerberosIdentityDescriptor> identities = getActiveIdentities(cluster,
hostname,
-                serviceName, componentName, kerberosDescriptor);
+                serviceName, componentName, kerberosDescriptor, filterContext);
 
             if (hostname.equals(ambariServerHostname)) {
               addAmbariServerIdentity(kerberosEnvConfig.getProperties(), kerberosDescriptor,
identities);
             }
 
             if (!identities.isEmpty()) {
-              // Calculate the current host-specific configurations. These will be used to
replace
-              // variables within the Kerberos descriptor data
-              Map<String, Map<String, String>> configurations = calculateConfigurations(cluster,
hostname.equals
-                      (ambariServerHostname) ? null : hostname,
-                  kerberosDescriptorProperties);
-
               for (KerberosIdentityDescriptor identity : identities) {
                 KerberosPrincipalDescriptor principalDescriptor = identity.getPrincipalDescriptor();
                 String principal = null;
@@ -1352,7 +1373,8 @@ public class KerberosHelperImpl implements KerberosHelper {
                     hostActiveIdentities.put(uniqueKey, new KerberosIdentityDescriptor(
                         identity.getName(),
                         resolvedPrincipalDescriptor,
-                        resolvedKeytabDescriptor));
+                        resolvedKeytabDescriptor,
+                        identity.getWhen()));
                   }
                 }
               }
@@ -2305,13 +2327,15 @@ public class KerberosHelperImpl implements KerberosHelper {
    *                           components
    * @param kerberosDescriptor the relevant Kerberos Descriptor     @return a list of KerberosIdentityDescriptors
representing the active identities for the
    * requested service component
+   * @param filterContext      the context to use for filtering identities based on the state
of the cluster
    * @throws AmbariException if an error occurs processing the cluster's active identities
    */
   private List<KerberosIdentityDescriptor> getActiveIdentities(Cluster cluster,
                                                                String hostname,
                                                                String serviceName,
                                                                String componentName,
-                                                               KerberosDescriptor kerberosDescriptor)
+                                                               KerberosDescriptor kerberosDescriptor,
+                                                               Map<String, Object>
filterContext)
       throws AmbariException {
 
     List<KerberosIdentityDescriptor> identities = new ArrayList<KerberosIdentityDescriptor>();
@@ -2329,14 +2353,14 @@ public class KerberosHelperImpl implements KerberosHelper {
           KerberosServiceDescriptor serviceDescriptor = kerberosDescriptor.getService(schServiceName);
 
           if (serviceDescriptor != null) {
-            List<KerberosIdentityDescriptor> serviceIdentities = serviceDescriptor.getIdentities(true);
+            List<KerberosIdentityDescriptor> serviceIdentities = serviceDescriptor.getIdentities(true,
filterContext);
             if (serviceIdentities != null) {
               identities.addAll(serviceIdentities);
             }
 
             KerberosComponentDescriptor componentDescriptor = serviceDescriptor.getComponent(schComponentName);
             if (componentDescriptor != null) {
-              List<KerberosIdentityDescriptor> componentIdentities = componentDescriptor.getIdentities(true);
+              List<KerberosIdentityDescriptor> componentIdentities = componentDescriptor.getIdentities(true,
filterContext);
               if (componentIdentities != null) {
                 identities.addAll(componentIdentities);
               }

http://git-wip-us.apache.org/repos/asf/ambari/blob/ebdbe6f3/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
index 0dbd357..b6b0713 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
@@ -36,7 +36,6 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.Type;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -89,6 +88,11 @@ public abstract class AbstractPrepareKerberosServerAction extends KerberosServer
       // variables within the Kerberos descriptor data
       Map<String, Map<String, String>> configurations = kerberosHelper.calculateConfigurations(cluster,
null, kerberosDescriptorProperties);
 
+      // Create the context to use for filtering Kerberos Identities based on the state of
the cluster
+      Map<String, Object> filterContext = new HashMap<String, Object>();
+      filterContext.put("configurations", configurations);
+      filterContext.put("services", cluster.getServices().keySet());
+
       actionLog.writeStdOut(String.format("Writing Kerberos identity data metadata file to
%s", identityDataFile.getAbsolutePath()));
       try {
         kerberosIdentityDataFileWriter = kerberosIdentityDataFileWriterFactory.createKerberosIdentityDataFileWriter(identityDataFile);
@@ -118,7 +122,7 @@ public abstract class AbstractPrepareKerberosServerAction extends KerberosServer
             KerberosServiceDescriptor serviceDescriptor = kerberosDescriptor.getService(serviceName);
 
             if (serviceDescriptor != null) {
-              List<KerberosIdentityDescriptor> serviceIdentities = serviceDescriptor.getIdentities(true);
+              List<KerberosIdentityDescriptor> serviceIdentities = serviceDescriptor.getIdentities(true,
filterContext);
 
               // Add service-level principals (and keytabs)
               kerberosHelper.addIdentities(kerberosIdentityDataFileWriter, serviceIdentities,
@@ -128,7 +132,7 @@ public abstract class AbstractPrepareKerberosServerAction extends KerberosServer
               KerberosComponentDescriptor componentDescriptor = serviceDescriptor.getComponent(componentName);
 
               if (componentDescriptor != null) {
-                List<KerberosIdentityDescriptor> componentIdentities = componentDescriptor.getIdentities(true);
+                List<KerberosIdentityDescriptor> componentIdentities = componentDescriptor.getIdentities(true,
filterContext);
 
                 // Calculate the set of configurations to update and replace any variables
                 // using the previously calculated Map of configurations for the host.

http://git-wip-us.apache.org/repos/asf/ambari/blob/ebdbe6f3/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/AbstractKerberosDescriptorContainer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/AbstractKerberosDescriptorContainer.java
b/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/AbstractKerberosDescriptorContainer.java
index bb2ed1c..64d9292 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/AbstractKerberosDescriptorContainer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/AbstractKerberosDescriptorContainer.java
@@ -162,14 +162,14 @@ public abstract class AbstractKerberosDescriptorContainer extends AbstractKerber
    * <p/>
    * The returned KerberosIdentityDescriptors are not merged with data from referenced
    * KerberosConfigurationDescriptors. This is the same calling
-   * {@link AbstractKerberosDescriptorContainer#getIdentities(boolean)} and setting the argument
to
-   * 'false'
+   * {@link AbstractKerberosDescriptorContainer#getIdentities(boolean, Map)} and setting
the
+   * argument to 'false'
    *
    * @return the relevant List of KerberosIdentityDescriptors
    */
   public List<KerberosIdentityDescriptor> getIdentities() {
     try {
-      return getIdentities(false);
+      return getIdentities(false, null);
     } catch (AmbariException e) {
       // AmbariException will not be thrown unless an error occurs while trying to dereference
       // identities.  This method does not attempt to dereference identities.
@@ -200,19 +200,20 @@ public abstract class AbstractKerberosDescriptorContainer extends AbstractKerber
    *                          (false)
    * @return a List of the requested KerberosIdentityDescriptors
    */
-  public List<KerberosIdentityDescriptor> getIdentities(boolean resolveReferences)
throws AmbariException {
-    if (resolveReferences) {
-      if (identities == null) {
-        return Collections.emptyList();
-      } else {
-        List<KerberosIdentityDescriptor> list = new ArrayList<KerberosIdentityDescriptor>();
-
-        // For each KerberosIdentityDescriptor, copy it and then attempt to find the referenced
-        // KerberosIdentityDescriptor.
-        // * If a reference is found, copy that, update it with the initial KerberosIdentityDescriptor
-        //   and then add it to the list.
-        // * If a reference is not found, simply add the initial KerberosIdentityDescriptor
to the list
-        for (KerberosIdentityDescriptor identity : identities) {
+  public List<KerberosIdentityDescriptor> getIdentities(boolean resolveReferences,
Map<String,Object> contextForFilter) throws AmbariException {
+    if (identities == null) {
+      return Collections.emptyList();
+    } else {
+      List<KerberosIdentityDescriptor> list = new ArrayList<KerberosIdentityDescriptor>();
+
+      for (KerberosIdentityDescriptor identity : identities) {
+        KerberosIdentityDescriptor identityToAdd;
+
+        if (resolveReferences) {
+          // Copy this KerberosIdentityDescriptor and then attempt to find the referenced
one.
+          // * If a reference is found, copy that, update it with the initial KerberosIdentityDescriptor
+          //   and then add it to the list.
+          // * If a reference is not found, simply add the initial KerberosIdentityDescriptor
to the list
           KerberosIdentityDescriptor referencedIdentity;
           try {
             referencedIdentity = getReferencedIdentityDescriptor(identity.getName());
@@ -226,16 +227,22 @@ public abstract class AbstractKerberosDescriptorContainer extends AbstractKerber
           if (referencedIdentity != null) {
             KerberosIdentityDescriptor detachedIdentity = new KerberosIdentityDescriptor(referencedIdentity.toMap());
             detachedIdentity.update(identity);
-            list.add(detachedIdentity);
+
+            identityToAdd = detachedIdentity;
           } else {
-            list.add(identity);
+            identityToAdd = identity;
           }
+        } else {
+          identityToAdd = identity;
         }
 
-        return list;
+        // Make sure this Kerberos Identity is not to be filtered out based on its "when"
clause
+        if ((identityToAdd != null) && ((contextForFilter == null) || identityToAdd.shouldInclude(contextForFilter)))
{
+          list.add(identityToAdd);
+        }
       }
-    } else {
-      return identities;
+
+      return list;
     }
   }
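Review bot: A `null` `contextForFilter` switches the `when` check off entirely, and the no-argument `getIdentities()` now always passes `null`, so any caller still using it receives identities whose `when` clause says to skip them. The Javadoc above the method gains no entry for the new parameter, so this fail-open default is undocumented; I would add `@param contextForFilter the context used to evaluate each identity's "when" clause; null disables filtering and returns every identity`. With `resolveReferences` false the method also now returns a fresh list, and an empty list when `identities` is null, where it used to return the `identities` field itself. Callers that relied on the old return value should be checked. The method body begins in the previous hunk.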
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/ebdbe6f3/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptor.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptor.java
b/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptor.java
index d31dd21..2631d35 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptor.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptor.java
@@ -17,6 +17,9 @@
  */
 package org.apache.ambari.server.state.kerberos;
 
+import org.apache.ambari.server.collections.Predicate;
+import org.apache.ambari.server.collections.PredicateUtils;
+
 import java.util.Map;
 
 /**
@@ -86,16 +89,25 @@ public class KerberosIdentityDescriptor extends AbstractKerberosDescriptor
{
   private String password = null;
 
   /**
+   * An expression used to determine when this {@link KerberosIdentityDescriptor} is relevant
for the
+   * cluster. If the process expression is not <code>null</code> and evaluates
to <code>false</code>
+   * then this {@link KerberosIdentityDescriptor} will be ignored when processing identities.
+   */
+  private Predicate when = null;
+
+  /**
    * Creates a new KerberosIdentityDescriptor
    *
    * @param name the name of this identity descriptor
    * @param principal a KerberosPrincipalDescriptor
    * @param keytab a KerberosKeytabDescriptor
+   * @param when a predicate
    */
-  public KerberosIdentityDescriptor(String name, KerberosPrincipalDescriptor principal, KerberosKeytabDescriptor
keytab) {
+  public KerberosIdentityDescriptor(String name, KerberosPrincipalDescriptor principal, KerberosKeytabDescriptor
keytab, Predicate when) {
     setName(name);
     setPrincipalDescriptor(principal);
     setKeytabDescriptor(keytab);
+    setWhen(when);
   }
 
   /**
@@ -126,6 +138,11 @@ public class KerberosIdentityDescriptor extends AbstractKerberosDescriptor
{
       if (item instanceof Map) {
         setKeytabDescriptor(new KerberosKeytabDescriptor((Map<?, ?>) item));
       }
+
+      item = data.get("when");
+      if (item instanceof Map) {
+        setWhen(PredicateUtils.fromMap((Map<String, Object>) item));
+      }
     }
   }
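Review bot: A `when` entry that is present but not a `Map` is dropped without any signal, and because a null predicate means "always include", a malformed descriptor ends up creating the identity unconditionally. For a value that gates principal and keytab creation, rejecting bad input is safer than ignoring it, for example `else if (item != null) { throw new IllegalArgumentException("'when' must be a map"); }`, or at least a warning if throwing from this constructor is not acceptable. The cast to `Map<String, Object>` is unchecked, and how `PredicateUtils.fromMap` treats unknown or empty maps is not visible here, so that is worth confirming too. The constructor starts outside the hunk.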
 
@@ -193,6 +210,48 @@ public class KerberosIdentityDescriptor extends AbstractKerberosDescriptor
{
     this.password = password;
   }
 
+
+  /**
+   * Gets the expression (or {@link Predicate}) to use to determine when to include this
Kerberos
+   * identity while processing Kerberos identities.
+   * <p>
+   * <code>null</code> indicates there is nothing to evaluate and this Kerberos
identity is to always
+   * be included when processing Kerberos identities.
+   *
+   * @return a predicate
+   */
+  public Predicate getWhen() {
+    return when;
+  }
+
+  /**
+   * Sets the expression (or {@link Predicate}) to use to determine when to include this
Kerberos
+   * identity while processing Kerberos identities.
+   * <p>
+   * <code>null</code> indicates there is nothing to evaluate and this Kerberos
identity is to always
+   * be included when processing Kerberos identities.
+   *
+   * @param when a predicate
+   */
+  public void setWhen(Predicate when) {
+    this.when = when;
+  }
+
+  /**
+   * Processes the expression indicating when this {@link KerberosIdentityDescriptor} is
to be included
+   * in the set of Kerberos identities to process.
+   * <p>
+   * <code>True</code> will be returned if the expression is <code>null</code>
or if it evaluates
+   * as such.
+   *
+   * @param context A Map of context values, including at least the list of services and
available configurations
+   * @return true if this {@link KerberosIdentityDescriptor} is to be included when processing
the
+   * Kerberos identities; otherwise false.
+   */
+  public boolean shouldInclude(Map<String, Object> context) {
+    return (this.when == null) || this.when.evaluate(context);
+  }
+
   /**
    * Updates this KerberosIdentityDescriptor with data from another KerberosIdentityDescriptor
    * <p/>
@@ -219,6 +278,11 @@ public class KerberosIdentityDescriptor extends AbstractKerberosDescriptor
{
       } else {
         existingKeytabDescriptor.update(updates.getKeytabDescriptor());
       }
+
+      Predicate updatedWhen = updates.getWhen();
+      if(updatedWhen != null) {
+        setWhen(updatedWhen);
+      }
     }
   }
 
@@ -246,6 +310,10 @@ public class KerberosIdentityDescriptor extends AbstractKerberosDescriptor
{
       dataMap.put("password", password);
     }
 
+    if(when != null) {
+      dataMap.put("when", PredicateUtils.toMap(when));
+    }
+
     return dataMap;
   }
 
@@ -257,7 +325,10 @@ public class KerberosIdentityDescriptor extends AbstractKerberosDescriptor
{
             : getPrincipalDescriptor().hashCode()) +
         ((getKeytabDescriptor() == null)
             ? 0
-            : getKeytabDescriptor().hashCode());
+            : getKeytabDescriptor().hashCode()) +
+        ((getWhen() == null)
+            ? 0
+            : getWhen().hashCode());
   }
 
   @Override
@@ -283,6 +354,11 @@ public class KerberosIdentityDescriptor extends AbstractKerberosDescriptor
{
               (getPassword() == null)
                   ? (descriptor.getPassword() == null)
                   : getPassword().equals(descriptor.getPassword())
+          ) &&
+          (
+              (getWhen() == null)
+                  ? (descriptor.getWhen() == null)
+                  : getWhen().equals(descriptor.getWhen())
           );
     } else {
       return false;

http://git-wip-us.apache.org/repos/asf/ambari/blob/ebdbe6f3/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java
b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java
index 77d4444..408df4f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java
@@ -2088,7 +2088,7 @@ public class UpgradeCatalog240 extends AbstractUpgradeCatalog {
                 componentDescriptor.removeIdentity("hbase_queryserver_hbase");
 
                 // Add the new identity
-                componentDescriptor.putIdentity(new KerberosIdentityDescriptor("/spnego",
newPrincipalDescriptor, newKeytabDescriptor));
+                componentDescriptor.putIdentity(new KerberosIdentityDescriptor("/spnego",
newPrincipalDescriptor, newKeytabDescriptor, null));
 
                 artifactEntity.setArtifactData(kerberosDescriptor.toMap());
                 artifactDAO.merge(artifactEntity);

http://git-wip-us.apache.org/repos/asf/ambari/blob/ebdbe6f3/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
index 5393fd6..c707a90 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
@@ -1952,19 +1952,19 @@ public class KerberosHelperTest extends EasyMockSupport {
 
     final KerberosIdentityDescriptor identityDescriptor1 = createMock(KerberosIdentityDescriptor.class);
     expect(identityDescriptor1.getPrincipalDescriptor()).andReturn(principalDescriptor1).times(1);
-//    expect(identityDescriptor1.getName()).andReturn("1").times(1);
+    expect(identityDescriptor1.shouldInclude(anyObject(Map.class))).andReturn(true).anyTimes();
 
     final KerberosIdentityDescriptor identityDescriptor2 = createMock(KerberosIdentityDescriptor.class);
     expect(identityDescriptor2.getPrincipalDescriptor()).andReturn(principalDescriptor2).times(1);
-//    expect(identityDescriptor2.getName()).andReturn("2").times(1);
+    expect(identityDescriptor2.shouldInclude(anyObject(Map.class))).andReturn(true).anyTimes();
 
     final KerberosIdentityDescriptor identityDescriptor3 = createMock(KerberosIdentityDescriptor.class);
     expect(identityDescriptor3.getPrincipalDescriptor()).andReturn(principalDescriptor3).times(1);
-//    expect(identityDescriptor3.getName()).andReturn("3").times(1);
+    expect(identityDescriptor3.shouldInclude(anyObject(Map.class))).andReturn(true).anyTimes();
 
     final KerberosServiceDescriptor serviceDescriptor1 = createMock(KerberosServiceDescriptor.class);
     expect(serviceDescriptor1.getName()).andReturn("SERVICE1").times(2);
-    expect(serviceDescriptor1.getIdentities(true)).andReturn(Arrays.asList(
+    expect(serviceDescriptor1.getIdentities(eq(true), anyObject(Map.class))).andReturn(Arrays.asList(
         identityDescriptor1,
         identityDescriptor2,
         identityDescriptor3
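Review bot: The new expectations match the context with `anyObject(Map.class)` and stub `shouldInclude` to return `true`, so this test passes whatever the helper puts in the context and never exercises an identity being filtered out. Unless that is covered in a part of the commit not shown here, I would capture the map passed to `getIdentities` and assert that it carries the `configurations` and `services` entries. I would also add one identity whose `shouldInclude` returns `false` and check that it produces no auth-to-local rule. The test method starts and ends outside the hunk.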
@@ -1983,14 +1983,14 @@ public class KerberosHelperTest extends EasyMockSupport {
 
     final KerberosDescriptor kerberosDescriptor = createMock(KerberosDescriptor.class);
     expect(kerberosDescriptor.getProperty("additional_realms")).andReturn(null).times(1);
-    expect(kerberosDescriptor.getIdentities()).andReturn(null).times(1);
+    expect(kerberosDescriptor.getIdentities(eq(true), anyObject(Map.class))).andReturn(null).times(1);
     expect(kerberosDescriptor.getAuthToLocalProperties()).andReturn(null).times(1);
     expect(kerberosDescriptor.getServices()).andReturn(Collections.singletonMap("SERVICE1",
serviceDescriptor1)).times(1);
 
     final Service service1 = createNiceMock(Service.class);
 
     final Cluster cluster = createNiceMock(Cluster.class);
-    expect(cluster.getServices()).andReturn(Collections.singletonMap("SERVICE1", service1)).times(1);
+    expect(cluster.getServices()).andReturn(Collections.singletonMap("SERVICE1", service1)).anyTimes();
 
     Map<String, Map<String, String>> kerberosConfigurations = new HashMap<String,
Map<String, String>>();
 
@@ -2253,7 +2253,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(kerberosDescriptor.getService("SERVICE2")).andReturn(serviceDescriptor2).atLeastOnce();
     expect(kerberosDescriptor.getService("SERVICE3")).andReturn(serviceDescriptor3).atLeastOnce();
     expect(kerberosDescriptor.getProperty("additional_realms")).andReturn(null).atLeastOnce();
-    expect(kerberosDescriptor.getIdentities()).andReturn(null).atLeastOnce();
+    expect(kerberosDescriptor.getIdentities(eq(true), anyObject(Map.class))).andReturn(null).atLeastOnce();
     expect(kerberosDescriptor.getAuthToLocalProperties()).andReturn(Collections.singleton("core-site/auth.to.local")).atLeastOnce();
 
     final ResourceProvider artifactResourceProvider = createMock(ArtifactResourceProvider.class);
@@ -3820,30 +3820,36 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(identityDescriptor1.getName()).andReturn("identity1").anyTimes();
     expect(identityDescriptor1.getPrincipalDescriptor()).andReturn(principalDescriptor1).anyTimes();
     expect(identityDescriptor1.getKeytabDescriptor()).andReturn(keytabDescriptor1).anyTimes();
+    expect(identityDescriptor1.shouldInclude(anyObject(Map.class))).andReturn(true).anyTimes();
+    expect(identityDescriptor1.getWhen()).andReturn(null).anyTimes();
 
     final KerberosIdentityDescriptor identityDescriptor2 = createMock(KerberosIdentityDescriptor.class);
     expect(identityDescriptor2.getName()).andReturn("identity2").anyTimes();
     expect(identityDescriptor2.getPrincipalDescriptor()).andReturn(principalDescriptor2).anyTimes();
     expect(identityDescriptor2.getKeytabDescriptor()).andReturn(keytabDescriptor2).anyTimes();
+    expect(identityDescriptor2.shouldInclude(anyObject(Map.class))).andReturn(true).anyTimes();
+    expect(identityDescriptor2.getWhen()).andReturn(null).anyTimes();
 
     final KerberosIdentityDescriptor identityDescriptorService1 = createMock(KerberosIdentityDescriptor.class);
     expect(identityDescriptorService1.getName()).andReturn("identity3").anyTimes();
     expect(identityDescriptorService1.getPrincipalDescriptor()).andReturn(principalDescriptorService1).anyTimes();
     expect(identityDescriptorService1.getKeytabDescriptor()).andReturn(keytabDescriptorService1).anyTimes();
+    expect(identityDescriptorService1.shouldInclude(anyObject(Map.class))).andReturn(true).anyTimes();
+    expect(identityDescriptorService1.getWhen()).andReturn(null).anyTimes();
 
     final KerberosComponentDescriptor componentDescriptor1 = createMock(KerberosComponentDescriptor.class);
-    expect(componentDescriptor1.getIdentities(true)).andReturn(Collections.singletonList(identityDescriptor1)).anyTimes();
+    expect(componentDescriptor1.getIdentities(eq(true), anyObject(Map.class))).andReturn(Collections.singletonList(identityDescriptor1)).anyTimes();
 
     final KerberosComponentDescriptor componentDescriptor2 = createMock(KerberosComponentDescriptor.class);
-    expect(componentDescriptor2.getIdentities(true)).andReturn(Collections.singletonList(identityDescriptor2)).anyTimes();
+    expect(componentDescriptor2.getIdentities(eq(true), anyObject(Map.class))).andReturn(Collections.singletonList(identityDescriptor2)).anyTimes();
 
     final KerberosServiceDescriptor serviceDescriptor1 = createMock(KerberosServiceDescriptor.class);
     expect(serviceDescriptor1.getComponent("COMPONENT1")).andReturn(componentDescriptor1).anyTimes();
-    expect(serviceDescriptor1.getIdentities(true)).andReturn(Collections.singletonList(identityDescriptorService1)).anyTimes();
+    expect(serviceDescriptor1.getIdentities(eq(true), anyObject(Map.class))).andReturn(Collections.singletonList(identityDescriptorService1)).anyTimes();
 
     final KerberosServiceDescriptor serviceDescriptor2 = createMock(KerberosServiceDescriptor.class);
     expect(serviceDescriptor2.getComponent("COMPONENT2")).andReturn(componentDescriptor2).anyTimes();
-    expect(serviceDescriptor2.getIdentities(true)).andReturn(null).anyTimes();
+    expect(serviceDescriptor2.getIdentities(eq(true), anyObject(Map.class))).andReturn(null).anyTimes();
 
     final KerberosDescriptor kerberosDescriptor = createMock(KerberosDescriptor.class);
     expect(kerberosDescriptor.getProperties()).andReturn(new HashMap<String, String>()
{
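Review bot: Every `KerberosIdentityDescriptor` mock in this hunk is stubbed with `shouldInclude(anyObject(Map.class))` returning `true` and `getWhen()` returning `null`, so this helper test never exercises the path where a condition filters an identity out. Because the feature decides whether a principal and keytab are created at all, I would add one identity stubbed with `expect(identityDescriptorN.shouldInclude(anyObject(Map.class))).andReturn(false).anyTimes();` and assert that nothing is generated for it. `anyObject(Map.class)` also accepts any argument, presumably including null, so the context the helper builds is never checked; capturing it and asserting its `services` entry would close that gap. The same loose matcher is used in the two helper-method hunks that follow (at -3934 and -3955) and in the earlier hunks of this file. The enclosing test method starts and ends outside this hunk.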
@@ -3934,7 +3940,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     KerberosServiceDescriptor descriptor = createMock(KerberosServiceDescriptor.class);
     expect(descriptor.getName()).andReturn(serviceName).anyTimes();
     expect(descriptor.getComponents()).andReturn(componentMap).anyTimes();
-    expect(descriptor.getIdentities(true)).andReturn(identities).anyTimes();
+    expect(descriptor.getIdentities(eq(true), anyObject(Map.class))).andReturn(identities).anyTimes();
     expect(descriptor.getAuthToLocalProperties()).andReturn(null).anyTimes();
     return descriptor;
   }
@@ -3955,7 +3961,7 @@ public class KerberosHelperTest extends EasyMockSupport {
       throws AmbariException {
     KerberosComponentDescriptor descriptor = createMock(KerberosComponentDescriptor.class);
     expect(descriptor.getName()).andReturn(componentName).anyTimes();
-    expect(descriptor.getIdentities(true)).andReturn(identities).anyTimes();
+    expect(descriptor.getIdentities(eq(true), anyObject(Map.class))).andReturn(identities).anyTimes();
     expect(descriptor.getConfigurations(true)).andReturn(configurations).anyTimes();
     expect(descriptor.getAuthToLocalProperties()).andReturn(null).anyTimes();
     return descriptor;

http://git-wip-us.apache.org/repos/asf/ambari/blob/ebdbe6f3/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java
index d80d7cc..004cd66 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java
@@ -163,7 +163,7 @@ public class KerberosDescriptorTest {
       KerberosComponentDescriptor component = service.getComponent("A_DIFFERENT_COMPONENT_NAME");
       Assert.assertNotNull(component);
 
-      List<KerberosIdentityDescriptor> resolvedIdentities = component.getIdentities(true);
+      List<KerberosIdentityDescriptor> resolvedIdentities = component.getIdentities(true,
null);
       KerberosIdentityDescriptor resolvedIdentity = null;
       Assert.assertNotNull(resolvedIdentities);
       Assert.assertEquals(3, resolvedIdentities.size());
@@ -176,7 +176,7 @@ public class KerberosDescriptorTest {
       }
       Assert.assertNotNull(resolvedIdentity);
 
-      List<KerberosIdentityDescriptor> identities = component.getIdentities(false);
+      List<KerberosIdentityDescriptor> identities = component.getIdentities(false,
null);
       Assert.assertNotNull(identities);
       Assert.assertEquals(3, identities.size());
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/ebdbe6f3/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptorTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptorTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptorTest.java
index 0ea7b26..79a861d 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptorTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptorTest.java
@@ -23,7 +23,9 @@ import junit.framework.Assert;
 import org.apache.ambari.server.AmbariException;
 import org.junit.Test;
 
+import java.util.Arrays;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 
 public class KerberosIdentityDescriptorTest {
@@ -34,6 +36,8 @@ public class KerberosIdentityDescriptorTest {
           "  \"principal\":" + KerberosPrincipalDescriptorTest.JSON_VALUE +
           "," +
           "  \"keytab\":" + KerberosKeytabDescriptorTest.JSON_VALUE +
+          "," +
+          "  \"when\": {\"contains\" : [\"services\", \"HIVE\"]}" +
           "}";
 
   public static final Map<String, Object> MAP_VALUE =
@@ -151,4 +155,17 @@ public class KerberosIdentityDescriptorTest {
 
     validateUpdatedData(identityDescriptor);
   }
+
+  @Test
+  public void testShouldInclude() {
+    KerberosIdentityDescriptor identityDescriptor = createFromJSON();
+
+    Map<String, Object> context = new HashMap<String, Object>();
+
+    context.put("services", new HashSet<String>(Arrays.asList("HIVE", "HDFS", "ZOOKEEPER")));
+    Assert.assertTrue(identityDescriptor.shouldInclude(context));
+
+    context.put("services", new HashSet<String>(Arrays.asList("NOT_HIVE", "HDFS", "ZOOKEEPER")));
+    Assert.assertFalse(identityDescriptor.shouldInclude(context));
+  }
 }
\ No newline at end of file
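Review bot: `testShouldInclude` only covers a context that contains a `services` entry; it does not pin what `shouldInclude` returns for a `null` context, an empty map, or a descriptor with no `when` clause. KerberosDescriptorTest in this same commit calls `getIdentities(true, null)`, so a null context is a real input, and whether a condition that cannot be evaluated creates or skips the identity should be stated by a test rather than left implicit. I would add calls such as `identityDescriptor.shouldInclude(null)` and `identityDescriptor.shouldInclude(new HashMap<String, Object>())`, each asserted against the intended result. The `when` clause is also added only to `JSON_VALUE`; no visible hunk touches `MAP_VALUE`, so the map-based construction path appears not to carry it.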

