ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rle...@apache.org
Subject ambari git commit: AMBARI-17968. Changed oozie.authentication.kerberos.principal and oozie.authentication.kerberos.keytab are reverted while regenerating keytab files (rlevas)
Date Mon, 01 Aug 2016 15:15:41 GMT
Repository: ambari
Updated Branches:
  refs/heads/branch-2.4 2400d524a -> 810162c61


AMBARI-17968. Changed oozie.authentication.kerberos.principal and oozie.authentication.kerberos.keytab
are reverted while regenerating keytab files (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/810162c6
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/810162c6
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/810162c6

Branch: refs/heads/branch-2.4
Commit: 810162c61c7ff8ce5395e762bf735acbef3a736e
Parents: 2400d52
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Mon Aug 1 11:15:35 2016 -0400
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Mon Aug 1 11:15:35 2016 -0400

----------------------------------------------------------------------
 .../BlueprintConfigurationProcessor.java        |  1 +
 .../4.0.0.2.0/package/scripts/params_linux.py   | 27 +++++++++++---
 .../stacks/2.0.6/OOZIE/test_oozie_server.py     | 39 +++++++++++++++++++-
 3 files changed, 59 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/810162c6/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java
index 23c9edc..4776dc6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java
@@ -2539,6 +2539,7 @@ public class BlueprintConfigurationProcessor {
     // OOZIE_SERVER
     oozieSiteMap.put("oozie.base.url", new SingleHostTopologyUpdater("OOZIE_SERVER"));
     oozieSiteMap.put("oozie.authentication.kerberos.principal", new SingleHostTopologyUpdater("OOZIE_SERVER"));
+    oozieSiteMap.put("oozie.ha.authentication.kerberos.principal", new SingleHostTopologyUpdater("OOZIE_SERVER"));
     oozieSiteMap.put("oozie.service.HadoopAccessorService.kerberos.principal", new SingleHostTopologyUpdater("OOZIE_SERVER"));
     multiCoreSiteMap.put("hadoop.proxyuser.oozie.hosts", new MultipleHostTopologyUpdater("OOZIE_SERVER"));
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/810162c6/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py
b/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py
index 85085de..ca57c81 100644
--- a/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py
+++ b/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py
@@ -148,13 +148,28 @@ oozie_site = config['configurations']['oozie-site']
 yarn_log_dir_prefix = config['configurations']['yarn-env']['yarn_log_dir_prefix']
 yarn_resourcemanager_address = config['configurations']['yarn-site']['yarn.resourcemanager.address']
 
-if security_enabled and stack_version_formatted and check_stack_feature(StackFeature.OOZIE_HOST_KERBEROS,
stack_version_formatted):
-  #older versions of oozie have problems when using _HOST in principal
+if security_enabled:
   oozie_site = dict(config['configurations']['oozie-site'])
-  oozie_site['oozie.service.HadoopAccessorService.kerberos.principal'] = \
-    oozie_principal.replace('_HOST', hostname)
-  oozie_site['oozie.authentication.kerberos.principal'] = \
-    http_principal.replace('_HOST', hostname)
+
+  # If a user-supplied oozie.ha.authentication.kerberos.principal property exists in oozie-site,
+  # use it to replace the existing oozie.authentication.kerberos.principal value. This is
to ensure
+  # that any special principal name needed for HA is used rather than the Ambari-generated
value
+  if "oozie.ha.authentication.kerberos.principal" in oozie_site:
+    oozie_site['oozie.authentication.kerberos.principal'] = oozie_site['oozie.ha.authentication.kerberos.principal']
+    http_principal = oozie_site['oozie.authentication.kerberos.principal']
+
+  # If a user-supplied oozie.ha.authentication.kerberos.keytab property exists in oozie-site,
+  # use it to replace the existing oozie.authentication.kerberos.keytab value. This is to
ensure
+  # that any special keytab file needed for HA is used rather than the Ambari-generated value
+  if "oozie.ha.authentication.kerberos.keytab" in oozie_site:
+    oozie_site['oozie.authentication.kerberos.keytab'] = oozie_site['oozie.ha.authentication.kerberos.keytab']
+
+  if stack_version_formatted and check_stack_feature(StackFeature.OOZIE_HOST_KERBEROS, stack_version_formatted):
+    #older versions of oozie have problems when using _HOST in principal
+    oozie_site['oozie.service.HadoopAccessorService.kerberos.principal'] = \
+      oozie_principal.replace('_HOST', hostname)
+    oozie_site['oozie.authentication.kerberos.principal'] = \
+      http_principal.replace('_HOST', hostname)
 
 smokeuser_keytab = config['configurations']['cluster-env']['smokeuser_keytab']
 oozie_keytab = default("/configurations/oozie-env/oozie_keytab", oozie_service_keytab)

http://git-wip-us.apache.org/repos/asf/ambari/blob/810162c6/ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py b/ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py
index 99d6dec..f38444b 100644
--- a/ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py
+++ b/ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py
@@ -602,6 +602,37 @@ class TestOozieServer(RMFTestCase):
     self.assertNoMoreResources()
 
   @patch.object(shell, "call")
+  @patch('os.path.exists', new=MagicMock(side_effect = [False, True, False, True]))
+  def test_configure_secured_ha(self, call_mocks):
+    call_mocks = MagicMock(return_value=(0, "New Oozie WAR file with added"))
+
+    config_file = "stacks/2.0.6/configs/secured.json"
+    with open(config_file, "r") as f:
+      secured_json = json.load(f)
+
+    secured_json['configurations']['oozie-site']['oozie.ha.authentication.kerberos.principal']
= "*"
+    secured_json['configurations']['oozie-site']['oozie.ha.authentication.kerberos.keytab']
= "/etc/security/keytabs/oozie_ha.keytab"
+
+    self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/oozie_server.py",
+                       classname = "OozieServer",
+                       command = "configure",
+                       config_dict = secured_json,
+                       stack_version = self.STACK_VERSION,
+                       target = RMFTestCase.TARGET_COMMON_SERVICES,
+                       call_mocks = call_mocks
+    )
+
+    # Update the config data to see if
+    #  * configurations/oozie-site/oozie.authentication.kerberos.principal == configurations/oozie-site/oozie.ha.authentication.kerberos.principal
+    #  * configurations/oozie-site/oozie.authentication.kerberos.keytab == configurations/oozie-site/oozie.ha.authentication.kerberos.keytab
+    expected_oozie_site = dict(self.getConfig()['configurations']['oozie-site'])
+    expected_oozie_site['oozie.authentication.kerberos.principal'] = expected_oozie_site['oozie.ha.authentication.kerberos.principal']
+    expected_oozie_site['oozie.authentication.kerberos.keytab'] = expected_oozie_site['oozie.ha.authentication.kerberos.keytab']
+
+    self.assert_configure_secured(expected_oozie_site)
+    self.assertNoMoreResources()
+
+  @patch.object(shell, "call")
   @patch("os.path.isfile")
   @patch('os.path.exists', new=MagicMock(side_effect = [False, True, False, True]))
   def test_start_secured(self, isfile_mock, call_mocks):
@@ -878,7 +909,7 @@ class TestOozieServer(RMFTestCase):
                               recursive_ownership = True,
     )
 
-  def assert_configure_secured(self):
+  def assert_configure_secured(self, expected_oozie_site = None):
     self.assertResourceCalled('HdfsResource', '/user/oozie',
         immutable_paths = self.DEFAULT_IMMUTABLE_PATHS,
         security_enabled = True,
@@ -911,12 +942,16 @@ class TestOozieServer(RMFTestCase):
                               group = 'hadoop',
                               create_parents = True
                               )
+
+    if expected_oozie_site is None:
+      expected_oozie_site = self.getConfig()['configurations']['oozie-site']
+
     self.assertResourceCalled('XmlConfig', 'oozie-site.xml',
                               owner = 'oozie',
                               group = 'hadoop',
                               mode = 0664,
                               conf_dir = '/etc/oozie/conf',
-                              configurations = self.getConfig()['configurations']['oozie-site'],
+                              configurations = expected_oozie_site,
                               configuration_attributes = self.getConfig()['configuration_attributes']['oozie-site']
                               )
     self.assertResourceCalled('File', '/etc/oozie/conf/oozie-env.sh',


Mime
View raw message