From smn...@apache.org
Subject ambari git commit: AMBARI-19545: Ambari-agent - In HIVE and OOZIE stack scripts, copy JCEKS file to desired location
Date Wed, 18 Jan 2017 02:56:50 GMT
Repository: ambari
Updated Branches:
  refs/heads/branch-2.5 c215cc7cc -> 513aa1aad


AMBARI-19545: Ambari-agent - In HIVE and OOZIE stack scripts, copy JCEKS file to desired location

This reverts commit e700484e80446174d72b3ce40295cbea4689a50a.


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/513aa1aa
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/513aa1aa
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/513aa1aa

Branch: refs/heads/branch-2.5
Commit: 513aa1aad1f061d9e9c5d790f1f9d303b47f40fa
Parents: c215cc7
Author: Nahappan Somasundaram <nsomasundaram@hortonworks.com>
Authored: Tue Jan 17 11:48:57 2017 -0800
Committer: Nahappan Somasundaram <nsomasundaram@hortonworks.com>
Committed: Tue Jan 17 18:56:41 2017 -0800

----------------------------------------------------------------------
 .../libraries/functions/security_commons.py     | 37 ++++++++++++++++++++
 .../HIVE/0.12.0.2.0/package/scripts/hive.py     |  9 +++--
 .../OOZIE/4.0.0.2.0/package/scripts/oozie.py    | 18 ++++++++--
 3 files changed, 60 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/513aa1aa/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py
b/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py
index 8282dc5..cca244d 100644
--- a/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py
@@ -22,11 +22,48 @@ from resource_management import Execute, File
 from tempfile import mkstemp
 import os
 import ambari_simplejson as json # simplejson is much faster comparing to Python 2.6 json
module and has the same functions set.
+from resource_management.core.source import StaticFile
 
 FILE_TYPE_XML = 'XML'
 FILE_TYPE_PROPERTIES = 'PROPERTIES'
 FILE_TYPE_JAAS_CONF = 'JAAS_CONF'
 
+# The property name used by the hadoop credential provider
+HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME = 'hadoop.security.credential.provider.path'
+
+# Copy JCEKS provider to service specific location and update the ACL
+def update_credential_provider_path(config, config_type, dest_provider_path, file_owner,
file_group):
+  """
+  Copies the JCEKS file for the specified config from the default location to the given location,
+  and sets the ACLs for the specified owner and group. Also updates the config type's configuration
+  hadoop credential store provider with the copied file name.
+  :param config: configurations['configurations'][config_type]
+  :param config_type: Like hive-site, oozie-site, etc.
+  :param dest_provider_path: The full path to the file where the JCEKS provider file is to
be copied to.
+  :param file_owner: File owner
+  :param file_group: Group
+  :return: A copy of the config that was modified or the input config itself if nothing was
modified.
+  """
+  # Get the path to the provider <config_type>.jceks
+  if HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME in config:
+    provider_paths = config[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME].split(',')
+    for path_index in range(len(provider_paths)):
+      provider_path = provider_paths[path_index]
+      if config_type == os.path.splitext(os.path.basename(provider_path))[0]:
+        src_provider_path = provider_path[len('jceks://file'):]
+        File(dest_provider_path,
+             owner = file_owner,
+             group = file_group,
+             mode = 0640,
+             content = StaticFile(src_provider_path)
+             )
+        provider_paths[path_index] = 'jceks://file{0}'.format(dest_provider_path)
+        # make a copy of the config dictionary since it is read-only
+        config_copy = config.copy()
+        config_copy[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME] = ','.join(provider_paths)
+        return config_copy
+  return config
+
 def validate_security_config_properties(params, configuration_rules):
   """
   Generic security configuration validation based on a set of rules and operations
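Review bot: In update_credential_provider_path, `provider_path[len('jceks://file'):]` drops the first twelve characters without checking that the entry really starts with `jceks://file`. An entry with a different scheme or authority (for example an HDFS-backed provider) whose basename matches config_type would therefore become a wrong local path and be handed to StaticFile. Guard the slice with `if not provider_path.startswith('jceks://file'): continue`, and consider `.strip()` on each entry, since the list is split on bare commas. The copy is written with mode 0640 and the caller-supplied group; if only the service account has to read the keystore, 0600 would narrow who can read the stored secrets, so it is worth confirming which processes need it. The docstring says "ACLs", but the code sets only owner, group and mode.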

http://git-wip-us.apache.org/repos/asf/ambari/blob/513aa1aa/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py
b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py
index 4ac3f8e..99980b3 100644
--- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py
+++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py
@@ -40,13 +40,12 @@ from resource_management.core.shell import quote_bash_args
 from resource_management.core.logger import Logger
 from resource_management.core import utils
 from resource_management.libraries.functions.setup_atlas_hook import has_atlas_in_cluster,
setup_atlas_hook
+from resource_management.libraries.functions.security_commons import update_credential_provider_path
 from ambari_commons.constants import SERVICE
 
 from ambari_commons.os_family_impl import OsFamilyFuncImpl, OsFamilyImpl
 from ambari_commons import OSConst
 
-
-
 @OsFamilyFuncImpl(os_family=OSConst.WINSRV_FAMILY)
 def hive(name=None):
   import params
@@ -222,6 +221,12 @@ def hive(name=None):
   for conf_dir in params.hive_conf_dirs_list:
     fill_conf_dir(conf_dir)
 
+  params.hive_site_config = update_credential_provider_path(params.hive_site_config,
+                                                     'hive-site',
+                                                     os.path.join(params.hive_conf_dir, 'hive-site.jceks'),
+                                                     params.hive_user,
+                                                     params.user_group
+                                                     )
   XmlConfig("hive-site.xml",
             conf_dir=params.hive_config_dir,
             configurations=params.hive_site_config,
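Review bot: The keystore destination is built from `params.hive_conf_dir`, but the hive-site.xml that will reference it is written with `conf_dir=params.hive_config_dir` on the lines just below. If those two params resolve to different directories (their definitions are not visible here), the server's configuration points at a credential file in another conf directory, whose permissions may be looser than the server's own. Either build the path as `os.path.join(params.hive_config_dir, 'hive-site.jceks')` or add a comment stating why hive_conf_dir is the intended location. hive() starts and ends outside this hunk.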

http://git-wip-us.apache.org/repos/asf/ambari/blob/513aa1aa/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py
b/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py
index 82bb301..0c38b0b 100644
--- a/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py
+++ b/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py
@@ -36,6 +36,7 @@ from resource_management.libraries.functions.oozie_prepare_war import prepare_wa
 from resource_management.libraries.functions.copy_tarball import get_current_version
 from resource_management.libraries.resources.xml_config import XmlConfig
 from resource_management.libraries.script.script import Script
+from resource_management.libraries.functions.security_commons import update_credential_provider_path
 from resource_management.core.resources.packaging import Package
 from resource_management.core.shell import as_user, as_sudo, call
 from resource_management.core.exceptions import Fail
@@ -50,7 +51,6 @@ from ambari_commons.inet_utils import download_file
 
 from resource_management.core import Logger
 
-
 @OsFamilyFuncImpl(os_family=OSConst.WINSRV_FAMILY)
 def oozie(is_server=False):
   import params
@@ -115,6 +115,14 @@ def oozie(is_server=False):
              owner = params.oozie_user,
              group = params.user_group
   )
+
+  params.oozie_site = update_credential_provider_path(params.oozie_site,
+                                                      'oozie-site',
+                                                      os.path.join(params.conf_dir, 'oozie-site.jceks'),
+                                                      params.oozie_user,
+                                                      params.user_group
+                                                      )
+
   XmlConfig("oozie-site.xml",
     conf_dir = params.conf_dir,
     configurations = params.oozie_site,
@@ -289,9 +297,15 @@ def oozie_server_specific():
         group = params.user_group
     )
     if 'hive-site' in params.config['configurations']:
+      hive_site_config = update_credential_provider_path(params.config['configurations']['hive-site'],
+                                                         'hive-site',
+                                                         os.path.join(params.hive_conf_dir,
'hive-site.jceks'),
+                                                         params.oozie_user,
+                                                         params.user_group
+                                                         )
       XmlConfig("hive-site.xml",
         conf_dir=params.hive_conf_dir,
-        configurations=params.config['configurations']['hive-site'],
+        configurations=hive_site_config,
         configuration_attributes=params.config['configuration_attributes']['hive-site'],
         owner=params.oozie_user,
         group=params.user_group,
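Review bot: Passing `params.oozie_user` as file_owner gives the Oozie account its own copy of the entire Hive credential store. Every alias in hive-site.jceks then becomes readable by Oozie and, through the 0640 mode set in update_credential_provider_path, by the shared user group. If that is intended, document it above the call, e.g. `# Copy of the Hive credential store for Oozie; owned by oozie_user, keep it non-world-readable`. It is also worth confirming that params.hive_conf_dir in this script is not the same path hive.py writes to, because the two scripts set different owners on `hive-site.jceks`. oozie_server_specific() starts and ends outside this hunk.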

