Mailing-List: contact commits-help@ambari.apache.org; run by ezmlm
Precedence: bulk
Reply-To: ambari-dev@ambari.apache.org
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: ncole@apache.org
To: commits@ambari.apache.org
Date: Wed, 29 Mar 2017 22:41:05 -0000
Message-Id: <04cd3cbb8c7c4061bcea617f9c187b6b@git.apache.org>
In-Reply-To: <64b914f1d34c4628a2ec80942086fadd@git.apache.org>
References: <64b914f1d34c4628a2ec80942086fadd@git.apache.org>
Subject: [47/50] [abbrv] ambari git commit: AMBARI-20600 : AMS grafana restart
 fails with ssl error after upgrading from 2.4.2.0. (avijayan)
archived-at: Wed, 29 Mar 2017 22:40:25 -0000

AMBARI-20600 : AMS grafana restart fails with ssl error after upgrading from 2.4.2.0. (avijayan)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/efa0b5da
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/efa0b5da
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/efa0b5da

Branch: refs/heads/branch-feature-AMBARI-12556
Commit: efa0b5dabb07dbd1d917877c945306f60e370dcb
Parents: 5a78a93
Author: Aravindan Vijayan <avijayan@hortonworks.com>
Authored: Wed Mar 29 14:20:17 2017 -0700
Committer: Aravindan Vijayan <avijayan@hortonworks.com>
Committed: Wed Mar 29 14:20:17 2017 -0700

----------------------------------------------------------------------
 ambari-common/src/main/python/ambari_commons/network.py  |  2 ++
 .../0.1.0/configuration/ams-grafana-ini.xml              | 11 +++++++++++
 .../0.1.0/package/scripts/metrics_grafana_util.py        |  8 ++++----
 .../AMBARI_METRICS/0.1.0/package/scripts/params.py       |  1 +
 4 files changed, 18 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/efa0b5da/ambari-common/src/main/python/ambari_commons/network.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/ambari_commons/network.py b/ambari-common/src/main/python/ambari_commons/network.py
index 6ab92b2..4c589f3 100644
--- a/ambari-common/src/main/python/ambari_commons/network.py
+++ b/ambari-common/src/main/python/ambari_commons/network.py
@@ -53,12 +53,14 @@ def get_http_connection(host, port, https_enabled=False, ca_certs=None):
 
 def check_ssl_certificate_and_return_ssl_version(host, port, ca_certs):
   try:
+    # Try with TLSv1 first.
     ssl_version = ssl.PROTOCOL_TLSv1
     ssl.get_server_certificate((host, port), ssl_version=ssl_version, ca_certs=ca_certs)
   except ssl.SSLError as ssl_error:
     print_warning_msg("Failed to verify the SSL certificate for https://{0}:{1} with CA certificate in {2} using ssl.PROTOCOL_TLSv1."
                       " Trying to use less secure ssl.PROTOCOL_SSLv23. Error : {3}".format(host, port, ca_certs, str(ssl_error)))
     try:
+      # Try with SSLv23 only if TLSv1 failed.
       ssl_version = ssl.PROTOCOL_SSLv23
       ssl.get_server_certificate((host, port), ssl_version=ssl_version, ca_certs=ca_certs)
     except ssl.SSLError as ssl_error:

http://git-wip-us.apache.org/repos/asf/ambari/blob/efa0b5da/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml
index ee0a4ad..90ff540 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml
+++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml
@@ -46,6 +46,17 @@
     <on-ambari-upgrade add="true"/>
   </property>
   <property>
+    <name>ca_cert</name>
+    <value></value>
+    <description>Path to CA root certificate or bundle to be used to validate the Grafana certificate against.
+      For self signed certificates, this value can be the same as the value for 'cert_file'.
+      (If a path is not specified, the certificate validation is skipped)</description>
+    <value-attributes>
+      <empty-value-valid>true</empty-value-valid>
+    </value-attributes>
+    <on-ambari-upgrade add="true"/>
+  </property>
+  <property>
     <name>content</name>
     <display-name>ams-grafana-ini template</display-name>
     <value>

http://git-wip-us.apache.org/repos/asf/ambari/blob/efa0b5da/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py
index c8d532f..06a4518 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py
+++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py
@@ -50,7 +50,7 @@ def perform_grafana_get_call(url, server):
   ca_certs = None
   if grafana_https_enabled:
     import params
-    ca_certs = params.ams_grafana_cert_file
+    ca_certs = params.ams_grafana_ca_cert
 
   for i in xrange(0, GRAFANA_CONNECT_TRIES):
     try:
@@ -90,7 +90,7 @@ def perform_grafana_put_call(url, id, payload, server):
   ca_certs = None
   if grafana_https_enabled:
     import params
-    ca_certs = params.ams_grafana_cert_file
+    ca_certs = params.ams_grafana_ca_cert
 
   for i in xrange(0, GRAFANA_CONNECT_TRIES):
     try:
@@ -125,7 +125,7 @@ def perform_grafana_post_call(url, payload, server):
   ca_certs = None
   if grafana_https_enabled:
     import params
-    ca_certs = params.ams_grafana_cert_file
+    ca_certs = params.ams_grafana_ca_cert
 
   for i in xrange(0, GRAFANA_CONNECT_TRIES):
     try:
@@ -167,7 +167,7 @@ def perform_grafana_delete_call(url, server):
   ca_certs = None
   if grafana_https_enabled:
     import params
-    ca_certs = params.ams_grafana_cert_file
+    ca_certs = params.ams_grafana_ca_cert
 
   for i in xrange(0, GRAFANA_CONNECT_TRIES):
     try:

http://git-wip-us.apache.org/repos/asf/ambari/blob/efa0b5da/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py
index 1733b19..919f26d 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py
@@ -172,6 +172,7 @@ ams_grafana_port = default("/configurations/ams-grafana-ini/port", 3000)
 ams_grafana_protocol = default("/configurations/ams-grafana-ini/protocol", 'http')
 ams_grafana_cert_file = default("/configurations/ams-grafana-ini/cert_file", '/etc/ambari-metrics/conf/ams-grafana.crt')
 ams_grafana_cert_key = default("/configurations/ams-grafana-ini/cert_key", '/etc/ambari-metrics/conf/ams-grafana.key')
+ams_grafana_ca_cert = default("/configurations/ams-grafana-ini/ca_cert", None)
 
 ams_hbase_home_dir = "/usr/lib/ams-hbase/"