Subject: Re: Review Request 37690: Adding host via blueprint fails on secure cluster
From: "Robert Levas"
To: "Sid Wagle", "Larry McCay", "Robert Nettleton", "Jonathan Hurley"
Cc: "Robert Levas", "Ambari"
Date: Mon, 31 Aug 2015 22:36:29 -0000
Message-ID: <20150831223629.17241.555@reviews.apache.org>
In-Reply-To: <20150824132215.13583.5526@reviews.apache.org>
Delivered-To: mailing list dev@ambari.apache.org
X-ReviewRequest-URL: https://reviews.apache.org/r/37690/
X-ReviewRequest-Repository: ambari



> On Aug. 24, 2015, 9:22 a.m., Jonathan Hurley wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java, lines 958-974
> >
> > Instead of using a separate timer and single-threaded executor, could you use a Guice Cache that auto expires after the set amount of time? This would also let you vary the amount of time each entry lives in the store.
>
> Robert Levas wrote:
>     I like that idea... I am looking into implementing this now. Thanks!

Regarding a _Guice Cache_, are you referring to Google's Guava Cache (https://code.google.com/p/guava-libraries/wiki/CachesExplained) or something built into Guice?


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/37690/#review96142
-----------------------------------------------------------


On Aug. 21, 2015, 4:07 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/37690/
> -----------------------------------------------------------
>
> (Updated Aug. 21, 2015, 4:07 p.m.)
>
>
> Review request for Ambari, Jonathan Hurley, Larry McCay, Robert Nettleton, and Sid Wagle.
>
>
> Bugs: AMBARI-12772
>     https://issues.apache.org/jira/browse/AMBARI-12772
>
>
> Repository: ambari
>
>
> Description
> -------
>
> #STR
> Install cluster via blueprints
> Enable Kerberos security
> Add host via blueprints
>
> #Result
> Adding hosts freezes forever
> In ambari-server.log:
> ```
> The KDC administrator credentials must be set in session by updating the relevant Cluster resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the following payload:
> {
>   "session_attributes" : {
>     "kerberos_admin" : {"principal" : "(PRINCIPAL)", "password" : "(PASSWORD)"}
>   }
> ```
>
> #Cause
> This is caused because the KDC administrative credentials are not available when needed during the add host process. If set in the HTTP session, the credentials are not accessible since the Kerberos logic is executed outside the scope of that HTTP session.
>
> #Solution
> Store the KDC credentials to a _more secure_ global credential store that is accessible no matter what the context is. This storage facility is in-memory and has a retention period of 90 minutes. This solution refactors the current CredentialStoreService and MasterKeyService classes to allow for file-based and in-memory implementations. It also paves the way for future changes to allow for the KDC administrative credentials to be persisted indefinitely.
>
> *Note:* This patch is rather large due to refactoring the CredentialStoreService and related classes in an effort to make way for future features related to storing sensitive data.
>
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ef6fc58
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java cb9e6ca
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 708d267
>   ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialProvider.java 8351a99
>   ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStoreService.java 8ea7ca2
>   ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceImpl.java d93faec
>   ambari-server/src/main/java/org/apache/ambari/server/security/encryption/FileBasedCredentialStoreService.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/encryption/InMemoryCredentialStoreService.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/encryption/MasterKeyServiceImpl.java 219c14b
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosCredential.java 19997e7
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java 425aa06
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java 389f1b8
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java d3e3fa4
>   ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java 2a1ac3c
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 5d84fbc
>   ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialProviderTest.java 51f2220
>   ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceTest.java 0652a52
>   ambari-server/src/test/java/org/apache/ambari/server/security/encryption/MasterKeyServiceTest.java 993601b
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java 9ad3da6
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosCredentialTest.java 305b122
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java 44a68ae
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java 8fc5325
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java 8c096b0
>
> Diff: https://reviews.apache.org/r/37690/diff/
>
>
> Testing
> -------
>
> Manually tested the following on trunk and branch-2.1:
> - backwards compatibility with storing and retrieving the master key and key store data
> - adding a host on a non-kerberized cluster
> - adding a host on a kerberized cluster
> - credential retention timeout
>
> #Local test results:
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 49:19.549s
> [INFO] Finished at: Fri Aug 21 15:55:04 EDT 2015
> [INFO] Final Memory: 66M/1436M
> [INFO] ------------------------------------------------------------------------
>
>
> Thanks,
>
> Robert Levas
>
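The thread above discusses two things: the patch's in-memory KDC credential store with a fixed 90-minute retention, and the reviewer's suggestion to replace the timer-plus-executor with a cache that expires entries on its own (Google's Guava `Cache`, which is what the "Guice Cache" remark is asking about). The example below is an added illustration written for this page; it is not code from the patch or from Ambari's `InMemoryCredentialStoreService`. It assumes Guava is on the classpath; the class and method names (`ExpiringCredentialStore`, `Credential`, `FakeTicker`) are hypothetical, and the principal and password in `main` are constructed sample values. Beyond the thread's single fixed window it also shows two things a practitioner would want from such a store: an injectable clock so the timeout can be tested without sleeping, and a removal listener that overwrites the secret when Guava drops the entry.

```java
import com.google.common.base.Ticker;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.RemovalListener;
import com.google.common.cache.RemovalNotification;

import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;

/**
 * Hypothetical in-memory credential store with a fixed retention window,
 * built on a time-expiring Guava cache as suggested in the review.
 * Not Ambari's InMemoryCredentialStoreService.
 */
public class ExpiringCredentialStore {

    /** Hypothetical credential holder: principal plus a password that can be wiped. */
    public static final class Credential {
        private final String principal;
        private final char[] password;

        public Credential(String principal, char[] password) {
            this.principal = principal;
            this.password = password.clone();
        }

        public String getPrincipal() { return principal; }

        /** Callers get a copy; the stored array stays under the store's control. */
        public char[] getPassword() { return password.clone(); }

        /** Overwrite the secret so it does not linger on the heap after eviction. */
        void wipe() { Arrays.fill(password, '\0'); }
    }

    private final Cache<String, Credential> cache;

    /**
     * @param retention how long an entry lives after it is stored or re-stored
     * @param unit      unit of {@code retention}
     * @param ticker    time source; injectable so expiry can be tested deterministically
     */
    public ExpiringCredentialStore(long retention, TimeUnit unit, Ticker ticker) {
        this.cache = CacheBuilder.newBuilder()
                .expireAfterWrite(retention, unit)
                .ticker(ticker)
                // Wipe the password whenever Guava drops the entry, whether by
                // expiry or by an explicit invalidate().
                .removalListener(new RemovalListener<String, Credential>() {
                    @Override
                    public void onRemoval(RemovalNotification<String, Credential> n) {
                        if (n.getValue() != null) {
                            n.getValue().wipe();
                        }
                    }
                })
                .build();
    }

    /** Store (or refresh) the credential for a cluster; the retention clock restarts on each put. */
    public void put(String clusterName, Credential credential) {
        cache.put(clusterName, credential);
    }

    /**
     * Returns null once the retention window has elapsed. Callers must treat
     * null exactly like "credentials were never set" and fail the operation
     * with the same message the description quotes, rather than hanging.
     */
    public Credential get(String clusterName) {
        return cache.getIfPresent(clusterName);
    }

    /** Explicit removal, for example once the Kerberos operation has finished with the KDC. */
    public void remove(String clusterName) {
        cache.invalidate(clusterName);
    }

    /** Runs Guava's pending maintenance so expired entries are evicted (and wiped) now. */
    public void cleanUp() {
        cache.cleanUp();
    }

    /** Manually advanced clock for the demonstration. */
    static final class FakeTicker extends Ticker {
        private final AtomicLong nanos = new AtomicLong();
        @Override public long read() { return nanos.get(); }
        void advance(long amount, TimeUnit unit) { nanos.addAndGet(unit.toNanos(amount)); }
    }

    public static void main(String[] args) {
        FakeTicker ticker = new FakeTicker();
        ExpiringCredentialStore store = new ExpiringCredentialStore(90, TimeUnit.MINUTES, ticker);

        // Constructed sample values, not real credentials.
        store.put("c1", new Credential("admin/admin@EXAMPLE.COM", "example-password".toCharArray()));

        ticker.advance(89, TimeUnit.MINUTES);   // still inside the 90-minute window
        System.out.println("at 89 min, present: " + (store.get("c1") != null));

        ticker.advance(2, TimeUnit.MINUTES);    // now past the window
        store.cleanUp();
        System.out.println("at 91 min, present: " + (store.get("c1") != null));
    }
}
```

Two caveats worth knowing before relying on this shape. Guava does not run a background thread: an expired entry is evicted, and the removal listener fires, only during the cache's own maintenance, which happens on later reads and writes or on an explicit `cleanUp()`; if prompt wiping of the secret matters, schedule `cleanUp()` rather than assuming the password is gone the moment the window closes. And the store lives in one JVM's heap, so the credential is absent after a server restart and is not visible to a second Ambari server instance; that is the gap the description's "persisted indefinitely" follow-up work is about, and it is also why a heap dump of the server process must be treated as containing the KDC administrator password for the length of the retention window.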