ambari-dev mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-13214) Create a credentials resource used to securely set, update, and remove credentials used by Ambari
Date Thu, 01 Oct 2015 15:52:26 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-13214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-13214:
----------------------------------
    Description: 
Storage of the credentials is to be done using the existing _secure_ credentials provider
API which already exists within Ambari.  See {{org.apache.ambari.server.security.encryption.CredentialStoreService}}
and {{org.apache.ambari.server.security.encryption.CredentialStoreServiceImpl}}.

Credentials may be stored in either Ambari's persistent or temporary secure storage facilities.


*Test capabilities*
* Request 
{noformat}GET /api/v1/clusters/{CLUSTER_NAME}{noformat}
* Responses
{code:title=200 OK}
{
  ...
  "credential_store_properties" : {
    "storage.persistent" : "true",
    "storage.temporary" : "true"
  },
  ...
}
{code}

*Setting the credentials*
* Request 
{noformat}POST /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}{noformat}
{code:title=payload}
{
  "Credential" : {
    "principal" : "USERNAME",
    "key" : "SECRET",
    "type" : "persisted"
  }
}
{code}
Where:
** principal:  the principal (or username) part of the credential to store
** key: the secret key part of the credential to store
** type:  declares the storage facility type: persisted or temporary
* Responses
{code:title=200 OK}
<empty>
{code}
{code:title=400 Bad Request}
{
  "status": 400,
  "message": "Cannot persist credential in Ambari's secure credential store since secure storage has not yet be configured.  Use ambari-server setup-security to enable this feature."
}
{code}
{code:title=403 Forbidden}
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
{code}

*Updating the credentials*
* Request
{noformat}PUT /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}{noformat}
{code:title=payload}
{
  "Credential" : {
    "principal" : "USERNAME",
    "key" : "SECRET1",
    "type" : "persisted"
  }
}
{code}
Where:
** principal:  the principal (or username) part of the credential to store
** key: the secret key part of the credential to store
** type:  declares the storage facility type: persisted or temporary
* Responses
{code:title=200 OK}
<empty>
{code}
{code:title=400 Bad Request}
{
  "status": 400,
  "message": "Cannot persist credential in Ambari's secure credential store since secure storage has not yet be configured.  Use ambari-server setup-security to enable this feature."
}
{code}
{code:title=403 Forbidden}
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
{code}

*Removing the credentials*
* Request
{noformat}DELETE /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}{noformat}
* Responses
{code:title=200 OK}
<empty>
{code}
{code:title=404 Not Found}
{
  "status": 404,
  "message": "Not Found"
}
{code}
{code:title=403 Forbidden}
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
{code}

*Listing credentials*
* Request
{noformat}GET /api/v1/clusters/{CLUSTER_NAME}/credentials{noformat}
* Responses 
{code:title=200 OK}
{
  "href" : "http://host:8080/api/v1/clusters/c1/credentials",
  "items" : [
    {
      "href" : "http://host:8080/api/v1/clusters/c1/credentials/kdc.admin.credentials",
      "Credential" : {
        "alias" : "kdc.admin.credentials",
        "cluster_name" : "c1"
      }
    },
    {
      "href" : "http://host:8080/api/v1/clusters/c1/credentials/service.admin.credentials",
      "Credential" : {
        "alias" : "service.admin.credentials",
        "cluster_name" : "c1"
      }
    }
  ]
}
{code}
{code:title=404 Not Found}
{
  "status": 404,
  "message": "Not Found"
}
{code}
{code:title=403 Forbidden}
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
{code}

*Retrieving credentials*
* Request
{noformat}GET /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}{noformat}
* Responses 
{code:title=200 OK}
{
  "href" : "http://host:8080/api/v1/clusters/c1/credentials/kdc.admin.credentials",
  "Credential" : {
    "alias" : "kdc.admin.credentials",
    "cluster_name" : "c1",
    "type" : "persisted"
  }
}
{code}
{code:title=404 Not Found}
{
  "status": 404,
  "message": "Not Found"
}
{code}
{code:title=403 Forbidden}
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
{code}

  was:
Storage of the credentials is to be done using the existing _secure_ credentials provider
API which already exists within Ambari.  See {{org.apache.ambari.server.security.encryption.CredentialStoreService}}
and {{org.apache.ambari.server.security.encryption.CredentialStoreServiceImpl}}.

Credentials may be stored in either Ambari's persistent or temporary secure storage facilities.


*Test capabilities*
* Request 
{noformat}GET /api/v1/clusters/{CLUSTER_NAME}{noformat}
* Responses
{code:title=200 OK}
{
  ...
  "credential_store_properties" : {
    "storage.persistent" : "true",
    "storage.temporary" : "true"
  },
  ...
}
{code}

*Setting the credentials*
* Request 
{noformat}POST /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}{noformat}
{code:title=payload}
{
  "Credential" : {
    "principal" : "USERNAME",
    "key" : "SECRET",
    "persist" : true
  }
}
{code}
Where:
** principal:  the principal (or username) part of the credential to store
** key: the secret key part of the credential to store
** persist:  a boolean value indicating whether to store this credential in a persisted (true) or temporary (false) secure credential store
* Responses
{code:title=200 OK}
<empty>
{code}
{code:title=400 Bad Request}
{
  "status": 400,
  "message": "Cannot persist credential in Ambari's secure credential store since secure storage has not yet be configured.  Use ambari-server setup-security to enable this feature."
}
{code}
{code:title=403 Forbidden}
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
{code}

*Updating the credentials*
* Request
{noformat}PUT /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}{noformat}
{code:title=payload}
{
  "Credential" : {
    "principal" : "USERNAME",
    "key" : "SECRET1",
    "persist" : true
  }
}
{code}
Where:
** principal:  the principal (or username) part of the credential to store
** key: the secret key part of the credential to store
** persist:  a boolean value indicating whether to store this credential in a persisted (true) or temporary (false) secure credential store
* Responses
{code:title=200 OK}
<empty>
{code}
{code:title=400 Bad Request}
{
  "status": 400,
  "message": "Cannot persist credential in Ambari's secure credential store since secure storage has not yet be configured.  Use ambari-server setup-security to enable this feature."
}
{code}
{code:title=403 Forbidden}
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
{code}

*Removing the credentials*
* Request
{noformat}DELETE /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}{noformat}
* Responses
{code:title=200 OK}
<empty>
{code}
{code:title=404 Not Found}
{
  "status": 404,
  "message": "Not Found"
}
{code}
{code:title=403 Forbidden}
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
{code}

*Listing credentials*
* Request
{noformat}GET /api/v1/clusters/{CLUSTER_NAME}/credentials{noformat}
* Responses 
{code:title=200 OK}
{
  "href" : "http://host:8080/api/v1/clusters/c1/credentials",
  "items" : [
    {
      "href" : "http://host:8080/api/v1/clusters/c1/credentials/kdc.admin.credentials",
      "Credential" : {
        "alias" : "kdc.admin.credentials",
        "cluster_name" : "c1"
      }
    },
    {
      "href" : "http://host:8080/api/v1/clusters/c1/credentials/service.admin.credentials",
      "Credential" : {
        "alias" : "service.admin.credentials",
        "cluster_name" : "c1"
      }
    }
  ]
}
{code}
{code:title=404 Not Found}
{
  "status": 404,
  "message": "Not Found"
}
{code}
{code:title=403 Forbidden}
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
{code}

*Retrieving credentials*
* Request
{noformat}GET /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}{noformat}
* Responses 
{code:title=200 OK}
{
  "href" : "http://host:8080/api/v1/clusters/c1/credentials/kdc.admin.credentials",
  "Credential" : {
    "alias" : "kdc.admin.credentials",
    "cluster_name" : "c1",
    "persist" : true
  }
}
{code}
{code:title=404 Not Found}
{
  "status": 404,
  "message": "Not Found"
}
{code}
{code:title=403 Forbidden}
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
{code}


> Create a credentials resource used to securely set, update, and remove credentials used by Ambari
> -------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-13214
>                 URL: https://issues.apache.org/jira/browse/AMBARI-13214
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.3
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: security
>             Fix For: 2.1.3
>
>         Attachments: AMBARI-13214_branch-2.1_01.patch, AMBARI-13214_trunk_01.patch
>
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
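
An added example, not part of the original message or of Ambari's code: a client-side helper that reads the capabilities response described above, builds the set/update request with the `type` field, converts the earlier `persist` payload, and masks the secret before logging. The function names and the sample response are constructed for illustration, and the pre-check assumes that a storage flag of "false" corresponds to the 400 response shown in the message.

```python
import json
from urllib.parse import quote

# Constructed sample of the "Test capabilities" response (not from a real server).
SAMPLE_CLUSTER = {"credential_store_properties": {
    "storage.persistent": "false", "storage.temporary": "true"}}

TYPE_FOR_FLAG = {"storage.persistent": "persisted",
                 "storage.temporary": "temporary"}

def supported_types(cluster_doc):
    """Return the 'type' values the cluster advertises as available."""
    props = cluster_doc.get("credential_store_properties", {})
    # The flags arrive as the strings "true"/"false", not JSON booleans.
    return {t for flag, t in TYPE_FOR_FLAG.items()
            if str(props.get(flag, "")).lower() == "true"}

def upgrade_payload(old):
    """Convert the earlier {"persist": bool} payload to the {"type": ...} form."""
    cred = dict(old["Credential"])
    if "persist" in cred:
        cred["type"] = "persisted" if cred.pop("persist") else "temporary"
    return {"Credential": cred}

def build_request(cluster, alias, principal, key, ctype, cluster_doc, update=False):
    """Return (method, path, body); refuse before the secret leaves the client."""
    if ctype not in supported_types(cluster_doc):
        raise ValueError(f"storage type {ctype!r} is not enabled on this cluster")
    # Percent-encode both path segments so an alias cannot alter the resource path.
    path = "/api/v1/clusters/{}/credentials/{}".format(
        quote(cluster, safe=""), quote(alias, safe=""))
    body = {"Credential": {"principal": principal, "key": key, "type": ctype}}
    return ("PUT" if update else "POST", path, body)

def redact(body):
    """Copy of a payload that is safe to log: the secret 'key' is masked."""
    return {"Credential": dict(body["Credential"], key="***")}

if __name__ == "__main__":
    method, path, body = build_request(
        "c1", "kdc.admin.credentials", "USERNAME", "SECRET",
        "temporary", SAMPLE_CLUSTER)
    print(method, path, json.dumps(redact(body)))
```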
