Repository: ambari Updated Branches: refs/heads/trunk 3f7fdf501 -> 464e77f03
AMBARI-7460. Ambari needs to use password files instead of clear password in configuration file for LDAP password.
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/1591aaa4
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/1591aaa4
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/1591aaa4
Branch: refs/heads/trunk
Commit: 1591aaa48929bae9b54676b8b816411dd028a0f2
Parents: 3f7fdf5
Author: Siddharth Wagle <swa...@hortonworks.com>
Authored: Tue Sep 23 13:21:37 2014 -0700
Committer: Siddharth Wagle <swa...@hortonworks.com>
Committed: Tue Sep 23 15:34:01 2014 -0700
----------------------------------------------------------------------
.../ambari/server/configuration/Configuration.java | 14 ++++++++------
ambari-server/src/main/python/ambari-server.py | 14 +++++++++++++-
ambari-server/src/test/python/TestAmbariServer.py | 3 +--
3 files changed, 22 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/1591aaa4/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 9bdbc31..53d61e7 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -794,13 +794,15 @@ public class Configuration { LDAP_BIND_ANONYMOUSLY_DEFAULT))); ldapServerProperties.setManagerDn(properties.getProperty( LDAP_MANAGER_DN_KEY)); - String ldapPasswd = readPasswordFromStore(properties - .getProperty(LDAP_MANAGER_PASSWORD_KEY)); - if (ldapPasswd != null) { - ldapServerProperties.setManagerPassword(ldapPasswd); + String ldapPasswordProperty = properties.getProperty(LDAP_MANAGER_PASSWORD_KEY); + String ldapPassword = null; + if (CredentialProvider.isAliasString(ldapPasswordProperty)) { + ldapPassword = readPasswordFromStore(ldapPasswordProperty); + } + if (ldapPassword != null) { + ldapServerProperties.setManagerPassword(ldapPassword); } else { - ldapServerProperties.setManagerPassword(properties.getProperty - (LDAP_MANAGER_PASSWORD_KEY)); + ldapServerProperties.setManagerPassword(readPasswordFromFile(ldapPasswordProperty, "")); } ldapServerProperties.setBaseDN(properties.getProperty (LDAP_BASE_DN_KEY, LDAP_BASE_DN_DEFAULT)); http://git-wip-us.apache.org/repos/asf/ambari/blob/1591aaa4/ambari-server/src/main/python/ambari-server.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/python/ambari-server.py b/ambari-server/src/main/python/ambari-server.py index a99ad05..9059319 100755 --- a/ambari-server/src/main/python/ambari-server.py +++ b/ambari-server/src/main/python/ambari-server.py @@ -235,6 +235,7 @@ CLIENT_SECURITY_KEY = "client.security" IS_LDAP_CONFIGURED = "ambari.ldap.isConfigured" LDAP_MGR_PASSWORD_ALIAS = "ambari.ldap.manager.password" LDAP_MGR_PASSWORD_PROPERTY = "authentication.ldap.managerPassword" +LDAP_MGR_PASSWORD_FILENAME = "ldap-password.dat" LDAP_MGR_USERNAME_PROPERTY = "authentication.ldap.managerDn" SSL_TRUSTSTORE_PASSWORD_ALIAS = "ambari.ssl.trustStore.password" 
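Review bot: The fallback `ldapServerProperties.setManagerPassword(readPasswordFromFile(ldapPasswordProperty, ""));` passes an empty string as the default, so if readPasswordFromFile returns that default for an unset property or an unreadable path (its body is not in the hunk, so this is inferred), a missing ldap-password.dat no longer surfaces as a failure but as a bind with a manager DN and an empty password, which many directories treat as an unauthenticated/anonymous bind that appears to succeed. The old code fell back to the raw property value, so a legacy clear-text password left in ambari.properties is now silently interpreted as a file path as well. Consider logging at WARN, or failing configuration load, when the property is set but is neither an alias nor a readable file, and add a comment above the new block such as `// LDAP_MANAGER_PASSWORD_KEY holds either a credential-store alias or the path of a file containing the clear-text bind password`. The enclosing method starts and ends outside the hunk.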
@@ -549,6 +550,7 @@ NR_ADJUST_OWNERSHIP_LIST = [ ("/etc/ambari-server/conf", "644", "{0}", True), ("/etc/ambari-server/conf", "755", "{0}", False), ("/etc/ambari-server/conf/password.dat", "640", "{0}", False), + ("/etc/ambari-server/conf/ldap-password.dat", "640", "{0}", False), # Also, /etc/ambari-server/conf/password.dat # is generated later at store_password_file ] @@ -3260,6 +3262,8 @@ def setup_ldap(): # Persisting values ldap_property_value_map[IS_LDAP_CONFIGURED] = "true" + if mgr_password: + ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME) update_properties(properties, ldap_property_value_map) print 'Saving...done' @@ -3404,12 +3408,19 @@ def setup_master_key(): isSecure = get_is_secure(properties) (isPersisted, masterKeyFile) = get_is_persisted(properties) - # Read clear text password from file + # Read clear text DB password from file if not is_alias_string(db_password) and os.path.isfile(db_password): with open(db_password, 'r') as passwdfile: db_password = passwdfile.read() ldap_password = properties.get_property(LDAP_MGR_PASSWORD_PROPERTY) + + if ldap_password: + # Read clear text LDAP password from file + if not is_alias_string(ldap_password) and os.path.isfile(ldap_password): + with open(ldap_password, 'r') as passwdfile: + ldap_password = passwdfile.read() + ts_password = properties.get_property(SSL_TRUSTSTORE_PASSWORD_PROPERTY) resetKey = False masterKey = None @@ -3505,6 +3516,7 @@ def setup_master_key(): print 'Failed to save secure LDAP password.' else: propertyMap[LDAP_MGR_PASSWORD_PROPERTY] = get_alias_string(LDAP_MGR_PASSWORD_ALIAS) + remove_password_file(LDAP_MGR_PASSWORD_FILENAME) pass if ts_password and not is_alias_string(ts_password): http://git-wip-us.apache.org/repos/asf/ambari/blob/1591aaa4/ambari-server/src/test/python/TestAmbariServer.py ---------------------------------------------------------------------- 
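Review bot: In the new `if mgr_password:` branch the clear-text bind password is written to disk by `store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME)`, and nothing in the hunk shows the mode the file is created with; the 640 entry added to NR_ADJUST_OWNERSHIP_LIST in the earlier hunk is applied only when that list is processed, so if store_password_file relies on the process umask there may be a window in which the file is readable by other local users. Confirm that store_password_file creates the file with a restrictive mode before writing (or chmod it right after the call) and record that in a comment, e.g. `# clear-text bind password is kept in conf/ldap-password.dat (0640) until setup-security moves it into the credential store`. When mgr_password is empty the property is not touched, so a file path from an earlier run appears to stay referenced; a comment stating that this is intended, or an explicit reset, would help. setup_ldap starts outside the hunk.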
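Review bot: The new LDAP branch reads the file with `ldap_password = passwdfile.read()` and stores the result verbatim, so any trailing newline in ldap-password.dat becomes part of the password moved into the credential store; whether the Java reader in Configuration.java (earlier hunk) trims the file content is not visible here, and if the two sides disagree the store and the file would hold different passwords. Confirm the exact bytes store_password_file writes and trim consistently on both sides, or document the file format in a comment next to the read. The three nested conditions also collapse into one guard: `if ldap_password and not is_alias_string(ldap_password) and os.path.isfile(ldap_password):`. setup_master_key continues outside the hunk.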
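Review bot: `remove_password_file(LDAP_MGR_PASSWORD_FILENAME)` removes only the default file name, while the read added in the `@@ -3404` hunk accepts whatever path is stored in LDAP_MGR_PASSWORD_PROPERTY; if that property pointed at a different file, the clear-text password file would outlive its migration into the credential store. Consider keeping the path before it is overwritten by the file contents, e.g. `ldap_password_file = ldap_password` just before the file is opened, and removing that path here, assuming remove_password_file can take a path. The `pass` after the new call is redundant and can be dropped. setup_master_key ends outside the hunk.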
diff --git a/ambari-server/src/test/python/TestAmbariServer.py b/ambari-server/src/test/python/TestAmbariServer.py index 421cde7..7f769f1 100644 --- a/ambari-server/src/test/python/TestAmbariServer.py +++ b/ambari-server/src/test/python/TestAmbariServer.py @@ -4741,8 +4741,7 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV "authentication.ldap.groupMembershipAttr": "test", "authentication.ldap.groupNamingAttr": "test", "client.security": "ldap", \ - ambari_server.LDAP_MGR_PASSWORD_PROPERTY: ambari_server.get_alias_string( \ - ambari_server.LDAP_MGR_PASSWORD_ALIAS), + ambari_server.LDAP_MGR_PASSWORD_PROPERTY: "ldap-password.dat", "ambari.ldap.isConfigured": "true" }