Repository: ambari Updated Branches: refs/heads/trunk a619219ff -> 0800415ca
AMBARI-7658. Fix warning when using HTTPS_ONLY for secured DN (dlysnichenko) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/0800415c Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/0800415c Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/0800415c Branch: refs/heads/trunk Commit: 0800415cacf997914941a3465914cf55bf2c573c Parents: a619219 Author: Lisnichenko Dmitro <dlysniche...@hortonworks.com> Authored: Mon Oct 6 19:17:46 2014 +0300 Committer: Lisnichenko Dmitro <dlysniche...@hortonworks.com> Committed: Mon Oct 6 22:23:04 2014 +0300 ---------------------------------------------------------------------- .../stacks/HDP/2.2/services/stack_advisor.py | 5 +- .../stacks/2.2/common/test_stack_advisor.py | 137 ++++++++++++++++--- 2 files changed, 121 insertions(+), 21 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/0800415c/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py
index 3f1faf7..19b1065 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py
@@ -101,10 +101,9 @@ class HDP22StackAdvisor(HDP21StackAdvisor):
 # determine whether we use secure ports
 address_properties_with_warnings = []
 if dfs_http_policy_value == HTTPS_ONLY:
- any_privileged_ports_are_in_use = privileged_dfs_dn_port or privileged_dfs_https_port
- if any_privileged_ports_are_in_use:
+ if not privileged_dfs_dn_port and (privileged_dfs_https_port or datanode_https_address not in hdfs_site):
 important_properties = [dfs_datanode_address, datanode_https_address]
- message = "You set up datanode to use some non-secure ports, but {0} is set to {1}. " \
+ message = "You set up datanode to use some non-secure ports. " \
 "If you want to run Datanode under non-root user in a secure cluster, " \
 "you should set all these properties {2} " \
 "to use non-secure ports (if property {3} does not exist, " \
http://git-wip-us.apache.org/repos/asf/ambari/blob/0800415c/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
index 7d29ca8..3d6b2e6 100644
--- a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
+++ b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
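Review bot: The new condition `if not privileged_dfs_dn_port and (privileged_dfs_https_port or datanode_https_address not in hdfs_site):` carries the whole HTTPS_ONLY port policy in one uncommented expression. Under it a privileged `dfs.datanode.address` never warns, whatever the HTTPS port is (the 1019/50475 test in this commit expects `[]`), and a missing `dfs.datanode.https.address` is reported only when the data port is unprivileged. A comment above it would record the intent, for example `# unprivileged data port means a non-root DataNode: the HTTPS port must then be set explicitly and be unprivileged as well`; that reading is inferred from the tests, so please confirm it. The shortened message now begins at `{2}` because `{0}` and `{1}` were removed, so the `.format(...)` call, which lies outside this hunk, presumably still passes two unused arguments; renumbering to `{0}`/`{1}` and dropping them would keep the string and the call in step.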
@@ -113,12 +113,64 @@ class TestHDP22StackAdvisor(TestCase): validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) self.assertEquals(validation_problems, expected) - # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, secure ports + # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, https address not defined + properties = { # hdfs-site + 'dfs.http.policy': 'HTTPS_ONLY', + 'dfs.datanode.address': '0.0.0.0:1019', + } + configurations = { + 'hdfs-site': { + 'properties': properties, + }, + 'core-site': { + 'properties': secure_cluster_core_site + } + } + expected = [ ] + validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) + self.assertEquals(validation_problems, expected) + + # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, https address defined and secure + properties = { # hdfs-site + 'dfs.http.policy': 'HTTPS_ONLY', + 'dfs.datanode.address': '0.0.0.0:1019', + 'dfs.datanode.https.address': '0.0.0.0:1022', + } + configurations = { + 'hdfs-site': { + 'properties': properties, + }, + 'core-site': { + 'properties': secure_cluster_core_site + } + } + expected = [] + validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) + self.assertEquals(validation_problems, expected) + + # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, https address defined and non secure properties = { # hdfs-site 'dfs.http.policy': 'HTTPS_ONLY', 'dfs.datanode.address': '0.0.0.0:1019', 'dfs.datanode.https.address': '0.0.0.0:50475', + } + configurations = { + 'hdfs-site': { + 'properties': properties, + }, + 'core-site': { + 'properties': secure_cluster_core_site + } } + expected = [] + validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) + self.assertEquals(validation_problems, expected) + + # TEST CASE: Secure cluster, 
dfs.http.policy=HTTPS_ONLY, non secure dfs port, https property not defined + properties = { # hdfs-site + 'dfs.http.policy': 'HTTPS_ONLY', + 'dfs.datanode.address': '0.0.0.0:50010', + } configurations = { 'hdfs-site': { 'properties': properties, 
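Review bot: Every added case rebuilds the same `configurations` dict around `properties` and `secure_cluster_core_site`, which buries the only thing that varies between cases, the two port values. A small local helper, e.g. `def hdfs_conf(props): return {'hdfs-site': {'properties': props}, 'core-site': {'properties': secure_cluster_core_site}}`, would let each case read as one row of the port matrix. The same applies to the next hunk (`@@ -130,31 +182,80 @@`), where the expected warning text is spelled out four times with different line wrapping; building it once from a shared string would turn a future wording change into a single edit. The enclosing test method starts and ends outside both hunks.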
@@ -130,31 +182,80 @@ class TestHDP22StackAdvisor(TestCase): expected = [{'config-name': 'dfs.datanode.address', 'config-type': 'hdfs-site', 'level': 'WARN', - 'message': "You set up datanode to use some non-secure ports, " - "but dfs.http.policy is set to HTTPS_ONLY. If you " - "want to run Datanode under non-root user in a secure" - " cluster, you should set all these properties ['dfs.datanode.address', 'dfs.datanode.https.address'] " - "to use non-secure ports (if property dfs.datanode.https.address does not exist, just add it)." - " You may also set up property dfs.data.transfer.protection ('authentication' is a good default value). " - "Also, set up WebHDFS with SSL as described in manual in order to be able to use HTTPS.", + 'message': "You set up datanode to use some non-secure ports. " + "If you want to run Datanode under non-root user in " + "a secure cluster, you should set all these properties " + "['dfs.datanode.address', 'dfs.datanode.https.address'] " + "to use non-secure ports (if property " + "dfs.datanode.https.address does not exist, just add it). " + "You may also set up property dfs.data.transfer.protection " + "('authentication' is a good default value). Also, set up " + "WebHDFS with SSL as described in manual in order to " + "be able to use HTTPS.", 'type': 'configuration'}, {'config-name': 'dfs.datanode.https.address', 'config-type': 'hdfs-site', 'level': 'WARN', - 'message': "You set up datanode to use some non-secure ports, " - "but dfs.http.policy is set to HTTPS_ONLY. If you " - "want to run Datanode under non-root user in a secure" - " cluster, you should set all these properties ['dfs.datanode.address', 'dfs.datanode.https.address'] " - "to use non-secure ports (if property dfs.datanode.https.address does not exist, just add it)." - " You may also set up property dfs.data.transfer.protection ('authentication' is a good default value). 
" - "Also, set up WebHDFS with SSL as described in manual in order to be able to use HTTPS.", + 'message': "You set up datanode to use some non-secure ports. " + "If you want to run Datanode under non-root user in " + "a secure cluster, you should set all these properties " + "['dfs.datanode.address', 'dfs.datanode.https.address'] " + "to use non-secure ports (if property dfs.datanode.https.address " + "does not exist, just add it). You may also set up property " + "dfs.data.transfer.protection ('authentication' is a good default value). " + "Also, set up WebHDFS with SSL as described in manual in " + "order to be able to use HTTPS.", 'type': 'configuration'} - ] + ] validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) self.assertEquals(validation_problems, expected) - # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, valid configuration + # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, non secure dfs port, https defined and secure + properties = { # hdfs-site + 'dfs.http.policy': 'HTTPS_ONLY', + 'dfs.datanode.address': '0.0.0.0:50010', + 'dfs.datanode.https.address': '0.0.0.0:1022', + } + configurations = { + 'hdfs-site': { + 'properties': properties, + }, + 'core-site': { + 'properties': secure_cluster_core_site + } + } + expected = [{'config-name': 'dfs.datanode.address', + 'config-type': 'hdfs-site', + 'level': 'WARN', + 'message': "You set up datanode to use some non-secure ports. " + "If you want to run Datanode under non-root user in " + "a secure cluster, you should set all these properties " + "['dfs.datanode.address', 'dfs.datanode.https.address'] " + "to use non-secure ports (if property dfs.datanode.https.address " + "does not exist, just add it). You may also set up property " + "dfs.data.transfer.protection ('authentication' is a good " + "default value). 
Also, set up WebHDFS with SSL as described " + "in manual in order to be able to use HTTPS.", + 'type': 'configuration'}, + {'config-name': 'dfs.datanode.https.address', + 'config-type': 'hdfs-site', + 'level': 'WARN', + 'message': "You set up datanode to use some non-secure ports. " + "If you want to run Datanode under non-root user in " + "a secure cluster, you should set all these properties " + "['dfs.datanode.address', 'dfs.datanode.https.address'] " + "to use non-secure ports (if property dfs.datanode.https.address " + "does not exist, just add it). You may also set up property " + "dfs.data.transfer.protection ('authentication' is a good default value). " + "Also, set up WebHDFS with SSL as described in manual in order to be " + "able to use HTTPS.", + 'type': 'configuration'} + ] + validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) + self.assertEquals(validation_problems, expected) + + # TEST CASE: Secure cluster, dfs.http.policy=HTTPS_ONLY, valid non-root configuration properties = { # hdfs-site 'dfs.http.policy': 'HTTPS_ONLY', 'dfs.datanode.address': '0.0.0.0:50010', @@ -173,7 +274,7 @@ class TestHDP22StackAdvisor(TestCase): validation_problems = self.stackAdvisor.validateHDFSConfigurations(properties, recommendedDefaults, configurations) self.assertEquals(validation_problems, expected) - # TEST CASE: Secure cluster, dfs.http.policy=HTTP_ONLY, insecure ports + # TEST CASE: Secure cluster, dfs.http.policy=HTTP_ONLY, insecure port properties = { # hdfs-site 'dfs.http.policy': 'HTTP_ONLY', 'dfs.datanode.address': '0.0.0.0:1019',