AMBARI-9209. Add the ability to append a random value to values in LDAP 
attributes when generating principals in Active Directory (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/9f291484
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/9f291484
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/9f291484

Branch: refs/heads/2.0-preview
Commit: 9f291484ae3764975e3f3f2c616288454bca41c5
Parents: ae82067
Author: Robert Levas <rle...@hortonworks.com>
Authored: Wed Jan 21 11:20:30 2015 -0500
Committer: Yusaku Sako <yus...@hortonworks.com>
Committed: Wed Jan 21 12:21:26 2015 -0800

----------------------------------------------------------------------
 .../kerberos/ADKerberosOperationHandler.java    | 161 +++++-----
 .../kerberos/DeconstructedPrincipal.java        | 201 +++++++++++++
 .../kerberos/KerberosOperationHandler.java      |  10 +-
 .../1.10.3-10/configuration/kerberos-env.xml    |  16 +-
 .../ADKerberosOperationHandlerTest.java         | 301 +++++++++++--------
 .../kerberos/DeconstructedPrincipalTest.java    | 113 +++++++
 6 files changed, 582 insertions(+), 220 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/9f291484/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
index 20f7e60..b5de64f 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
@@ -21,7 +21,7 @@ package org.apache.ambari.server.serveraction.kerberos;
 
 import com.google.common.reflect.TypeToken;
 import com.google.gson.Gson;
-import org.apache.ambari.server.utils.StageUtils;
+import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.velocity.VelocityContext;
@@ -42,8 +42,6 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Properties;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 /**
  * Implementation of <code>KerberosOperationHandler</code> to created 
principal in Active Directory
@@ -52,15 +50,6 @@ public class ADKerberosOperationHandler extends 
KerberosOperationHandler {
 
   private static Log LOG = LogFactory.getLog(ADKerberosOperationHandler.class);
 
-  /**
-   * Regular expression to parse the different principal formats:
-   * primary/instance@REALM
-   * primary@REALM
-   * primary/instance
-   * primary
-   */
-  private static Pattern PATTERN_PRINCIPAL = Pattern.compile("^(([^ 
/@]+)(?:/([^ /@]+))?)(?:@(.+)?)?$");
-
   private static final String LDAP_CONTEXT_FACTORY_CLASS = 
"com.sun.jndi.ldap.LdapCtxFactory";
 
   public final static String KERBEROS_ENV_LDAP_URL = "ldap_url";
@@ -213,27 +202,14 @@ public class ADKerberosOperationHandler extends 
KerberosOperationHandler {
     if (principal == null) {
       throw new KerberosOperationException("principal is null");
     }
-    NamingEnumeration<SearchResult> searchResultEnum = null;
+
+    DeconstructedPrincipal deconstructPrincipal = 
deconstructPrincipal(principal);
+
     try {
-      searchResultEnum = ldapContext.search(
-          principalContainerDn,
-          "(userPrincipalName=" + principal + ")",
-          searchControls);
-      if (searchResultEnum.hasMore()) {
-        return true;
-      }
+      return (findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal()) 
!= null);
     } catch (NamingException ne) {
       throw new KerberosOperationException("can not check if principal exists: 
" + principal, ne);
-    } finally {
-      try {
-        if (searchResultEnum != null) {
-          searchResultEnum.close();
-        }
-      } catch (NamingException ne) {
-        // ignore, we can not do anything about it
-      }
     }
-    return false;
   }
 
   /**
@@ -262,31 +238,24 @@ public class ADKerberosOperationHandler extends 
KerberosOperationHandler {
     }
 
     // TODO: (rlevas) pass components and realm in separately (AMBARI-9122)
-    String realm = null;
-    String principal_primary = null;
-    String principal_instance = null;
-
-    Matcher matcher = PATTERN_PRINCIPAL.matcher(principal);
-    if (matcher.matches()) {
-      principal = matcher.group(1);
-      principal_primary = matcher.group(2);
-      principal_instance = matcher.group(3);
-      realm = matcher.group(4);
-    }
+    DeconstructedPrincipal deconstructedPrincipal = 
deconstructPrincipal(principal);
 
-    if ((realm == null) || realm.isEmpty()) {
-      realm = getDefaultRealm();
+    String realm = deconstructedPrincipal.getRealm();
+    if (realm == null) {
+      realm = "";
     }
 
     Map<String, Object> context = new HashMap<String, Object>();
-    context.put("principal", principal);
-    context.put("principal_primary", principal_primary);
-    context.put("principal_instance", principal_instance);
+    context.put("normalized_principal", 
deconstructedPrincipal.getNormalizedPrincipal());
+    context.put("principal_name", deconstructedPrincipal.getPrincipalName());
+    context.put("principal_primary", deconstructedPrincipal.getPrimary());
+    context.put("principal_instance", deconstructedPrincipal.getInstance());
     context.put("realm", realm);
-    context.put("realm_lowercase", (realm == null) ? null : 
realm.toLowerCase());
+    context.put("realm_lowercase", realm.toLowerCase());
     context.put("password", password);
     context.put("is_service", service);
     context.put("container_dn", this.principalContainerDn);
+    context.put("principal_digest", 
DigestUtils.sha1Hex(deconstructedPrincipal.getNormalizedPrincipal()));
 
     Map<String, Object> data = processCreateTemplate(context);
 
@@ -300,13 +269,11 @@ public class ADKerberosOperationHandler extends 
KerberosOperationHandler {
 
         if ("unicodePwd".equals(key)) {
           if (value instanceof String) {
-            Attribute passwordAttr = new BasicAttribute("unicodePwd");  // 
password
             try {
-              passwordAttr.add(((String) value).getBytes("UTF-16LE"));
+              attributes.put(new BasicAttribute("unicodePwd", 
String.format("\"%s\"", password).getBytes("UTF-16LE")));
             } catch (UnsupportedEncodingException ue) {
               throw new KerberosOperationException("Can not encode password 
with UTF-16LE", ue);
             }
-            attributes.put(passwordAttr);
           }
         } else {
           Attribute attribute = new BasicAttribute(key);
@@ -327,7 +294,7 @@ public class ADKerberosOperationHandler extends 
KerberosOperationHandler {
     }
 
     if (cn == null) {
-      cn = String.format("%s@%s", principal, realm);
+      cn = deconstructedPrincipal.getNormalizedPrincipal();
     }
     try {
       Name name = new CompositeName().add(String.format("cn=%s,%s", cn, 
principalContainerDn));
@@ -359,26 +326,27 @@ public class ADKerberosOperationHandler extends 
KerberosOperationHandler {
     if (password == null) {
       throw new KerberosOperationException("principal password is null");
     }
+
+    DeconstructedPrincipal deconstructPrincipal = 
deconstructPrincipal(principal);
+
     try {
-      if (!principalExists(principal)) {
-        throw new KerberosOperationException("principal not found : " + 
principal);
+      String dn = 
findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal());
+
+      if (dn != null) {
+        ldapContext.modifyAttributes(dn,
+            new ModificationItem[]{
+                new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new 
BasicAttribute("unicodePwd", String.format("\"%s\"", 
password).getBytes("UTF-16LE")))
+            }
+        );
+      } else {
+        throw new KerberosOperationException(String.format("Can not set 
password for principal %s: Not Found", principal));
       }
-    } catch (KerberosOperationException e) {
-      e.printStackTrace();
-    }
-    try {
-      ModificationItem[] mods = new ModificationItem[1];
-      String quotedPasswordVal = "\"" + password + "\"";
-      mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
-          new BasicAttribute("UnicodePwd", 
quotedPasswordVal.getBytes("UTF-16LE")));
-      ldapContext.modifyAttributes(
-          new CompositeName().add("cn=" + principal + "," + 
principalContainerDn),
-          mods);
-    } catch (NamingException ne) {
-      throw new KerberosOperationException("Can not set password for principal 
: " + principal, ne);
-    } catch (UnsupportedEncodingException ue) {
-      throw new KerberosOperationException("Unsupported encoding UTF-16LE", 
ue);
+    } catch (NamingException e) {
+      throw new KerberosOperationException(String.format("Can not set password 
for principal %s: %s", principal, e.getMessage()), e);
+    } catch (UnsupportedEncodingException e) {
+      throw new KerberosOperationException("Unsupported encoding UTF-16LE", e);
     }
+
     return 0;
   }
 
@@ -399,18 +367,17 @@ public class ADKerberosOperationHandler extends 
KerberosOperationHandler {
     if (principal == null) {
       throw new KerberosOperationException("principal is null");
     }
+
+    DeconstructedPrincipal deconstructPrincipal = 
deconstructPrincipal(principal);
+
     try {
-      if (!principalExists(principal)) {
-        return false;
+      String dn = 
findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal());
+
+      if (dn != null) {
+        ldapContext.destroySubcontext(dn);
       }
-    } catch (KerberosOperationException e) {
-      e.printStackTrace();
-    }
-    try {
-      Name name = new CompositeName().add("cn=" + principal + "," + 
principalContainerDn);
-      ldapContext.destroySubcontext(name);
-    } catch (NamingException ne) {
-      throw new KerberosOperationException("Can not remove principal: " + 
principal);
+    } catch (NamingException e) {
+      throw new KerberosOperationException(String.format("Can not remove 
principal %s: %s", principal, e.getMessage()), e);
     }
 
     return true;
@@ -531,14 +498,14 @@ public class ADKerberosOperationHandler extends 
KerberosOperationHandler {
     if ((createTemplate == null) || createTemplate.isEmpty()) {
       template = "{" +
           "\"objectClass\": [\"top\", \"person\", \"organizationalPerson\", 
\"user\"]," +
-          "\"cn\": \"$principal\"," +
+          "\"cn\": \"$principal_name\"," +
           "#if( $is_service )" +
-          "  \"servicePrincipalName\": \"$principal\"," +
+          "  \"servicePrincipalName\": \"$principal_name\"," +
           "#end" +
-          "\"userPrincipalName\": \"$principal@$realm.toLowerCase()\"," +
-          "\"unicodePwd\": \"\\\"$password\\\"\"," +
+          "\"userPrincipalName\": \"$normalized_principal.toLowerCase()\"," +
+          "\"unicodePwd\": \"$password\"," +
           "\"accountExpires\": \"0\"," +
-          "\"userAccountControl\": \"512\"" +
+          "\"userAccountControl\": \"66048\"" +
           "}";
     } else {
       template = createTemplate;
@@ -566,4 +533,34 @@ public class ADKerberosOperationHandler extends 
KerberosOperationHandler {
     return data;
   }
 
+  private String findPrincipalDN(String normalizedPrincipal) throws 
NamingException, KerberosOperationException {
+    String dn = null;
+
+    if (normalizedPrincipal != null) {
+      NamingEnumeration<SearchResult> results = null;
+
+      try {
+        results = ldapContext.search(
+            principalContainerDn,
+            String.format("(userPrincipalName=%s)", normalizedPrincipal),
+            searchControls
+        );
+
+        if ((results != null) && results.hasMore()) {
+          SearchResult result = results.next();
+          dn = result.getNameInNamespace();
+        }
+      } finally {
+        try {
+          if (results != null) {
+            results.close();
+          }
+        } catch (NamingException ne) {
+          // ignore, we can not do anything about it
+        }
+      }
+    }
+
+    return dn;
+  }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/9f291484/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipal.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipal.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipal.java
new file mode 100644
index 0000000..f5d8156
--- /dev/null
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipal.java
@@ -0,0 +1,201 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.serveraction.kerberos;
+
+import javax.annotation.Nullable;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * DeconstructedPrincipal manages the different parts of a principal and can 
be used to get a
+ * normalized principal value
+ * <p/>
+ * A "normalized" principal has the following forms:
+ * <ul>
+ * <li>primary/instance@realm</li>
+ * <li>primary@realm</li>
+ * </ul>
+ * <p/>
+ * This class will create a DeconstructedPrincipal from a String containing a 
principal using
+ * {@link DeconstructedPrincipal#valueOf(String, String)}
+ */
+class DeconstructedPrincipal {
+  /**
+   * Regular expression to parse the different principal formats:
+   * <ul>
+   * <li>primary/instance@REALM</li>
+   * <li>primary@REALM</li>
+   * <li>primary/instance</li>
+   * <li>primary</li>
+   * </ul>
+   */
+  private static Pattern PATTERN_PRINCIPAL = Pattern.compile("^([^ 
/@]+)(?:/([^ /@]+))?(?:@(.+)?)?$");
+
+  /**
+   * A String containing the "primary" component of a principal
+   */
+  private final String primary;
+
+  /**
+   * A String containing the "instance" component of a principal
+   */
+  private final String instance;
+
+  /**
+   * A String containing the "realm" component of a principal
+   */
+  private final String realm;
+
+  /**
+   * A String containing the principal name portion of the principal.
+   * The principal name is the combination of the primary and instance 
components.
+   * This value is generated using the primary, instance, and realm components.
+   */
+  private final String principalName;
+
+  /**
+   * A String containing the complete normalized principal
+   * The normalized principal is the combination of the primary, instance, and 
realm components.
+   * This value is generated using the primary, instance, and realm components.
+   */
+  private final String normalizedPrincipal;
+
+  /**
+   * Given a principal and a default realm, creates a new 
DeconstructedPrincipal
+   * <p/>
+   * If the supplied principal does not have a realm component, the default 
realm (supplied) will be
+   * used.
+   *
+   * @param principal    a String containing the principal to deconstruct
+   * @param defaultRealm a String containing the default realm
+   * @return a new DeconstructedPrincipal
+   */
+  public static DeconstructedPrincipal valueOf(String principal, @Nullable 
String defaultRealm) {
+    if (principal == null) {
+      throw new IllegalArgumentException("The principal may not be null");
+    }
+
+    Matcher matcher = PATTERN_PRINCIPAL.matcher(principal);
+
+    if (matcher.matches()) {
+      String primary = matcher.group(1);
+      String instance = matcher.group(2);
+      String realm = matcher.group(3);
+
+      if ((realm == null) || realm.isEmpty()) {
+        realm = defaultRealm;
+      }
+
+      return new DeconstructedPrincipal(primary, instance, realm);
+    } else {
+      throw new IllegalArgumentException(String.format("Invalid principal 
value: %s", principal));
+    }
+  }
+
+
+  /**
+   * Constructs a new DeconstructedPrincipal
+   *
+   * @param primary  a String containing the "primary" component of the 
principal
+   * @param instance a String containing the "instance" component of the 
principal
+   * @param realm    a String containing the "realm" component of the principal
+   */
+  protected DeconstructedPrincipal(String primary, String instance, String 
realm) {
+    this.primary = primary;
+    this.instance = instance;
+    this.realm = realm;
+
+    StringBuilder builder = new StringBuilder();
+
+    if (this.primary != null) {
+      builder.append(primary);
+    }
+
+    if (this.instance != null) {
+      builder.append('/');
+      builder.append(this.instance);
+    }
+
+    this.principalName = builder.toString();
+
+    if (this.realm != null) {
+      builder.append('@');
+      builder.append(this.realm);
+    }
+
+    this.normalizedPrincipal = builder.toString();
+  }
+
+  /**
+   * Gets the primary component of this DeconstructedPrincipal
+   *
+   * @return a String containing the "primary" component of this 
DeconstructedPrincipal
+   */
+  public String getPrimary() {
+    return primary;
+  }
+
+  /**
+   * Gets the instance component of this DeconstructedPrincipal
+   *
+   * @return a String containing the "instance" component of this 
DeconstructedPrincipal
+   */
+  public String getInstance() {
+    return instance;
+  }
+
+  /**
+   * Gets the realm component of this DeconstructedPrincipal
+   *
+   * @return a String containing the "realm" component of this 
DeconstructedPrincipal
+   */
+  public String getRealm() {
+    return realm;
+  }
+
+  /**
+   * Gets the constructed principal name for this DeconstructedPrincipal
+   * <p/>
+   * The principal name is the combination of the primary and instance 
components:
+   * <ul>
+   * <li>primary/instance</li>
+   * <li>primary</li>
+   * </ul>
+   *
+   * @return a String containing the "realm" component of this 
DeconstructedPrincipal
+   */
+  public String getPrincipalName() {
+    return principalName;
+  }
+
+  /**
+   * Gets the constructed normalized  principal for this DeconstructedPrincipal
+   * <p/>
+   * The normalized principal is the combination of the primary, instance, and 
realm components:
+   * <ul>
+   * <li>primary/instance@realm</li>
+   * <li>primary@realm</li>
+   * </ul>
+   *
+   * @return a String containing the "realm" component of this 
DeconstructedPrincipal
+   */
+  public String getNormalizedPrincipal() {
+    return normalizedPrincipal;
+  }
+}

http://git-wip-us.apache.org/repos/asf/ambari/blob/9f291484/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
index 7a9233b..a23aa81 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
@@ -63,7 +63,6 @@ public abstract class KerberosOperationHandler {
   private final static char[] SECURE_PASSWORD_CHARS =
       
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890?.!$%^*()-_+=~".toCharArray();
 
-
   /**
    * The default set of ciphers to use for creating keytab entries
    */
@@ -432,4 +431,13 @@ public abstract class KerberosOperationHandler {
       }
     }
   }
+
+  protected DeconstructedPrincipal deconstructPrincipal(String principal) 
throws KerberosOperationException {
+    try {
+      return DeconstructedPrincipal.valueOf(principal, getDefaultRealm());
+    } catch (IllegalArgumentException e) {
+      throw new KerberosOperationException(e.getMessage(), e);
+    }
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/9f291484/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
 
b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
index 85ae018..d37e736 100644
--- 
a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
+++ 
b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
@@ -40,19 +40,23 @@
   <property require-input="true">
     <name>create_attributes_template</name>
     <description>
-      Customizable JSON document representing the LDAP attributes needed to 
create a new Kerberos entity in the KDC (Velocity template engine).
+      A Velocity template to use to generate a JSON-formatted document 
containing the set of
+      attribute names and values needed to create a new Kerberos identity in 
the relevant KDC.
+      Variables include:
+      principal_name, principal_primary, principal_instance, realm, 
realm_lowercase,
+      normalized_principal, principal digest, password, is_service, 
container_dn
     </description>
     <value>
 {
   "objectClass": ["top", "person", "organizationalPerson", "user"],
-  "cn": "$principal",
+  "cn": "$principal_name",
   #if( $is_service )
-  "servicePrincipalName": "$principal",
+  "servicePrincipalName": "$principal_name",
   #end
-  "userPrincipalName": "$principal@$realm.toLowerCase()",
-  "unicodePwd": "\"$password\"",
+  "userPrincipalName": "$normalized_principal.toLowerCase()",
+  "unicodePwd": "$password",
   "accountExpires": "0",
-  "userAccountControl": "512"
+  "userAccountControl": "66048"
 }
     </value>
   </property>

http://git-wip-us.apache.org/repos/asf/ambari/blob/9f291484/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
 
b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
index 6a89dbb..8d2a3c4 100644
--- 
a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
+++ 
b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
@@ -19,6 +19,8 @@
 package org.apache.ambari.server.serveraction.kerberos;
 
 import junit.framework.Assert;
+import org.easymock.Capture;
+import org.easymock.CaptureType;
 import org.easymock.EasyMockSupport;
 import org.easymock.IAnswer;
 import org.junit.Ignore;
@@ -26,21 +28,22 @@ import org.junit.Test;
 
 import javax.naming.AuthenticationException;
 import javax.naming.CommunicationException;
+import javax.naming.Name;
 import javax.naming.NamingEnumeration;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.Control;
 import javax.naming.ldap.LdapContext;
 
-import java.util.ArrayList;
-import java.util.Arrays;
+import java.nio.charset.Charset;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 
-import static org.easymock.EasyMock.anyObject;
-import static org.easymock.EasyMock.expect;
-import static org.easymock.EasyMock.replay;
+import static org.easymock.EasyMock.*;
 
 public class ADKerberosOperationHandlerTest extends EasyMockSupport {
   private static final String DEFAULT_ADMIN_PRINCIPAL = 
"cluser_admin@HDP01.LOCAL";
@@ -235,32 +238,30 @@ public class ADKerberosOperationHandlerTest extends 
EasyMockSupport {
       }
     };
 
+    Capture<Name> capturedName = new Capture<Name>(CaptureType.ALL);
+    Capture<Attributes> capturedAttributes = new 
Capture<Attributes>(CaptureType.ALL);
+
     ADKerberosOperationHandler handler = 
createMockBuilder(ADKerberosOperationHandler.class)
         
.addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createInitialLdapContext",
 Properties.class, Control[].class))
         
.addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createSearchControls"))
         .createNiceMock();
 
+    NamingEnumeration<SearchResult> searchResult = 
createNiceMock(NamingEnumeration.class);
+    expect(searchResult.hasMore()).andReturn(false).once();
+
+    LdapContext ldapContext = createNiceMock(LdapContext.class);
+    expect(ldapContext.search(anyObject(String.class), 
anyObject(String.class), anyObject(SearchControls.class)))
+        .andReturn(searchResult)
+        .once();
+
+    expect(ldapContext.createSubcontext(capture(capturedName), 
capture(capturedAttributes)))
+        .andReturn(createNiceMock(DirContext.class))
+        .anyTimes();
+
     expect(handler.createInitialLdapContext(anyObject(Properties.class), 
anyObject(Control[].class)))
-        .andAnswer(new IAnswer<LdapContext>() {
-          @Override
-          public LdapContext answer() throws Throwable {
-            LdapContext ldapContext = createNiceMock(LdapContext.class);
-            expect(ldapContext.search(anyObject(String.class), 
anyObject(String.class), anyObject(SearchControls.class)))
-                .andAnswer(new IAnswer<NamingEnumeration<SearchResult>>() {
-                  @Override
-                  public NamingEnumeration<SearchResult> answer() throws 
Throwable {
-                    NamingEnumeration<SearchResult> result = 
createNiceMock(NamingEnumeration.class);
-                    expect(result.hasMore()).andReturn(false).once();
-                    replay(result);
-                    return result;
-                  }
-                })
-                .once();
-            replay(ldapContext);
-            return ldapContext;
-          }
-        })
+        .andReturn(ldapContext)
         .once();
+
     expect(handler.createSearchControls()).andAnswer(new 
IAnswer<SearchControls>() {
       @Override
       public SearchControls answer() throws Throwable {
@@ -273,45 +274,67 @@ public class ADKerberosOperationHandlerTest extends 
EasyMockSupport {
     replayAll();
 
     handler.open(kc, DEFAULT_REALM, kerberosEnvMap);
+    handler.createPrincipal("nn/c6501.ambari.apache.org", "secret", true);
+    handler.createPrincipal("hdfs@" + DEFAULT_REALM, "secret", false);
+    handler.close();
 
-    Map<String, Object> context = new HashMap<String, Object>();
-    context.put("principal", "nn/c6501.ambari.apache.org");
-    context.put("principal_primary", "nn");
-    context.put("principal_instance", "c6501.ambari.apache.org");
-    context.put("realm", "EXAMPLE.COM");
-    context.put("realm_lowercase", "example.com");
-    context.put("password", "secret");
-    context.put("is_service", true);
-    context.put("container_dn", "ou=cluster,DC=EXAMPLE,DC=COM");
-
-    Map<String, Object> data;
-
-    data = handler.processCreateTemplate(context);
-
-    Assert.assertNotNull(data);
-    Assert.assertEquals(7, data.size());
-    Assert.assertEquals(new ArrayList<String>(Arrays.asList("top", "person", 
"organizationalPerson", "user")), data.get("objectClass"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org", data.get("cn"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org", 
data.get("servicePrincipalName"));
-    Assert.assertEquals("nn/c6501.ambari.apache....@example.com", 
data.get("userPrincipalName"));
-    Assert.assertEquals("\"secret\"", data.get("unicodePwd"));
-    Assert.assertEquals("0", data.get("accountExpires"));
-    Assert.assertEquals("512", data.get("userAccountControl"));
-
-
-    context.put("is_service", false);
-    data = handler.processCreateTemplate(context);
-
-    Assert.assertNotNull(data);
-    Assert.assertEquals(6, data.size());
-    Assert.assertEquals(new ArrayList<String>(Arrays.asList("top", "person", 
"organizationalPerson", "user")), data.get("objectClass"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org", data.get("cn"));
-    Assert.assertEquals("nn/c6501.ambari.apache....@example.com", 
data.get("userPrincipalName"));
-    Assert.assertEquals("\"secret\"", data.get("unicodePwd"));
-    Assert.assertEquals("0", data.get("accountExpires"));
-    Assert.assertEquals("512", data.get("userAccountControl"));
+    List<Attributes> attributesList = capturedAttributes.getValues();
+    Attributes attributes;
 
-    handler.close();
+    attributes = attributesList.get(0);
+    String[] objectClasses = new String[]{"top", "person", 
"organizationalPerson", "user"};
+
+    Assert.assertNotNull(attributes);
+    Assert.assertEquals(7, attributes.size());
+
+    Assert.assertNotNull(attributes.get("objectClass"));
+    Assert.assertEquals(objectClasses.length, 
attributes.get("objectClass").size());
+    for (int i = 0; i < objectClasses.length; i++) {
+      Assert.assertEquals(objectClasses[i], 
attributes.get("objectClass").get(i));
+    }
+
+    Assert.assertNotNull(attributes.get("cn"));
+    Assert.assertEquals("nn/c6501.ambari.apache.org", 
attributes.get("cn").get());
+
+    Assert.assertNotNull(attributes.get("servicePrincipalName"));
+    Assert.assertEquals("nn/c6501.ambari.apache.org", 
attributes.get("servicePrincipalName").get());
+
+    Assert.assertNotNull(attributes.get("userPrincipalName"));
+    Assert.assertEquals("nn/c6501.ambari.apache.org@hdp01.local", 
attributes.get("userPrincipalName").get());
+
+    Assert.assertNotNull(attributes.get("unicodePwd"));
+    Assert.assertEquals("\"secret\"", new String((byte[]) 
attributes.get("unicodePwd").get(), Charset.forName("UTF-16LE")));
+
+    Assert.assertNotNull(attributes.get("accountExpires"));
+    Assert.assertEquals("0", attributes.get("accountExpires").get());
+
+    Assert.assertNotNull(attributes.get("userAccountControl"));
+    Assert.assertEquals("66048", attributes.get("userAccountControl").get());
+
+    attributes = attributesList.get(1);
+    Assert.assertNotNull(attributes);
+    Assert.assertEquals(6, attributes.size());
+
+    Assert.assertNotNull(attributes.get("objectClass"));
+    Assert.assertEquals(objectClasses.length, 
attributes.get("objectClass").size());
+    for (int i = 0; i < objectClasses.length; i++) {
+      Assert.assertEquals(objectClasses[i], 
attributes.get("objectClass").get(i));
+    }
+
+    Assert.assertNotNull(attributes.get("cn"));
+    Assert.assertEquals("hdfs", attributes.get("cn").get());
+
+    Assert.assertNotNull(attributes.get("userPrincipalName"));
+    Assert.assertEquals("hdfs@hdp01.local", 
attributes.get("userPrincipalName").get());
+
+    Assert.assertNotNull(attributes.get("unicodePwd"));
+    Assert.assertEquals("\"secret\"", new String((byte[]) 
attributes.get("unicodePwd").get(), Charset.forName("UTF-16LE")));
+
+    Assert.assertNotNull(attributes.get("accountExpires"));
+    Assert.assertEquals("0", attributes.get("accountExpires").get());
+
+    Assert.assertNotNull(attributes.get("userAccountControl"));
+    Assert.assertEquals("66048", attributes.get("userAccountControl").get());
   }
 
   @Test
@@ -321,54 +344,52 @@ public class ADKerberosOperationHandlerTest extends 
EasyMockSupport {
       {
         put(ADKerberosOperationHandler.KERBEROS_ENV_LDAP_URL, 
DEFAULT_LDAP_URL);
         put(ADKerberosOperationHandler.KERBEROS_ENV_PRINCIPAL_CONTAINER_DN, 
DEFAULT_PRINCIPAL_CONTAINER_DN);
-        
put(ADKerberosOperationHandler.KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE, "{" +
+        
put(ADKerberosOperationHandler.KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE, "" +
+            "#set( $user = \"${principal_primary}-${principal_digest}\" )" +
+            "{" +
             "  \"objectClass\": [" +
             "    \"top\"," +
             "    \"person\"," +
             "    \"organizationalPerson\"," +
             "    \"user\"" +
             "  ]," +
-            "  \"cn\": \"$principal@$realm\"," +
-            "  \"dn\": \"$principal@$realm,$container_dn\"," +
-            "  \"distinguishedName\": \"$principal@$realm,$container_dn\"," +
-            "  \"sAMAccountName\": \"$principal\"," +
+            "  \"cn\": \"$user\"," +
+            "  \"sAMAccountName\": \"$user.substring(0,20)\"," +
             "  #if( $is_service )" +
-            "  \"servicePrincipalName\": \"$principal\"," +
+            "  \"servicePrincipalName\": \"$principal_name\"," +
             "  #end" +
-            "  \"userPrincipalName\": \"$principal@$realm.toLowerCase()\"," +
-            "  \"unicodePwd\": \"`$password`\"," +
+            "  \"userPrincipalName\": 
\"$normalized_principal.toLowerCase()\"," +
+            "  \"unicodePwd\": \"$password\"," +
             "  \"accountExpires\": \"0\"," +
             "  \"userAccountControl\": \"66048\"" +
             "}");
       }
     };
 
+    Capture<Name> capturedName = new Capture<Name>();
+    Capture<Attributes> capturedAttributes = new Capture<Attributes>();
+
     ADKerberosOperationHandler handler = 
createMockBuilder(ADKerberosOperationHandler.class)
         
.addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createInitialLdapContext",
 Properties.class, Control[].class))
         
.addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createSearchControls"))
         .createNiceMock();
 
+    NamingEnumeration<SearchResult> searchResult = 
createNiceMock(NamingEnumeration.class);
+    expect(searchResult.hasMore()).andReturn(false).once();
+
+    LdapContext ldapContext = createNiceMock(LdapContext.class);
+    expect(ldapContext.search(anyObject(String.class), 
anyObject(String.class), anyObject(SearchControls.class)))
+        .andReturn(searchResult)
+        .once();
+
+    expect(ldapContext.createSubcontext(capture(capturedName), 
capture(capturedAttributes)))
+        .andReturn(createNiceMock(DirContext.class))
+        .once();
+
     expect(handler.createInitialLdapContext(anyObject(Properties.class), 
anyObject(Control[].class)))
-        .andAnswer(new IAnswer<LdapContext>() {
-          @Override
-          public LdapContext answer() throws Throwable {
-            LdapContext ldapContext = createNiceMock(LdapContext.class);
-            expect(ldapContext.search(anyObject(String.class), 
anyObject(String.class), anyObject(SearchControls.class)))
-                .andAnswer(new IAnswer<NamingEnumeration<SearchResult>>() {
-                  @Override
-                  public NamingEnumeration<SearchResult> answer() throws 
Throwable {
-                    NamingEnumeration<SearchResult> result = 
createNiceMock(NamingEnumeration.class);
-                    expect(result.hasMore()).andReturn(false).once();
-                    replay(result);
-                    return result;
-                  }
-                })
-                .once();
-            replay(ldapContext);
-            return ldapContext;
-          }
-        })
+        .andReturn(ldapContext)
         .once();
+
     expect(handler.createSearchControls()).andAnswer(new 
IAnswer<SearchControls>() {
       @Override
       public SearchControls answer() throws Throwable {
@@ -381,34 +402,43 @@ public class ADKerberosOperationHandlerTest extends 
EasyMockSupport {
     replayAll();
 
     handler.open(kc, DEFAULT_REALM, kerberosEnvMap);
+    handler.createPrincipal("nn/c6501.ambari.apache.org", "secret", true);
+    handler.close();
 
+    Attributes attributes = capturedAttributes.getValue();
+    String[] objectClasses = new String[]{"top", "person", 
"organizationalPerson", "user"};
 
-    Map<String, Object> context = new HashMap<String, Object>();
-    context.put("principal", "nn/c6501.ambari.apache.org");
-    context.put("principal_primary", "nn");
-    context.put("principal_instance", "c6501.ambari.apache.org");
-    context.put("realm", "EXAMPLE.COM");
-    context.put("realm_lowercase", "example.com");
-    context.put("password", "secret");
-    context.put("is_service", true);
-    context.put("container_dn", "ou=cluster,DC=EXAMPLE,DC=COM");
-
-    Map<String, Object> data = handler.processCreateTemplate(context);
-
-    Assert.assertNotNull(data);
-    Assert.assertEquals(10, data.size());
-    Assert.assertEquals(new ArrayList<String>(Arrays.asList("top", "person", 
"organizationalPerson", "user")), data.get("objectClass"));
-    Assert.assertEquals("nn/c6501.ambari.apache....@example.com", 
data.get("cn"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org", 
data.get("servicePrincipalName"));
-    Assert.assertEquals("nn/c6501.ambari.apache....@example.com", 
data.get("userPrincipalName"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org", 
data.get("sAMAccountName"));
-    
Assert.assertEquals("nn/c6501.ambari.apache....@example.com,ou=cluster,DC=EXAMPLE,DC=COM",
 data.get("distinguishedName"));
-    
Assert.assertEquals("nn/c6501.ambari.apache....@example.com,ou=cluster,DC=EXAMPLE,DC=COM",
 data.get("dn"));
-    Assert.assertEquals("`secret`", data.get("unicodePwd"));
-    Assert.assertEquals("0", data.get("accountExpires"));
-    Assert.assertEquals("66048", data.get("userAccountControl"));
+    Assert.assertNotNull(attributes);
+    Assert.assertEquals(8, attributes.size());
+
+    Assert.assertNotNull(attributes.get("objectClass"));
+    Assert.assertEquals(objectClasses.length, 
attributes.get("objectClass").size());
+    for (int i = 0; i < objectClasses.length; i++) {
+      Assert.assertEquals(objectClasses[i], 
attributes.get("objectClass").get(i));
+    }
+
+    Assert.assertNotNull(attributes.get("cn"));
+    Assert.assertEquals("nn-995e1580db28198e7fda1417ab5d894c877937d2", 
attributes.get("cn").get());
+
+    Assert.assertNotNull(attributes.get("servicePrincipalName"));
+    Assert.assertEquals("nn/c6501.ambari.apache.org", 
attributes.get("servicePrincipalName").get());
+
+    Assert.assertNotNull(attributes.get("userPrincipalName"));
+    Assert.assertEquals("nn/c6501.ambari.apache.org@hdp01.local", 
attributes.get("userPrincipalName").get());
+
+    Assert.assertNotNull(attributes.get("sAMAccountName"));
+    
Assert.assertTrue(attributes.get("sAMAccountName").get().toString().length() <= 
20);
+    Assert.assertEquals("nn-995e1580db28198e7", 
attributes.get("sAMAccountName").get());
+
+    Assert.assertNotNull(attributes.get("unicodePwd"));
+    Assert.assertEquals("\"secret\"", new String((byte[]) 
attributes.get("unicodePwd").get(), Charset.forName("UTF-16LE")));
+
+    Assert.assertNotNull(attributes.get("accountExpires"));
+    Assert.assertEquals("0", attributes.get("accountExpires").get());
+
+    Assert.assertNotNull(attributes.get("userAccountControl"));
+    Assert.assertEquals("66048", attributes.get("userAccountControl").get());
 
-    handler.close();
   }
 
   /**
@@ -458,31 +488,40 @@ public class ADKerberosOperationHandlerTest extends 
EasyMockSupport {
     // does the principal already exist?
     System.out.println("Principal exists: " + 
handler.principalExists("nn/c1508.ambari.apache.org"));
 
-    //create principal
-//    handler.createPrincipal("nn/c1508.ambari.apache.org@" + DEFAULT_REALM, 
handler.createSecurePassword(), true);
-
     handler.close();
 
-    
kerberosEnvMap.put(ADKerberosOperationHandler.KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE,
 "{" +
-        "\"objectClass\": [\"top\", \"person\", \"organizationalPerson\", 
\"user\"]," +
-        "\"distinguishedName\": \"CN=$principal@$realm,$container_dn\"," +
-        "#if( $is_service )" +
-        "\"servicePrincipalName\": \"$principal\"," +
-        "#end" +
-        "\"userPrincipalName\": \"$principal@$realm.toLowerCase()\"," +
-        "\"unicodePwd\": \"\\\"$password\\\"\"," +
-        "\"accountExpires\": \"0\"," +
-        "\"userAccountControl\": \"66048\"" +
-        "}");
+    
kerberosEnvMap.put(ADKerberosOperationHandler.KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE,
+        "#set( $user = \"${principal_primary}-${principal_digest}\" )" +
+            "{" +
+            "  \"objectClass\": [" +
+            "    \"top\"," +
+            "    \"person\"," +
+            "    \"organizationalPerson\"," +
+            "    \"user\"" +
+            "  ]," +
+            "  \"cn\": \"$user\"," +
+            "  \"sAMAccountName\": \"$user.substring(0,20)\"," +
+            "  #if( $is_service )" +
+            "  \"servicePrincipalName\": \"$principal_name\"," +
+            "  #end" +
+            "  \"userPrincipalName\": 
\"$normalized_principal.toLowerCase()\"," +
+            "  \"unicodePwd\": \"$password\"," +
+            "  \"accountExpires\": \"0\"," +
+            "  \"userAccountControl\": \"66048\"" +
+            "}"
+    );
 
     handler.open(credentials, realm, kerberosEnvMap);
+
+    // remove the principal
+    handler.removePrincipal("abcdefg");
+    handler.removePrincipal("abcdefg/c1509.ambari.apache.org@" + 
DEFAULT_REALM);
+
     handler.createPrincipal("abcdefg/c1509.ambari.apache.org@" + 
DEFAULT_REALM, handler.createSecurePassword(), true);
+    handler.createPrincipal("abcdefg@" + DEFAULT_REALM, 
handler.createSecurePassword(), false);
 
     //update the password
-    handler.setPrincipalPassword("nn/c1508.ambari.apache.org", 
handler.createSecurePassword());
-
-    // remove the principal
-    // handler.removeServicePrincipal("nn/c1508.ambari.apache.org");
+    handler.setPrincipalPassword("abcdefg/c1509.ambari.apache.org@" + 
DEFAULT_REALM, handler.createSecurePassword());
 
     handler.close();
   }

http://git-wip-us.apache.org/repos/asf/ambari/blob/9f291484/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipalTest.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipalTest.java
 
b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipalTest.java
new file mode 100644
index 0000000..28dd08a
--- /dev/null
+++ 
b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipalTest.java
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.serveraction.kerberos;
+
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+public class DeconstructedPrincipalTest {
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testNullPrincipal() throws Exception {
+    DeconstructedPrincipal.valueOf(null, null);
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testEmptyPrincipal() throws Exception {
+    DeconstructedPrincipal.valueOf("", null);
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testInvalidPrincipal() throws Exception {
+    DeconstructedPrincipal.valueOf("/invalid", null);
+  }
+
+  @Test
+  public void testPrimary() throws Exception {
+    DeconstructedPrincipal deconstructedPrincipal = 
DeconstructedPrincipal.valueOf("primary", "REALM");
+
+    assertNotNull(deconstructedPrincipal);
+    assertEquals("primary", deconstructedPrincipal.getPrimary());
+    assertNull(deconstructedPrincipal.getInstance());
+    assertEquals("REALM", deconstructedPrincipal.getRealm());
+    assertEquals("primary", deconstructedPrincipal.getPrincipalName());
+    assertEquals("primary@REALM", 
deconstructedPrincipal.getNormalizedPrincipal());
+  }
+
+  @Test
+  public void testPrimaryRealm() throws Exception {
+    DeconstructedPrincipal deconstructedPrincipal = 
DeconstructedPrincipal.valueOf("primary@MYREALM", "REALM");
+
+    assertNotNull(deconstructedPrincipal);
+    assertEquals("primary", deconstructedPrincipal.getPrimary());
+    assertNull(deconstructedPrincipal.getInstance());
+    assertEquals("MYREALM", deconstructedPrincipal.getRealm());
+    assertEquals("primary", deconstructedPrincipal.getPrincipalName());
+    assertEquals("primary@MYREALM", 
deconstructedPrincipal.getNormalizedPrincipal());
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testInstance() throws Exception {
+    DeconstructedPrincipal.valueOf("/instance", "REALM");
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testInstanceRealm() throws Exception {
+    DeconstructedPrincipal.valueOf("/instance@MYREALM", "REALM");
+  }
+
+  @Test
+  public void testPrimaryInstance() throws Exception {
+    DeconstructedPrincipal deconstructedPrincipal = 
DeconstructedPrincipal.valueOf("primary/instance", "REALM");
+
+    assertNotNull(deconstructedPrincipal);
+    assertEquals("primary", deconstructedPrincipal.getPrimary());
+    assertEquals("instance", deconstructedPrincipal.getInstance());
+    assertEquals("instance", deconstructedPrincipal.getInstance());
+    assertEquals("REALM", deconstructedPrincipal.getRealm());
+    assertEquals("primary/instance", 
deconstructedPrincipal.getPrincipalName());
+    assertEquals("primary/instance@REALM", 
deconstructedPrincipal.getNormalizedPrincipal());
+  }
+
+  @Test
+  public void testPrimaryInstanceRealm() throws Exception {
+    DeconstructedPrincipal deconstructedPrincipal = 
DeconstructedPrincipal.valueOf("primary/instance@MYREALM", "REALM");
+
+    assertNotNull(deconstructedPrincipal);
+    assertEquals("primary", deconstructedPrincipal.getPrimary());
+    assertEquals("instance", deconstructedPrincipal.getInstance());
+    assertEquals("MYREALM", deconstructedPrincipal.getRealm());
+    assertEquals("primary/instance", 
deconstructedPrincipal.getPrincipalName());
+    assertEquals("primary/instance@MYREALM", 
deconstructedPrincipal.getNormalizedPrincipal());
+  }
+
+  @Test
+  public void testOddCharacters() throws Exception {
+    DeconstructedPrincipal deconstructedPrincipal = 
DeconstructedPrincipal.valueOf("p_ri.ma-ry/i.n_s-tance@M_Y-REALM.COM", "REALM");
+
+    assertNotNull(deconstructedPrincipal);
+    assertEquals("p_ri.ma-ry", deconstructedPrincipal.getPrimary());
+    assertEquals("i.n_s-tance", deconstructedPrincipal.getInstance());
+    assertEquals("M_Y-REALM.COM", deconstructedPrincipal.getRealm());
+    assertEquals("p_ri.ma-ry/i.n_s-tance", 
deconstructedPrincipal.getPrincipalName());
+    assertEquals("p_ri.ma-ry/i.n_s-tance@M_Y-REALM.COM", 
deconstructedPrincipal.getNormalizedPrincipal());
+  }
+
+}
\ No newline at end of file

Reply via email to