Repository: ambari Updated Branches: refs/heads/trunk 07dbee41a -> a14fd4a54
AMBARI-16379. The 'krb5-conf' configuration is not available (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/a14fd4a5 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/a14fd4a5 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/a14fd4a5 Branch: refs/heads/trunk Commit: a14fd4a54bd6a99f448e9053c15dd430cb81ef9c Parents: 07dbee4 Author: Robert Levas <rle...@hortonworks.com> Authored: Tue May 10 14:08:15 2016 -0400 Committer: Robert Levas <rle...@hortonworks.com> Committed: Tue May 10 14:08:20 2016 -0400 ---------------------------------------------------------------------- .../server/controller/KerberosHelperImpl.java | 221 ++++++++++--------- .../server/controller/KerberosHelperTest.java | 53 +++++ 2 files changed, 170 insertions(+), 104 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/a14fd4a5/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java index 93dc51a..fe466d5 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java @@ -1246,112 +1246,120 @@ public class KerberosHelperImpl implements KerberosHelper { Map<String, Collection<KerberosIdentityDescriptor>> activeIdentities = new HashMap<String, Collection<KerberosIdentityDescriptor>>(); - Collection<String> hosts; - String ambariServerHostname = StageUtils.getHostName(); + // Only calculate the active identities if the kerberos-env configurtaion is available. Else + // important information like the realm will be missing (kerberos-env/realm) + Config kerberosEnvConfig = cluster.getDesiredConfigByType("kerberos-env"); + if(kerberosEnvConfig == null) { + LOG.debug("Calculating the active identities for {} is being skipped since the kerberos-env configuration is not available", + clusterName, cluster.getSecurityType().name(), SecurityType.KERBEROS.name()); + } + else { + Collection<String> hosts; + String ambariServerHostname = StageUtils.getHostName(); - if (hostName == null) { - Map<String, Host> hostMap = clusters.getHostsForCluster(clusterName); - if (hostMap == null) { - hosts = null; - } else { - hosts = hostMap.keySet(); - } + if (hostName == null) { + Map<String, Host> hostMap = clusters.getHostsForCluster(clusterName); + if (hostMap == null) { + hosts = Collections.emptySet(); + } else { + hosts = hostMap.keySet(); + } - if (!hosts.contains(ambariServerHostname)) { - Collection<String> extendedHosts = new ArrayList<>(hosts.size() + 1); - extendedHosts.addAll(hosts); - extendedHosts.add(ambariServerHostname); - hosts = extendedHosts; + if (!hosts.contains(ambariServerHostname)) { + Collection<String> extendedHosts = new ArrayList<>(hosts.size() + 1); + extendedHosts.addAll(hosts); + extendedHosts.add(ambariServerHostname); + hosts = extendedHosts; + } + } else { + hosts = Collections.singleton(hostName); } - } else { - hosts = Collections.singleton(hostName); - } - KerberosDescriptor kerberosDescriptor = getKerberosDescriptor(cluster); + if (!hosts.isEmpty()) { + KerberosDescriptor kerberosDescriptor = getKerberosDescriptor(cluster); - if ((hosts != null) && !hosts.isEmpty()) { + if (kerberosDescriptor != null) { + Map<String, String> kerberosDescriptorProperties = kerberosDescriptor.getProperties(); - if (kerberosDescriptor != null) { - Map<String, String> kerberosDescriptorProperties = kerberosDescriptor.getProperties(); + for (String hostname : hosts) { + Map<String, KerberosIdentityDescriptor> hostActiveIdentities = new HashMap<String, KerberosIdentityDescriptor>(); + List<KerberosIdentityDescriptor> identities = getActiveIdentities(cluster, hostname, + serviceName, componentName, kerberosDescriptor); - for (String hostname : hosts) { - Map<String, KerberosIdentityDescriptor> hostActiveIdentities = new HashMap<String, KerberosIdentityDescriptor>(); - List<KerberosIdentityDescriptor> identities = getActiveIdentities(cluster, hostname, - serviceName, componentName, kerberosDescriptor); + if (hostname.equals(ambariServerHostname)) { + addAmbariServerIdentity(kerberosEnvConfig.getProperties(), kerberosDescriptor, identities); + } - if (hostname.equals(ambariServerHostname)) { - addAmbariServerIdentity(cluster, kerberosDescriptor, identities); - } + if (!identities.isEmpty()) { + // Calculate the current host-specific configurations. These will be used to replace + // variables within the Kerberos descriptor data + Map<String, Map<String, String>> configurations = calculateConfigurations(cluster, hostname.equals + (ambariServerHostname) ? null : hostname, + kerberosDescriptorProperties); - if (!identities.isEmpty()) { - // Calculate the current host-specific configurations. These will be used to replace - // variables within the Kerberos descriptor data - Map<String, Map<String, String>> configurations = calculateConfigurations(cluster, hostname.equals - (ambariServerHostname) ? null : hostname, - kerberosDescriptorProperties); + for (KerberosIdentityDescriptor identity : identities) { + KerberosPrincipalDescriptor principalDescriptor = identity.getPrincipalDescriptor(); + String principal = null; - for (KerberosIdentityDescriptor identity : identities) { - KerberosPrincipalDescriptor principalDescriptor = identity.getPrincipalDescriptor(); - String principal = null; + if (principalDescriptor != null) { + principal = variableReplacementHelper.replaceVariables(principalDescriptor.getValue(), configurations); + } - if (principalDescriptor != null) { - principal = variableReplacementHelper.replaceVariables(principalDescriptor.getValue(), configurations); - } + if (principal != null) { + KerberosKeytabDescriptor keytabDescriptor = identity.getKeytabDescriptor(); + String keytabFile = null; - if (principal != null) { - KerberosKeytabDescriptor keytabDescriptor = identity.getKeytabDescriptor(); - String keytabFile = null; + if (keytabDescriptor != null) { + keytabFile = variableReplacementHelper.replaceVariables(keytabDescriptor.getFile(), configurations); + } - if (keytabDescriptor != null) { - keytabFile = variableReplacementHelper.replaceVariables(keytabDescriptor.getFile(), configurations); - } + if (replaceHostNames) { + principal = principal.replace("_HOST", hostname); + } - if (replaceHostNames) { - principal = principal.replace("_HOST", hostname); - } + String uniqueKey = String.format("%s|%s", principal, (keytabFile == null) ? "" : keytabFile); - String uniqueKey = String.format("%s|%s", principal, (keytabFile == null) ? "" : keytabFile); + if (!hostActiveIdentities.containsKey(uniqueKey)) { + KerberosPrincipalType principalType = principalDescriptor.getType(); - if (!hostActiveIdentities.containsKey(uniqueKey)) { - KerberosPrincipalType principalType = principalDescriptor.getType(); + // Assume the principal is a service principal if not specified + if (principalType == null) { + principalType = KerberosPrincipalType.SERVICE; + } - // Assume the principal is a service principal if not specified - if (principalType == null) { - principalType = KerberosPrincipalType.SERVICE; - } + KerberosPrincipalDescriptor resolvedPrincipalDescriptor = + new KerberosPrincipalDescriptor(principal, + principalType, + variableReplacementHelper.replaceVariables(principalDescriptor.getConfiguration(), configurations), + variableReplacementHelper.replaceVariables(principalDescriptor.getLocalUsername(), configurations)); + + KerberosKeytabDescriptor resolvedKeytabDescriptor; + + if (keytabFile == null) { + resolvedKeytabDescriptor = null; + } else { + resolvedKeytabDescriptor = + new KerberosKeytabDescriptor( + keytabFile, + variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerName(), configurations), + variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerAccess(), configurations), + variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupName(), configurations), + variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupAccess(), configurations), + variableReplacementHelper.replaceVariables(keytabDescriptor.getConfiguration(), configurations), + keytabDescriptor.isCachable()); + } - KerberosPrincipalDescriptor resolvedPrincipalDescriptor = - new KerberosPrincipalDescriptor(principal, - principalType, - variableReplacementHelper.replaceVariables(principalDescriptor.getConfiguration(), configurations), - variableReplacementHelper.replaceVariables(principalDescriptor.getLocalUsername(), configurations)); - - KerberosKeytabDescriptor resolvedKeytabDescriptor; - - if (keytabFile == null) { - resolvedKeytabDescriptor = null; - } else { - resolvedKeytabDescriptor = - new KerberosKeytabDescriptor( - keytabFile, - variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerName(), configurations), - variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerAccess(), configurations), - variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupName(), configurations), - variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupAccess(), configurations), - variableReplacementHelper.replaceVariables(keytabDescriptor.getConfiguration(), configurations), - keytabDescriptor.isCachable()); + hostActiveIdentities.put(uniqueKey, new KerberosIdentityDescriptor( + identity.getName(), + resolvedPrincipalDescriptor, + resolvedKeytabDescriptor)); } - - hostActiveIdentities.put(uniqueKey, new KerberosIdentityDescriptor( - identity.getName(), - resolvedPrincipalDescriptor, - resolvedKeytabDescriptor)); } } } - } - activeIdentities.put(hostname, hostActiveIdentities.values()); + activeIdentities.put(hostname, hostActiveIdentities.values()); + } } } } @@ -1359,18 +1367,28 @@ public class KerberosHelperImpl implements KerberosHelper { return activeIdentities; } - private void addAmbariServerIdentity(Cluster cluster, KerberosDescriptor kerberosDescriptor, List<KerberosIdentityDescriptor> identities) throws AmbariException { - try { - KerberosDetails kerberosDetails = getKerberosDetails(cluster, null); - // append Ambari server principal - if (kerberosDetails.createAmbariPrincipal()) { - KerberosIdentityDescriptor ambariServerIdentity = kerberosDescriptor.getIdentity(KerberosHelper.AMBARI_IDENTITY_NAME); - if (ambariServerIdentity != null) { - identities.add(ambariServerIdentity); - } + /** + * Conditionally add the Ambari server Kerberos identity to the set of Kerberos Identities expected + * to be available when Kerberos is enabled. + * <p> + * The Ambari server Kerberos identity should only be added if the <code>kerberos-env/create_ambari_principal</code> + * property is not explicitly set to <code>false</code>. + * + * @param kerberosEnvProperties the kerberos-env properties + * @param kerberosDescriptor the kerberos descriptor + * @param identities the collection of identities to add to + */ + void addAmbariServerIdentity(Map<String, String> kerberosEnvProperties, KerberosDescriptor kerberosDescriptor, List<KerberosIdentityDescriptor> identities) { + // Determine if we should _calculate_ the Ambari service identity. + // If kerberos-env/create_ambari_principal is not set to false the identity should be calculated. + boolean createAmbariPrincipal = (kerberosEnvProperties == null) || !"false".equalsIgnoreCase(kerberosEnvProperties.get(CREATE_AMBARI_PRINCIPAL)); + + // append Ambari server principal + if (createAmbariPrincipal) { + KerberosIdentityDescriptor ambariServerIdentity = kerberosDescriptor.getIdentity(KerberosHelper.AMBARI_IDENTITY_NAME); + if (ambariServerIdentity != null) { + identities.add(ambariServerIdentity); } - } catch (KerberosInvalidConfigurationException e) { - LOG.warn("Unable to append Ambari server principal: {}", e); } } @@ -3400,7 +3418,6 @@ public class KerberosHelperImpl implements KerberosHelper { private Map<String, String> kerberosEnvProperties; private SecurityType securityType; private Boolean manageIdentities; - private Boolean createAmbariPrincipal; public void setDefaultRealm(String defaultRealm) { this.defaultRealm = defaultRealm; @@ -3443,17 +3460,13 @@ public class KerberosHelperImpl implements KerberosHelper { } } - public boolean createAmbariPrincipal() { - if (createAmbariPrincipal == null) { - return (kerberosEnvProperties == null) || - !"false".equalsIgnoreCase(kerberosEnvProperties.get(CREATE_AMBARI_PRINCIPAL)); - } else { - return createAmbariPrincipal; - } - } - public void setManageIdentities(Boolean manageIdentities) { this.manageIdentities = manageIdentities; } + + public boolean createAmbariPrincipal() { + return (kerberosEnvProperties == null) || + !"false".equalsIgnoreCase(kerberosEnvProperties.get(CREATE_AMBARI_PRINCIPAL)); + } } } http://git-wip-us.apache.org/repos/asf/ambari/blob/a14fd4a5/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java index 7f8be67..e03ed86 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java @@ -564,6 +564,26 @@ public class KerberosHelperTest extends EasyMockSupport { } @Test + public void addAmbariServerIdentity_CreateAmbariPrincipal() throws Exception { + addAmbariServerIdentity(Collections.singletonMap("create_ambari_principal", "true")); + } + + @Test + public void addAmbariServerIdentity_DoNotCreateAmbariPrincipal() throws Exception { + addAmbariServerIdentity(Collections.singletonMap("create_ambari_principal", "false")); + } + + @Test + public void addAmbariServerIdentity_MissingProperty() throws Exception { + addAmbariServerIdentity(Collections.singletonMap("not_create_ambari_principal", "value")); + } + + @Test + public void addAmbariServerIdentity_MissingKerberosEnv() throws Exception { + addAmbariServerIdentity(null); + } + + @Test public void testGetActiveIdentities_SingleService() throws Exception { Map<String, Collection<KerberosIdentityDescriptor>> identities = testGetActiveIdentities("c1", null, "SERVICE1", null, true, SecurityType.KERBEROS); @@ -3843,6 +3863,39 @@ public class KerberosHelperTest extends EasyMockSupport { return identities; } + private void addAmbariServerIdentity(Map<String, String> kerberosEnvProperties) throws Exception { + + boolean createAmbariPrincipal = (kerberosEnvProperties == null) + || !"false".equalsIgnoreCase(kerberosEnvProperties.get("create_ambari_principal")); + + KerberosHelperImpl kerberosHelper = injector.getInstance(KerberosHelperImpl.class); + + KerberosIdentityDescriptor ambariKerberosIdentity = createMock(KerberosIdentityDescriptor.class); + + KerberosDescriptor kerberosDescriptor = createMock(KerberosDescriptor.class); + if (createAmbariPrincipal) { + expect(kerberosDescriptor.getIdentity(KerberosHelper.AMBARI_IDENTITY_NAME)).andReturn(ambariKerberosIdentity).once(); + } + + List<KerberosIdentityDescriptor> identities = new ArrayList<KerberosIdentityDescriptor>(); + + replayAll(); + + // Needed by infrastructure + injector.getInstance(AmbariMetaInfo.class).init(); + + kerberosHelper.addAmbariServerIdentity(kerberosEnvProperties, kerberosDescriptor, identities); + + verifyAll(); + + if (createAmbariPrincipal) { + Assert.assertEquals(1, identities.size()); + Assert.assertSame(ambariKerberosIdentity, identities.get(0)); + } else { + Assert.assertTrue(identities.isEmpty()); + } + } + private KerberosConfigurationDescriptor createMockConfigurationDescriptor(Map<String, String> properties) { KerberosConfigurationDescriptor descriptor = createMock(KerberosConfigurationDescriptor.class); expect(descriptor.getProperties()).andReturn(properties).anyTimes();
