http://git-wip-us.apache.org/repos/asf/ambari/blob/7aff03f5/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorUpdateHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorUpdateHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorUpdateHelperTest.java
new file mode 100644
index 0000000..fca2f1f
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorUpdateHelperTest.java
@@ -0,0 +1,2272 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.state.kerberos;
+
+import com.google.gson.Gson;
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+import com.google.inject.assistedinject.FactoryModuleBuilder;
+import junit.framework.Assert;
+import org.apache.ambari.server.AmbariException;
+import org.apache.ambari.server.api.services.AmbariMetaInfo;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.ExtensionLinkDAO;
+import org.apache.ambari.server.orm.entities.ExtensionLinkEntity;
+import org.apache.ambari.server.orm.entities.MetainfoEntity;
+import org.apache.ambari.server.orm.entities.StackEntity;
+import org.apache.ambari.server.stack.StackManagerFactory;
+import org.apache.ambari.server.state.Clusters;
+import org.apache.ambari.server.state.stack.OsFamily;
+import org.easymock.EasyMock;
+import org.easymock.EasyMockSupport;
+import org.junit.Test;
+
+import javax.persistence.EntityManager;
+import javax.persistence.TypedQuery;
+import java.util.Collections;
+import java.util.Properties;
+
+import static org.easymock.EasyMock.anyString;
+import static org.easymock.EasyMock.expect;
+
+public class KerberosDescriptorUpdateHelperTest extends EasyMockSupport {
+ private static final KerberosDescriptorFactory KERBEROS_DESCRIPTOR_FACTORY = new KerberosDescriptorFactory();
+ private static final Gson GSON = new Gson();
+
+ @Test
+ public void updateDefaultUserKerberosDescriptor() throws Exception {
+ Injector injector = Guice.createInjector(new AbstractModule() {
+
+ @Override
+ protected void configure() {
+ Properties properties = new Properties();
+ properties.put("metadata.path", "src/main/resources/stacks");
+ properties.put("common.services.path", "src/main/resources/common-services");
+ properties.put("server.version.file", "target/version");
+ properties.put("custom.action.definitions", "/tmp/nofile");
+ Configuration configuration = new Configuration(properties);
+
+ install(new FactoryModuleBuilder().build(StackManagerFactory.class));
+
+ bind(Clusters.class).toInstance(createNiceMock(Clusters.class));
+ bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+ bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+ bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
+ bind(Configuration.class).toInstance(configuration);
+ bind(ExtensionLinkDAO.class).toInstance(createNiceMock(ExtensionLinkDAO.class));
+ }
+ });
+
+ OsFamily osFamily = injector.getInstance(OsFamily.class);
+ expect(osFamily.os_list()).andReturn(Collections.singleton("centos6")).anyTimes();
+
+ ExtensionLinkDAO linkDao = injector.getInstance(ExtensionLinkDAO.class);
+ expect(linkDao.findByStack(anyString(), anyString())).andReturn(Collections.<ExtensionLinkEntity>emptyList()).anyTimes();
+
+ TypedQuery<StackEntity> query = createNiceMock(TypedQuery.class);
+ expect(query.setMaxResults(1)).andReturn(query).anyTimes();
+ expect(query.getSingleResult()).andReturn(null).anyTimes();
+
+ EntityManager entityManager = injector.getInstance(EntityManager.class);
+ expect(entityManager.createNamedQuery("StackEntity.findByNameAndVersion", StackEntity.class)).andReturn(query).anyTimes();
+ expect(entityManager.find(EasyMock.eq(MetainfoEntity.class), anyString())).andReturn(createNiceMock(MetainfoEntity.class)).anyTimes();
+
+ AmbariMetaInfo metaInfo = new AmbariMetaInfo(injector.getInstance(Configuration.class));
+
+ replayAll();
+
+ injector.injectMembers(metaInfo);
+ metaInfo.init();
+
+ KerberosDescriptor hdp24 = metaInfo.getKerberosDescriptor("HDP", "2.4");
+ KerberosDescriptor hdp25 = metaInfo.getKerberosDescriptor("HDP", "2.5");
+ KerberosDescriptor user = new KerberosDescriptor(hdp24.toMap());
+
+ KerberosDescriptor updated = KerberosDescriptorUpdateHelper.updateUserKerberosDescriptor(hdp24, hdp25, user);
+
+ KerberosDescriptor composite = new KerberosDescriptor(hdp25.toMap());
+ composite.update(updated);
+ Assert.assertEquals(GSON.toJson(hdp25.toMap()), GSON.toJson(composite.toMap()));
+ }
+
+ @Test
+ public void testUpdateProperties() throws AmbariException {
+ KerberosDescriptor oldValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance("{" +
+ " \"properties\": {" +
+ " \"realm\": \"${kerberos-env/realm}\"," +
+ " \"keytab_dir\": \"/etc/security/keytabs\"," +
+ " \"additional_realms\": \"\"," +
+ " \"old_property\": \"old_value\"" +
+ " }" +
+ "}");
+
+ KerberosDescriptor newValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance("{" +
+ " \"properties\": {" +
+ " \"realm\": \"${kerberos-env/realm}\"," +
+ " \"keytab_dir\": \"/etc/security/keytabs\"," +
+ " \"additional_realms\": \"\"," +
+ " \"new_property\": \"new_value\"" +
+ " }" +
+ "}");
+
+ KerberosDescriptor userValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance("{" +
+ " \"properties\": {" +
+ " \"realm\": \"EXAMPLE.COM\"," +
+ " \"keytab_dir\": \"/etc/security/keytabs\"," +
+ " \"additional_realms\": \"\"," +
+ " \"old_property\": \"old_value\"" +
+ " }" +
+ "}");
+
+ KerberosDescriptor updatedUserValue = 
KerberosDescriptorUpdateHelper.updateUserKerberosDescriptor(
+ oldValue,
+ newValue,
+ userValue);
+
+ // "old_property" is removed
+ // "new_property" is added
+ // "realm" retains user set value
+ Assert.assertEquals(
+ KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"properties\": {\n" +
+ " \"new_property\": \"new_value\",\n" +
+ " \"realm\": \"EXAMPLE.COM\",\n" +
+ " \"additional_realms\": \"\",\n" +
+ " \"keytab_dir\": \"/etc/security/keytabs\"\n" +
+ " }\n" +
+ "}"),
+ updatedUserValue);
+ }
+
+ @Test
+ public void testUpdateIdentities() throws AmbariException {
+ KerberosDescriptor oldValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{" +
+ " \"identities\": [" +
+ " {" +
+ " \"name\": \"spnego\"," +
+ " \"principal\": {" +
+ " \"value\": \"HTTP/_HOST@${realm}\"," +
+ " \"type\": \"service\"" +
+ " }," +
+ " \"keytab\": {" +
+ " \"file\": \"${keytab_dir}/spnego.service.keytab\"," +
+ " \"owner\": {" +
+ " \"name\": \"root\"," +
+ " \"access\": \"r\"" +
+ " }," +
+ " \"group\": {" +
+ " \"name\": \"${cluster-env/user_group}\"," +
+ " \"access\": \"r\"" +
+ " }" +
+ " }" +
+ " }," +
+ " {" +
+ " \"name\": \"smokeuser\"," +
+ " \"principal\": {" +
+ " \"value\": \"old_value@${realm}\"," +
+ " \"type\": \"user\"," +
+ " \"configuration\": \"cluster-env/smokeuser_principal_name\"," +
+ " \"local_username\": \"${cluster-env/smokeuser}\"" +
+ " }," +
+ " \"keytab\": {" +
+ " \"file\": \"${keytab_dir}/smokeuser.headless.keytab\"," +
+ " \"owner\": {" +
+ " \"name\": \"${cluster-env/smokeuser}\"," +
+ " \"access\": \"r\"" +
+ " }," +
+ " \"group\": {" +
+ " \"name\": \"${cluster-env/user_group}\"," +
+ " \"access\": \"r\"" +
+ " }," +
+ " \"configuration\": \"cluster-env/smokeuser_keytab\"" +
+ " }" +
+ " }," +
+ " {" +
+ " \"name\": \"old_identity\"," +
+ " \"principal\": {" +
+ " \"value\": \"foobar-${cluster_name|toLower()}@${realm}\"," +
+ " \"type\": \"user\"," +
+ " \"configuration\": \"cluster-env/ambari_principal_name\"" +
+ " }," +
+ " \"keytab\": {" +
+ " \"file\": \"${keytab_dir}/ambari.server.keytab\"" +
+ " }" +
+ " }" +
+ " ]" +
+ "}");
+
+ KerberosDescriptor newValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{" +
+ " \"identities\": [" +
+ " {" +
+ " \"name\": \"spnego\"," +
+ " \"principal\": {" +
+ " \"value\": \"HTTP/_HOST@${realm}\"," +
+ " \"type\": \"service\"" +
+ " }," +
+ " \"keytab\": {" +
+ " \"file\": \"${keytab_dir}/spnego.service.keytab\"," +
+ " \"owner\": {" +
+ " \"name\": \"root\"," +
+ " \"access\": \"r\"" +
+ " }," +
+ " \"group\": {" +
+ " \"name\": \"${cluster-env/user_group}\"," +
+ " \"access\": \"r\"" +
+ " }" +
+ " }" +
+ " }," +
+ " {" +
+ " \"name\": \"smokeuser\"," +
+ " \"principal\": {" +
+ " \"value\": \"${cluster-env/smokeuser}-${cluster_name|toLower()}@${realm}\"," +
+ " \"type\": \"user\"," +
+ " \"configuration\": \"cluster-env/smokeuser_principal_name\"," +
+ " \"local_username\": \"${cluster-env/smokeuser}\"" +
+ " }," +
+ " \"keytab\": {" +
+ " \"file\": \"updated_dir/smokeuser.headless.keytab\"," +
+ " \"owner\": {" +
+ " \"name\": \"${cluster-env/smokeuser}\"," +
+ " \"access\": \"r\"" +
+ " }," +
+ " \"group\": {" +
+ " \"name\": \"${cluster-env/user_group}\"," +
+ " \"access\": \"r\"" +
+ " }," +
+ " \"configuration\": \"cluster-env/smokeuser_keytab\"" +
+ " }" +
+ " }," +
+ " {" +
+ " \"name\": \"ambari-server\"," +
+ " \"principal\": {" +
+ " \"value\": \"ambari-server-${cluster_name|toLower()}@${realm}\"," +
+ " \"type\": \"user\"," +
+ " \"configuration\": \"cluster-env/ambari_principal_name\"" +
+ " }," +
+ " \"keytab\": {" +
+ " \"file\": \"${keytab_dir}/ambari.server.keytab\"" +
+ " }" +
+ " }" +
+ " ]" +
+ "}");
+
+ KerberosDescriptor userValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{" +
+ " \"identities\": [" +
+ " {" +
+ " \"name\": \"spnego\"," +
+ " \"principal\": {" +
+ " \"value\": \"CHANGED_HTTP/_HOST@${realm}\"," +
+ " \"type\": \"service\"" +
+ " }," +
+ " \"keytab\": {" +
+ " \"file\": \"${keytab_dir}/spnego.service.keytab\"," +
+ " \"owner\": {" +
+ " \"name\": \"root\"," +
+ " \"access\": \"r\"" +
+ " }," +
+ " \"group\": {" +
+ " \"name\": \"${cluster-env/user_group}\"," +
+ " \"access\": \"r\"" +
+ " }" +
+ " }" +
+ " }," +
+ " {" +
+ " \"name\": \"smokeuser\"," +
+ " \"principal\": {" +
+ " \"value\": \"old_value@${realm}\"," +
+ " \"type\": \"user\"," +
+ " \"configuration\": \"cluster-env/smokeuser_principal_name\"," +
+ " \"local_username\": \"${cluster-env/smokeuser}\"" +
+ " }," +
+ " \"keytab\": {" +
+ " \"file\": \"custom_dir/smokeuser.headless.keytab\"," +
+ " \"owner\": {" +
+ " \"name\": \"${cluster-env/smokeuser}\"," +
+ " \"access\": \"r\"" +
+ " }," +
+ " \"group\": {" +
+ " \"name\": \"${cluster-env/user_group}\"," +
+ " \"access\": \"r\"" +
+ " }," +
+ " \"configuration\": \"cluster-env/smokeuser_keytab\"" +
+ " }" +
+ " }," +
+ " {" +
+ " \"name\": \"old_identity\"," +
+ " \"principal\": {" +
+ " \"value\": \"foobar-${cluster_name|toLower()}@${realm}\"," +
+ " \"type\": \"user\"," +
+ " \"configuration\": \"cluster-env/ambari_principal_name\"" +
+ " }," +
+ " \"keytab\": {" +
+ " \"file\": \"${keytab_dir}/ambari.server.keytab\"" +
+ " }" +
+ " }" +
+ " ]" +
+ "}");
+
+
+ KerberosDescriptor updatedUserValue = KerberosDescriptorUpdateHelper.updateUserKerberosDescriptor(
+ oldValue,
+ newValue,
+ userValue);
+
+ Assert.assertEquals(
+ GSON.toJson(KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"name\": \"spnego\",\n" +
+ " \"principal\": {\n" +
+ " \"value\": \"CHANGED_HTTP/_HOST@${realm}\",\n" +
+ " \"type\": \"service\"\n" +
+ " },\n" +
+ " \"keytab\": {\n" +
+ " \"file\": \"${keytab_dir}/spnego.service.keytab\",\n" +
+ " \"owner\": {\n" +
+ " \"name\": \"root\",\n" +
+ " \"access\": \"r\"\n" +
+ " },\n" +
+ " \"group\": {\n" +
+ " \"name\": \"${cluster-env/user_group}\",\n" +
+ " \"access\": \"r\"\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"name\": \"smokeuser\",\n" +
+ " \"principal\": {\n" +
+ " \"value\": \"${cluster-env/smokeuser}-${cluster_name|toLower()}@${realm}\",\n" +
+ " \"local_username\": \"${cluster-env/smokeuser}\",\n" +
+ " \"configuration\": \"cluster-env/smokeuser_principal_name\",\n" +
+ " \"type\": \"user\"\n" +
+ " },\n" +
+ " \"keytab\": {\n" +
+ " \"file\": \"custom_dir/smokeuser.headless.keytab\",\n" +
+ " \"owner\": {\n" +
+ " \"name\": \"${cluster-env/smokeuser}\",\n" +
+ " \"access\": \"r\"\n" +
+ " },\n" +
+ " \"group\": {\n" +
+ " \"name\": \"${cluster-env/user_group}\",\n" +
+ " \"access\": \"r\"\n" +
+ " },\n" +
+ " \"configuration\": \"cluster-env/smokeuser_keytab\"\n" +
+ " }\n" +
+ " }\n" +
+ " ]\n" +
+ "}").toMap()),
+ GSON.toJson(updatedUserValue.toMap()));
+
+ // Test that the merge of the default (stack) Kerberos descriptor and the updated user-specified
+ // Kerberos descriptor yield the expected composite Kerberos descriptor.
+ newValue.update(updatedUserValue);
+
+ Assert.assertEquals(
+ GSON.toJson(KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"name\": \"ambari-server\",\n" +
+ " \"principal\": {\n" +
+ " \"value\": \"ambari-server-${cluster_name|toLower()}@${realm}\",\n" +
+ " \"configuration\": \"cluster-env/ambari_principal_name\",\n" +
+ " \"type\": \"user\"\n" +
+ " },\n" +
+ " \"keytab\": {\n" +
+ " \"file\": \"${keytab_dir}/ambari.server.keytab\"\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"name\": \"spnego\",\n" +
+ " \"principal\": {\n" +
+ " \"value\": \"CHANGED_HTTP/_HOST@${realm}\",\n" +
+ " \"type\": \"service\"\n" +
+ " },\n" +
+ " \"keytab\": {\n" +
+ " \"file\": \"${keytab_dir}/spnego.service.keytab\",\n" +
+ " \"owner\": {\n" +
+ " \"name\": \"root\",\n" +
+ " \"access\": \"r\"\n" +
+ " },\n" +
+ " \"group\": {\n" +
+ " \"name\": \"${cluster-env/user_group}\",\n" +
+ " \"access\": \"r\"\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"name\": \"smokeuser\",\n" +
+ " \"principal\": {\n" +
+ " \"value\": \"${cluster-env/smokeuser}-${cluster_name|toLower()}@${realm}\",\n" +
+ " \"local_username\": \"${cluster-env/smokeuser}\",\n" +
+ " \"configuration\": \"cluster-env/smokeuser_principal_name\",\n" +
+ " \"type\": \"user\"\n" +
+ " },\n" +
+ " \"keytab\": {\n" +
+ " \"file\": \"custom_dir/smokeuser.headless.keytab\",\n" +
+ " \"owner\": {\n" +
+ " \"name\": \"${cluster-env/smokeuser}\",\n" +
+ " \"access\": \"r\"\n" +
+ " },\n" +
+ " \"group\": {\n" +
+ " \"name\": \"${cluster-env/user_group}\",\n" +
+ " \"access\": \"r\"\n" +
+ " },\n" +
+ " \"configuration\": \"cluster-env/smokeuser_keytab\"\n" +
+ " }\n" +
+ " }\n" +
+ " ]\n" +
+ "}").toMap()),
+ GSON.toJson(newValue.toMap()));
+ }
+
+ @Test
+ public void testUpdateConfigurations() throws AmbariException {
+ KerberosDescriptor oldValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"configurations\": [\n" +
+ " {\n" +
+ " \"core-site\": {\n" +
+ " \"hadoop.security.authentication\": \"kerberos\",\n" +
+ " \"hadoop.security.authorization\": \"true\",\n" +
+ " \"hadoop.proxyuser.HTTP.groups\": \"${hadoop-env/proxyuser_group}\"\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"some-site\": {\n" +
+ " \"property.unchanged\": \"value 1\",\n" +
+ " \"property.removed\": \"removed value\",\n" +
+ " \"property.altered\": \"old value\"\n," +
+ " \"property.property.changed.in.new\": \"orig value\"\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"old-site\": {\n" +
+ " \"property\": \"value\"\n" +
+ " }\n" +
+ " }\n" +
+ " ]\n" +
+ "}\n");
+
+ KerberosDescriptor newValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"configurations\": [\n" +
+ " {\n" +
+ " \"core-site\": {\n" +
+ " \"hadoop.security.authentication\": \"kerberos\",\n" +
+ " \"hadoop.security.authorization\": \"true\",\n" +
+ " \"hadoop.proxyuser.HTTP.groups\": \"${hadoop-env/proxyuser_group}\"\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"some-site\": {\n" +
+ " \"property.unchanged\": \"value 1\",\n" +
+ " \"property.added\": \"added 
value\",\n" +
+ " \"property.altered\": \"new value\",\n" +
+ " \"property.changed.in.new\": \"new value\"\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"new-site\": {\n" +
+ " \"property.for.new.site\": \"value\"\n" +
+ " }\n" +
+ " }\n" +
+ " ]\n" +
+ "}\n");
+
+ KerberosDescriptor userValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"configurations\": [\n" +
+ " {\n" +
+ " \"core-site\": {\n" +
+ " \"hadoop.security.authentication\": \"kerberos\",\n" +
+ " \"hadoop.security.authorization\": \"true\",\n" +
+ " \"hadoop.proxyuser.HTTP.groups\": \"${hadoop-env/proxyuser_group}\"\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"some-site\": {\n" +
+ " \"property.unchanged\": \"value 1\",\n" +
+ " \"property.removed\": \"changed removed value\",\n" +
+ " \"property.altered\": \"custom value\"\n," +
+ " \"property.property.changed.in.new\": \"orig value\"\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"old-site\": {\n" +
+ " \"property\": \"value\"\n" +
+ " }\n" +
+ " }\n" +
+ " ]\n" +
+ "}\n");
+
+ KerberosDescriptor updatedUserValue = KerberosDescriptorUpdateHelper.updateUserKerberosDescriptor(
+ oldValue,
+ newValue,
+ userValue);
+
+ Assert.assertEquals(
+ GSON.toJson(KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"configurations\": [\n" +
+ " {\n" +
+ " \"core-site\": {\n" +
+ " \"hadoop.security.authentication\": \"kerberos\",\n" +
+ " \"hadoop.security.authorization\": \"true\",\n" +
+ " \"hadoop.proxyuser.HTTP.groups\": \"${hadoop-env/proxyuser_group}\"\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"some-site\": {\n" +
+ " \"property.unchanged\": \"value 1\",\n" +
+ " \"property.added\": \"added value\",\n" +
+ " \"property.altered\": \"custom value\",\n" +
+ " \"property.changed.in.new\": \"new value\"\n" +
+ " }\n" +
+ " }\n" +
+ " ]\n" +
+ "}\n").toMap()),
+ GSON.toJson(updatedUserValue.toMap()));
+ }
+
+ @Test
+ public void testUpdateAuthToLocalRules() throws AmbariException {
+ KerberosDescriptor oldValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"auth_to_local_properties\" : [\n" +
+ " \"core-site/hadoop.security.auth_to_local\",\n" +
+ " \"some-site/to.be.removed\"\n" +
+ " ]\n" +
+ "}\n");
+
+ KerberosDescriptor newValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"auth_to_local_properties\" : [\n" +
+ " \"core-site/hadoop.security.auth_to_local\",\n" +
+ " \"some-site/to.be.added\"\n" +
+ " ]\n" +
+ "}\n");
+
+ KerberosDescriptor userValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"auth_to_local_properties\" : [\n" +
+ " \"core-site/hadoop.security.auth_to_local\",\n" +
+ " \"some-site/added.by.user\"\n" +
+ " ]\n" +
+ "}\n");
+
+ KerberosDescriptor updatedUserValue = KerberosDescriptorUpdateHelper.updateUserKerberosDescriptor(
+ oldValue,
+ newValue,
+ userValue);
+
+ Assert.assertEquals(
+ KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"auth_to_local_properties\" : [\n" +
+ " \"core-site/hadoop.security.auth_to_local\",\n" +
+ " \"some-site/to.be.added\",\n" +
+ " \"some-site/added.by.user\"\n" +
+ " ]\n" +
+ "}\n"),
+ updatedUserValue);
+ }
+
+ @Test
+ public void testUpdateServices() throws AmbariException {
+ KerberosDescriptor oldValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"services\": [\n" +
+ " {\n" +
+ " \"components\": [\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.secondary.namenode.kerberos.principal\",\n" +
+ " \"type\": \"service\",\n" +
+ " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" +
+ " \"value\": \"nn/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"secondary_namenode_nn\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${hadoop-env/hdfs_user}\"\n" +
+ " },\n" +
+ " \"file\": \"${keytab_dir}/nn.service.keytab\",\n" +
+ " \"configuration\": \"hdfs-site/dfs.secondary.namenode.keytab.file\",\n" +
+ " \"group\": {\n" +
+ " \"access\": \"\",\n" +
+ " \"name\": \"${cluster-env/user_group}\"\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal\",\n" +
+ " \"type\": null,\n" +
+ " \"local_username\": null,\n" +
+ " \"value\": null\n" +
+ " },\n" +
+ " \"name\": \"/spnego\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"SECONDARY_NAMENODE\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"name\": \"/HDFS/NAMENODE/hdfs\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"HDFS_CLIENT\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.datanode.kerberos.principal\",\n" +
+ " \"type\": \"service\",\n" +
+ " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" +
+ " \"value\": \"dn/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"datanode_dn\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${hadoop-env/hdfs_user}\"\n" +
+ " },\n" +
+ " \"file\": \"${keytab_dir}/dn.service.keytab\",\n" +
+ " \"configuration\": \"hdfs-site/dfs.datanode.keytab.file\",\n" +
+ " \"group\": {\n" +
+ " \"access\": \"\",\n" +
+ " \"name\": \"${cluster-env/user_group}\"\n" +
+ " }\n" +
+ " }\n" +
+ " }\n" +
+ " ],\n" +
+ " \"configurations\": [\n" +
+ " {\n" +
+ " \"hdfs-site\": {\n" +
+ " \"dfs.datanode.address\": \"0.0.0.0:1019\",\n" +
+ " \"dfs.datanode.http.address\": \"0.0.0.0:1022\"\n" +
+ " }\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"DATANODE\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/nfs.kerberos.principal\",\n" +
+ " \"type\": \"service\",\n" +
+ " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" +
+ " \"value\": \"nfs/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"nfsgateway\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${hadoop-env/hdfs_user}\"\n" +
+ " },\n" +
+ " \"file\": \"${keytab_dir}/nfs.service.keytab\",\n" +
+ " \"configuration\": \"hdfs-site/nfs.keytab.file\",\n" +
+ " \"group\": {\n" +
+ " \"access\": \"\",\n" +
+ " \"name\": \"${cluster-env/user_group}\"\n" +
+ " }\n" +
+ " }\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"NFS_GATEWAY\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.journalnode.kerberos.principal\",\n" +
+ " \"type\": \"service\",\n" +
+ " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" +
+ " \"value\": \"jn/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"journalnode_jn\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${hadoop-env/hdfs_user}\"\n" +
+ " },\n" +
+ " \"file\": \"${keytab_dir}/jn.service.keytab\",\n" +
+ " \"configuration\": \"hdfs-site/dfs.journalnode.keytab.file\",\n" +
+ " \"group\": {\n" +
+ " \"access\": \"\",\n" +
+ " \"name\": \"${cluster-env/user_group}\"\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal\",\n" +
+ " \"type\": null,\n" +
+ " \"local_username\": null,\n" +
+ " \"value\": null\n" +
+ " },\n" +
+ " \"name\": \"/spnego\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"JOURNALNODE\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hadoop-env/hdfs_principal_name\",\n" +
+ " \"type\": \"user\",\n" +
+ " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" +
+ " \"value\": \"${hadoop-env/hdfs_user}-${cluster_name|toLower()}@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"hdfs\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${hadoop-env/hdfs_user}\"\n" +
+ " },\n" +
+ " \"file\": \"${keytab_dir}/hdfs.headless.keytab\",\n" +
+ " \"configuration\": \"hadoop-env/hdfs_user_keytab\",\n" +
+ " \"group\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${cluster-env/user_group}\"\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.namenode.kerberos.principal\",\n" +
+ " \"type\": \"service\",\n" +
+ " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" +
+ " \"value\": \"nn/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"namenode_nn\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${hadoop-env/hdfs_user}\"\n" +
+ " },\n" +
+ " \"file\": \"${keytab_dir}/nn.service.keytab\",\n" +
+ " \"configuration\": \"hdfs-site/dfs.namenode.keytab.file\",\n" +
+ " \"group\": {\n" +
+ " \"access\": \"\",\n" +
+ " \"name\": \"${cluster-env/user_group}\"\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.namenode.kerberos.internal.spnego.principal\",\n" +
+ " \"type\": null,\n" +
+ " \"local_username\": null,\n" +
+ " \"value\": null\n" +
+ " },\n" +
+ " \"name\": \"/spnego\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"configurations\": [\n" +
+ " {\n" +
+ " \"hdfs-site\": {\n" +
+ " \"dfs.block.access.token.enable\": \"true\"\n" +
+ " }\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"NAMENODE\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.web.authentication.kerberos.principal\",\n" +
+ " \"type\": null,\n" +
+ " \"local_username\": null,\n" +
+ " \"value\": null\n" +
+ " },\n" +
+ " \"name\": \"/spnego\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": null,\n" +
+ " \"name\": null\n" +
+ " },\n" +
+ " \"file\": null,\n" +
+ " \"configuration\": \"hdfs-site/dfs.web.authentication.kerberos.keytab\",\n" +
+ " \"group\": {\n" +
+ " \"access\": null,\n" +
+ " \"name\": null\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"name\": \"/smokeuser\"\n" +
+ " }\n" +
+ " 
],\n" +
+ " \"auth_to_local_properties\": [\n" +
+ " \"core-site/hadoop.security.auth_to_local\"\n" +
+ " ],\n" +
+ " \"configurations\": [\n" +
+ " {\n" +
+ " \"core-site\": {\n" +
+ " \"hadoop.security.authorization\": \"true\",\n" +
+ " \"hadoop.security.authentication\": \"kerberos\",\n" +
+ " \"hadoop.proxyuser.HTTP.groups\": \"${hadoop-env/proxyuser_group}\"\n" +
+ " }\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"HDFS\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"components\" : [\n" +
+ " {\n" +
+ " \"name\" : \"OLD_SERVICE_CLIENT\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\" : [\n" +
+ " {\n" +
+ " \"name\" : \"/HDFS/NAMENODE/hdfs\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\" : \"OLD_SERVICE_FOOBAR\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\" : [\n" +
+ " {\n" +
+ " \"name\" : \"/HDFS/NAMENODE/hdfs\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"name\" : \"/HIVE/HIVE_SERVER/hive_server_hive\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\" : \"OLD_SERVICE_SERVER\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"identities\" : [\n" +
+ " {\n" +
+ " \"name\" : \"/smokeuser\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\" : \"OLD_SERVICE\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"components\": [\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"application-properties/atlas.authentication.principal\",\n" +
+ " \"type\": \"service\",\n" +
+ " \"local_username\": \"${atlas-env/metadata_user}\",\n" +
+ " \"value\": \"atlas/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"atlas\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${atlas-env/metadata_user}\"\n" +
+ " },\n" +
+ " \"file\": \"${keytab_dir}/atlas.service.keytab\",\n" +
+ " \"configuration\": \"application-properties/atlas.authentication.keytab\",\n" +
+ " \"group\": {\n" +
+ " \"access\": \"\",\n" +
+ " \"name\": \"${cluster-env/user_group}\"\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"application-properties/atlas.http.authentication.kerberos.principal\",\n" +
+ " \"type\": null,\n" +
+ " \"local_username\": null,\n" +
+ " \"value\": \"HTTP/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"/spnego\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": null,\n" +
+ " \"name\": null\n" +
+ " },\n" +
+ " \"file\": null,\n" +
+ " \"configuration\": \"application-properties/atlas.http.authentication.kerberos.keytab\",\n" +
+ " \"group\": {\n" +
+ " \"access\": null,\n" +
+ " \"name\": null\n" +
+ " }\n" +
+ " }\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"ATLAS_SERVER\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"auth_to_local_properties\": [\n" +
+ " \"application-properties/atlas.http.authentication.kerberos.name.rules|new_lines_escaped\"\n" +
+ " ],\n" +
+ " \"configurations\": [\n" +
+ " {\n" +
+ " \"application-properties\": {\n" +
+ " \"atlas.authentication.method\": \"kerberos\",\n" +
+ " \"atlas.http.authentication.enabled\": \"true\",\n" +
+ " \"atlas.http.authentication.type\": \"kerberos\"\n" +
+ " }\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"ATLAS\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"components\": [\n" +
+ " {\n" +
+ " \"name\": \"EXISTING_SERVICE_CLIENT\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"name\": \"/HDFS/NAMENODE/hdfs\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"name\": \"/HIVE/HIVE_SERVER/hive_server_hive\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"EXISTING_SERVICE_SERVER\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"name\": \"/HDFS/NAMENODE/hdfs\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"EXISTING_SERVICE_ORIG_SERVER\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"name\": \"/smokeuser\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"EXISTING_SERVICE\"\n" +
+ " }\n" +
+ " ]\n" +
+ "}\n");
+
+ KerberosDescriptor newValue = KERBEROS_DESCRIPTOR_FACTORY.createInstance(
+ "{\n" +
+ " \"services\": [\n" +
+ " {\n" +
+ " \"components\": [\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"application-properties/atlas.jaas.KafkaClient.option.principal\",\n" +
+ " \"type\": \"service\",\n" +
+ " \"local_username\": \"${atlas-env/metadata_user}\",\n" +
+ " \"value\": \"atlas/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"atlas\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${atlas-env/metadata_user}\"\n" +
+ " },\n" +
+ " \"file\": \"${keytab_dir}/atlas.service.keytab\",\n" +
+ " \"configuration\": \"application-properties/atlas.jaas.KafkaClient.option.keyTab\",\n" +
+ " \"group\": {\n" +
+ " \"access\": \"\",\n" +
+ " \"name\": \"${cluster-env/user_group}\"\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"reference\": \"/ATLAS/ATLAS_SERVER/atlas\",\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"application-properties/atlas.authentication.principal\",\n" +
+ " \"type\": null,\n" +
+ " \"local_username\": null,\n" +
+ " \"value\": null\n" +
+ " },\n" +
+ " \"name\": \"atlas_auth\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": null,\n" +
+ " \"name\": null\n" +
+ " },\n" +
+ " \"file\": null,\n" +
+ " \"configuration\": \"application-properties/atlas.authentication.keytab\",\n" +
+ " \"group\": {\n" +
+ " \"access\": null,\n" +
+ " \"name\": null\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"application-properties/atlas.authentication.method.kerberos.principal\",\n" +
+ " \"type\": null,\n" +
+ " \"local_username\": null,\n" +
+ " \"value\": \"HTTP/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"/spnego\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": null,\n" +
+ " \"name\": null\n" +
+ " },\n" +
+ " \"file\": null,\n" +
+ " \"configuration\": \"application-properties/atlas.authentication.method.kerberos.keytab\",\n" +
+ " \"group\": {\n" +
+ " \"access\": null,\n" +
+ " \"name\": null\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"reference\": \"/ATLAS/ATLAS_SERVER/atlas\",\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"ranger-atlas-audit/xasecure.audit.jaas.Client.option.principal\",\n" +
+ " \"type\": null,\n" +
+ " \"local_username\": null,\n" +
+ " \"value\": null\n" +
+ " },\n" +
+ " \"name\": \"ranger_atlas_audit\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": null,\n" +
+ " \"name\": null\n" +
+ " },\n" +
+ " \"file\": null,\n" +
+ " \"configuration\": \"ranger-atlas-audit/xasecure.audit.jaas.Client.option.keyTab\",\n" +
+ " \"group\": {\n" +
+ " \"access\": null,\n" +
+ " \"name\": null\n" +
+ " }\n" +
+ " }\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"ATLAS_SERVER\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"auth_to_local_properties\": [\n" +
+ " \"application-properties/atlas.authentication.method.kerberos.name.rules|new_lines_escaped\"\n" +
+ " ],\n" +
+ " \"configurations\": [\n" +
+ " {\n" +
+ " \"ranger-atlas-audit\": {\n" +
+ " \"xasecure.audit.jaas.Client.loginModuleControlFlag\": \"required\",\n" +
+ " \"xasecure.audit.jaas.Client.option.serviceName\": \"solr\",\n" +
+ " \"xasecure.audit.jaas.Client.loginModuleName\": \"com.sun.security.auth.module.Krb5LoginModule\",\n" +
+ " \"xasecure.audit.jaas.Client.option.useKeyTab\": \"true\",\n" +
+ " \"xasecure.audit.jaas.Client.option.storeKey\": \"false\",\n" +
+ " \"xasecure.audit.destination.solr.force.use.inmemory.jaas.config\": \"true\"\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"application-properties\": {\n" +
+ " \"atlas.kafka.security.protocol\": \"PLAINTEXTSASL\",\n" +
+ " \"atlas.jaas.KafkaClient.option.storeKey\": \"true\",\n" +
+ " \"atlas.solr.kerberos.enable\": \"true\",\n" +
+ " \"atlas.jaas.KafkaClient.loginModuleControlFlag\": \"required\",\n" +
+ " \"atlas.authentication.method.kerberos\": \"true\",\n" +
+ " \"atlas.jaas.KafkaClient.option.useKeyTab\": \"true\",\n" +
+ " \"atlas.kafka.sasl.kerberos.service.name\": \"${kafka-env/kafka_user}\",\n" +
+ " \"atlas.jaas.KafkaClient.loginModuleName\": \"com.sun.security.auth.module.Krb5LoginModule\",\n" +
+ " \"atlas.jaas.KafkaClient.option.serviceName\": \"${kafka-env/kafka_user}\"\n" +
+ " }\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"ATLAS\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"components\": [\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.secondary.namenode.kerberos.principal\",\n" +
+ " \"type\": \"service\",\n" +
+ " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" +
+ " \"value\": \"nn/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"secondary_namenode_nn\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${hadoop-env/hdfs_user}\"\n" +
+ " },\n" +
+ " \"file\": \"${keytab_dir}/nn.service.keytab\",\n" +
+ " \"configuration\": \"hdfs-site/dfs.secondary.namenode.keytab.file\",\n" +
+ " \"group\": {\n" +
+ " \"access\": \"\",\n" +
+ " \"name\": \"${cluster-env/user_group}\"\n" +
+ " }\n" +
+ " }\n" +
+ " },\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal\",\n" +
+ " \"type\": null,\n" +
+ " \"local_username\": null,\n" +
+ " \"value\": null\n" +
+ " },\n" +
+ " \"name\": \"/spnego\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"SECONDARY_NAMENODE\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"name\": \"/HDFS/NAMENODE/hdfs\"\n" +
+ " }\n" +
+ " ],\n" +
+ " \"name\": \"HDFS_CLIENT\"\n" +
+ " },\n" +
+ " {\n" +
+ " \"identities\": [\n" +
+ " {\n" +
+ " \"principal\": {\n" +
+ " \"configuration\": \"hdfs-site/dfs.datanode.kerberos.principal\",\n" +
+ " \"type\": \"service\",\n" +
+ " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" +
+ " \"value\": \"dn/_HOST@${realm}\"\n" +
+ " },\n" +
+ " \"name\": \"datanode_dn\",\n" +
+ " \"keytab\": {\n" +
+ " \"owner\": {\n" +
+ " \"access\": \"r\",\n" +
+ " \"name\": \"${hadoop-env/hdfs_user}\"\n" +
+ " },\n" + + " \"file\": \"${keytab_dir}/dn.service.keytab\",\n" + + " \"configuration\": \"hdfs-site/dfs.datanode.keytab.file\",\n" + + " \"group\": {\n" + + " \"access\": \"\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"configurations\": [\n" + + " {\n" + + " \"hdfs-site\": {\n" + + " \"dfs.datanode.address\": \"0.0.0.0:1019\",\n" + + " \"dfs.datanode.http.address\": \"0.0.0.0:1022\"\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"name\": \"DATANODE\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/nfs.kerberos.principal\",\n" + + " \"type\": \"service\",\n" + + " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" + + " \"value\": \"nfs/_HOST@${realm}\"\n" + + " },\n" + + " \"name\": \"nfsgateway\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${hadoop-env/hdfs_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/nfs.service.keytab\",\n" + + " \"configuration\": \"hdfs-site/nfs.keytab.file\",\n" + + " \"group\": {\n" + + " \"access\": \"\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"name\": \"NFS_GATEWAY\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.journalnode.kerberos.principal\",\n" + + " \"type\": \"service\",\n" + + " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" + + " \"value\": \"jn/_HOST@${realm}\"\n" + + " },\n" + + " \"name\": \"journalnode_jn\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${hadoop-env/hdfs_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/jn.service.keytab\",\n" + + " \"configuration\": \"hdfs-site/dfs.journalnode.keytab.file\",\n" + + " \"group\": {\n" + + " \"access\": \"\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + 
" }\n" + + " },\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal\",\n" + + " \"type\": null,\n" + + " \"local_username\": null,\n" + + " \"value\": null\n" + + " },\n" + + " \"name\": \"/spnego\"\n" + + " }\n" + + " ],\n" + + " \"name\": \"JOURNALNODE\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hadoop-env/hdfs_principal_name\",\n" + + " \"type\": \"user\",\n" + + " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" + + " \"value\": \"${hadoop-env/hdfs_user}-${cluster_name|toLower()}@${realm}\"\n" + + " },\n" + + " \"name\": \"hdfs\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${hadoop-env/hdfs_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/hdfs.headless.keytab\",\n" + + " \"configuration\": \"hadoop-env/hdfs_user_keytab\",\n" + + " \"group\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " },\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.namenode.kerberos.principal\",\n" + + " \"type\": \"service\",\n" + + " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" + + " \"value\": \"nn/_HOST@${realm}\"\n" + + " },\n" + + " \"name\": \"namenode_nn\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${hadoop-env/hdfs_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/nn.service.keytab\",\n" + + " \"configuration\": \"hdfs-site/dfs.namenode.keytab.file\",\n" + + " \"group\": {\n" + + " \"access\": \"\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " },\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.namenode.kerberos.internal.spnego.principal\",\n" + + " \"type\": null,\n" + + " \"local_username\": null,\n" + + " \"value\": null\n" + + " },\n" + + " 
\"name\": \"/spnego\"\n" + + " },\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"ranger-hdfs-audit/xasecure.audit.jaas.Client.option.principal\",\n" + + " \"type\": null,\n" + + " \"local_username\": null,\n" + + " \"value\": null\n" + + " },\n" + + " \"name\": \"/HDFS/NAMENODE/namenode_nn\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": null,\n" + + " \"name\": null\n" + + " },\n" + + " \"file\": null,\n" + + " \"configuration\": \"ranger-hdfs-audit/xasecure.audit.jaas.Client.option.keyTab\",\n" + + " \"group\": {\n" + + " \"access\": null,\n" + + " \"name\": null\n" + + " }\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"configurations\": [\n" + + " {\n" + + " \"hdfs-site\": {\n" + + " \"dfs.block.access.token.enable\": \"true\"\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"name\": \"NAMENODE\"\n" + + " }\n" + + " ],\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.web.authentication.kerberos.principal\",\n" + + " \"type\": null,\n" + + " \"local_username\": null,\n" + + " \"value\": null\n" + + " },\n" + + " \"name\": \"/spnego\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": null,\n" + + " \"name\": null\n" + + " },\n" + + " \"file\": null,\n" + + " \"configuration\": \"hdfs-site/dfs.web.authentication.kerberos.keytab\",\n" + + " \"group\": {\n" + + " \"access\": null,\n" + + " \"name\": null\n" + + " }\n" + + " }\n" + + " },\n" + + " {\n" + + " \"name\": \"/smokeuser\"\n" + + " }\n" + + " ],\n" + + " \"auth_to_local_properties\": [\n" + + " \"core-site/hadoop.security.auth_to_local\"\n" + + " ],\n" + + " \"configurations\": [\n" + + " {\n" + + " \"ranger-hdfs-audit\": {\n" + + " \"xasecure.audit.jaas.Client.loginModuleControlFlag\": \"required\",\n" + + " \"xasecure.audit.jaas.Client.option.serviceName\": \"solr\",\n" + + " \"xasecure.audit.jaas.Client.loginModuleName\": \"com.sun.security.auth.module.Krb5LoginModule\",\n" + + " 
\"xasecure.audit.jaas.Client.option.useKeyTab\": \"true\",\n" + + " \"xasecure.audit.jaas.Client.option.storeKey\": \"false\",\n" + + " \"xasecure.audit.destination.solr.force.use.inmemory.jaas.config\": \"true\"\n" + + " }\n" + + " },\n" + + " {\n" + + " \"core-site\": {\n" + + " \"hadoop.security.authorization\": \"true\",\n" + + " \"hadoop.security.authentication\": \"kerberos\",\n" + + " \"hadoop.proxyuser.HTTP.groups\": \"${hadoop-env/proxyuser_group}\"\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"name\": \"HDFS\"\n" + + " },\n" + + " {\n" + + " \"components\": [\n" + + " {\n" + + " \"name\": \"NEW_SERVICE_CLIENT\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"name\": \"/HDFS/NAMENODE/hdfs\"\n" + + " },\n" + + " {\n" + + " \"name\": \"/HIVE/HIVE_SERVER/hive_server_hive\"\n" + + " }\n" + + " ],\n" + + " \"name\": \"NEW_SERVICE_FOO_BAR\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"name\": \"/HDFS/NAMENODE/hdfs\"\n" + + " }\n" + + " ],\n" + + " \"name\": \"NEW_SERVICE_SERVER\"\n" + + " }\n" + + " ],\n" + + " \"identities\": [\n" + + " {\n" + + " \"name\": \"/smokeuser\"\n" + + " }\n" + + " ],\n" + + " \"name\": \"NEW_SERVICE\"\n" + + " },\n" + + " {\n" + + " \"components\": [\n" + + " {\n" + + " \"name\": \"EXISTING_SERVICE_CLIENT\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"name\": \"/HDFS/NAMENODE/hdfs\"\n" + + " }\n" + + " ],\n" + + " \"name\": \"EXISTING_SERVICE_SERVER\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"name\": \"/HDFS/NAMENODE/hdfs\"\n" + + " }\n" + + " ],\n" + + " \"name\": \"EXISTING_SERVICE_NEW_SERVER\"\n" + + " }\n" + + " ],\n" + + " \"identities\": [\n" + + " {\n" + + " \"name\": \"/smokeuser\"\n" + + " },\n" + + " {\n" + + " \"name\": \"/HIVE/HIVE_SERVER/hive_server_hive\"\n" + + " }\n" + + " ],\n" + + " \"name\": \"EXISTING_SERVICE\"\n" + + " }\n" + + " ]\n" + + "}\n"); + + KerberosDescriptor userValue = 
KERBEROS_DESCRIPTOR_FACTORY.createInstance(oldValue.toMap()); + + KerberosDescriptor updatedUserValue = KerberosDescriptorUpdateHelper.updateUserKerberosDescriptor( + oldValue, + newValue, + userValue); + + Assert.assertEquals( + GSON.toJson(KERBEROS_DESCRIPTOR_FACTORY.createInstance( + "{\n" + + " \"services\": [\n" + + " {\n" + + " \"components\": [\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"application-properties/atlas.jaas.KafkaClient.option.principal\",\n" + + " \"type\": \"service\",\n" + + " \"local_username\": \"${atlas-env/metadata_user}\",\n" + + " \"value\": \"atlas/_HOST@${realm}\"\n" + + " },\n" + + " \"name\": \"atlas\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${atlas-env/metadata_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/atlas.service.keytab\",\n" + + " \"configuration\": \"application-properties/atlas.jaas.KafkaClient.option.keyTab\",\n" + + " \"group\": {\n" + + " \"access\": \"\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " },\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"application-properties/atlas.authentication.method.kerberos.principal\",\n" + + " \"type\": null,\n" + + " \"local_username\": null,\n" + + " \"value\": \"HTTP/_HOST@${realm}\"\n" + + " },\n" + + " \"name\": \"/spnego\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": null,\n" + + " \"name\": null\n" + + " },\n" + + " \"file\": null,\n" + + " \"configuration\": \"application-properties/atlas.authentication.method.kerberos.keytab\",\n" + + " \"group\": {\n" + + " \"access\": null,\n" + + " \"name\": null\n" + + " }\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"name\": \"ATLAS_SERVER\"\n" + + " }\n" + + " ],\n" + + " \"auth_to_local_properties\": [\n" + + " \"application-properties/atlas.authentication.method.kerberos.name.rules|new_lines_escaped\"\n" + + " ],\n" + + " 
\"configurations\": [\n" + + " {\n" + + " \"application-properties\": {\n" + + " \"atlas.kafka.security.protocol\": \"PLAINTEXTSASL\",\n" + + " \"atlas.jaas.KafkaClient.option.storeKey\": \"true\",\n" + + " \"atlas.solr.kerberos.enable\": \"true\",\n" + + " \"atlas.jaas.KafkaClient.loginModuleControlFlag\": \"required\",\n" + + " \"atlas.authentication.method.kerberos\": \"true\",\n" + + " \"atlas.jaas.KafkaClient.option.useKeyTab\": \"true\",\n" + + " \"atlas.kafka.sasl.kerberos.service.name\": \"${kafka-env/kafka_user}\",\n" + + " \"atlas.jaas.KafkaClient.loginModuleName\": \"com.sun.security.auth.module.Krb5LoginModule\",\n" + + " \"atlas.jaas.KafkaClient.option.serviceName\": \"${kafka-env/kafka_user}\"\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"name\": \"ATLAS\"\n" + + " },\n" + + " {\n" + + " \"components\": [\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.secondary.namenode.kerberos.principal\",\n" + + " \"type\": \"service\",\n" + + " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" + + " \"value\": \"nn/_HOST@${realm}\"\n" + + " },\n" + + " \"name\": \"secondary_namenode_nn\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${hadoop-env/hdfs_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/nn.service.keytab\",\n" + + " \"configuration\": \"hdfs-site/dfs.secondary.namenode.keytab.file\",\n" + + " \"group\": {\n" + + " \"access\": \"\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " },\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal\",\n" + + " \"type\": null,\n" + + " \"local_username\": null,\n" + + " \"value\": null\n" + + " },\n" + + " \"name\": \"/spnego\"\n" + + " }\n" + + " ],\n" + + " \"name\": \"SECONDARY_NAMENODE\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"name\": 
\"/HDFS/NAMENODE/hdfs\"\n" + + " }\n" + + " ],\n" + + " \"name\": \"HDFS_CLIENT\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.datanode.kerberos.principal\",\n" + + " \"type\": \"service\",\n" + + " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" + + " \"value\": \"dn/_HOST@${realm}\"\n" + + " },\n" + + " \"name\": \"datanode_dn\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${hadoop-env/hdfs_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/dn.service.keytab\",\n" + + " \"configuration\": \"hdfs-site/dfs.datanode.keytab.file\",\n" + + " \"group\": {\n" + + " \"access\": \"\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"configurations\": [\n" + + " {\n" + + " \"hdfs-site\": {\n" + + " \"dfs.datanode.address\": \"0.0.0.0:1019\",\n" + + " \"dfs.datanode.http.address\": \"0.0.0.0:1022\"\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"name\": \"DATANODE\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/nfs.kerberos.principal\",\n" + + " \"type\": \"service\",\n" + + " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" + + " \"value\": \"nfs/_HOST@${realm}\"\n" + + " },\n" + + " \"name\": \"nfsgateway\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${hadoop-env/hdfs_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/nfs.service.keytab\",\n" + + " \"configuration\": \"hdfs-site/nfs.keytab.file\",\n" + + " \"group\": {\n" + + " \"access\": \"\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"name\": \"NFS_GATEWAY\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.journalnode.kerberos.principal\",\n" + + " 
\"type\": \"service\",\n" + + " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" + + " \"value\": \"jn/_HOST@${realm}\"\n" + + " },\n" + + " \"name\": \"journalnode_jn\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${hadoop-env/hdfs_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/jn.service.keytab\",\n" + + " \"configuration\": \"hdfs-site/dfs.journalnode.keytab.file\",\n" + + " \"group\": {\n" + + " \"access\": \"\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " },\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal\",\n" + + " \"type\": null,\n" + + " \"local_username\": null,\n" + + " \"value\": null\n" + + " },\n" + + " \"name\": \"/spnego\"\n" + + " }\n" + + " ],\n" + + " \"name\": \"JOURNALNODE\"\n" + + " },\n" + + " {\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hadoop-env/hdfs_principal_name\",\n" + + " \"type\": \"user\",\n" + + " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" + + " \"value\": \"${hadoop-env/hdfs_user}-${cluster_name|toLower()}@${realm}\"\n" + + " },\n" + + " \"name\": \"hdfs\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${hadoop-env/hdfs_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/hdfs.headless.keytab\",\n" + + " \"configuration\": \"hadoop-env/hdfs_user_keytab\",\n" + + " \"group\": {\n" + + " \"access\": \"r\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " },\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.namenode.kerberos.principal\",\n" + + " \"type\": \"service\",\n" + + " \"local_username\": \"${hadoop-env/hdfs_user}\",\n" + + " \"value\": \"nn/_HOST@${realm}\"\n" + + " },\n" + + " \"name\": \"namenode_nn\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": \"r\",\n" + 
+ " \"name\": \"${hadoop-env/hdfs_user}\"\n" + + " },\n" + + " \"file\": \"${keytab_dir}/nn.service.keytab\",\n" + + " \"configuration\": \"hdfs-site/dfs.namenode.keytab.file\",\n" + + " \"group\": {\n" + + " \"access\": \"\",\n" + + " \"name\": \"${cluster-env/user_group}\"\n" + + " }\n" + + " }\n" + + " },\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.namenode.kerberos.internal.spnego.principal\",\n" + + " \"type\": null,\n" + + " \"local_username\": null,\n" + + " \"value\": null\n" + + " },\n" + + " \"name\": \"/spnego\"\n" + + " }\n" + + " ],\n" + + " \"configurations\": [\n" + + " {\n" + + " \"hdfs-site\": {\n" + + " \"dfs.block.access.token.enable\": \"true\"\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"name\": \"NAMENODE\"\n" + + " }\n" + + " ],\n" + + " \"identities\": [\n" + + " {\n" + + " \"principal\": {\n" + + " \"configuration\": \"hdfs-site/dfs.web.authentication.kerberos.principal\",\n" + + " \"type\": null,\n" + + " \"local_username\": null,\n" + + " \"value\": null\n" + + " },\n" + + " \"name\": \"/spnego\",\n" + + " \"keytab\": {\n" + + " \"owner\": {\n" + + " \"access\": null,\n" + + " \"name\": null\n" + + " },\n" + + " \"file\": null,\n" + + " \"configuration\": \"hdfs-site/dfs.web.authentication.kerberos.keytab\",\n" + + " \"group\": {\n" + + " \"access\": null,\n" + + " \"name\": null\n" + + " }\n" + + " }\n" + + " },\n" + + " {\n" + + " \"name\": \"/smokeuser\"\n" + + " }\n" + + " ],\n" + + " \"auth_to_local_properties\": [\n" + + " \"core-site/hadoop.security.auth_to_local\"\n" + + " ],\n" + + " \"configurations\": [\n" + + " {\n" + + " \"core-site\": {\n" + + " \"hadoop.security.authorization\": \"true\",\n" + + " \"hadoop.security.authentication\": \"kerberos\",\n" + + " \"hadoop.proxyuser.HTTP.groups\": \"${hadoop-env/proxyuser_group}\"\n" + + " }\n" + + " }\n" + + " ],\n" + + " \"name\": \"HDFS\"\n" + + " },\n" + + " {\n" + + " \"components\": [\n" + + " {\n" + + " \"name\": 
\"EXISTING_SERVICE_CLIENT\"\n" + + " },\n" + +
<TRUNCATED>