AMBARI-20049. One way SSL fallback logic can cause some agents to be connected with 2-way SSL (aonishuk)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/4379aea0
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/4379aea0
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/4379aea0
Branch: refs/heads/branch-2.5
Commit: 4379aea0b947bca6e9a0de0927335139892aaec9
Parents: 48ea538
Author: Andrew Onishuk <aonis...@hortonworks.com>
Authored: Thu Feb 16 17:36:31 2017 +0200
Committer: Andrew Onishuk <aonis...@hortonworks.com>
Committed: Thu Feb 16 17:36:31 2017 +0200
----------------------------------------------------------------------
 .../src/main/python/ambari_agent/security.py | 17 +++++------------
 .../src/test/python/ambari_agent/TestSecurity.py | 2 ++
 2 files changed, 7 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/4379aea0/ambari-agent/src/main/python/ambari_agent/security.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/security.py b/ambari-agent/src/main/python/ambari_agent/security.py
index 779b85c..d0cfde4 100644
--- a/ambari-agent/src/main/python/ambari_agent/security.py
+++ b/ambari-agent/src/main/python/ambari_agent/security.py
@@ -55,18 +55,11 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
 'Server require two-way SSL authentication. Use it instead of one-way...')
 if not self.two_way_ssl_required:
- try:
- sock = self.create_connection()
- self.sock = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_NONE)
- logger.info('SSL connection established. Two-way SSL authentication is '
- 'turned off on the server.')
- except (ssl.SSLError, AttributeError):
- self.two_way_ssl_required = True
- logger.info(
- 'Insecure connection to https://' + self.host + ':' + self.port +
- '/ failed. Reconnecting using two-way SSL authentication..')
-
- if self.two_way_ssl_required:
+ sock = self.create_connection()
+ self.sock = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_NONE)
+ logger.info('SSL connection established. Two-way SSL authentication is '
+ 'turned off on the server.')
+ else:
 self.certMan = CertificateManager(self.config, self.host)
 self.certMan.initSecurity()
 agent_key = self.certMan.getAgentKeyName()
http://git-wip-us.apache.org/repos/asf/ambari/blob/4379aea0/ambari-agent/src/test/python/ambari_agent/TestSecurity.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/test/python/ambari_agent/TestSecurity.py b/ambari-agent/src/test/python/ambari_agent/TestSecurity.py
index 9e28ae7..c9a7fbe 100644
--- a/ambari-agent/src/test/python/ambari_agent/TestSecurity.py
+++ b/ambari-agent/src/test/python/ambari_agent/TestSecurity.py
@@ -102,6 +102,8 @@ class TestSecurity(unittest.TestCase):
 wrap_socket_mock.side_effect=ssl.SSLError()
 connection = security.VerifiedHTTPSConnection("example.com", self.config.get('server', 'secured_url_port'), self.config)
+ self.config.isTwoWaySSLConnection = MagicMock(return_value=True)
+ connection._tunnel_host = False
 connection.sock = None
 try:
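Review bot: The one-way branch in security.py still wraps the socket with `cert_reqs=ssl.CERT_NONE`, so the agent encrypts the channel but never authenticates the server, and this is now the only handshake attempted whenever `two_way_ssl_required` is false. If that is the intended trust model, document it at the call, e.g. `# one-way SSL: server certificate is NOT verified (CERT_NONE); the peer is unauthenticated`. Otherwise the call needs `cert_reqs=ssl.CERT_REQUIRED` together with a `ca_certs` bundle, which this hunk does not show the agent having on this path. Separately, an `ssl.SSLError` raised by `wrap_socket` now propagates with `sock` still open, so closing it before re-raising would avoid leaking the descriptor on a failed handshake. The enclosing method starts and ends outside the hunk, so how `two_way_ssl_required` is decided is not visible here.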