AMBARI-20335. Kerberos identity reference not working for ranger-audit property in hbase (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/225edb97 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/225edb97 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/225edb97 Branch: refs/heads/branch-dev-logsearch Commit: 225edb97f91428be6426f50b794ba051df2bb65e Parents: 4df38c3 Author: Robert Levas <rle...@hortonworks.com> Authored: Tue Mar 7 10:03:12 2017 -0500 Committer: Robert Levas <rle...@hortonworks.com> Committed: Tue Mar 7 10:03:12 2017 -0500 ---------------------------------------------------------------------- .../server/upgrade/UpgradeCatalog250.java | 57 ++++--- .../stacks/HDP/2.5/services/HBASE/kerberos.json | 3 +- .../PERF/1.0/services/FAKEHBASE/kerberos.json | 3 +- .../server/upgrade/UpgradeCatalog250Test.java | 71 ++++++--- ...test_kerberos_descriptor_2_5_infra_solr.json | 148 ++++++++++++++++++- 5 files changed, 238 insertions(+), 44 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/225edb97/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
index 0246229..e244925 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
@@ -469,6 +469,7 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog {
 addInfrSolrDescriptor(artifactDAO, artifactEntity, kerberosDescriptor, logSearchKerberosDescriptor, "LOGSEARCH_SERVER");
 addInfrSolrDescriptor(artifactDAO, artifactEntity, kerberosDescriptor, rangerKerberosDescriptor, "RANGER_ADMIN");
 KerberosServiceDescriptor stormKerberosDescriptor = kerberosDescriptor.getService("STORM");
+ if (stormKerberosDescriptor != null) {
 KerberosComponentDescriptor componentDescriptor = stormKerberosDescriptor.getComponent("NIMBUS");
 if (componentDescriptor != null) {
@@ -476,27 +477,24 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog {
 if (origIdentityDescriptor != null) {
 KerberosPrincipalDescriptor origPrincipalDescriptor = origIdentityDescriptor.getPrincipalDescriptor();
 KerberosPrincipalDescriptor newPrincipalDescriptor = new KerberosPrincipalDescriptor(
- null,
- null,
- (origPrincipalDescriptor == null) ?
- "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal" : origPrincipalDescriptor.getConfiguration(),
- null
+ null,
+ null,
+ (origPrincipalDescriptor == null) ?
+ "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal" : origPrincipalDescriptor.getConfiguration(),
+ null
 );
 KerberosKeytabDescriptor origKeytabDescriptor = origIdentityDescriptor.getKeytabDescriptor();
 KerberosKeytabDescriptor newKeytabDescriptor = new KerberosKeytabDescriptor(
- null,
- null,
- null,
- null,
- null,
- (origKeytabDescriptor == null) ?
- "ranger-storm-audit/xasecure.audit.jaas.Client.option.keyTab" : origKeytabDescriptor.getConfiguration(),
- false);
+ null,
+ null,
+ null,
+ null,
+ null,
+ (origKeytabDescriptor == null) ?
+ "ranger-storm-audit/xasecure.audit.jaas.Client.option.keyTab" : origKeytabDescriptor.getConfiguration(),
+ false);
 componentDescriptor.removeIdentity("/STORM/NIMBUS/nimbus_server");
 componentDescriptor.putIdentity(new KerberosIdentityDescriptor("/STORM/storm_components", null, newPrincipalDescriptor, newKeytabDescriptor, null));
-
- artifactEntity.setArtifactData(kerberosDescriptor.toMap());
- artifactDAO.merge(artifactEntity);
 }
 }
 }
@@ -508,11 +506,32 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog {
 Map<String, String> properties = yarnSiteConfigDescriptor.getProperties();
 if (properties != null && properties.containsKey(YARN_LCE_CGROUPS_MOUNT_PATH)) {
 properties.remove(YARN_LCE_CGROUPS_MOUNT_PATH);
- artifactEntity.setArtifactData(kerberosDescriptor.toMap());
- artifactDAO.merge(artifactEntity);
 }
 }
 }
+
+ // Fix HBASE_MASTER Kerberos identity for Ranger audit by clearing out any keytab file or principal name values.
+ KerberosServiceDescriptor hbaseKerberosDescriptor = kerberosDescriptor.getService("HBASE");
+ if (hbaseKerberosDescriptor != null) {
+ KerberosComponentDescriptor hbaseMasterKerberosDescriptor = hbaseKerberosDescriptor.getComponent("HBASE_MASTER");
+ if (hbaseMasterKerberosDescriptor != null) {
+ KerberosIdentityDescriptor identityDescriptor = hbaseMasterKerberosDescriptor.getIdentity("/HBASE/HBASE_MASTER/hbase_master_hbase");
+
+ if (identityDescriptor != null) {
+ KerberosPrincipalDescriptor principalDescriptor = identityDescriptor.getPrincipalDescriptor();
+ KerberosKeytabDescriptor keytabDescriptor = identityDescriptor.getKeytabDescriptor();
+
+ identityDescriptor.setReference(identityDescriptor.getName());
+ identityDescriptor.setName("ranger_hbase_audit");
+
+ principalDescriptor.setValue(null);
+ keytabDescriptor.setFile(null);
+ }
+ }
+ }
+
+ artifactEntity.setArtifactData(kerberosDescriptor.toMap());
+ artifactDAO.merge(artifactEntity);
 }
 }
 }
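Review bot: `principalDescriptor.setValue(null)` and `keytabDescriptor.setFile(null)` dereference both descriptors without a null check, even though the STORM block earlier in this same method explicitly handles `origPrincipalDescriptor == null` and `origKeytabDescriptor == null`, so a stored descriptor whose `/HBASE/HBASE_MASTER/hbase_master_hbase` identity carries only a `principal` block or only a `keytab` block would abort the whole upgrade with a NullPointerException. Guard each call: `if (principalDescriptor != null) { principalDescriptor.setValue(null); }` and `if (keytabDescriptor != null) { keytabDescriptor.setFile(null); }`. The single `setArtifactData`/`merge` at the end now persists the artifact even when none of the branches changed anything, which is harmless but differs from the previous conditional merges and may deserve a short comment. The enclosing method `updateKerberosDescriptorArtifact` starts before this hunk.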
@@ -532,8 +551,6 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog {
 } else {
 Predicate predicate = ContainsPredicate.fromMap(Collections.<String, Object>singletonMap(ContainsPredicate.NAME, Arrays.asList("services", "AMBARI_INFRA")));
 componentDescriptor.putIdentity(new KerberosIdentityDescriptor("/AMBARI_INFRA/INFRA_SOLR/infra-solr",null, null, null, predicate));
- artifactEntity.setArtifactData(kerberosDescriptor.toMap());
- artifactDAO.merge(artifactEntity);
 }
 }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/225edb97/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json
index f510770..011921b 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json
@@ -93,7 +93,8 @@
 }
 },
 {
- "name": "/HBASE/HBASE_MASTER/hbase_master_hbase",
+ "name" : "ranger_hbase_audit",
+ "reference": "/HBASE/HBASE_MASTER/hbase_master_hbase",
 "principal": {
 "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.principal"
 },
http://git-wip-us.apache.org/repos/asf/ambari/blob/225edb97/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json
index b053779..f1026f1 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json
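Review bot: `"name" : "ranger_hbase_audit",` in the HDP 2.5 HBASE kerberos.json hunk puts a space before the colon, while the `"reference"` line added directly below it, every neighbouring key, and the identical change in the PERF FAKEHBASE descriptor use `"key": value`. Use `"name": "ranger_hbase_audit",` so the two stack descriptors stay byte-for-byte parallel apart from the service names.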
@@ -93,7 +93,8 @@
 }
 },
 {
- "name": "/FAKEHBASE/FAKEHBASE_MASTER/hbase_master_hbase",
+ "name": "ranger_hbase_audit",
+ "reference": "/FAKEHBASE/FAKEHBASE_MASTER/hbase_master_hbase",
 "principal": {
 "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.principal"
 },
http://git-wip-us.apache.org/repos/asf/ambari/blob/225edb97/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java ----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java
index ad01e07..3dfc32f 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java
@@ -56,8 +56,13 @@ import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
 import org.apache.ambari.server.state.Config;
 import org.apache.ambari.server.state.Service;
+import org.apache.ambari.server.state.kerberos.AbstractKerberosDescriptorContainer;
+import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor;
 import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
 import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory;
+import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosKeytabDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptor;
 import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
 import org.apache.ambari.server.state.stack.OsFamily;
 import org.easymock.Capture;
@@ -1682,34 +1687,34 @@ public class UpgradeCatalog250Test {
 Capture<Map<String, Object>> updateData = Capture.newInstance(CaptureType.ALL);
 artifactEntity.setArtifactData(capture(updateData));
- expectLastCall().times(4);
+ expectLastCall().times(1);
 ArtifactDAO artifactDAO = createNiceMock(ArtifactDAO.class);
- expect(artifactDAO.merge(anyObject(ArtifactEntity.class))).andReturn(artifactEntity).times(4);
+ expect(artifactDAO.merge(anyObject(ArtifactEntity.class))).andReturn(artifactEntity).times(1);
 replay(artifactEntity, artifactDAO, upgradeMock);
 upgradeMock.updateKerberosDescriptorArtifact(artifactDAO, artifactEntity);
 verify(artifactEntity, artifactDAO, upgradeMock);
- KerberosDescriptor atlasKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(0));
- KerberosDescriptor rangerKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(1));
- KerberosDescriptor stormKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(2));
- KerberosDescriptor yarnKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(3));
-
- Assert.assertNotNull(atlasKerberosDescriptorUpdated.getIdentity("spnego"));
- Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("LOGSEARCH"));
- Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("LOGSEARCH").getComponent("LOGSEARCH_SERVER"));
- Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("LOGSEARCH").getComponent("LOGSEARCH_SERVER").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr"));
- Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("ATLAS"));
- Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("ATLAS").getComponent("ATLAS_SERVER"));
- Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("ATLAS").getComponent("ATLAS_SERVER").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr"));
-
- Assert.assertNotNull(rangerKerberosDescriptorUpdated.getService("RANGER"));
- Assert.assertNotNull(rangerKerberosDescriptorUpdated.getService("RANGER").getComponent("RANGER_ADMIN"));
- Assert.assertNotNull(rangerKerberosDescriptorUpdated.getService("RANGER").getComponent("RANGER_ADMIN").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr"));
- Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM"));
- Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM").getComponent("NIMBUS"));
- Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM").getComponent("NIMBUS").getIdentity("/STORM/storm_components"));
- Assert.assertFalse(yarnKerberosDescriptorUpdated.getService("YARN").getConfigurations().get("yarn-site").getProperties().containsKey(propertyToRemove));
+ KerberosDescriptor kerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValue());
+
+ getIdentity(kerberosDescriptorUpdated,null, null, "spnego");
+ getIdentity(kerberosDescriptorUpdated,"LOGSEARCH", "LOGSEARCH_SERVER", "/AMBARI_INFRA/INFRA_SOLR/infra-solr");
+ getIdentity(kerberosDescriptorUpdated,"ATLAS", "ATLAS_SERVER", "/AMBARI_INFRA/INFRA_SOLR/infra-solr");
+ getIdentity(kerberosDescriptorUpdated,"RANGER", "RANGER_ADMIN", "/AMBARI_INFRA/INFRA_SOLR/infra-solr");
+ getIdentity(kerberosDescriptorUpdated,"STORM", "NIMBUS", "/STORM/storm_components");
+
+ Assert.assertFalse(kerberosDescriptorUpdated.getService("YARN").getConfigurations().get("yarn-site").getProperties().containsKey(propertyToRemove));
+
+ KerberosIdentityDescriptor rangerHbaseAuditIdentityDescriptor = getIdentity(kerberosDescriptorUpdated,"HBASE", "HBASE_MASTER", "ranger_hbase_audit");
+
+ KerberosPrincipalDescriptor rangerHbaseAuditPrincipalDescriptor = rangerHbaseAuditIdentityDescriptor.getPrincipalDescriptor();
+ Assert.assertNotNull(rangerHbaseAuditPrincipalDescriptor);
+ Assert.assertNull(rangerHbaseAuditPrincipalDescriptor.getValue());
+
+ KerberosKeytabDescriptor rangerHbaseAuditKeytabDescriptor = rangerHbaseAuditIdentityDescriptor.getKeytabDescriptor();
+ Assert.assertNotNull(rangerHbaseAuditKeytabDescriptor);
+ Assert.assertNull(rangerHbaseAuditKeytabDescriptor.getFile());
 }
 @Test
@@ -1936,4 +1941,28 @@ public class UpgradeCatalog250Test {
 }
 });
 }
+
+ private KerberosIdentityDescriptor getIdentity(KerberosDescriptor kerberosDescriptor, String serviceName, String componentName, String identityName) {
+ KerberosIdentityDescriptor identityDescriptor = null;
+ AbstractKerberosDescriptorContainer container = kerberosDescriptor;
+
+ if(serviceName != null) {
+ KerberosServiceDescriptor serviceDescriptor = kerberosDescriptor.getService(serviceName);
+ Assert.assertNotNull(serviceDescriptor);
+ container = serviceDescriptor;
+
+ if(componentName != null) {
+ KerberosComponentDescriptor componentDescriptor = serviceDescriptor.getComponent(componentName);
+ Assert.assertNotNull(componentDescriptor);
+ container = componentDescriptor;
+ }
+ }
+
+ if(identityName != null) {
+ identityDescriptor = container.getIdentity(identityName);
+ Assert.assertNotNull(identityDescriptor);
+ }
+
+ return identityDescriptor;
+ }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/225edb97/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json ----------------------------------------------------------------------
diff --git a/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json
index 0c2723e..de12baf 100644
--- a/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json
+++ b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json
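Review bot: The new assertions only cover the fixture in which the HBASE_MASTER audit identity carries both a `principal` and a `keytab` block, so the upgrade code path that calls `setValue(null)` and `setFile(null)` on an identity missing one of them is never exercised; a second descriptor variant with the `keytab` block omitted would pin that behaviour before it reaches a real upgrade. The `getIdentity(kerberosDescriptorUpdated,null, null, "spnego")` calls also drop the space after the first argument; `getIdentity(kerberosDescriptorUpdated, null, null, "spnego")` matches the argument spacing used elsewhere in this file. The test method starts before this hunk.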
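Review bot: `getIdentity` asserts each navigation level but silently returns `null` when `identityName` is null, and most callers discard the return value, so the contract deserves a Javadoc such as `/** Navigates to the service/component container, asserting each named level exists, and asserts the identity is present; returns null only when identityName is null. */`. The three `if(` occurrences without a space (`if(serviceName != null)`, `if(componentName != null)`, `if(identityName != null)`) also differ from the `if (` spacing used in the rest of the file.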
@@ -71,6 +71,153 @@
 ]
 },
 {
+ "components": [
+ {
+ "identities": [
+ {
+ "keytab": {
+ "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.keyTab",
+ "file": "${keytab_dir}/ams-hbase.master.keytab"
+ },
+ "name": "/HBASE/HBASE_MASTER/hbase_master_hbase",
+ "principal": {
+ "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.principal",
+ "local_username": null,
+ "type": null,
+ "value": "amshbase/_HOST@${realm}"
+ }
+ },
+ {
+ "name": "/HDFS/NAMENODE/hdfs"
+ },
+ {
+ "keytab": {
+ "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.keytab",
+ "file": "${keytab_dir}/spnego.service.keytab"
+ },
+ "name": "/spnego",
+ "principal": {
+ "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.principal",
+ "local_username": null,
+ "type": null,
+ "value": "HTTP/_HOST@${realm}"
+ }
+ },
+ {
+ "keytab": {
+ "configuration": "hbase-site/hbase.master.keytab.file",
+ "file": "${keytab_dir}/hbase.service.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ },
+ "owner": {
+ "access": "r",
+ "name": "${hbase-env/hbase_user}"
+ }
+ },
+ "name": "hbase_master_hbase",
+ "principal": {
+ "configuration": "hbase-site/hbase.master.kerberos.principal",
+ "local_username": "${hbase-env/hbase_user}",
+ "type": "service",
+ "value": "hbase/_HOST@${realm}"
+ }
+ }
+ ],
+ "name": "HBASE_MASTER"
+ },
+ {
+ "identities": [
+ {
+ "keytab": {
+ "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.keytab",
+ "file": "${keytab_dir}/spnego.service.keytab"
+ },
+ "name": "/spnego",
+ "principal": {
+ "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.principal",
+ "local_username": null,
+ "type": null,
+ "value": "HTTP/_HOST@${realm}"
+ }
+ },
+ {
+ "keytab": {
+ "configuration": "hbase-site/hbase.regionserver.keytab.file",
+ "file": "${keytab_dir}/hbase.service.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ },
+ "owner": {
+ "access": "r",
+ "name": "${hbase-env/hbase_user}"
+ }
+ },
+ "name": "hbase_regionserver_hbase",
+ "principal": {
+ "configuration": "hbase-site/hbase.regionserver.kerberos.principal",
+ "local_username": "${hbase-env/hbase_user}",
+ "type": "service",
+ "value": "hbase/_HOST@${realm}"
+ }
+ }
+ ],
+ "name": "HBASE_REGIONSERVER"
+ },
+ {
+ "identities": [
+ {
+ "keytab": {
+ "configuration": "hbase-site/phoenix.queryserver.keytab.file",
+ "file": null
+ },
+ "name": "phoenix_spnego",
+ "principal": {
+ "configuration": "hbase-site/phoenix.queryserver.kerberos.principal",
+ "local_username": null,
+ "type": null,
+ "value": null
+ },
+ "reference": "/spnego"
+ }
+ ],
+ "name": "PHOENIX_QUERY_SERVER"
+ }
+ ],
+ "identities": [
+ {
+ "name": "/smokeuser"
+ },
+ {
+ "name": "/spnego"
+ },
+ {
+ "keytab": {
+ "configuration": "hbase-env/hbase_user_keytab",
+ "file": "${keytab_dir}/hbase.headless.keytab",
+ "group": {
+ "access": "r",
+ "name": "${cluster-env/user_group}"
+ },
+ "owner": {
+ "access": "r",
+ "name": "${hbase-env/hbase_user}"
+ }
+ },
+ "name": "hbase",
+ "principal": {
+ "configuration": "hbase-env/hbase_principal_name",
+ "local_username": "${hbase-env/hbase_user}",
+ "type": "user",
+ "value": "${hbase-env/hbase_user}-${cluster_name|toLower()}@${realm}"
+ }
+ }
+ ],
+ "name": "HBASE"
+ },
+ {
 "name": "LOGSEARCH",
 "identities": [
 {
@@ -114,7 +261,6 @@
 }
 ]
 },
- ,
 {
 "components": [
 {