AMBARI-20600 : AMS grafana restart fails with ssl error after upgrading from 2.4.2.0. (avijayan)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/efa0b5da Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/efa0b5da Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/efa0b5da Branch: refs/heads/branch-feature-AMBARI-12556 Commit: efa0b5dabb07dbd1d917877c945306f60e370dcb Parents: 5a78a93 Author: Aravindan Vijayan <avija...@hortonworks.com> Authored: Wed Mar 29 14:20:17 2017 -0700 Committer: Aravindan Vijayan <avija...@hortonworks.com> Committed: Wed Mar 29 14:20:17 2017 -0700 ---------------------------------------------------------------------- ambari-common/src/main/python/ambari_commons/network.py | 2 ++ .../0.1.0/configuration/ams-grafana-ini.xml | 11 +++++++++++ .../0.1.0/package/scripts/metrics_grafana_util.py | 8 ++++---- .../AMBARI_METRICS/0.1.0/package/scripts/params.py | 1 + 4 files changed, 18 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/efa0b5da/ambari-common/src/main/python/ambari_commons/network.py ---------------------------------------------------------------------- diff --git a/ambari-common/src/main/python/ambari_commons/network.py b/ambari-common/src/main/python/ambari_commons/network.py index 6ab92b2..4c589f3 100644 --- a/ambari-common/src/main/python/ambari_commons/network.py +++ b/ambari-common/src/main/python/ambari_commons/network.py 
@@ -53,12 +53,14 @@ def get_http_connection(host, port, https_enabled=False, ca_certs=None): def check_ssl_certificate_and_return_ssl_version(host, port, ca_certs): try: + # Try with TLSv1 first. ssl_version = ssl.PROTOCOL_TLSv1 ssl.get_server_certificate((host, port), ssl_version=ssl_version, ca_certs=ca_certs) except ssl.SSLError as ssl_error: print_warning_msg("Failed to verify the SSL certificate for https://{0}:{1} with CA certificate in {2} using ssl.PROTOCOL_TLSv1." " Trying to use less secure ssl.PROTOCOL_SSLv23. Error : {3}".format(host, port, ca_certs, str(ssl_error))) try: + # Try with SSLv23 only if TLSv1 failed. ssl_version = ssl.PROTOCOL_SSLv23 ssl.get_server_certificate((host, port), ssl_version=ssl_version, ca_certs=ca_certs) except ssl.SSLError as ssl_error: http://git-wip-us.apache.org/repos/asf/ambari/blob/efa0b5da/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml index ee0a4ad..90ff540 100644 --- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml +++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml 
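Review bot: The two added comments in `check_ssl_certificate_and_return_ssl_version` present `ssl.PROTOCOL_SSLv23` as the weaker fallback, and the existing warning text calls it less secure, but in Python's ssl module that constant negotiates the highest protocol version both peers support, while `ssl.PROTOCOL_TLSv1` pins the probe to TLS 1.0. A Grafana endpoint with TLS 1.0 disabled will therefore always fail the first attempt and log a misleading warning. I would reword the first comment to `# Probe pinned to TLS 1.0; servers that disable it are handled by the negotiated attempt below.`, or drop the pinned attempt in a follow-up. As far as I know `ssl.get_server_certificate` with `ca_certs` validates the chain but does not check the host name, which deserves a one-line comment as well. The function body continues past the end of the hunk.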
@@ -46,6 +46,17 @@ <on-ambari-upgrade add="true"/> </property> <property> + <name>ca_cert</name> + <value></value> + <description>Path to CA root certificate or bundle to be used to validate the Grafana certificate against. + For self signed certificates, this value can be the same as the value for 'cert_file'. + (If a path is not specified, the certificate validation is skipped)</description> + <value-attributes> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> <name>content</name> <display-name>ams-grafana-ini template</display-name> <value> http://git-wip-us.apache.org/repos/asf/ambari/blob/efa0b5da/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py index c8d532f..06a4518 100644 --- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py +++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py @@ -50,7 +50,7 @@ def perform_grafana_get_call(url, server): ca_certs = None if grafana_https_enabled: import params - ca_certs = params.ams_grafana_cert_file + ca_certs = params.ams_grafana_ca_cert for i in xrange(0, GRAFANA_CONNECT_TRIES): try: @@ -90,7 +90,7 @@ def perform_grafana_put_call(url, id, payload, server): ca_certs = None if grafana_https_enabled: import params - ca_certs = params.ams_grafana_cert_file + ca_certs = params.ams_grafana_ca_cert for i in xrange(0, GRAFANA_CONNECT_TRIES): try: 
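Review bot: The new `ca_cert` description does not say that the no-validation state is the default: with `<value></value>` and `on-ambari-upgrade add="true"`, every upgraded cluster lands there. The other hunks in this commit show the Grafana calls previously passed `cert_file` as the CA, so a cluster with a self-signed certificate presumably goes from a checked connection to an unchecked one until an operator sets this property. I would make the parenthetical explicit, for example `(If no path is set, the Grafana server certificate is not verified: traffic is encrypted but the server is not authenticated. Set this after upgrade to restore verification.)`.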
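Review bot: In `perform_grafana_get_call`, when `grafana_https_enabled` is true and `ca_cert` is left at its empty default, `ca_certs` is passed on as None or an empty string and nothing in these lines records that the HTTPS call is made without certificate verification. The same applies to the three other hunks in this file (`perform_grafana_put_call`, `perform_grafana_post_call`, `perform_grafana_delete_call`). I would log a warning when the value is empty, using whatever logger the module already has, and move the repeated four lines into one private helper so the check lives in one place. The minimum is a comment such as `# Empty ca_cert means the Grafana certificate is not verified.`. How the connection helper treats an empty value is not visible here, and each function body starts and ends outside its hunk.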
@@ -125,7 +125,7 @@ def perform_grafana_post_call(url, payload, server): ca_certs = None if grafana_https_enabled: import params - ca_certs = params.ams_grafana_cert_file + ca_certs = params.ams_grafana_ca_cert for i in xrange(0, GRAFANA_CONNECT_TRIES): try: @@ -167,7 +167,7 @@ def perform_grafana_delete_call(url, server): ca_certs = None if grafana_https_enabled: import params - ca_certs = params.ams_grafana_cert_file + ca_certs = params.ams_grafana_ca_cert for i in xrange(0, GRAFANA_CONNECT_TRIES): try: http://git-wip-us.apache.org/repos/asf/ambari/blob/efa0b5da/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py index 1733b19..919f26d 100644 --- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py @@ -172,6 +172,7 @@ ams_grafana_port = default("/configurations/ams-grafana-ini/port", 3000) ams_grafana_protocol = default("/configurations/ams-grafana-ini/protocol", 'http') ams_grafana_cert_file = default("/configurations/ams-grafana-ini/cert_file", '/etc/ambari-metrics/conf/ams-grafana.crt') ams_grafana_cert_key = default("/configurations/ams-grafana-ini/cert_key", '/etc/ambari-metrics/conf/ams-grafana.key') +ams_grafana_ca_cert = default("/configurations/ams-grafana-ini/ca_cert", None) ams_hbase_home_dir = "/usr/lib/ams-hbase/"
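Review bot: The `None` default on `ams_grafana_ca_cert` only applies when the key is absent, and ams-grafana-ini.xml in this same commit ships the property with an empty value, so callers will most likely receive `''` rather than `None`. If any consumer tests `is None` instead of truthiness, the empty string would be handed on as a CA path. Normalising here keeps the four call sites in metrics_grafana_util.py consistent: `ams_grafana_ca_cert = default("/configurations/ams-grafana-ini/ca_cert", None) or None`, with a comment `# empty or unset: Grafana certificate is not verified`.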