AMBARI-21904 Remove redundant smokeuser entry from Ranger KMS Kerberos descriptor (mugdha)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/a0594787
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/a0594787
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/a0594787
Branch: refs/heads/feature-branch-AMBARI-21307
Commit: a05947873b39d646575e6568e9b7cd086a10fac3
Parents: b7f53dc
Author: Mugdha Varadkar <mug...@apache.org>
Authored: Fri Sep 8 12:08:00 2017 +0530
Committer: Mugdha Varadkar <mug...@apache.org>
Committed: Fri Sep 8 14:24:18 2017 +0530
----------------------------------------------------------------------
 .../server/upgrade/UpgradeCatalog260.java | 40 +++++++
 .../RANGER_KMS/0.5.0.2.3/kerberos.json | 6 --
 .../RANGER_KMS/1.0.0.3.0/kerberos.json | 6 --
 .../HDP/2.5/services/RANGER_KMS/kerberos.json | 6 --
 .../server/upgrade/UpgradeCatalog260Test.java | 53 +++++++++
 .../test_kerberos_descriptor_ranger_kms.json | 108 +++++++++++++++++++
 6 files changed, 201 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/a0594787/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
index d1de998..d05f39a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
@@ -30,10 +30,17 @@ import javax.persistence.Query;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.ArtifactDAO;
+import org.apache.ambari.server.orm.entities.ArtifactEntity;
 import org.apache.ambari.server.orm.entities.ClusterConfigEntity;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
 import org.apache.ambari.server.state.Config;
+import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory;
+import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -387,6 +394,7 @@ public class UpgradeCatalog260 extends AbstractUpgradeCatalog {
 setUnmappedForOrphanedConfigs();
 removeSupersetFromDruid();
 ensureZeppelinProxyUserConfigs();
+ updateKerberosDescriptorArtifacts();
 }
 
 public int getCurrentVersionID() throws AmbariException, SQLException {
@@ -495,4 +503,36 @@ public class UpgradeCatalog260 extends AbstractUpgradeCatalog {
 }
 }
 }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ protected void updateKerberosDescriptorArtifact(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity) throws AmbariException {
+ if (artifactEntity != null) {
+ Map<String, Object> data = artifactEntity.getArtifactData();
+ if (data != null) {
+ final KerberosDescriptor kerberosDescriptor = new KerberosDescriptorFactory().createInstance(data);
+ if (kerberosDescriptor != null) {
+ KerberosServiceDescriptor rangerKmsServiceDescriptor = kerberosDescriptor.getService("RANGER_KMS");
+ if (rangerKmsServiceDescriptor != null) {
+
+ KerberosIdentityDescriptor rangerKmsServiceIdentity = rangerKmsServiceDescriptor.getIdentity("/smokeuser");
+ if (rangerKmsServiceIdentity != null) {
+ rangerKmsServiceDescriptor.removeIdentity("/smokeuser");
+ }
+ KerberosComponentDescriptor rangerKmscomponentDescriptor = rangerKmsServiceDescriptor.getComponent("RANGER_KMS_SERVER");
+ if (rangerKmscomponentDescriptor != null) {
+ KerberosIdentityDescriptor rangerKmsComponentIdentity = rangerKmscomponentDescriptor.getIdentity("/smokeuser");
+ if (rangerKmsComponentIdentity != null) {
+ rangerKmscomponentDescriptor.removeIdentity("/smokeuser");
+ }
+ }
+ }
+ artifactEntity.setArtifactData(kerberosDescriptor.toMap());
+ artifactDAO.merge(artifactEntity);
+ }
+ }
+ }
+ }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/a0594787/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json
index 69d6b6c..208a04d 100644
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json
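Review bot: `artifactEntity.setArtifactData(kerberosDescriptor.toMap())` and `artifactDAO.merge(artifactEntity)` run whenever the artifact data parses, even when the descriptor has no RANGER_KMS service or no `/smokeuser` identity, so every cluster's Kerberos descriptor artifact is re-serialized through `toMap()` and persisted during the upgrade. Tracking whether a removal actually happened and merging only then keeps the upgrade from rewriting unrelated security configuration, and a log line on the class's slf4j logger naming the removed identity would let an operator audit why `/smokeuser` disappeared from their RANGER_KMS descriptor. The `getIdentity(...) != null` checks before each `removeIdentity` look redundant if `removeIdentity` tolerates a missing name, but that contract is outside this hunk.
```java
protected void updateKerberosDescriptorArtifact(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity) throws AmbariException {
  // … unchanged: null checks, KerberosDescriptorFactory parse, RANGER_KMS lookup …
  boolean updated = false;
  if (rangerKmsServiceDescriptor != null) {
    if (rangerKmsServiceDescriptor.getIdentity("/smokeuser") != null) {
      rangerKmsServiceDescriptor.removeIdentity("/smokeuser");
      updated = true;
    }
    KerberosComponentDescriptor rangerKmscomponentDescriptor = rangerKmsServiceDescriptor.getComponent("RANGER_KMS_SERVER");
    if (rangerKmscomponentDescriptor != null && rangerKmscomponentDescriptor.getIdentity("/smokeuser") != null) {
      rangerKmscomponentDescriptor.removeIdentity("/smokeuser");
      updated = true;
    }
  }
  // persist only when the descriptor actually changed
  if (updated) {
    artifactEntity.setArtifactData(kerberosDescriptor.toMap());
    artifactDAO.merge(artifactEntity);
  }
  // … unchanged: closing braces of the enclosing null checks …
```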
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json
@@ -8,9 +8,6 @@
 "keytab": {
 "configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
 }
- },
- {
- "name": "/smokeuser"
 }
 ],
 "configurations": [
@@ -33,9 +30,6 @@
 "keytab": {
 "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab"
 }
- },
- {
- "name": "/smokeuser"
 }
 ]
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/a0594787/ambari-server/src/main/resources/common-services/RANGER_KMS/1.0.0.3.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/1.0.0.3.0/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER_KMS/1.0.0.3.0/kerberos.json
index a54783e..8bf4cd8 100644
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/1.0.0.3.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/1.0.0.3.0/kerberos.json
@@ -8,9 +8,6 @@
 "keytab": {
 "configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
 }
- },
- {
- "name": "/smokeuser"
 }
 ],
 "auth_to_local_properties" : [
@@ -48,9 +45,6 @@
 }
 },
 {
- "name": "/smokeuser"
- },
- {
 "name": "rangerkms",
 "principal": {
 "value": "rangerkms/_HOST@${realm}",
http://git-wip-us.apache.org/repos/asf/ambari/blob/a0594787/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json
index a54783e..8bf4cd8 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json
@@ -8,9 +8,6 @@
 "keytab": {
 "configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
 }
- },
- {
- "name": "/smokeuser"
 }
 ],
 "auth_to_local_properties" : [
@@ -48,9 +45,6 @@
 }
 },
 {
- "name": "/smokeuser"
- },
- {
 "name": "rangerkms",
 "principal": {
 "value": "rangerkms/_HOST@${realm}",
http://git-wip-us.apache.org/repos/asf/ambari/blob/a0594787/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java
index 2a62f2e..33c29bc 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java
@@ -22,6 +22,7 @@ import static org.easymock.EasyMock.anyObject;
 import static org.easymock.EasyMock.anyString;
 import static org.easymock.EasyMock.capture;
 import static org.easymock.EasyMock.createMock;
+import static org.easymock.EasyMock.createMockBuilder;
 import static org.easymock.EasyMock.eq;
 import static org.easymock.EasyMock.expect;
 import static org.easymock.EasyMock.expectLastCall;
@@ -30,6 +31,8 @@ import static org.easymock.EasyMock.replay;
 import static org.easymock.EasyMock.reset;
 import static org.easymock.EasyMock.verify;
 
+import java.io.File;
+import java.net.URL;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
@@ -51,11 +54,17 @@ import org.apache.ambari.server.controller.KerberosHelper;
 import org.apache.ambari.server.controller.MaintenanceStateHelper;
 import org.apache.ambari.server.orm.DBAccessor;
 import org.apache.ambari.server.orm.DBAccessor.DBColumnInfo;
+import org.apache.ambari.server.orm.dao.ArtifactDAO;
+import org.apache.ambari.server.orm.entities.ArtifactEntity;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
 import org.apache.ambari.server.state.Config;
 import org.apache.ambari.server.state.Service;
 import org.apache.ambari.server.state.StackId;
+import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory;
+import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
 import org.apache.ambari.server.state.stack.OsFamily;
 import org.easymock.Capture;
 import org.easymock.EasyMockRunner;
@@ -620,4 +629,48 @@ public class UpgradeCatalog260Test {
 Assert.assertEquals("existing_value", captureCoreSiteConfProperties.getValue().get("hadoop.proxyuser.zeppelin_user.hosts"));
 Assert.assertEquals("*", captureCoreSiteConfProperties.getValue().get("hadoop.proxyuser.zeppelin_user.groups"));
 }
+
+ @Test
+ public void testUpdateKerberosDescriptorArtifact() throws Exception {
+
+ URL systemResourceURL = ClassLoader.getSystemResource("kerberos/test_kerberos_descriptor_ranger_kms.json");
+ Assert.assertNotNull(systemResourceURL);
+
+ final KerberosDescriptor kerberosDescriptor = new KerberosDescriptorFactory().createInstance(new File(systemResourceURL.getFile()));
+ Assert.assertNotNull(kerberosDescriptor);
+
+ KerberosServiceDescriptor serviceDescriptor;
+ serviceDescriptor = kerberosDescriptor.getService("RANGER_KMS");
+ Assert.assertNotNull(serviceDescriptor);
+ Assert.assertNotNull(serviceDescriptor.getIdentity("/smokeuser"));
+
+ KerberosComponentDescriptor componentDescriptor;
+ componentDescriptor = serviceDescriptor.getComponent("RANGER_KMS_SERVER");
+ Assert.assertNotNull(componentDescriptor);
+ Assert.assertNotNull(componentDescriptor.getIdentity("/smokeuser"));
+
+ ArtifactEntity artifactEntity = createMock(ArtifactEntity.class);
+
+ expect(artifactEntity.getArtifactData()).andReturn(kerberosDescriptor.toMap()).once();
+
+ Capture<Map<String, Object>> captureMap = newCapture();
+ artifactEntity.setArtifactData(capture(captureMap));
+ expectLastCall().once();
+
+ ArtifactDAO artifactDAO = createMock(ArtifactDAO.class);
+ expect(artifactDAO.merge(artifactEntity)).andReturn(artifactEntity).atLeastOnce();
+
+ replay(artifactDAO, artifactEntity);
+
+ UpgradeCatalog260 upgradeCatalog260 = createMockBuilder(UpgradeCatalog260.class).createMock();
+ upgradeCatalog260.updateKerberosDescriptorArtifact(artifactDAO, artifactEntity);
+ verify(artifactDAO, artifactEntity);
+
+ KerberosDescriptor kerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(captureMap.getValue());
+ Assert.assertNotNull(kerberosDescriptorUpdated);
+
+ Assert.assertNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getIdentity("/smokeuser"));
+ Assert.assertNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getComponent("RANGER_KMS_SERVER").getIdentity("/smokeuser"));
+
+ }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/a0594787/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json
new file mode 100644
index 0000000..d7e048f
--- /dev/null
+++ b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json
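Review bot: The two `assertNull` calls at the end of testUpdateKerberosDescriptorArtifact only prove that the `/smokeuser` identities are gone; nothing checks that the identities that must survive the `toMap()` round trip (`/spnego` on the service, and `/spnego`, `rangerkms` and `/RANGER_KMS/RANGER_KMS_SERVER/rangerkms` on the component) are still present, so an upgrade step that dropped or corrupted other Kerberos identities would pass. Adding `Assert.assertNotNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getIdentity("/spnego"));` and `Assert.assertNotNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getComponent("RANGER_KMS_SERVER").getIdentity("rangerkms"));` next to the existing assertions would pin that the migration touches nothing else. Separately, `new File(systemResourceURL.getFile())` breaks when the test classpath contains URL-encoded characters such as spaces; `new File(systemResourceURL.toURI())` is the robust form.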
@@ -0,0 +1,108 @@
+{
+ "properties": {
+ "realm": "${kerberos-env/realm}",
+ "keytab_dir": "/etc/security/keytabs"
+ },
+ "identities": [
+ {
+ "name": "spnego",
+ "principal": {
+ "value": "HTTP/_HOST@${realm}",
+ "type": "service"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/spnego.service.keytab",
+ "owner": {
+ "name": "root",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": "r"
+ }
+ }
+ }
+ ],
+ "services": [
+ {
+ "name": "RANGER_KMS",
+ "identities": [
+ {
+ "name": "/spnego",
+ "keytab": {
+ "configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/smokeuser"
+ }
+ ],
+ "auth_to_local_properties" : [
+ "kms-site/hadoop.kms.authentication.kerberos.name.rules"
+ ],
+ "configurations": [
+ {
+ "kms-site": {
+ "hadoop.kms.authentication.type": "kerberos",
+ "hadoop.kms.authentication.kerberos.principal": "*"
+ }
+ },
+ {
+ "ranger-kms-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ],
+ "components": [
+ {
+ "name": "RANGER_KMS_SERVER",
+ "identities": [
+ {
+ "name": "/spnego",
+ "principal": {
+ "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/smokeuser"
+ },
+ {
+ "name": "rangerkms",
+ "principal": {
+ "value": "rangerkms/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "dbks-site/ranger.ks.kerberos.principal",
+ "local_username" : "keyadmin"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangerkms.service.keytab",
+ "owner": {
+ "name": "${kms-env/kms_user}",
+ "access": "r"
+ },
+ "configuration": "dbks-site/ranger.ks.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/RANGER_KMS/RANGER_KMS_SERVER/rangerkms",
+ "principal": {
+ "configuration": "ranger-kms-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-kms-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file