This is an automated email from the ASF dual-hosted git repository. smolnar pushed a commit to branch branch-2.7 in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push: new a05bb20 AMBARI-25141. Encrypting LDAP manager password in case password security is ON (#2810) a05bb20 is described below commit a05bb201067f0ae10d40f180bb6216d098f9447f Author: Sandor Molnar <smol...@apache.org> AuthorDate: Mon Feb 4 17:37:33 2019 +0100 AMBARI-25141. Encrypting LDAP manager password in case password security is ON (#2810)
---
 .../org/apache/ambari/server/utils/PasswordUtils.java | 3 ++-
 .../src/main/python/ambari_server/setupSecurity.py | 14 +++++--------
 .../apache/ambari/server/utils/PasswordUtilsTest.java | 18 ++++++++++++++++--
 3 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java b/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java
index dafc47c..04df5d9 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java
@@ -82,7 +82,8 @@ public class PasswordUtils {
 if (CredentialProvider.isAliasString(passwordProperty)) {
 return readPasswordFromStore(passwordProperty);
 } else {
- return readPasswordFromFile(passwordProperty, defaultPassword);
+ final String pw = readPasswordFromFile(passwordProperty, defaultPassword);
+ return CredentialProvider.isAliasString(pw) ? readPasswordFromStore(pw) : pw;
 }
 }
 return defaultPassword;
diff --git a/ambari-server/src/main/python/ambari_server/setupSecurity.py b/ambari-server/src/main/python/ambari_server/setupSecurity.py
index f6d0a3e..1958f8f 100644
--- a/ambari-server/src/main/python/ambari_server/setupSecurity.py
+++ b/ambari-server/src/main/python/ambari_server/setupSecurity.py
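Review bot: In PasswordUtils.java the new `CredentialProvider.isAliasString(pw)` check runs on whatever `readPasswordFromFile` returns, and judging by the existing test that expects `testPasswordDefault` back from a file path, that can be `defaultPassword` rather than file content. A default or a literal password that happens to match the alias syntax is therefore replaced by a credential-store lookup without any trace. The hunk also does not show what `readPasswordFromStore` returns when the alias is missing from the store; if that can be null, the caller no longer falls back to `defaultPassword`, so the result should be checked before it is returned. I would document the indirection next to the new lines, e.g. `// the password file may hold a credential-store alias instead of the password; it is resolved once, with no further indirection`, and confirm that file content is trimmed before the alias check. The enclosing method starts and ends outside the hunk.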
@@ -918,19 +918,15 @@ def setup_ldap(options): if isSecure: if mgr_password: encrypted_passwd = encrypt_password(LDAP_MGR_PASSWORD_ALIAS, mgr_password, options) - if mgr_password != encrypted_passwd: - ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = encrypted_passwd - pass + ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(encrypted_passwd, LDAP_MGR_PASSWORD_FILENAME) + if ts_password: encrypted_passwd = encrypt_password(SSL_TRUSTSTORE_PASSWORD_ALIAS, ts_password, options) if ts_password != encrypted_passwd: ldap_property_values_in_ambari_properties[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = encrypted_passwd - pass - pass - - # Persisting values - if mgr_password: - ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME) + else: #not secure + if mgr_password: + ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME) print 'Saving LDAP properties...' diff --git a/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java b/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java index b18ebd3..a47cb64 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java 
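Review bot: In the `isSecure` branch of setup_ldap the result of `encrypt_password` is now written to the password file without the removed `if mgr_password != encrypted_passwd` guard, while the truststore branch directly below still keeps that comparison. If `encrypt_password` hands back its input when encryption is unavailable, which the surviving `ts_password != encrypted_passwd` check suggests, the manager password ends up in the file in clear text even though password security is on, and the operator is not told. I would keep a check such as `if encrypted_passwd == mgr_password:` and warn or abort there before calling `store_password_file`. The permissions that `store_password_file` applies to the file are not visible here and matter for both branches. setup_ldap begins and ends outside the hunk.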
@@ -66,10 +66,10 @@ public class PasswordUtilsTest extends EasyMockSupport { final CredentialProvider credentialProvider = PowerMock.createNiceMock(CredentialProvider.class); setupBasicCredentialProviderExpectations(credentialProvider); credentialProvider.getPasswordForAlias(CS_ALIAS); - PowerMock.expectLastCall().andReturn("testPassword".toCharArray()).once(); + PowerMock.expectLastCall().andReturn("testPassword".toCharArray()).anyTimes(); PowerMock.replay(credentialProvider, CredentialProvider.class); replayAll(); - assertEquals("testPassword", passwordUtils.readPassword(CS_ALIAS, "testPassword")); + assertEquals("testPassword", passwordUtils.readPassword(CS_ALIAS, "testPasswordDefault")); verifyAll(); } @@ -95,6 +95,20 @@ public class PasswordUtilsTest extends EasyMockSupport { assertEquals("testPasswordDefault", passwordUtils.readPassword(passwordFile.getAbsolutePath(), "testPasswordDefault")); } + @Test + public void shouldResolveEncryptedPaswordIfWeStoreTheAliasInPasswordFile() throws Exception { + final String testPassword = "testPassword"; + final File passwordFile = writeTestPasswordFile(CS_ALIAS); + final CredentialProvider credentialProvider = PowerMock.createNiceMock(CredentialProvider.class); + setupBasicCredentialProviderExpectations(credentialProvider); + credentialProvider.getPasswordForAlias(CS_ALIAS); + PowerMock.expectLastCall().andReturn(testPassword.toCharArray()).anyTimes(); + PowerMock.replay(credentialProvider, CredentialProvider.class); + replayAll(); + assertEquals(testPassword, passwordUtils.readPassword(passwordFile.getAbsolutePath(), "testPasswordDefault")); + verifyAll(); + } + private File writeTestPasswordFile(final String testPassword) throws IOException { final TemporaryFolder tempFolder = new TemporaryFolder(); tempFolder.create();
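Review bot: Relaxing `.once()` to `.anyTimes()` on the `getPasswordForAlias(CS_ALIAS)` expectation allows zero calls, so as far as `verifyAll()` covers this PowerMock-created mock at all, the test no longer proves that the credential store was consulted; only the changed `assertEquals` with the distinct default still ties the result to the store. `PowerMock.expectLastCall().andReturn("testPassword".toCharArray()).atLeastOnce();` would keep that verification. The same applies to the expectation in the new test added in the following hunk. The test method's signature lies outside the hunk.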
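Review bot: The new test covers only a password file whose alias resolves; there is no case for a file with alias-shaped content that the credential store cannot resolve, which is the path where `readPassword` might return neither the password nor the supplied default. A second test that writes `CS_ALIAS` to the file, leaves the store lookup without a value, and pins the expected outcome would fix that contract. The method name also carries a typo: `shouldResolveEncryptedPaswordIfWeStoreTheAliasInPasswordFile` should read `shouldResolveEncryptedPasswordIfWeStoreTheAliasInPasswordFile`.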