AMBARI-19681: Credential store should add hadoop credential provider path property to all affected configuration types
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/f4f7571d Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/f4f7571d Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/f4f7571d Branch: refs/heads/branch-dev-patch-upgrade Commit: f4f7571d8f9a7709f030cd2587052492e40e8527 Parents: d77f3a5 Author: Nahappan Somasundaram <nsomasunda...@hortonworks.com> Authored: Tue Jan 24 09:53:58 2017 -0800 Committer: Nahappan Somasundaram <nsomasunda...@hortonworks.com> Committed: Tue Jan 24 12:34:25 2017 -0800 ---------------------------------------------------------------------- .../ambari_agent/CustomServiceOrchestrator.py | 8 ++---- .../libraries/functions/security_commons.py | 29 +++++++++----------- 2 files changed, 15 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/f4f7571d/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py ----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py b/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py
index 02f4212..8f1848c 100644
--- a/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py
+++ b/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py
@@ -266,7 +266,6 @@ class CustomServiceOrchestrator():
 serviceName = commandJson['serviceName']

 # Gather the password values and remove them from the configuration
- provider_paths = [] # A service may depend on multiple configs
 configtype_credentials = self.getConfigTypeCredentials(commandJson)
 for config_type, credentials in configtype_credentials.items():
 config = commandJson['configurations'][config_type]
@@ -274,7 +273,6 @@ class CustomServiceOrchestrator():
 if os.path.exists(file_path):
 os.remove(file_path)
 provider_path = 'jceks://file{file_path}'.format(file_path=file_path)
- provider_paths.append(provider_path)
 logger.info('provider_path={0}'.format(provider_path))
 for alias, pwd in credentials.items():
 logger.debug("config={0}".format(config))
@@ -286,10 +284,8 @@ class CustomServiceOrchestrator():
 cmd_result = subprocess.call(cmd)
 logger.info('cmd_result = {0}'.format(cmd_result))
 os.chmod(file_path, 0644) # group and others should have read access so that the service user can read
-
- if provider_paths:
- # Add JCEKS provider paths instead
- config[self.CREDENTIAL_PROVIDER_PROPERTY_NAME] = ','.join(provider_paths)
+ # Add JCEKS provider path instead
+ config[self.CREDENTIAL_PROVIDER_PROPERTY_NAME] = provider_path
 return cmd_result
http://git-wip-us.apache.org/repos/asf/ambari/blob/f4f7571d/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py ----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py b/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py
index cca244d..96d60da 100644
--- a/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py
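Review bot: In the `@@ -286,10 +284,8 @@` hunk of CustomServiceOrchestrator.py, the added `config[self.CREDENTIAL_PROVIDER_PROPERTY_NAME] = provider_path` runs regardless of what `subprocess.call(cmd)` returned, so a failed credential-create call still leaves the config pointing at a keystore that may be missing or incomplete. `cmd_result` is only logged and returned here; consider guarding the assignment, e.g. `if cmd_result == 0: config[self.CREDENTIAL_PROVIDER_PROPERTY_NAME] = provider_path`, and handling the failure explicitly. Separately, the context line `os.chmod(file_path, 0644)` makes the JCEKS file readable by every local account; unless the keystore is protected by a non-default password (not visible in this hunk), a mode like the `0640` used for the destination copy in security_commons.py, with a suitable group, would be tighter. Indentation has been lost on this page, so whether the new lines sit inside the `for alias, pwd` loop cannot be confirmed, and the enclosing method starts outside the hunk.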
@@ -46,22 +46,19 @@ def update_credential_provider_path(config, config_type, dest_provider_path, fil
 """
 # Get the path to the provider <config_type>.jceks
 if HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME in config:
- provider_paths = config[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME].split(',')
- for path_index in range(len(provider_paths)):
- provider_path = provider_paths[path_index]
- if config_type == os.path.splitext(os.path.basename(provider_path))[0]:
- src_provider_path = provider_path[len('jceks://file'):]
- File(dest_provider_path,
- owner = file_owner,
- group = file_group,
- mode = 0640,
- content = StaticFile(src_provider_path)
- )
- provider_paths[path_index] = 'jceks://file{0}'.format(dest_provider_path)
- # make a copy of the config dictionary since it is read-only
- config_copy = config.copy()
- config_copy[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME] = ','.join(provider_paths)
- return config_copy
+ provider_path = config[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME]
+ src_provider_path = provider_path[len('jceks://file'):]
+ File(dest_provider_path,
+ owner = file_owner,
+ group = file_group,
+ mode = 0640,
+ content = StaticFile(src_provider_path)
+ )
+ # make a copy of the config dictionary since it is read-only
+ config_copy = config.copy()
+ # overwrite the provider path with the path specified
+ config_copy[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME] = 'jceks://file{0}'.format(dest_provider_path)
+ return config_copy
 return config

 def validate_security_config_properties(params, configuration_rules):
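Review bot: The new `src_provider_path = provider_path[len('jceks://file'):]` slices the configured value without checking that it starts with `jceks://file`, and the old per-entry `config_type` basename match is gone, so whatever string the property holds becomes the source path handed to `StaticFile` and copied to `dest_provider_path` for `file_owner`/`file_group`. A comma-separated list or a provider with a different scheme would produce a wrong or unintended local path. I would validate before copying, e.g. `if not provider_path.startswith('jceks://file') or ',' in provider_path: return config` (or raise), with a comment stating that exactly one file-based provider is expected. `config_type` also appears unused in the visible body now; the function's signature and docstring start outside the hunk.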