Posted to commits@ambari.apache.org by rl...@apache.org on 2015/06/09 17:21:15 UTC
ambari git commit: AMBARI-11687. Kerberos: Force principal names to
resolve to lowercase lower usernames in auth-to-local default rules (Emil
Anca via rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk 3726656ec -> e71784299
AMBARI-11687. Kerberos: Force principal names to resolve to lowercase lower usernames in auth-to-local default rules (Emil Anca via rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e7178429
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e7178429
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e7178429
Branch: refs/heads/trunk
Commit: e71784299a526d8fa11d5430cc82aa9080c768d0
Parents: 3726656
Author: Emil Anca <ea...@hortonworks.com>
Authored: Tue Jun 9 11:20:56 2015 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Tue Jun 9 11:21:01 2015 -0400
----------------------------------------------------------------------
.../server/controller/AuthToLocalBuilder.java | 21 ++++++++++++-
.../server/controller/KerberosHelperImpl.java | 7 +++--
.../1.10.3-10/configuration/kerberos-env.xml | 8 +++++
.../controller/AuthToLocalBuilderTest.java | 31 ++++++++++++++++++++
.../server/controller/KerberosHelperTest.java | 4 ++-
ambari-web/app/data/HDP2/site_properties.js | 12 ++++++++
6 files changed, 79 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/e7178429/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
index 89d0b55..2a05614 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
@@ -61,6 +61,22 @@ public class AuthToLocalBuilder {
/**
+ * A flag indicating whether case insensitive support to the local username has been requested. This will append an //L switch to the generic realm rule
+ */
+ private boolean caseInsensitiveUser;
+
+ /**
+ * Default constructor. Case insensitive support false by default
+ */
+ public AuthToLocalBuilder() {
+ this.caseInsensitiveUser = false;
+ }
+
+ public AuthToLocalBuilder(boolean caseInsensitiveUserSupport) {
+ this.caseInsensitiveUser = caseInsensitiveUserSupport;
+ }
+
+ /**
* Add existing rules from the given authToLocal configuration property.
* The rules are added verbatim.
*
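Review bot: The new `AuthToLocalBuilder(boolean caseInsensitiveUserSupport)` constructor has no Javadoc, and the field comment does not say that the flag affects only the generated default realm rule. I would document the constructor with `@param caseInsensitiveUserSupport true to append /L to the generated default realm rule so the mapped local username is lowercased`. I would also reword the field comment to say that `/L` is appended to a rule that already ends in `//`, which is why the generated text reads `///L`. The no-argument constructor could delegate with `this(false);` so the default lives in one place.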
@@ -223,8 +239,10 @@ public class AuthToLocalBuilder {
* @return a new default realm rule
*/
private Rule createDefaultRealmRule(String realm) {
+ String caseSensitivityRule = caseInsensitiveUser ? "/L" : "";
+
return new Rule(new Principal(String.format(".*@%s", realm)),
- 1, 1, String.format("RULE:[1:$1@$0](.*@%s)s/@.*//", realm));
+ 1, 1, String.format("RULE:[1:$1@$0](.*@%s)s/@.*//" + caseSensitivityRule, realm));
}
/**
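Review bot: With `/L` appended in `createDefaultRealmRule`, principals that differ only in case (a constructed pair such as `Alice@EXAMPLE.COM` and `alice@EXAMPLE.COM`) resolve to the same local username, and nothing in the method says so. Where the KDC treats principal names as case-sensitive these are distinct identities, so the option is only safe when the directory guarantees case-insensitive uniqueness. I would add a comment above the `caseSensitivityRule` line such as `// /L lowercases the mapped name; principals differing only by case collapse to one local user`. The flag reaches only this generated default-realm rule, which is worth stating in the method Javadoc (it starts outside the hunk); whether rules added verbatim from existing configuration are affected cannot be seen from here.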
@@ -250,6 +268,7 @@ public class AuthToLocalBuilder {
for(Rule rule:setRules) {
copy.setRules.add(rule);
}
+ copy.caseInsensitiveUser = this.caseInsensitiveUser;
return copy;
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/e7178429/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
index 94de899..4ae1260 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
@@ -365,9 +365,12 @@ public class KerberosHelperImpl implements KerberosHelper {
Set<String> authToLocalProperties;
Set<String> authToLocalPropertiesToSet = new HashSet<String>();
- // Determine which properties need to be set
- AuthToLocalBuilder authToLocalBuilder = new AuthToLocalBuilder();
+ // a flag to be used by the AuthToLocalBuilder marking whether the default realm rule should contain the //L option, indicating username case insensitive behaviour
+ // the 'kerberos-env' structure is expected to be available here as it was previously validated
+ boolean caseInsensitiveUser = Boolean.valueOf(existingConfigurations.get("kerberos-env").get("case_insensitive_username_rules"));
+ // Determine which properties need to be set
+ AuthToLocalBuilder authToLocalBuilder = new AuthToLocalBuilder(caseInsensitiveUser);
addIdentities(authToLocalBuilder, kerberosDescriptor.getIdentities(), null, existingConfigurations);
authToLocalProperties = kerberosDescriptor.getAuthToLocalProperties();
http://git-wip-us.apache.org/repos/asf/ambari/blob/e7178429/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
index 6d720a0..e9665f3 100644
--- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
+++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
@@ -160,6 +160,14 @@
<value>${cluster_name}-${short_date}</value>
</property>
+ <property>
+ <name>case_insensitive_username_rules</name>
+ <description>
+ Force principal names to resolve to lowercase local usernames in auth-to-local rules
+ </description>
+ <value>false</value>
+ </property>
+
<property require-input="true">
<name>create_attributes_template</name>
<description>
http://git-wip-us.apache.org/repos/asf/ambari/blob/e7178429/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
index d1a2bd1..a88d962 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
@@ -54,6 +54,37 @@ public class AuthToLocalBuilderTest {
builder.generate("EXAMPLE.COM"));
}
+
+ @Test
+ public void testRuleGeneration_caseInsensitiveSupport() {
+ AuthToLocalBuilder builder = new AuthToLocalBuilder(true);
+
+ builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+ // Duplicate principal for secondary namenode, should be filtered out...
+ builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+ builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+ builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+ builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+ builder.addRule("foobar@EXAMPLE.COM", "hdfs");
+
+ assertEquals(
+ "RULE:[1:$1@$0](foobar@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*///L\n" +
+ "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" +
+ "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" +
+ "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" +
+ "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" +
+ "DEFAULT",
+ builder.generate("EXAMPLE.COM"));
+ }
+
@Test
public void testRuleGeneration_ExistingRules() {
AuthToLocalBuilder builder = new AuthToLocalBuilder();
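Review bot: `testRuleGeneration_caseInsensitiveSupport` only checks the string generated by a builder constructed with `true`. The line `copy.caseInsensitiveUser = this.caseInsensitiveUser;` added to the copy path in AuthToLocalBuilder.java is not exercised by any test visible in this commit. A copy that dropped the flag would quietly emit case-sensitive rules, so I would add a second assertion that generates from a copied builder and expects the same `RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*///L` line. A short comment in the test noting that only the default-realm rule carries `/L`, while the `[2:...]` service rules do not, would make the expected output easier to read.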
http://git-wip-us.apache.org/repos/asf/ambari/blob/e7178429/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
index e056ee3..467c3ac 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
@@ -1653,8 +1653,10 @@ public class KerberosHelperTest extends EasyMockSupport {
// Needed by infrastructure
injector.getInstance(AmbariMetaInfo.class).init();
+ Map existingConfigs = new HashMap<String, Map<String, String>>();
+ existingConfigs.put("kerberos-env", new HashMap<String,String>());
- kerberosHelper.setAuthToLocalRules(kerberosDescriptor, cluster, "EXAMPLE.COM", new HashMap<String, Map<String, String>>(), kerberosConfigurations);
+ kerberosHelper.setAuthToLocalRules(kerberosDescriptor, cluster, "EXAMPLE.COM", existingConfigs, kerberosConfigurations);
verifyAll();
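Review bot: `Map existingConfigs` is declared as a raw type, so the `put` call and the argument passed to `setAuthToLocalRules` compile with unchecked warnings and lose type checking. Declaring it as `Map<String, Map<String, String>> existingConfigs = new HashMap<String, Map<String, String>>();` keeps the test consistent with the expression it replaces. The empty `kerberos-env` map also means this test covers only the flag-absent path. A case that puts `case_insensitive_username_rules` = `true` into the map would check that the setting actually reaches the builder. The test method starts and ends outside the hunk.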
http://git-wip-us.apache.org/repos/asf/ambari/blob/e7178429/ambari-web/app/data/HDP2/site_properties.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/data/HDP2/site_properties.js b/ambari-web/app/data/HDP2/site_properties.js
index 484ad38..ebdbb18 100644
--- a/ambari-web/app/data/HDP2/site_properties.js
+++ b/ambari-web/app/data/HDP2/site_properties.js
@@ -2413,6 +2413,18 @@ var hdp2properties = [
},
{
"id": "puppet var",
+ "name": "case_insensitive_username_rules",
+ "displayName": "Enable case insensitive username rules",
+ "displayType": "checkbox",
+ "isOverridable": false,
+ "isVisible": true,
+ "serviceName": "KERBEROS",
+ "filename": "kerberos-env.xml",
+ "category": "Advanced kerberos-env",
+ "index" : 11
+ },
+ {
+ "id": "puppet var",
"name": "domains",
"displayName": "Domains",
"isRequired": false,