Posted to commits@ambari.apache.org by rl...@apache.org on 2015/01/07 02:21:12 UTC
ambari git commit: AMBARI-8485. Hive service components should
indicate security state (rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk 14cb9b4ce -> db3b306d8
AMBARI-8485. Hive service components should indicate security state (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/db3b306d
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/db3b306d
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/db3b306d
Branch: refs/heads/trunk
Commit: db3b306d828994af5e7bc5e4537261536f24e040
Parents: 14cb9b4
Author: Robert Levas <rl...@hortonworks.com>
Authored: Tue Jan 6 20:20:56 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Tue Jan 6 20:20:56 2015 -0500
----------------------------------------------------------------------
.../package/scripts/hive_metastore.py | 54 ++++++++-
.../0.12.0.2.0/package/scripts/hive_server.py | 64 +++++++++++
.../HIVE/0.12.0.2.0/package/scripts/params.py | 4 +-
.../0.12.0.2.0/package/scripts/status_params.py | 15 ++-
.../HIVE/0.12.0.2.0/package/scripts/webhcat.py | 8 +-
.../package/scripts/webhcat_server.py | 74 +++++++++++-
.../stacks/HDP/2.2/services/HIVE/kerberos.json | 7 +-
.../stacks/2.0.6/HIVE/test_hive_server.py | 113 ++++++++++++++++++
.../stacks/2.0.6/HIVE/test_webhcat_server.py | 115 +++++++++++++++++++
.../python/stacks/2.0.6/configs/secured.json | 2 +-
.../stacks/2.1/HIVE/test_hive_metastore.py | 115 ++++++++++++++++++-
11 files changed, 560 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_metastore.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_metastore.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_metastore.py
index 84a76ea..c83affa 100644
--- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_metastore.py
+++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_metastore.py
@@ -20,7 +20,9 @@ limitations under the License.
import sys
from resource_management import *
-
+from resource_management.libraries.functions.security_commons import build_expectations, \
+ cached_kinit_executor, get_params_from_filesystem, validate_security_config_properties, \
+ FILE_TYPE_XML
from hive import hive
from hive_service import hive_service
@@ -73,5 +75,55 @@ class HiveMetastore(Script):
Execute(format("hdp-select set hive-metastore {version}"))
+ def security_status(self, env):
+ import status_params
+ env.set_params(status_params)
+ if status_params.security_enabled:
+ props_value_check = {"hive.server2.authentication": "KERBEROS",
+ "hive.metastore.sasl.enabled": "true",
+ "hive.security.authorization.enabled": "true"}
+ props_empty_check = ["hive.metastore.kerberos.keytab.file",
+ "hive.metastore.kerberos.principal"]
+
+ props_read_check = ["hive.metastore.kerberos.keytab.file"]
+ hive_site_props = build_expectations('hive-site', props_value_check, props_empty_check,
+ props_read_check)
+
+ hive_expectations ={}
+ hive_expectations.update(hive_site_props)
+
+ security_params = get_params_from_filesystem(status_params.hive_conf_dir,
+ {'hive-site.xml': FILE_TYPE_XML})
+ result_issues = validate_security_config_properties(security_params, hive_expectations)
+ if not result_issues: # If all validations passed successfully
+ try:
+ # Double check the dict before calling execute
+ if 'hive-site' not in security_params \
+ or 'hive.metastore.kerberos.keytab.file' not in security_params['hive-site'] \
+ or 'hive.metastore.kerberos.principal' not in security_params['hive-site']:
+ self.put_structured_out({"securityState": "UNSECURED"})
+ self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
+ return
+
+ cached_kinit_executor(status_params.kinit_path_local,
+ status_params.hive_user,
+ security_params['hive-site']['hive.metastore.kerberos.keytab.file'],
+ security_params['hive-site']['hive.metastore.kerberos.principal'],
+ status_params.hostname,
+ status_params.tmp_dir)
+
+ self.put_structured_out({"securityState": "SECURED_KERBEROS"})
+ except Exception as e:
+ self.put_structured_out({"securityState": "ERROR"})
+ self.put_structured_out({"securityStateErrorInfo": str(e)})
+ else:
+ issues = []
+ for cf in result_issues:
+ issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
+ self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
+ self.put_structured_out({"securityState": "UNSECURED"})
+ else:
+ self.put_structured_out({"securityState": "UNSECURED"})
+
if __name__ == "__main__":
HiveMetastore().execute()
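Review bot: The value map at the top of `security_status` makes the metastore's reported state depend on `hive.server2.authentication` and `hive.security.authorization.enabled`, neither of which says whether the metastore itself is Kerberized. Assuming `build_expectations` treats `props_value_check` as required exact values, a host with `hive.metastore.sasl.enabled` set to true and a valid keytab and principal, but with authorization switched off, would be reported `UNSECURED`. If that coupling is intended, it deserves a comment above the map such as `# SECURED_KERBEROS requires HS2 Kerberos auth, metastore SASL and authorization all enabled`. Otherwise the metastore check could be limited to `hive.metastore.sasl.enabled` plus the keytab and principal properties.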
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_server.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_server.py
index 12efae8..b85e088 100644
--- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_server.py
+++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_server.py
@@ -23,6 +23,9 @@ from resource_management import *
from hive import hive
from hive_service import hive_service
from resource_management.libraries.functions.dynamic_variable_interpretation import copy_tarballs_to_hdfs
+from resource_management.libraries.functions.security_commons import build_expectations, \
+ cached_kinit_executor, get_params_from_filesystem, validate_security_config_properties, \
+ FILE_TYPE_XML
from install_jars import install_tez_jars
class HiveServer(Script):
@@ -82,5 +85,66 @@ class HiveServer(Script):
Execute(format("hdp-select set hive-server2 {version}"))
+ def security_status(self, env):
+ import status_params
+ env.set_params(status_params)
+ if status_params.security_enabled:
+ props_value_check = {"hive.server2.authentication": "KERBEROS",
+ "hive.metastore.sasl.enabled": "true",
+ "hive.security.authorization.enabled": "true"}
+ props_empty_check = ["hive.server2.authentication.kerberos.keytab",
+ "hive.server2.authentication.kerberos.principal",
+ "hive.server2.authentication.spnego.principal",
+ "hive.server2.authentication.spnego.keytab"]
+
+ props_read_check = ["hive.server2.authentication.kerberos.keytab",
+ "hive.server2.authentication.spnego.keytab"]
+ hive_site_props = build_expectations('hive-site', props_value_check, props_empty_check,
+ props_read_check)
+
+ hive_expectations ={}
+ hive_expectations.update(hive_site_props)
+
+ security_params = get_params_from_filesystem(status_params.hive_conf_dir,
+ {'hive-site.xml': FILE_TYPE_XML})
+ result_issues = validate_security_config_properties(security_params, hive_expectations)
+ if not result_issues: # If all validations passed successfully
+ try:
+ # Double check the dict before calling execute
+ if 'hive-site' not in security_params \
+ or 'hive.server2.authentication.kerberos.keytab' not in security_params['hive-site'] \
+ or 'hive.server2.authentication.kerberos.principal' not in security_params['hive-site'] \
+ or 'hive.server2.authentication.spnego.keytab' not in security_params['hive-site'] \
+ or 'hive.server2.authentication.spnego.principal' not in security_params['hive-site']:
+ self.put_structured_out({"securityState": "UNSECURED"})
+ self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
+ return
+
+ cached_kinit_executor(status_params.kinit_path_local,
+ status_params.hive_user,
+ security_params['hive-site']['hive.server2.authentication.kerberos.keytab'],
+ security_params['hive-site']['hive.server2.authentication.kerberos.principal'],
+ status_params.hostname,
+ status_params.tmp_dir)
+ cached_kinit_executor(status_params.kinit_path_local,
+ status_params.hive_user,
+ security_params['hive-site']['hive.server2.authentication.spnego.keytab'],
+ security_params['hive-site']['hive.server2.authentication.spnego.principal'],
+ status_params.hostname,
+ status_params.tmp_dir)
+ self.put_structured_out({"securityState": "SECURED_KERBEROS"})
+ except Exception as e:
+ self.put_structured_out({"securityState": "ERROR"})
+ self.put_structured_out({"securityStateErrorInfo": str(e)})
+ else:
+ issues = []
+ for cf in result_issues:
+ issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
+ self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
+ self.put_structured_out({"securityState": "UNSECURED"})
+ else:
+ self.put_structured_out({"securityState": "UNSECURED"})
+
+
if __name__ == "__main__":
HiveServer().execute()
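Review bot: The `except Exception as e` branch near the end of `security_status` copies `str(e)` straight into `securityStateErrorInfo`, and the same lines appear in hive_metastore.py and webhcat_server.py. If `cached_kinit_executor` raises with the failed command in its message (not visible here), keytab paths and principal names travel with the status report to wherever structured output is displayed. Consider a fixed message such as `self.put_structured_out({"securityStateErrorInfo": "kinit failed; see the agent log"})`, with the detail logged locally. The missing-key message `"Keytab file or principal are not set property."` presumably means "properly"; the new tests assert it verbatim, so the string and the tests have to change together.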
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params.py
index 8eae687..80f5c54 100644
--- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params.py
@@ -239,7 +239,7 @@ hive_hdfs_user_mode = 0700
hive_apps_whs_dir = config['configurations']['hive-site']["hive.metastore.warehouse.dir"]
#for create_hdfs_directory
hdfs_user_keytab = config['configurations']['hadoop-env']['hdfs_user_keytab']
-hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name']
+hdfs_principal_name = default('/configurations/hadoop-env/hdfs_principal_name', 'missing_principal').replace("_HOST", hostname)
# Tez-related properties
tez_user = config['configurations']['tez-env']['tez_user']
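Review bot: The new `default(..., 'missing_principal')` on `hdfs_principal_name` turns an absent principal into a plausible-looking literal instead of an error. On a cluster with security enabled, a later kinit using this value would fail with a message about `missing_principal` rather than pointing at the unset `hadoop-env/hdfs_principal_name`. A guard such as `if security_enabled and hdfs_principal_name == 'missing_principal': raise Fail("hadoop-env/hdfs_principal_name is not set")` would surface the misconfiguration early, assuming `security_enabled` and `Fail` are in scope at that point, which the hunk does not show. The second hunk in this file stops passing the principal as `hdfs_user`; whether `HdfsDirectory` still receives it through another keyword is outside the visible lines.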
@@ -306,7 +306,7 @@ import functools
HdfsDirectory = functools.partial(
HdfsDirectory,
conf_dir = hadoop_conf_dir,
- hdfs_user = hdfs_principal_name if security_enabled else hdfs_user,
+ hdfs_user = hdfs_user,
security_enabled = security_enabled,
keytab = hdfs_user_keytab,
kinit_path_local = kinit_path_local,
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/status_params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/status_params.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/status_params.py
index e6f2514..66de02a 100644
--- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/status_params.py
+++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/status_params.py
@@ -33,4 +33,17 @@ webhcat_pid_file = format('{hcat_pid_dir}/webhcat.pid')
if System.get_instance().os_family == "suse" or System.get_instance().os_family == "ubuntu":
daemon_name = 'mysql'
else:
- daemon_name = 'mysqld'
\ No newline at end of file
+ daemon_name = 'mysqld'
+
+
+# Security related/required params
+hostname = config['hostname']
+security_enabled = config['configurations']['cluster-env']['security_enabled']
+hadoop_conf_dir = "/etc/hadoop/conf"
+kinit_path_local = functions.get_kinit_path(["/usr/bin", "/usr/kerberos/bin", "/usr/sbin"])
+tmp_dir = Script.get_tmp_dir()
+hdfs_user = config['configurations']['hadoop-env']['hdfs_user']
+hive_user = config['configurations']['hive-env']['hive_user']
+hive_conf_dir = "/etc/hive/conf"
+webhcat_user = config['configurations']['hive-env']['webhcat_user']
+webhcat_conf_dir = '/etc/hive-webhcat/conf'
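Review bot: `hive_conf_dir`, `webhcat_conf_dir` and `hadoop_conf_dir` are hard-coded in the added block, and the new `security_status` commands validate whichever hive-site.xml and webhcat-site.xml they find under those paths. If params.py derives the configuration directories differently (not visible in this commit), the reported security state would describe files the running service does not read. A comment stating the assumption would help, e.g. `# must match the conf dirs used in params.py; security_status validates the files found here`. Deriving both sets of values from one source would keep them from drifting.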
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py
index c02bf74..9d53ea9 100644
--- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py
+++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py
@@ -128,9 +128,15 @@ def webhcat():
hadoop_conf_dir=params.hadoop_conf_dir
)
+ # Replace _HOST with hostname in relevant principal-related properties
+ webhcat_site = params.config['configurations']['webhcat-site'].copy()
+ for prop_name in ['templeton.hive.properties', 'templeton.kerberos.principal']:
+ if prop_name in webhcat_site:
+ webhcat_site[prop_name] = webhcat_site[prop_name].replace("_HOST", params.hostname)
+
XmlConfig("webhcat-site.xml",
conf_dir=params.config_dir,
- configurations=params.config['configurations']['webhcat-site'],
+ configurations=webhcat_site,
configuration_attributes=params.config['configuration_attributes']['webhcat-site'],
owner=params.webhcat_user,
group=params.user_group,
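Review bot: The `_HOST` substitution in the added loop uses `params.hostname` as is, while Hadoop's own `_HOST` expansion lower-cases the host name before building the principal. If the agent reports a host name containing upper-case letters, the principal written to webhcat-site.xml would not match the one the KDC and the other services use; `webhcat_site[prop_name] = webhcat_site[prop_name].replace("_HOST", params.hostname.lower())` avoids that. The replace also rewrites every occurrence of `_HOST` inside `templeton.hive.properties`, not only the one in `hive.metastore.kerberos.principal`. `webhcat()` starts before and continues after the hunk.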
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat_server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat_server.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat_server.py
index f1f9f37..38c7ee5 100644
--- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat_server.py
+++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat_server.py
@@ -19,7 +19,9 @@ Ambari Agent
"""
from resource_management import *
-
+from resource_management.libraries.functions.security_commons import build_expectations, \
+ cached_kinit_executor, get_params_from_filesystem, validate_security_config_properties, \
+ FILE_TYPE_XML
from webhcat import webhcat
from webhcat_service import webhcat_service
@@ -62,5 +64,75 @@ class WebHCatServer(Script):
if params.version and compare_versions(format_hdp_stack_version(params.version), '2.2.0.0') >= 0:
Execute(format("hdp-select set hive-webhcat {version}"))
+ def security_status(self, env):
+ import status_params
+ env.set_params(status_params)
+
+ if status_params.security_enabled:
+ expectations ={}
+ expectations.update(
+ build_expectations(
+ 'webhcat-site',
+ {
+ "templeton.kerberos.secret": "secret"
+ },
+ [
+ "templeton.kerberos.keytab",
+ "templeton.kerberos.principal"
+ ],
+ [
+ "templeton.kerberos.keytab"
+ ]
+ )
+ )
+ expectations.update(
+ build_expectations(
+ 'hive-site',
+ {
+ "hive.server2.authentication": "KERBEROS",
+ "hive.metastore.sasl.enabled": "true",
+ "hive.security.authorization.enabled": "true"
+ },
+ None,
+ None
+ )
+ )
+
+ security_params = {}
+ security_params.update(get_params_from_filesystem(status_params.hive_conf_dir,
+ {'hive-site.xml': FILE_TYPE_XML}))
+ security_params.update(get_params_from_filesystem(status_params.webhcat_conf_dir,
+ {'webhcat-site.xml': FILE_TYPE_XML}))
+ result_issues = validate_security_config_properties(security_params, expectations)
+ if not result_issues: # If all validations passed successfully
+ try:
+ # Double check the dict before calling execute
+ if 'webhcat-site' not in security_params \
+ or 'templeton.kerberos.keytab' not in security_params['webhcat-site'] \
+ or 'templeton.kerberos.principal' not in security_params['webhcat-site']:
+ self.put_structured_out({"securityState": "UNSECURED"})
+ self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
+ return
+
+ cached_kinit_executor(status_params.kinit_path_local,
+ status_params.webhcat_user,
+ security_params['webhcat-site']['templeton.kerberos.keytab'],
+ security_params['webhcat-site']['templeton.kerberos.principal'],
+ status_params.hostname,
+ status_params.tmp_dir)
+ self.put_structured_out({"securityState": "SECURED_KERBEROS"})
+ except Exception as e:
+ self.put_structured_out({"securityState": "ERROR"})
+ self.put_structured_out({"securityStateErrorInfo": str(e)})
+ else:
+ issues = []
+ for cf in result_issues:
+ issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
+ self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
+ self.put_structured_out({"securityState": "UNSECURED"})
+ else:
+ self.put_structured_out({"securityState": "UNSECURED"})
+
+
if __name__ == "__main__":
WebHCatServer().execute()
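Review bot: The first map passed to `build_expectations('webhcat-site', ...)` requires `templeton.kerberos.secret` to equal the literal `"secret"`; in the sibling scripts that argument is named `props_value_check`, so it appears to be an exact-value match. A cluster whose WebHCat secret has been changed from that default would fail validation and be reported `UNSECURED`, so the check rewards keeping a guessable value. Listing the property in the not-empty check instead, `["templeton.kerberos.keytab", "templeton.kerberos.principal", "templeton.kerberos.secret"]`, verifies that a secret is set without pinning its value, provided `build_expectations` accepts an empty or `None` value map. The expectations in test_webhcat_server.py would need the same change.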
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/kerberos.json
index de5d733..e2d1d88 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/kerberos.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/kerberos.json
@@ -33,7 +33,8 @@
"name": "hive_metastore_hive",
"principal": {
"value": "hive/_HOST@${realm}",
- "configuration": "hive-site/hive.metastore.kerberos.principal"
+ "configuration": "hive-site/hive.metastore.kerberos.principal",
+ "local_username": "${hive-env/hive_user}"
},
"keytab": {
"file": "${keytab_dir}/hive.service.keytab",
@@ -57,7 +58,8 @@
"name": "hive_server_hive",
"principal": {
"value": "hive/_HOST@${realm}",
- "configuration": "hive-site/hive.server2.authentication.kerberos.principal"
+ "configuration": "hive-site/hive.server2.authentication.kerberos.principal",
+ "local_username": "${hive-env/hive_user}"
},
"keytab": {
"file": "${keytab_dir}/hive.service.keytab",
@@ -89,7 +91,6 @@
{
"name": "/spnego",
"principal": {
- "value": "HTTP/${host}@${realm}",
"configuration": "webhcat-site/templeton.kerberos.principal"
},
"keytab": {
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py b/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py
index f1a65e3..5dcc016 100644
--- a/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py
+++ b/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py
@@ -516,3 +516,116 @@ class TestHiveServer(RMFTestCase):
pass
self.assertNoMoreResources()
+
+ @patch("resource_management.libraries.functions.security_commons.build_expectations")
+ @patch("resource_management.libraries.functions.security_commons.get_params_from_filesystem")
+ @patch("resource_management.libraries.functions.security_commons.validate_security_config_properties")
+ @patch("resource_management.libraries.functions.security_commons.cached_kinit_executor")
+ @patch("resource_management.libraries.script.Script.put_structured_out")
+ def test_security_status(self, put_structured_out_mock, cached_kinit_executor_mock, validate_security_config_mock, get_params_mock, build_exp_mock):
+ # Test that function works when is called with correct parameters
+ import status_params
+
+ security_params = {
+ 'hive-site': {
+ "hive.server2.authentication": "KERBEROS",
+ "hive.metastore.sasl.enabled": "true",
+ "hive.security.authorization.enabled": "true",
+ "hive.server2.authentication.kerberos.keytab": "path/to/keytab",
+ "hive.server2.authentication.kerberos.principal": "principal",
+ "hive.server2.authentication.spnego.keytab": "path/to/spnego_keytab",
+ "hive.server2.authentication.spnego.principal": "spnego_principal"
+ }
+ }
+ result_issues = []
+ props_value_check = {"hive.server2.authentication": "KERBEROS",
+ "hive.metastore.sasl.enabled": "true",
+ "hive.security.authorization.enabled": "true"}
+ props_empty_check = ["hive.server2.authentication.kerberos.keytab",
+ "hive.server2.authentication.kerberos.principal",
+ "hive.server2.authentication.spnego.principal",
+ "hive.server2.authentication.spnego.keytab"]
+
+ props_read_check = ["hive.server2.authentication.kerberos.keytab",
+ "hive.server2.authentication.spnego.keytab"]
+
+ get_params_mock.return_value = security_params
+ validate_security_config_mock.return_value = result_issues
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/hive_server.py",
+ classname = "HiveServer",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+
+ get_params_mock.assert_called_with(status_params.hive_conf_dir, {'hive-site.xml': "XML"})
+ build_exp_mock.assert_called_with('hive-site', props_value_check, props_empty_check, props_read_check)
+ put_structured_out_mock.assert_called_with({"securityState": "SECURED_KERBEROS"})
+ self.assertTrue(cached_kinit_executor_mock.call_count, 2)
+ cached_kinit_executor_mock.assert_called_with(status_params.kinit_path_local,
+ status_params.hive_user,
+ security_params['hive-site']['hive.server2.authentication.spnego.keytab'],
+ security_params['hive-site']['hive.server2.authentication.spnego.principal'],
+ status_params.hostname,
+ status_params.tmp_dir)
+
+ # Testing that the exception throw by cached_executor is caught
+ cached_kinit_executor_mock.reset_mock()
+ cached_kinit_executor_mock.side_effect = Exception("Invalid command")
+
+ try:
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/hive_server.py",
+ classname = "HiveServer",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ except:
+ self.assertTrue(True)
+
+ # Testing with a security_params which doesn't contains startup
+ empty_security_params = {}
+ cached_kinit_executor_mock.reset_mock()
+ get_params_mock.reset_mock()
+ put_structured_out_mock.reset_mock()
+ get_params_mock.return_value = empty_security_params
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/hive_server.py",
+ classname = "HiveServer",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ put_structured_out_mock.assert_called_with({"securityIssuesFound": "Keytab file or principal are not set property."})
+
+ # Testing with not empty result_issues
+ result_issues_with_params = {}
+ result_issues_with_params['hive-site']="Something bad happened"
+
+ validate_security_config_mock.reset_mock()
+ get_params_mock.reset_mock()
+ validate_security_config_mock.return_value = result_issues_with_params
+ get_params_mock.return_value = security_params
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/hive_server.py",
+ classname = "HiveServer",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ put_structured_out_mock.assert_called_with({"securityState": "UNSECURED"})
+
+ # Testing with security_enable = false
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/hive_server.py",
+ classname = "HiveServer",
+ command = "security_status",
+ config_file="../../2.1/configs/default.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ put_structured_out_mock.assert_called_with({"securityState": "UNSECURED"})
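Review bot: `self.assertTrue(cached_kinit_executor_mock.call_count, 2)` passes for any non-zero call count, because the second argument of `assertTrue` is the failure message; `self.assertEqual(cached_kinit_executor_mock.call_count, 2)` is what the line appears to intend. The exception case wraps `executeScript` in `try: ... except: self.assertTrue(True)`, which asserts nothing and passes whether or not anything is raised. Since `security_status` catches the error itself, the case should check the reported state instead, e.g. `put_structured_out_mock.assert_called_with({"securityStateErrorInfo": "Invalid command"})`. Both patterns are repeated in test_webhcat_server.py.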
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py b/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py
index 7ebd4b9..89766b7 100644
--- a/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py
+++ b/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py
@@ -314,3 +314,118 @@ class TestWebHCatServer(RMFTestCase):
owner = 'hcat',
group = 'hadoop',
)
+
+ @patch("resource_management.libraries.functions.security_commons.build_expectations")
+ @patch("resource_management.libraries.functions.security_commons.get_params_from_filesystem")
+ @patch("resource_management.libraries.functions.security_commons.validate_security_config_properties")
+ @patch("resource_management.libraries.functions.security_commons.cached_kinit_executor")
+ @patch("resource_management.libraries.script.Script.put_structured_out")
+ def test_security_status(self, put_structured_out_mock, cached_kinit_executor_mock, validate_security_config_mock, get_params_mock, build_exp_mock):
+ # Test that function works when is called with correct parameters
+ import status_params
+
+ security_params = {
+ 'webhcat-site': {
+ "templeton.kerberos.secret": "secret",
+ "templeton.kerberos.keytab": 'path/to/keytab',
+ "templeton.kerberos.principal": "principal"
+ },
+ "hive-site": {
+ "hive.server2.authentication": "KERBEROS",
+ "hive.metastore.sasl.enabled": "true",
+ "hive.security.authorization.enabled": "true"
+ }
+ }
+ result_issues = []
+ webhcat_props_value_check = {"templeton.kerberos.secret": "secret"}
+ webhcat_props_empty_check = ["templeton.kerberos.keytab",
+ "templeton.kerberos.principal"]
+ webhcat_props_read_check = ["templeton.kerberos.keytab"]
+
+ hive_props_value_check = {"hive.server2.authentication": "KERBEROS",
+ "hive.metastore.sasl.enabled": "true",
+ "hive.security.authorization.enabled": "true"}
+ hive_props_empty_check = None
+ hive_props_read_check = None
+
+ get_params_mock.return_value = security_params
+ validate_security_config_mock.return_value = result_issues
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/webhcat_server.py",
+ classname = "WebHCatServer",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+
+ build_exp_mock.assert_called_with('hive-site', hive_props_value_check, hive_props_empty_check, hive_props_read_check)
+ # get_params_mock.assert_called_with(status_params.hive_conf_dir, {'hive-site.xml': "XML"})
+ get_params_mock.assert_called_with(status_params.webhcat_conf_dir, {'webhcat-site.xml': "XML"})
+ put_structured_out_mock.assert_called_with({"securityState": "SECURED_KERBEROS"})
+ self.assertTrue(cached_kinit_executor_mock.call_count, 2)
+ cached_kinit_executor_mock.assert_called_with(status_params.kinit_path_local,
+ status_params.webhcat_user,
+ security_params['webhcat-site']['templeton.kerberos.keytab'],
+ security_params['webhcat-site']['templeton.kerberos.principal'],
+ status_params.hostname,
+ status_params.tmp_dir)
+
+ # Testing that the exception throw by cached_executor is caught
+ cached_kinit_executor_mock.reset_mock()
+ cached_kinit_executor_mock.side_effect = Exception("Invalid command")
+
+ try:
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/webhcat_server.py",
+ classname = "WebHCatServer",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ except:
+ self.assertTrue(True)
+
+ # Testing with a security_params which doesn't contains startup
+ empty_security_params = {}
+ cached_kinit_executor_mock.reset_mock()
+ get_params_mock.reset_mock()
+ put_structured_out_mock.reset_mock()
+ get_params_mock.return_value = empty_security_params
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/webhcat_server.py",
+ classname = "WebHCatServer",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ put_structured_out_mock.assert_called_with({"securityIssuesFound": "Keytab file or principal are not set property."})
+
+ # Testing with not empty result_issues
+ result_issues_with_params = {}
+ result_issues_with_params['hive-site']="Something bad happened"
+
+ validate_security_config_mock.reset_mock()
+ get_params_mock.reset_mock()
+ validate_security_config_mock.return_value = result_issues_with_params
+ get_params_mock.return_value = security_params
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/webhcat_server.py",
+ classname = "WebHCatServer",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ put_structured_out_mock.assert_called_with({"securityState": "UNSECURED"})
+
+ # Testing with security_enable = false
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/webhcat_server.py",
+ classname = "WebHCatServer",
+ command = "security_status",
+ config_file="../../2.1/configs/default.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ put_structured_out_mock.assert_called_with({"securityState": "UNSECURED"})
\ No newline at end of file
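Review bot: The expected kinit count of 2 does not match `WebHCatServer.security_status`, which calls `cached_kinit_executor` once; when the `assertTrue(call_count, 2)` line becomes a real comparison it should read `self.assertEqual(cached_kinit_executor_mock.call_count, 1)`. `assert_called_with` inspects only the most recent call, which is presumably why the hive-site `get_params_mock` assertion is commented out. For the same reason the `webhcat-site` expectations are never verified. `assert_any_call` covers both, e.g. `get_params_mock.assert_any_call(status_params.hive_conf_dir, {'hive-site.xml': "XML"})` and `build_exp_mock.assert_any_call('webhcat-site', webhcat_props_value_check, webhcat_props_empty_check, webhcat_props_read_check)`.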
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/test/python/stacks/2.0.6/configs/secured.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.0.6/configs/secured.json b/ambari-server/src/test/python/stacks/2.0.6/configs/secured.json
index 455a138..d48b0ab 100644
--- a/ambari-server/src/test/python/stacks/2.0.6/configs/secured.json
+++ b/ambari-server/src/test/python/stacks/2.0.6/configs/secured.json
@@ -212,7 +212,7 @@
},
"webhcat-site": {
"templeton.pig.path": "pig.tar.gz/pig/bin/pig",
- "templeton.hive.properties": "hive.metastore.local=false,hive.metastore.uris=thrift://c6402.ambari.apache.org:9083,hive.metastore.sasl.enabled=true,hive.metastore.execute.setugi=true,hive.metastore.warehouse.dir=/apps/hive/warehouse,hive.exec.mode.local.auto=false,hive.metastore.kerberos.principal=hive/_HOST@EXAMPLE.COM",
+ "templeton.hive.properties": "hive.metastore.local=false,hive.metastore.uris=thrift://c6402.ambari.apache.org:9083,hive.metastore.sasl.enabled=true,hive.metastore.execute.setugi=true,hive.metastore.warehouse.dir=/apps/hive/warehouse,hive.exec.mode.local.auto=false,hive.metastore.kerberos.principal=hive/c6402.ambari.apache.org@EXAMPLE.COM",
"templeton.override.enabled": "false",
"templeton.jar": "/usr/lib/hcatalog/share/webhcat/svr/webhcat.jar",
"templeton.kerberos.secret": "secret",
http://git-wip-us.apache.org/repos/asf/ambari/blob/db3b306d/ambari-server/src/test/python/stacks/2.1/HIVE/test_hive_metastore.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.1/HIVE/test_hive_metastore.py b/ambari-server/src/test/python/stacks/2.1/HIVE/test_hive_metastore.py
index 7ca6a50..21aef34 100644
--- a/ambari-server/src/test/python/stacks/2.1/HIVE/test_hive_metastore.py
+++ b/ambari-server/src/test/python/stacks/2.1/HIVE/test_hive_metastore.py
@@ -290,4 +290,117 @@ class TestHiveMetastore(RMFTestCase):
group = 'hadoop',
mode = 0755,
recursive = True,
- )
\ No newline at end of file
+ )
+
+ @patch("resource_management.libraries.functions.security_commons.build_expectations")
+ @patch("resource_management.libraries.functions.security_commons.get_params_from_filesystem")
+ @patch("resource_management.libraries.functions.security_commons.validate_security_config_properties")
+ @patch("resource_management.libraries.functions.security_commons.cached_kinit_executor")
+ @patch("resource_management.libraries.script.Script.put_structured_out")
+ def test_security_status(self, put_structured_out_mock, cached_kinit_executor_mock, validate_security_config_mock, get_params_mock, build_exp_mock):
+ # Test that function works when is called with correct parameters
+ import status_params
+
+ security_params = {
+ 'hive-site': {
+ 'hive.server2.authentication': "KERBEROS",
+ 'hive.metastore.sasl.enabled': "true",
+ 'hive.security.authorization.enabled': 'true',
+ 'hive.metastore.kerberos.keytab.file': 'path/to/keytab',
+ 'hive.metastore.kerberos.principal': 'principal'
+ }
+ }
+ result_issues = []
+ props_value_check = {
+ 'hive.server2.authentication': "KERBEROS",
+ 'hive.metastore.sasl.enabled': "true",
+ 'hive.security.authorization.enabled': 'true'
+ }
+ props_empty_check = [
+ 'hive.metastore.kerberos.keytab.file',
+ 'hive.metastore.kerberos.principal'
+ ]
+ props_read_check = [
+ 'hive.metastore.kerberos.keytab.file'
+ ]
+
+ get_params_mock.return_value = security_params
+ validate_security_config_mock.return_value = result_issues
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/hive_metastore.py",
+ classname = "HiveMetastore",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+
+ get_params_mock.assert_called_with(status_params.hive_conf_dir, {'hive-site.xml': "XML"})
+ build_exp_mock.assert_called_with('hive-site', props_value_check, props_empty_check, props_read_check)
+ put_structured_out_mock.assert_called_with({"securityState": "SECURED_KERBEROS"})
+ self.assertTrue(cached_kinit_executor_mock.call_count, 2)
+ cached_kinit_executor_mock.assert_called_with(status_params.kinit_path_local,
+ status_params.hive_user,
+ security_params['hive-site']['hive.metastore.kerberos.keytab.file'],
+ security_params['hive-site']['hive.metastore.kerberos.principal'],
+ status_params.hostname,
+ status_params.tmp_dir)
+
+ # Testing that the exception throw by cached_executor is caught
+ cached_kinit_executor_mock.reset_mock()
+ cached_kinit_executor_mock.side_effect = Exception("Invalid command")
+
+ try:
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/hive_metastore.py",
+ classname = "HiveMetastore",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ except:
+ self.assertTrue(True)
+
+ # Testing with a security_params which doesn't contains startup
+ empty_security_params = {}
+ cached_kinit_executor_mock.reset_mock()
+ get_params_mock.reset_mock()
+ put_structured_out_mock.reset_mock()
+ get_params_mock.return_value = empty_security_params
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/hive_metastore.py",
+ classname = "HiveMetastore",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ put_structured_out_mock.assert_called_with({"securityIssuesFound": "Keytab file or principal are not set property."})
+
+ # Testing with not empty result_issues
+ result_issues_with_params = {}
+ result_issues_with_params['hive-site']="Something bad happened"
+
+ validate_security_config_mock.reset_mock()
+ get_params_mock.reset_mock()
+ validate_security_config_mock.return_value = result_issues_with_params
+ get_params_mock.return_value = security_params
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/hive_metastore.py",
+ classname = "HiveMetastore",
+ command = "security_status",
+ config_file="../../2.1/configs/secured.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ put_structured_out_mock.assert_called_with({"securityState": "UNSECURED"})
+
+ # Testing with security_enable = false
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/hive_metastore.py",
+ classname = "HiveMetastore",
+ command = "security_status",
+ config_file="../../2.1/configs/default.json",
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+ put_structured_out_mock.assert_called_with({"securityState": "UNSECURED"})
\ No newline at end of file
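Review bot: `self.assertTrue(cached_kinit_executor_mock.call_count, 2)` passes for any non-zero call count, because assertTrue treats its second argument as the failure message; if two kinit calls are the expected number, it should read `self.assertEqual(cached_kinit_executor_mock.call_count, 2)`. The `try` / bare `except:` section with `self.assertTrue(True)` succeeds whether or not the script handles the kinit failure, so it does not pin the state reported in that case; asserting on `put_structured_out_mock` after the call would. The final `UNSECURED` assertion for `default.json` is also satisfied by the call left over from the previous section, so add `put_structured_out_mock.reset_mock()` before that last `executeScript`. `reset_mock()` does not clear `side_effect`, so the later sections still run with the kinit mock raising unless it is set back with `cached_kinit_executor_mock.side_effect = None`. Because these checks guard the reported Kerberos security state, a regression that reports the wrong state could currently pass unnoticed.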