Posted to commits@ambari.apache.org by mu...@apache.org on 2017/09/08 08:51:03 UTC
ambari git commit: AMBARI-21904 Remove redundant smokeuser entry from
Ranger KMS Kerberos descriptor (mugdha)
Repository: ambari
Updated Branches:
refs/heads/branch-2.6 af16726a9 -> 77786e4c7
AMBARI-21904 Remove redundant smokeuser entry from Ranger KMS Kerberos descriptor (mugdha)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/77786e4c
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/77786e4c
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/77786e4c
Branch: refs/heads/branch-2.6
Commit: 77786e4c74b1d43fc1449a1eb93262ef45ff757d
Parents: af16726
Author: Mugdha Varadkar <mu...@apache.org>
Authored: Fri Sep 8 12:13:43 2017 +0530
Committer: Mugdha Varadkar <mu...@apache.org>
Committed: Fri Sep 8 14:19:41 2017 +0530
----------------------------------------------------------------------
.../server/upgrade/UpgradeCatalog260.java | 40 +++++++
.../RANGER_KMS/0.5.0.2.3/kerberos.json | 6 --
.../HDP/2.5/services/RANGER_KMS/kerberos.json | 6 --
.../server/upgrade/UpgradeCatalog260Test.java | 53 +++++++++
.../test_kerberos_descriptor_ranger_kms.json | 108 +++++++++++++++++++
5 files changed, 201 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/77786e4c/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
index 07ae0c2..9e145c0 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
@@ -28,10 +28,17 @@ import javax.persistence.Query;
import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.ArtifactDAO;
+import org.apache.ambari.server.orm.entities.ArtifactEntity;
import org.apache.ambari.server.orm.entities.ClusterConfigEntity;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.Config;
+import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory;
+import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -386,6 +393,7 @@ public class UpgradeCatalog260 extends AbstractUpgradeCatalog {
setUnmappedForOrphanedConfigs();
removeSupersetFromDruid();
ensureZeppelinProxyUserConfigs();
+ updateKerberosDescriptorArtifacts();
}
/**
@@ -505,4 +513,36 @@ public class UpgradeCatalog260 extends AbstractUpgradeCatalog {
}
}
}
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ protected void updateKerberosDescriptorArtifact(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity) throws AmbariException {
+ if (artifactEntity != null) {
+ Map<String, Object> data = artifactEntity.getArtifactData();
+ if (data != null) {
+ final KerberosDescriptor kerberosDescriptor = new KerberosDescriptorFactory().createInstance(data);
+ if (kerberosDescriptor != null) {
+ KerberosServiceDescriptor rangerKmsServiceDescriptor = kerberosDescriptor.getService("RANGER_KMS");
+ if (rangerKmsServiceDescriptor != null) {
+
+ KerberosIdentityDescriptor rangerKmsServiceIdentity = rangerKmsServiceDescriptor.getIdentity("/smokeuser");
+ if (rangerKmsServiceIdentity != null) {
+ rangerKmsServiceDescriptor.removeIdentity("/smokeuser");
+ }
+ KerberosComponentDescriptor rangerKmscomponentDescriptor = rangerKmsServiceDescriptor.getComponent("RANGER_KMS_SERVER");
+ if (rangerKmscomponentDescriptor != null) {
+ KerberosIdentityDescriptor rangerKmsComponentIdentity = rangerKmscomponentDescriptor.getIdentity("/smokeuser");
+ if (rangerKmsComponentIdentity != null) {
+ rangerKmscomponentDescriptor.removeIdentity("/smokeuser");
+ }
+ }
+ }
+ artifactEntity.setArtifactData(kerberosDescriptor.toMap());
+ artifactDAO.merge(artifactEntity);
+ }
+ }
+ }
+ }
}
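Review bot: `artifactEntity.setArtifactData(kerberosDescriptor.toMap())` and `artifactDAO.merge(artifactEntity)` run for every stored descriptor that parses, including ones with no RANGER_KMS service or no `/smokeuser` reference, so the upgrade rewrites Kerberos descriptor artifacts it had no reason to touch. Because the stored data is replaced by the output of a createInstance/toMap round-trip, any field that round-trip does not preserve (not verifiable from this hunk) would be dropped silently from a security-sensitive artifact. Track whether an identity reference was actually removed and write back only in that case, as sketched below. The `{@inheritDoc}` Javadoc should also be replaced with a short description of which references are removed and why, since this override is the only place that records the upgrade's effect on stored descriptors.

```java
protected void updateKerberosDescriptorArtifact(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity) throws AmbariException {
  // … unchanged: null checks on artifactEntity/data and descriptor creation …
  boolean updated = false;
  KerberosServiceDescriptor rangerKmsServiceDescriptor = kerberosDescriptor.getService("RANGER_KMS");
  if (rangerKmsServiceDescriptor != null) {
    if (rangerKmsServiceDescriptor.getIdentity("/smokeuser") != null) {
      rangerKmsServiceDescriptor.removeIdentity("/smokeuser");
      updated = true;
    }
    KerberosComponentDescriptor rangerKmscomponentDescriptor = rangerKmsServiceDescriptor.getComponent("RANGER_KMS_SERVER");
    if (rangerKmscomponentDescriptor != null
        && rangerKmscomponentDescriptor.getIdentity("/smokeuser") != null) {
      rangerKmscomponentDescriptor.removeIdentity("/smokeuser");
      updated = true;
    }
  }
  // Persist only when the descriptor really changed, so untouched artifacts are never rewritten.
  if (updated) {
    artifactEntity.setArtifactData(kerberosDescriptor.toMap());
    artifactDAO.merge(artifactEntity);
  }
```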
http://git-wip-us.apache.org/repos/asf/ambari/blob/77786e4c/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json
index 69d6b6c..208a04d 100644
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json
@@ -8,9 +8,6 @@
"keytab": {
"configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
}
- },
- {
- "name": "/smokeuser"
}
],
"configurations": [
@@ -33,9 +30,6 @@
"keytab": {
"configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab"
}
- },
- {
- "name": "/smokeuser"
}
]
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/77786e4c/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json
index a54783e..8bf4cd8 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json
@@ -8,9 +8,6 @@
"keytab": {
"configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
}
- },
- {
- "name": "/smokeuser"
}
],
"auth_to_local_properties" : [
@@ -48,9 +45,6 @@
}
},
{
- "name": "/smokeuser"
- },
- {
"name": "rangerkms",
"principal": {
"value": "rangerkms/_HOST@${realm}",
http://git-wip-us.apache.org/repos/asf/ambari/blob/77786e4c/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java
index 2e16754..db6ebc1 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java
@@ -22,6 +22,7 @@ import static org.easymock.EasyMock.anyObject;
import static org.easymock.EasyMock.anyString;
import static org.easymock.EasyMock.capture;
import static org.easymock.EasyMock.createMock;
+import static org.easymock.EasyMock.createMockBuilder;
import static org.easymock.EasyMock.eq;
import static org.easymock.EasyMock.expect;
import static org.easymock.EasyMock.expectLastCall;
@@ -30,6 +31,8 @@ import static org.easymock.EasyMock.replay;
import static org.easymock.EasyMock.reset;
import static org.easymock.EasyMock.verify;
+import java.io.File;
+import java.net.URL;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
@@ -51,10 +54,16 @@ import org.apache.ambari.server.controller.KerberosHelper;
import org.apache.ambari.server.controller.MaintenanceStateHelper;
import org.apache.ambari.server.orm.DBAccessor;
import org.apache.ambari.server.orm.DBAccessor.DBColumnInfo;
+import org.apache.ambari.server.orm.dao.ArtifactDAO;
+import org.apache.ambari.server.orm.entities.ArtifactEntity;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.Config;
import org.apache.ambari.server.state.Service;
+import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory;
+import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
import org.apache.ambari.server.state.stack.OsFamily;
import org.easymock.Capture;
import org.easymock.EasyMockRunner;
@@ -618,4 +627,48 @@ public class UpgradeCatalog260Test {
Assert.assertEquals("existing_value", captureCoreSiteConfProperties.getValue().get("hadoop.proxyuser.zeppelin_user.hosts"));
Assert.assertEquals("*", captureCoreSiteConfProperties.getValue().get("hadoop.proxyuser.zeppelin_user.groups"));
}
+
+ @Test
+ public void testUpdateKerberosDescriptorArtifact() throws Exception {
+
+ URL systemResourceURL = ClassLoader.getSystemResource("kerberos/test_kerberos_descriptor_ranger_kms.json");
+ Assert.assertNotNull(systemResourceURL);
+
+ final KerberosDescriptor kerberosDescriptor = new KerberosDescriptorFactory().createInstance(new File(systemResourceURL.getFile()));
+ Assert.assertNotNull(kerberosDescriptor);
+
+ KerberosServiceDescriptor serviceDescriptor;
+ serviceDescriptor = kerberosDescriptor.getService("RANGER_KMS");
+ Assert.assertNotNull(serviceDescriptor);
+ Assert.assertNotNull(serviceDescriptor.getIdentity("/smokeuser"));
+
+ KerberosComponentDescriptor componentDescriptor;
+ componentDescriptor = serviceDescriptor.getComponent("RANGER_KMS_SERVER");
+ Assert.assertNotNull(componentDescriptor);
+ Assert.assertNotNull(componentDescriptor.getIdentity("/smokeuser"));
+
+ ArtifactEntity artifactEntity = createMock(ArtifactEntity.class);
+
+ expect(artifactEntity.getArtifactData()).andReturn(kerberosDescriptor.toMap()).once();
+
+ Capture<Map<String, Object>> captureMap = newCapture();
+ artifactEntity.setArtifactData(capture(captureMap));
+ expectLastCall().once();
+
+ ArtifactDAO artifactDAO = createMock(ArtifactDAO.class);
+ expect(artifactDAO.merge(artifactEntity)).andReturn(artifactEntity).atLeastOnce();
+
+ replay(artifactDAO, artifactEntity);
+
+ UpgradeCatalog260 upgradeCatalog260 = createMockBuilder(UpgradeCatalog260.class).createMock();
+ upgradeCatalog260.updateKerberosDescriptorArtifact(artifactDAO, artifactEntity);
+ verify(artifactDAO, artifactEntity);
+
+ KerberosDescriptor kerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(captureMap.getValue());
+ Assert.assertNotNull(kerberosDescriptorUpdated);
+
+ Assert.assertNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getIdentity("/smokeuser"));
+ Assert.assertNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getComponent("RANGER_KMS_SERVER").getIdentity("/smokeuser"));
+
+ }
}
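Review bot: The closing assertions in `testUpdateKerberosDescriptorArtifact` only prove that `/smokeuser` is gone; nothing checks that the identities which must survive the rewrite are still present in the captured map. Since the upgrade replaces the whole stored descriptor, add checks such as `Assert.assertNotNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getIdentity("/spnego"));` and `Assert.assertNotNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getComponent("RANGER_KMS_SERVER").getIdentity("rangerkms"));`. A second case using a descriptor without a RANGER_KMS service would pin down what the method does when there is nothing to remove. Separately, `new File(systemResourceURL.getFile())` breaks when the resource path contains URL-encoded characters such as spaces; `new File(systemResourceURL.toURI())` avoids that.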
http://git-wip-us.apache.org/repos/asf/ambari/blob/77786e4c/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json
new file mode 100644
index 0000000..d7e048f
--- /dev/null
+++ b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json
@@ -0,0 +1,108 @@
+{
+ "properties": {
+ "realm": "${kerberos-env/realm}",
+ "keytab_dir": "/etc/security/keytabs"
+ },
+ "identities": [
+ {
+ "name": "spnego",
+ "principal": {
+ "value": "HTTP/_HOST@${realm}",
+ "type": "service"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/spnego.service.keytab",
+ "owner": {
+ "name": "root",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": "r"
+ }
+ }
+ }
+ ],
+ "services": [
+ {
+ "name": "RANGER_KMS",
+ "identities": [
+ {
+ "name": "/spnego",
+ "keytab": {
+ "configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/smokeuser"
+ }
+ ],
+ "auth_to_local_properties" : [
+ "kms-site/hadoop.kms.authentication.kerberos.name.rules"
+ ],
+ "configurations": [
+ {
+ "kms-site": {
+ "hadoop.kms.authentication.type": "kerberos",
+ "hadoop.kms.authentication.kerberos.principal": "*"
+ }
+ },
+ {
+ "ranger-kms-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ],
+ "components": [
+ {
+ "name": "RANGER_KMS_SERVER",
+ "identities": [
+ {
+ "name": "/spnego",
+ "principal": {
+ "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/smokeuser"
+ },
+ {
+ "name": "rangerkms",
+ "principal": {
+ "value": "rangerkms/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "dbks-site/ranger.ks.kerberos.principal",
+ "local_username" : "keyadmin"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangerkms.service.keytab",
+ "owner": {
+ "name": "${kms-env/kms_user}",
+ "access": "r"
+ },
+ "configuration": "dbks-site/ranger.ks.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/RANGER_KMS/RANGER_KMS_SERVER/rangerkms",
+ "principal": {
+ "configuration": "ranger-kms-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-kms-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file