Posted to commits@ambari.apache.org by sm...@apache.org on 2019/02/04 16:37:38 UTC
[ambari] branch branch-2.7 updated: AMBARI-25141. Encrypting LDAP
manager password in case password security is ON (#2810)
This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push:
new a05bb20 AMBARI-25141. Encrypting LDAP manager password in case password security is ON (#2810)
a05bb20 is described below
commit a05bb201067f0ae10d40f180bb6216d098f9447f
Author: Sandor Molnar <sm...@apache.org>
AuthorDate: Mon Feb 4 17:37:33 2019 +0100
AMBARI-25141. Encrypting LDAP manager password in case password security is ON (#2810)
---
.../org/apache/ambari/server/utils/PasswordUtils.java | 3 ++-
.../src/main/python/ambari_server/setupSecurity.py | 14 +++++---------
.../apache/ambari/server/utils/PasswordUtilsTest.java | 18 ++++++++++++++++--
3 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java b/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java
index dafc47c..04df5d9 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java
@@ -82,7 +82,8 @@ public class PasswordUtils {
if (CredentialProvider.isAliasString(passwordProperty)) {
return readPasswordFromStore(passwordProperty);
} else {
- return readPasswordFromFile(passwordProperty, defaultPassword);
+ final String pw = readPasswordFromFile(passwordProperty, defaultPassword);
+ return CredentialProvider.isAliasString(pw) ? readPasswordFromStore(pw) : pw;
}
}
return defaultPassword;
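Review bot: The added `return CredentialProvider.isAliasString(pw) ? readPasswordFromStore(pw) : pw;` turns the password file's contents into a credential-store lookup key whenever they match the alias form, and nothing visible handles an alias that is missing from the store. `readPasswordFromStore` and `readPasswordFromFile` are outside the hunk, so this is inferred, but if the store lookup yields null the caller would receive null rather than `defaultPassword`. It should be decided explicitly whether that case falls back to the default or is reported as an error, logging the alias name only and never the value. A comment above the new lines would also help, for example `// with password security ON the file holds a credential-store alias, not the password itself`. The enclosing method starts above the hunk.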
diff --git a/ambari-server/src/main/python/ambari_server/setupSecurity.py b/ambari-server/src/main/python/ambari_server/setupSecurity.py
index f6d0a3e..1958f8f 100644
--- a/ambari-server/src/main/python/ambari_server/setupSecurity.py
+++ b/ambari-server/src/main/python/ambari_server/setupSecurity.py
@@ -918,19 +918,15 @@ def setup_ldap(options):
if isSecure:
if mgr_password:
encrypted_passwd = encrypt_password(LDAP_MGR_PASSWORD_ALIAS, mgr_password, options)
- if mgr_password != encrypted_passwd:
- ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = encrypted_passwd
- pass
+ ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(encrypted_passwd, LDAP_MGR_PASSWORD_FILENAME)
+
if ts_password:
encrypted_passwd = encrypt_password(SSL_TRUSTSTORE_PASSWORD_ALIAS, ts_password, options)
if ts_password != encrypted_passwd:
ldap_property_values_in_ambari_properties[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = encrypted_passwd
- pass
- pass
-
- # Persisting values
- if mgr_password:
- ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME)
+ else: #not secure
+ if mgr_password:
+ ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME)
print 'Saving LDAP properties...'
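Review bot: In the `isSecure` branch the result of `encrypt_password` is now written to the password file without the `mgr_password != encrypted_passwd` comparison that the truststore branch below still performs. `encrypt_password` is not visible here, but that remaining comparison suggests it can return its input unchanged when encryption does not succeed, in which case the plaintext manager password would be stored silently while password security is reported as ON. Consider making that case visible before the store call, e.g. `if encrypted_passwd == mgr_password: print 'WARNING: LDAP manager password was not encrypted; storing it in plain text'`, or aborting the setup instead. `setup_ldap` starts and ends outside the hunk.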
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java b/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java
index b18ebd3..a47cb64 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java
@@ -66,10 +66,10 @@ public class PasswordUtilsTest extends EasyMockSupport {
final CredentialProvider credentialProvider = PowerMock.createNiceMock(CredentialProvider.class);
setupBasicCredentialProviderExpectations(credentialProvider);
credentialProvider.getPasswordForAlias(CS_ALIAS);
- PowerMock.expectLastCall().andReturn("testPassword".toCharArray()).once();
+ PowerMock.expectLastCall().andReturn("testPassword".toCharArray()).anyTimes();
PowerMock.replay(credentialProvider, CredentialProvider.class);
replayAll();
- assertEquals("testPassword", passwordUtils.readPassword(CS_ALIAS, "testPassword"));
+ assertEquals("testPassword", passwordUtils.readPassword(CS_ALIAS, "testPasswordDefault"));
verifyAll();
}
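Review bot: Relaxing the expectation from `.once()` to `.anyTimes()` on `getPasswordForAlias(CS_ALIAS)` means this test no longer pins how often the credential store is consulted, and zero calls would satisfy it too. The changed default (`"testPasswordDefault"`) does keep the assertion meaningful, but if the alias path still performs exactly one lookup, keeping `PowerMock.expectLastCall().andReturn("testPassword".toCharArray()).once();` would catch an accidental double resolution. The same `.anyTimes()` appears in the test added in the next hunk. It is also worth confirming that `verifyAll()` covers a mock created through `PowerMock.createNiceMock`; if it does not, the call count is unchecked either way.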
@@ -95,6 +95,20 @@ public class PasswordUtilsTest extends EasyMockSupport {
assertEquals("testPasswordDefault", passwordUtils.readPassword(passwordFile.getAbsolutePath(), "testPasswordDefault"));
}
+ @Test
+ public void shouldResolveEncryptedPaswordIfWeStoreTheAliasInPasswordFile() throws Exception {
+ final String testPassword = "testPassword";
+ final File passwordFile = writeTestPasswordFile(CS_ALIAS);
+ final CredentialProvider credentialProvider = PowerMock.createNiceMock(CredentialProvider.class);
+ setupBasicCredentialProviderExpectations(credentialProvider);
+ credentialProvider.getPasswordForAlias(CS_ALIAS);
+ PowerMock.expectLastCall().andReturn(testPassword.toCharArray()).anyTimes();
+ PowerMock.replay(credentialProvider, CredentialProvider.class);
+ replayAll();
+ assertEquals(testPassword, passwordUtils.readPassword(passwordFile.getAbsolutePath(), "testPasswordDefault"));
+ verifyAll();
+ }
+
private File writeTestPasswordFile(final String testPassword) throws IOException {
final TemporaryFolder tempFolder = new TemporaryFolder();
tempFolder.create();
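Review bot: The new test covers only the case where the alias stored in the password file resolves successfully. There is no test for a file that holds an alias which the store does not know, which is the case where the changed `readPassword` could return null instead of a usable value. A second test that makes `getPasswordForAlias(CS_ALIAS)` return null and asserts the intended outcome would pin that behaviour. The method name also has a typo and should read `shouldResolveEncryptedPasswordIfWeStoreTheAliasInPasswordFile`.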