Posted to commits@ambari.apache.org by sm...@apache.org on 2019/02/04 16:37:38 UTC

[ambari] branch branch-2.7 updated: AMBARI-25141. Encrypting LDAP manager password in case password security is ON (#2810)

This is an automated email from the ASF dual-hosted git repository.

smolnar pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.7 by this push:
     new a05bb20  AMBARI-25141. Encrypting LDAP manager password in case password security is ON (#2810)
a05bb20 is described below

commit a05bb201067f0ae10d40f180bb6216d098f9447f
Author: Sandor Molnar <sm...@apache.org>
AuthorDate: Mon Feb 4 17:37:33 2019 +0100

    AMBARI-25141. Encrypting LDAP manager password in case password security is ON (#2810)
---
 .../org/apache/ambari/server/utils/PasswordUtils.java  |  3 ++-
 .../src/main/python/ambari_server/setupSecurity.py     | 14 +++++---------
 .../apache/ambari/server/utils/PasswordUtilsTest.java  | 18 ++++++++++++++++--
 3 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java b/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java
index dafc47c..04df5d9 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/utils/PasswordUtils.java
@@ -82,7 +82,8 @@ public class PasswordUtils {
       if (CredentialProvider.isAliasString(passwordProperty)) {
         return readPasswordFromStore(passwordProperty);
       } else {
-        return readPasswordFromFile(passwordProperty, defaultPassword);
+        final String pw = readPasswordFromFile(passwordProperty, defaultPassword);
+        return CredentialProvider.isAliasString(pw) ? readPasswordFromStore(pw) : pw;
       }
     }
     return defaultPassword;
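Review bot: The value read from the password file is now passed through `CredentialProvider.isAliasString` with no comment explaining why, and whatever fallback `readPasswordFromFile` returns (presumably `defaultPassword`) goes through the same check. A short comment above the two new lines would help, for example `// With password encryption on, setup writes the credential-store alias into the password file, so resolve it here`. It is also worth confirming what `readPasswordFromStore(pw)` returns when the alias found in the file has no entry in the store; if that can be null, callers receive null instead of `defaultPassword`. The enclosing method starts and ends outside the hunk.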
diff --git a/ambari-server/src/main/python/ambari_server/setupSecurity.py b/ambari-server/src/main/python/ambari_server/setupSecurity.py
index f6d0a3e..1958f8f 100644
--- a/ambari-server/src/main/python/ambari_server/setupSecurity.py
+++ b/ambari-server/src/main/python/ambari_server/setupSecurity.py
@@ -918,19 +918,15 @@ def setup_ldap(options):
     if isSecure:
       if mgr_password:
         encrypted_passwd = encrypt_password(LDAP_MGR_PASSWORD_ALIAS, mgr_password, options)
-        if mgr_password != encrypted_passwd:
-          ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = encrypted_passwd
-      pass
+        ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(encrypted_passwd, LDAP_MGR_PASSWORD_FILENAME)
+
       if ts_password:
         encrypted_passwd = encrypt_password(SSL_TRUSTSTORE_PASSWORD_ALIAS, ts_password, options)
         if ts_password != encrypted_passwd:
           ldap_property_values_in_ambari_properties[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = encrypted_passwd
-      pass
-    pass
-
-    # Persisting values
-    if mgr_password:
-      ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME)
+    else: #not secure
+      if mgr_password:
+        ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME)
 
     print 'Saving LDAP properties...'
 
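Review bot: With the `mgr_password != encrypted_passwd` comparison removed, the secure branch writes whatever `encrypt_password` returns into the password file without checking that it really is an alias. The truststore branch just below still keeps that comparison, which suggests `encrypt_password` can hand back its input unchanged; if so, the clear-text manager password is stored while password security is on and the operator is not told. I would keep the write but report the fallback, for example `if encrypted_passwd == mgr_password: print 'WARNING: LDAP manager password could not be encrypted; storing it in clear text'`. `setup_ldap` starts and ends outside the hunk, and the permissions applied by `store_password_file` are not visible here.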
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java b/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java
index b18ebd3..a47cb64 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/utils/PasswordUtilsTest.java
@@ -66,10 +66,10 @@ public class PasswordUtilsTest extends EasyMockSupport {
     final CredentialProvider credentialProvider = PowerMock.createNiceMock(CredentialProvider.class);
     setupBasicCredentialProviderExpectations(credentialProvider);
     credentialProvider.getPasswordForAlias(CS_ALIAS);
-    PowerMock.expectLastCall().andReturn("testPassword".toCharArray()).once();
+    PowerMock.expectLastCall().andReturn("testPassword".toCharArray()).anyTimes();
     PowerMock.replay(credentialProvider, CredentialProvider.class);
     replayAll();
-    assertEquals("testPassword", passwordUtils.readPassword(CS_ALIAS, "testPassword"));
+    assertEquals("testPassword", passwordUtils.readPassword(CS_ALIAS, "testPasswordDefault"));
     verifyAll();
   }
   
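Review bot: Relaxing the expectation from `.once()` to `.anyTimes()` also accepts zero invocations, so `verifyAll()` no longer checks that the credential store was consulted at all. The changed default argument (`"testPasswordDefault"`) makes the assertion cover that, but `PowerMock.expectLastCall().andReturn("testPassword".toCharArray()).atLeastOnce();` would keep the expectation meaningful. The same applies to the `anyTimes()` call in the test added by the next hunk. If the relaxation was needed because the alias is now looked up more than once, a comment saying so would help.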
@@ -95,6 +95,20 @@ public class PasswordUtilsTest extends EasyMockSupport {
     assertEquals("testPasswordDefault", passwordUtils.readPassword(passwordFile.getAbsolutePath(), "testPasswordDefault"));
   }
 
+  @Test
+  public void shouldResolveEncryptedPaswordIfWeStoreTheAliasInPasswordFile() throws Exception {
+    final String testPassword = "testPassword";
+    final File passwordFile = writeTestPasswordFile(CS_ALIAS);
+    final CredentialProvider credentialProvider = PowerMock.createNiceMock(CredentialProvider.class);
+    setupBasicCredentialProviderExpectations(credentialProvider);
+    credentialProvider.getPasswordForAlias(CS_ALIAS);
+    PowerMock.expectLastCall().andReturn(testPassword.toCharArray()).anyTimes();
+    PowerMock.replay(credentialProvider, CredentialProvider.class);
+    replayAll();
+    assertEquals(testPassword, passwordUtils.readPassword(passwordFile.getAbsolutePath(), "testPasswordDefault"));
+    verifyAll();
+  }
+
   private File writeTestPasswordFile(final String testPassword) throws IOException {
     final TemporaryFolder tempFolder = new TemporaryFolder();
     tempFolder.create();
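Review bot: The new test covers only a password file whose alias resolves; nothing exercises a file that holds an alias missing from the credential store, which is the failure case for the new branch in `PasswordUtils.readPassword`. A second test that has `getPasswordForAlias` return null and asserts the intended result would pin that behaviour. The method name also has a typo: `shouldResolveEncryptedPaswordIfWeStoreTheAliasInPasswordFile` should read `shouldResolveEncryptedPasswordIfWeStoreTheAliasInPasswordFile`. `writeTestPasswordFile` continues past the end of the hunk.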