Posted to commits@ambari.apache.org by rl...@apache.org on 2015/12/18 22:23:55 UTC

ambari git commit: AMBARI-14434. Passwords for headless principals with cached keytab files are changed unnecessarily (rlevas)

Repository: ambari
Updated Branches:
  refs/heads/trunk fd6e9cc00 -> f0b029e57


AMBARI-14434. Passwords for headless principals with cached keytab files are changed unnecessarily (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/f0b029e5
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/f0b029e5
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/f0b029e5

Branch: refs/heads/trunk
Commit: f0b029e57daf5e3ec01b8dbc53ea41886ebe5e55
Parents: fd6e9cc
Author: Robert Levas <rl...@hortonworks.com>
Authored: Fri Dec 18 16:23:45 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Fri Dec 18 16:23:45 2015 -0500

----------------------------------------------------------------------
 .../kerberos/CreatePrincipalsServerAction.java  | 56 +++++++++++++-------
 1 file changed, 38 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/f0b029e5/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
index fdcc672..8009ae1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
@@ -24,8 +24,10 @@ import org.apache.ambari.server.actionmanager.HostRoleStatus;
 import org.apache.ambari.server.agent.CommandReport;
 import org.apache.ambari.server.orm.dao.KerberosPrincipalDAO;
 import org.apache.ambari.server.orm.dao.KerberosPrincipalHostDAO;
+import org.apache.ambari.server.orm.entities.KerberosPrincipalEntity;
 import org.apache.ambari.server.security.SecurePasswordHelper;
 import org.apache.ambari.server.serveraction.ActionLog;
+import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -111,10 +113,30 @@ public class CreatePrincipalsServerAction extends KerberosServerAction {
       throws AmbariException {
     CommandReport commandReport = null;
 
+    boolean processPrincipal;
     boolean regenerateKeytabs = "true".equalsIgnoreCase(getCommandParameterValue(getCommandParameters(), REGENERATE_ALL));
 
-    if (regenerateKeytabs || !kerberosPrincipalHostDAO.exists(evaluatedPrincipal)) {
+    if (regenerateKeytabs) {
+      processPrincipal = true;
+    } else {
+      KerberosPrincipalEntity kerberosPrincipalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
+
+      if (kerberosPrincipalEntity == null) {
+        // This principal has not been processed before, process it.
+        processPrincipal = true;
+      } else if (!StringUtils.isEmpty(kerberosPrincipalEntity.getCachedKeytabPath())) {
+        // This principal has been processed and a keytab file has been cached for it... do not process it.
+        processPrincipal = false;
+      } else if (kerberosPrincipalHostDAO.exists(evaluatedPrincipal)) {
+        // This principal has been processed and a keytab file has been distributed... do not process it.
+        processPrincipal = false;
+      } else {
+        // This principal has been processed but a keytab file for it has been distributed... process it.
+        processPrincipal = true;
+      }
+    }
 
+    if (processPrincipal) {
       Map<String, String> principalPasswordMap = getPrincipalPasswordMap(requestSharedDataContext);
       Map<String, Integer> principalKeyNumberMap = getPrincipalKeyNumberMap(requestSharedDataContext);
 
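Review bot: The new `getCachedKeytabPath()` branch skips password regeneration on the strength of a non-empty path string alone; nothing in this hunk checks that the cached keytab file is still present and readable. If the cache entry is stale, the principal is left out of `principalPasswordMap`, and the later keytab step (not visible here) would presumably have neither a password nor a usable cached keytab for it. Consider treating the entry as cached only when the file is readable, e.g. `new File(kerberosPrincipalEntity.getCachedKeytabPath()).canRead()`, and logging the skip so operators can see why credentials were not rotated. The comment on the final `else` also contradicts the branch: it should read `// This principal has been processed but a keytab file for it has not been distributed... process it.` The enclosing method starts and ends outside this hunk.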
@@ -124,10 +146,9 @@ public class CreatePrincipalsServerAction extends KerberosServerAction {
         boolean servicePrincipal = "service".equalsIgnoreCase(identityRecord.get(KerberosIdentityDataFileReader.PRINCIPAL_TYPE));
         CreatePrincipalResult result = createPrincipal(evaluatedPrincipal, servicePrincipal, kerberosConfiguration, operationHandler, actionLog);
 
-        if(result == null) {
+        if (result == null) {
           commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
-        }
-        else {
+        } else {
           principalPasswordMap.put(evaluatedPrincipal, result.getPassword());
           principalKeyNumberMap.put(evaluatedPrincipal, result.getKeyNumber());
         }
@@ -156,7 +177,7 @@ public class CreatePrincipalsServerAction extends KerberosServerAction {
 
     String message = String.format("Creating principal, %s", principal);
     LOG.info(message);
-    if(actionLog != null) {
+    if (actionLog != null) {
       actionLog.writeStdOut(message);
     }
 
@@ -167,15 +188,14 @@ public class CreatePrincipalsServerAction extends KerberosServerAction {
     Integer minPunctuation;
     Integer minWhitespace;
 
-    if(kerberosConfiguration == null) {
+    if (kerberosConfiguration == null) {
       length = null;
-      minLowercaseLetters= null;
-      minUppercaseLetters= null;
-      minDigits= null;
-      minPunctuation= null;
-      minWhitespace= null;
-    }
-    else {
+      minLowercaseLetters = null;
+      minUppercaseLetters = null;
+      minDigits = null;
+      minPunctuation = null;
+      minWhitespace = null;
+    } else {
       length = toInt(kerberosConfiguration.get("password_length"));
       minLowercaseLetters = toInt(kerberosConfiguration.get("password_min_lowercase_letters"));
       minUppercaseLetters = toInt(kerberosConfiguration.get("password_min_uppercase_letters"));
@@ -193,20 +213,20 @@ public class CreatePrincipalsServerAction extends KerberosServerAction {
         // A new password/key would have been generated after exporting the keytab anyways.
         message = String.format("Principal, %s, already exists, setting new password", principal);
         LOG.warn(message);
-        if(actionLog != null) {
+        if (actionLog != null) {
           actionLog.writeStdOut(message);
         }
 
         Integer keyNumber = kerberosOperationHandler.setPrincipalPassword(principal, password);
 
         if (keyNumber != null) {
+          result = new CreatePrincipalResult(principal, password, keyNumber);
           message = String.format("Successfully set password for %s", principal);
           LOG.debug(message);
-          result = new CreatePrincipalResult(principal, password, keyNumber);
         } else {
           message = String.format("Failed to set password for %s - unknown reason", principal);
           LOG.error(message);
-          if(actionLog != null) {
+          if (actionLog != null) {
             actionLog.writeStdErr(message);
           }
         }
@@ -223,7 +243,7 @@ public class CreatePrincipalsServerAction extends KerberosServerAction {
         } else {
           message = String.format("Failed to create principal, %s - unknown reason", principal);
           LOG.error(message);
-          if(actionLog != null) {
+          if (actionLog != null) {
             actionLog.writeStdErr(message);
           }
         }
@@ -236,7 +256,7 @@ public class CreatePrincipalsServerAction extends KerberosServerAction {
     } catch (KerberosOperationException e) {
       message = String.format("Failed to create principal, %s - %s", principal, e.getMessage());
       LOG.error(message, e);
-      if(actionLog != null) {
+      if (actionLog != null) {
         actionLog.writeStdErr(message);
       }
     }