Posted to commits@ambari.apache.org by sw...@apache.org on 2014/09/24 00:34:12 UTC
[1/2] git commit: AMBARI-7460. Ambari needs to use password files
instead of clear password in configuration file for LDAP password.
Repository: ambari
Updated Branches:
refs/heads/trunk 3f7fdf501 -> 464e77f03
AMBARI-7460. Ambari needs to use password files instead of clear password in configuration file for LDAP password.
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/1591aaa4
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/1591aaa4
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/1591aaa4
Branch: refs/heads/trunk
Commit: 1591aaa48929bae9b54676b8b816411dd028a0f2
Parents: 3f7fdf5
Author: Siddharth Wagle <sw...@hortonworks.com>
Authored: Tue Sep 23 13:21:37 2014 -0700
Committer: Siddharth Wagle <sw...@hortonworks.com>
Committed: Tue Sep 23 15:34:01 2014 -0700
----------------------------------------------------------------------
.../ambari/server/configuration/Configuration.java | 14 ++++++++------
ambari-server/src/main/python/ambari-server.py | 14 +++++++++++++-
ambari-server/src/test/python/TestAmbariServer.py | 3 +--
3 files changed, 22 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/1591aaa4/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 9bdbc31..53d61e7 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -794,13 +794,15 @@ public class Configuration {
LDAP_BIND_ANONYMOUSLY_DEFAULT)));
ldapServerProperties.setManagerDn(properties.getProperty(
LDAP_MANAGER_DN_KEY));
- String ldapPasswd = readPasswordFromStore(properties
- .getProperty(LDAP_MANAGER_PASSWORD_KEY));
- if (ldapPasswd != null) {
- ldapServerProperties.setManagerPassword(ldapPasswd);
+ String ldapPasswordProperty = properties.getProperty(LDAP_MANAGER_PASSWORD_KEY);
+ String ldapPassword = null;
+ if (CredentialProvider.isAliasString(ldapPasswordProperty)) {
+ ldapPassword = readPasswordFromStore(ldapPasswordProperty);
+ }
+ if (ldapPassword != null) {
+ ldapServerProperties.setManagerPassword(ldapPassword);
} else {
- ldapServerProperties.setManagerPassword(properties.getProperty
- (LDAP_MANAGER_PASSWORD_KEY));
+ ldapServerProperties.setManagerPassword(readPasswordFromFile(ldapPasswordProperty, ""));
}
ldapServerProperties.setBaseDN(properties.getProperty
(LDAP_BASE_DN_KEY, LDAP_BASE_DN_DEFAULT));
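Review bot: In the `else` branch, the `""` default passed to `readPasswordFromFile` appears to turn every unresolved case into an empty manager password instead of an error. The branch is reached when the property is unset, when it holds a legacy clear-text password (which the removed code used directly), and when it is an alias that `readPasswordFromStore` could not resolve, in which case the alias string itself is handed over as a file path. Many directory servers treat a simple bind with a DN and an empty password as an unauthenticated bind, so this path should fail loudly; consider `} else if (ldapPasswordProperty != null && !CredentialProvider.isAliasString(ldapPasswordProperty)) {` and a log message when nothing was resolved. How `readPasswordFromFile` handles a missing file is not visible in this hunk.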
http://git-wip-us.apache.org/repos/asf/ambari/blob/1591aaa4/ambari-server/src/main/python/ambari-server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari-server.py b/ambari-server/src/main/python/ambari-server.py
index a99ad05..9059319 100755
--- a/ambari-server/src/main/python/ambari-server.py
+++ b/ambari-server/src/main/python/ambari-server.py
@@ -235,6 +235,7 @@ CLIENT_SECURITY_KEY = "client.security"
IS_LDAP_CONFIGURED = "ambari.ldap.isConfigured"
LDAP_MGR_PASSWORD_ALIAS = "ambari.ldap.manager.password"
LDAP_MGR_PASSWORD_PROPERTY = "authentication.ldap.managerPassword"
+LDAP_MGR_PASSWORD_FILENAME = "ldap-password.dat"
LDAP_MGR_USERNAME_PROPERTY = "authentication.ldap.managerDn"
SSL_TRUSTSTORE_PASSWORD_ALIAS = "ambari.ssl.trustStore.password"
@@ -549,6 +550,7 @@ NR_ADJUST_OWNERSHIP_LIST = [
("/etc/ambari-server/conf", "644", "{0}", True),
("/etc/ambari-server/conf", "755", "{0}", False),
("/etc/ambari-server/conf/password.dat", "640", "{0}", False),
+ ("/etc/ambari-server/conf/ldap-password.dat", "640", "{0}", False),
# Also, /etc/ambari-server/conf/password.dat
# is generated later at store_password_file
]
@@ -3260,6 +3262,8 @@ def setup_ldap():
# Persisting values
ldap_property_value_map[IS_LDAP_CONFIGURED] = "true"
+ if mgr_password:
+ ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME)
update_properties(properties, ldap_property_value_map)
print 'Saving...done'
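Review bot: The added assignment runs whenever `mgr_password` is set, so it appears to replace whatever `ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY]` already held, including a credential-store alias if an earlier part of `setup_ldap` (outside this hunk) stored one when encryption is enabled. The change in TestAmbariServer.py, where the expected value moves from the alias to the file name, points the same way. If that reading is right, re-running LDAP setup on a server with a master key leaves the manager password in a clear-text file until `setup_master_key` is run again. A guard along the lines of `if mgr_password and not is_alias_string(ldap_property_value_map.get(LDAP_MGR_PASSWORD_PROPERTY, "")):` would keep the encrypted path, assuming the map is a plain dict.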
@@ -3404,12 +3408,19 @@ def setup_master_key():
isSecure = get_is_secure(properties)
(isPersisted, masterKeyFile) = get_is_persisted(properties)
- # Read clear text password from file
+ # Read clear text DB password from file
if not is_alias_string(db_password) and os.path.isfile(db_password):
with open(db_password, 'r') as passwdfile:
db_password = passwdfile.read()
ldap_password = properties.get_property(LDAP_MGR_PASSWORD_PROPERTY)
+
+ if ldap_password:
+ # Read clear text LDAP password from file
+ if not is_alias_string(ldap_password) and os.path.isfile(ldap_password):
+ with open(ldap_password, 'r') as passwdfile:
+ ldap_password = passwdfile.read()
+
ts_password = properties.get_property(SSL_TRUSTSTORE_PASSWORD_PROPERTY)
resetKey = False
masterKey = None
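Review bot: `passwdfile.read()` returns the file content including any trailing line terminator, so an `ldap-password.dat` that was edited by hand would yield a password ending in a newline, and that is presumably the value later stored under the alias. Stripping the terminator with `ldap_password = passwdfile.read().rstrip('\r\n')` avoids this, provided the Java-side reader treats the file the same way (not visible here). The block also duplicates the DB-password read just above it; a small helper taking the property value would keep the two in step. `setup_master_key` starts and ends outside this hunk.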
@@ -3505,6 +3516,7 @@ def setup_master_key():
print 'Failed to save secure LDAP password.'
else:
propertyMap[LDAP_MGR_PASSWORD_PROPERTY] = get_alias_string(LDAP_MGR_PASSWORD_ALIAS)
+ remove_password_file(LDAP_MGR_PASSWORD_FILENAME)
pass
if ts_password and not is_alias_string(ts_password):
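Review bot: `remove_password_file(LDAP_MGR_PASSWORD_FILENAME)` deletes the clear-text file before the updated `propertyMap` is visibly written back, so if the later save (outside this hunk) fails, the configuration may still point at a file that no longer exists. Moving the removal after the properties are persisted would close that window. A comment such as `# alias saved; the clear-text copy is no longer needed` would make the intent explicit, and the trailing `pass` is redundant.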
http://git-wip-us.apache.org/repos/asf/ambari/blob/1591aaa4/ambari-server/src/test/python/TestAmbariServer.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/TestAmbariServer.py b/ambari-server/src/test/python/TestAmbariServer.py
index 421cde7..7f769f1 100644
--- a/ambari-server/src/test/python/TestAmbariServer.py
+++ b/ambari-server/src/test/python/TestAmbariServer.py
@@ -4741,8 +4741,7 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
"authentication.ldap.groupMembershipAttr": "test",
"authentication.ldap.groupNamingAttr": "test",
"client.security": "ldap", \
- ambari_server.LDAP_MGR_PASSWORD_PROPERTY: ambari_server.get_alias_string( \
- ambari_server.LDAP_MGR_PASSWORD_ALIAS),
+ ambari_server.LDAP_MGR_PASSWORD_PROPERTY: "ldap-password.dat",
"ambari.ldap.isConfigured": "true"
}
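Review bot: The expected value is the literal `"ldap-password.dat"` rather than `ambari_server.LDAP_MGR_PASSWORD_FILENAME`, so the test will not follow a rename of the constant. It also reads as if `store_password_file` is mocked to return the bare file name, which is not visible in this hunk. With this change the alias expectation is gone from this case, so unless the encrypted path is asserted elsewhere in the file, a separate check for it would be worth adding.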
[2/2] git commit: AMBARI-7460. Ambari needs to use password files
instead of clear password in configuration file for LDAP password. Missing
file.
Posted by sw...@apache.org.
AMBARI-7460. Ambari needs to use password files instead of clear password in configuration file for LDAP password. Missing file.
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/464e77f0
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/464e77f0
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/464e77f0
Branch: refs/heads/trunk
Commit: 464e77f0325bcf5e8fb12ec7ad1eacc77733fdf6
Parents: 1591aaa
Author: Siddharth Wagle <sw...@hortonworks.com>
Authored: Tue Sep 23 15:33:56 2014 -0700
Committer: Siddharth Wagle <sw...@hortonworks.com>
Committed: Tue Sep 23 15:34:02 2014 -0700
----------------------------------------------------------------------
ambari-server/src/test/python/ldap-password.dat | 1 +
1 file changed, 1 insertion(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/464e77f0/ambari-server/src/test/python/ldap-password.dat
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/ldap-password.dat b/ambari-server/src/test/python/ldap-password.dat
new file mode 100644
index 0000000..7aa311a
--- /dev/null
+++ b/ambari-server/src/test/python/ldap-password.dat
@@ -0,0 +1 @@
+password
\ No newline at end of file