Posted to commits@ambari.apache.org by rl...@apache.org on 2015/09/14 23:57:28 UTC
ambari git commit: AMBARI-13060. Kerberos: Allow user to specify
additional realms for auth-to-local rules (rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk c6e61d8bb -> 9b6d33d0c
AMBARI-13060. Kerberos: Allow user to specify additional realms for auth-to-local rules (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/9b6d33d0
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/9b6d33d0
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/9b6d33d0
Branch: refs/heads/trunk
Commit: 9b6d33d0cb8635ca13f23b468c32bb31c30bd966
Parents: c6e61d8
Author: Robert Levas <rl...@hortonworks.com>
Authored: Mon Sep 14 17:57:15 2015 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Mon Sep 14 17:57:26 2015 -0400
----------------------------------------------------------------------
.../server/controller/AuthToLocalBuilder.java | 33 +++++++-
.../server/controller/KerberosHelperImpl.java | 5 +-
.../HDFS/2.1.0.2.0/kerberos.json | 1 -
.../resources/stacks/HDP/2.0.6/kerberos.json | 3 +-
.../server/api/services/AmbariMetaInfoTest.java | 2 +-
.../controller/AuthToLocalBuilderTest.java | 85 +++++++++++++++++++-
.../server/controller/KerberosHelperTest.java | 1 +
.../resources/stacks/HDP/2.0.8/kerberos.json | 3 +-
.../app/mixins/wizard/addSecurityConfigs.js | 1 +
9 files changed, 126 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
index 00e8291..a8fc487 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
@@ -20,6 +20,7 @@ package org.apache.ambari.server.controller;
import java.util.Arrays;
import java.util.Collections;
+import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
@@ -66,14 +67,36 @@ public class AuthToLocalBuilder {
private boolean caseInsensitiveUser;
/**
+ * A set of additional realm names to reference when generating rules.
+ */
+ private Set<String> additionalRealms = new HashSet<String>();
+
+ /**
* Default constructor. Case insensitive support false by default
*/
public AuthToLocalBuilder() {
- this.caseInsensitiveUser = false;
+ this(false, null);
}
- public AuthToLocalBuilder(boolean caseInsensitiveUserSupport) {
+ /**
+ * Constructs a new AuthToLocalBuilder.
+ *
+ * @param caseInsensitiveUserSupport true indicating that case-insensitivity should be enabled;
+ * false otherwise
+ * @param additionalRealms a String containing a comma-delimited list of realm names to generate
+ * default auth-to-local rules for
+ */
+ public AuthToLocalBuilder(boolean caseInsensitiveUserSupport, String additionalRealms) {
this.caseInsensitiveUser = caseInsensitiveUserSupport;
+
+ if ((additionalRealms != null) && !additionalRealms.isEmpty()) {
+ for (String realm : additionalRealms.split("\\s*(?:\\r?\\n|,)\\s*")) {
+ realm = realm.trim();
+ if (!realm.isEmpty()) {
+ this.additionalRealms.add(realm);
+ }
+ }
+ }
}
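Review bot: The realm names produced by `additionalRealms.split(...)` are stored verbatim, and the new test expectations show they end up inside rule text of the form `RULE:[1:$1@$0](.*@REALM)s/@.*//`, where the realm is interpolated into a regular expression without escaping (the interpolation happens in `createDefaultRealmRule`, outside this hunk). Since `additional_realms` is a user-supplied descriptor property, a value containing regex metacharacters would yield a malformed or over-broad default rule rather than a configuration error, so the constructor should reject realm names outside the expected character set before adding them, e.g. `if (!realm.matches("[A-Za-z0-9._-]+")) { throw new IllegalArgumentException("Invalid realm name: " + realm); }` (tighten or loosen the set to what the deployment actually allows). The field can also be `private final Set<String> additionalRealms = new HashSet<String>();`, since it is only populated here and by the `addAll` in the hunk that builds `copy`. The enclosing class continues outside this hunk.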
/**
@@ -161,6 +184,11 @@ public class AuthToLocalBuilder {
// ensure that a default rule is added for this realm
setRules.add(createDefaultRealmRule(realm));
+ // ensure that a default realm rule is added for the specified additional realms
+ for (String additionalRealm : additionalRealms) {
+ setRules.add(createDefaultRealmRule(additionalRealm));
+ }
+
if (concatenationType == null) {
concatenationType = DEFAULT_CONCATENATION_TYPE;
}
@@ -269,6 +297,7 @@ public class AuthToLocalBuilder {
copy.setRules.add(rule);
}
copy.caseInsensitiveUser = this.caseInsensitiveUser;
+ copy.additionalRealms.addAll(this.additionalRealms);
return copy;
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
index 11f578f..a1cd5b8 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
@@ -395,8 +395,11 @@ public class KerberosHelperImpl implements KerberosHelper {
// the 'kerberos-env' structure is expected to be available here as it was previously validated
boolean caseInsensitiveUser = Boolean.valueOf(existingConfigurations.get("kerberos-env").get("case_insensitive_username_rules"));
+ // Additional realms that need to be handled according to the Kerberos Descriptor
+ String additionalRealms = kerberosDescriptor.getProperty("additional_realms");
+
// Determine which properties need to be set
- AuthToLocalBuilder authToLocalBuilder = new AuthToLocalBuilder(caseInsensitiveUser);
+ AuthToLocalBuilder authToLocalBuilder = new AuthToLocalBuilder(caseInsensitiveUser, additionalRealms);
addIdentities(authToLocalBuilder, kerberosDescriptor.getIdentities(), null, existingConfigurations);
authToLocalProperties = kerberosDescriptor.getAuthToLocalProperties();
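Review bot: The property name in `kerberosDescriptor.getProperty("additional_realms")` is a bare string literal that this commit also hard-codes in two stack `kerberos.json` files and in `addSecurityConfigs.js`, so a rename in any one place would silently disable the feature here (the lookup would just return null, which the builder treats as "no additional realms"). Define it once on the Java side, e.g. `public static final String ADDITIONAL_REALMS_PROPERTY = "additional_realms";` on `AuthToLocalBuilder` or the descriptor class, and reference it from this line. A debug log of the parsed realm list at this point would also make it easier to audit which realms were granted default auth-to-local rules on a given cluster. The enclosing method starts and ends outside this hunk.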
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
index df99bce..df83969 100644
--- a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
@@ -45,7 +45,6 @@
"core-site": {
"hadoop.security.authentication": "kerberos",
"hadoop.security.authorization": "true",
- "hadoop.security.auth_to_local": "",
"hadoop.proxyuser.HTTP.groups": "${hadoop-env/proxyuser_group}"
}
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
index 03198dc..52e7ee0 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
@@ -1,7 +1,8 @@
{
"properties": {
"realm": "${kerberos-env/realm}",
- "keytab_dir": "/etc/security/keytabs"
+ "keytab_dir": "/etc/security/keytabs",
+ "additional_realms": ""
},
"identities": [
{
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java b/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
index 26253da..cf7c8cd 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
@@ -1846,7 +1846,7 @@ public class AmbariMetaInfoTest {
Assert.assertNotNull(descriptor);
Assert.assertNotNull(descriptor.getProperties());
- Assert.assertEquals(2, descriptor.getProperties().size());
+ Assert.assertEquals(3, descriptor.getProperties().size());
Assert.assertNotNull(descriptor.getIdentities());
Assert.assertEquals(1, descriptor.getIdentities().size());
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
index 9e65b5e..cbcffe6 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
@@ -57,7 +57,7 @@ public class AuthToLocalBuilderTest {
@Test
public void testRuleGeneration_caseInsensitiveSupport() {
- AuthToLocalBuilder builder = new AuthToLocalBuilder(true);
+ AuthToLocalBuilder builder = new AuthToLocalBuilder(true, null);
builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
// Duplicate principal for secondary namenode, should be filtered out...
@@ -312,4 +312,87 @@ public class AuthToLocalBuilderTest {
assertEquals(copy.generate("EXAMPLE.COM"), builder.generate("EXAMPLE.COM"));
}
+
+ @Test
+ public void testAdditionalRealms() {
+ AuthToLocalBuilder builder = new AuthToLocalBuilder(false, "REALM2,REALM3, REALM1 ");
+
+ builder.addRules(
+ "RULE:[1:$1@$0](.*@FOOBAR.COM)s/@.*//\n" +
+ "DEFAULT");
+
+ builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+ builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+ builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+ builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+ assertEquals(
+ "RULE:[1:$1@$0](.*@FOOBAR.COM)s/@.*//\n" +
+ "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" +
+ "RULE:[1:$1@$0](.*@REALM2)s/@.*//\n" +
+ "RULE:[1:$1@$0](.*@REALM1)s/@.*//\n" +
+ "RULE:[1:$1@$0](.*@REALM3)s/@.*//\n" +
+ "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" +
+ "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" +
+ "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" +
+ "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" +
+ "DEFAULT",
+ builder.generate("EXAMPLE.COM"));
+ }
+
+ @Test
+ public void testAdditionalRealms_Null() {
+ AuthToLocalBuilder builder = new AuthToLocalBuilder(false, null);
+
+ builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+ builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+ builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+ builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+ assertEquals(
+ "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" +
+ "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" +
+ "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" +
+ "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" +
+ "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" +
+ "DEFAULT",
+ builder.generate("EXAMPLE.COM"));
+ }
+
+ @Test
+ public void testAdditionalRealms_Empty() {
+ AuthToLocalBuilder builder = new AuthToLocalBuilder(false, "");
+
+ builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+ builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+ builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+ builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+ builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+ assertEquals(
+ "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" +
+ "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" +
+ "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" +
+ "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" +
+ "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" +
+ "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" +
+ "DEFAULT",
+ builder.generate("EXAMPLE.COM"));
+ }
}
\ No newline at end of file
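Review bot: The expected string in `testAdditionalRealms` pins the realm rules in the order REALM2, REALM1, REALM3, which is neither the insertion order from `"REALM2,REALM3, REALM1 "` nor lexical order of the realm names; if that order is what the `HashSet` in the builder happens to iterate rather than what a deterministic comparator on the rule set produces (the comparator is outside this diff, so I cannot confirm), the assertion depends on JVM hash behaviour and will break on a different JDK. Either ensure the builder orders realm rules deterministically or assert on each `RULE:[1:$1@$0](.*@REALMn)s/@.*//` line independently (split on `\n`, sort, compare). Separately, the seven `addRule` calls and the eight `RULE:[2:...]` expectation lines are repeated verbatim in all three tests; a private helper such as `addStandardRules(builder)` plus a constant for the shared expected tail would reduce each test to the line that differs. The new tests cover null and empty input but not a newline-delimited list or a realm that duplicates the primary realm, both of which the constructor's split pattern and `generate` accept.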
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
index f28a19b..7144ad0 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
@@ -1625,6 +1625,7 @@ public class KerberosHelperTest extends EasyMockSupport {
))).times(1);
final KerberosDescriptor kerberosDescriptor = createMock(KerberosDescriptor.class);
+ expect(kerberosDescriptor.getProperty("additional_realms")).andReturn(null).times(1);
expect(kerberosDescriptor.getIdentities()).andReturn(null).times(1);
expect(kerberosDescriptor.getAuthToLocalProperties()).andReturn(null).times(1);
expect(kerberosDescriptor.getServices()).andReturn(Collections.singletonMap("SERVICE1", serviceDescriptor1)).times(1);
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json b/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
index cf49786..14eefbf 100644
--- a/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
+++ b/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
@@ -1,7 +1,8 @@
{
"properties": {
"realm": "${cluster-env/kerberos_domain}",
- "keytab_dir": "/etc/security/keytabs"
+ "keytab_dir": "/etc/security/keytabs",
+ "additional_realms": ""
},
"identities": [
{
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-web/app/mixins/wizard/addSecurityConfigs.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/mixins/wizard/addSecurityConfigs.js b/ambari-web/app/mixins/wizard/addSecurityConfigs.js
index d14d09e..3d2b11a 100644
--- a/ambari-web/app/mixins/wizard/addSecurityConfigs.js
+++ b/ambari-web/app/mixins/wizard/addSecurityConfigs.js
@@ -215,6 +215,7 @@ App.AddSecurityConfigs = Em.Mixin.create({
displayName: serviceName == "Cluster" ? App.format.normalizeName(propertyName) : propertyName,
isOverridable: false,
isEditable: propertyName != 'realm',
+ isRequired: propertyName != 'additional_realms',
isSecureConfig: true
};
configs.push(App.ServiceConfigProperty.create(propertyObject));