You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ambari.apache.org by ds...@apache.org on 2017/02/13 17:43:10 UTC
ambari git commit: AMBARI-19987 Oozie start failed after enabling
credential store (dsen)
Repository: ambari
Updated Branches:
refs/heads/trunk fa32fec6d -> d252665ce
AMBARI-19987 Oozie start failed after enabling credential store (dsen)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/d252665c
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/d252665c
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/d252665c
Branch: refs/heads/trunk
Commit: d252665ce94f532b08efb9bc5f31f7b8f6cde97a
Parents: fa32fec
Author: Dmytro Sen <ds...@apache.org>
Authored: Mon Feb 13 19:42:59 2017 +0200
Committer: Dmytro Sen <ds...@apache.org>
Committed: Mon Feb 13 19:42:59 2017 +0200
----------------------------------------------------------------------
.../ambari_agent/CustomServiceOrchestrator.py | 12 +++++-
.../ambari_commons/credential_store_helper.py | 45 ++++++++++++++++++++
.../query/render/ClusterBlueprintRenderer.java | 8 ++--
.../internal/ServiceResourceProvider.java | 1 -
.../orm/entities/ServiceDesiredStateEntity.java | 21 ---------
.../org/apache/ambari/server/state/Service.java | 8 ----
.../apache/ambari/server/state/ServiceImpl.java | 40 +++--------------
.../server/upgrade/UpgradeCatalog250.java | 5 ---
.../main/resources/Ambari-DDL-Derby-CREATE.sql | 1 -
.../main/resources/Ambari-DDL-MySQL-CREATE.sql | 1 -
.../main/resources/Ambari-DDL-Oracle-CREATE.sql | 1 -
.../resources/Ambari-DDL-Postgres-CREATE.sql | 1 -
.../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 1 -
.../resources/Ambari-DDL-SQLServer-CREATE.sql | 1 -
.../0.12.0.2.0/package/scripts/params_linux.py | 35 +++------------
.../4.0.0.2.0/package/scripts/params_linux.py | 20 ++++++++-
.../server/upgrade/UpgradeCatalog250Test.java | 12 +-----
17 files changed, 90 insertions(+), 123 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py
----------------------------------------------------------------------
diff --git a/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py b/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py
index bacda46..9f2852b 100644
--- a/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py
+++ b/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py
@@ -238,6 +238,7 @@ class CustomServiceOrchestrator():
value_names.append(value_name) # Gather the value_name for deletion
if len(credentials) > 0:
configtype_credentials[config_type] = credentials
+ logger.info("Identifying config {0} for CS: ".format(config_type))
for value_name in value_names:
# Remove the clear text password
config.pop(value_name, None)
@@ -255,8 +256,11 @@ class CustomServiceOrchestrator():
roleCommand = None
if 'roleCommand' in commandJson:
roleCommand = commandJson['roleCommand']
+ task_id = None
+ if 'taskId' in commandJson:
+ task_id = commandJson['taskId']
- logger.info('generateJceks: roleCommand={0}'.format(roleCommand))
+ logger.info('Generating the JCEKS file: roleCommand={0} and taskId = {1}'.format(roleCommand, task_id))
# Set up the variables for the external command to generate a JCEKS file
java_home = commandJson['hostLevelParams']['java_home']
@@ -267,6 +271,12 @@ class CustomServiceOrchestrator():
# Gather the password values and remove them from the configuration
configtype_credentials = self.getConfigTypeCredentials(commandJson)
+
+ # CS is enabled but no config property is available for this command
+ if len(configtype_credentials) == 0:
+ logger.info("Credential store is enabled but no property are found that can be encrypted.")
+ commandJson['credentialStoreEnabled'] = "false"
+
for config_type, credentials in configtype_credentials.items():
config = commandJson['configurations'][config_type]
file_path = os.path.join(self.getProviderDirectory(serviceName), "{0}.jceks".format(config_type))
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-common/src/main/python/ambari_commons/credential_store_helper.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/ambari_commons/credential_store_helper.py b/ambari-common/src/main/python/ambari_commons/credential_store_helper.py
new file mode 100644
index 0000000..914c1c7
--- /dev/null
+++ b/ambari-common/src/main/python/ambari_commons/credential_store_helper.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+import os
+
+from resource_management.core.resources.system import File
+from resource_management.core.shell import checked_call
+from resource_management.core.source import DownloadSource
+
+credential_util_cmd = 'org.apache.ambari.server.credentialapi.CredentialUtil'
+credential_util_jar = 'CredentialUtil.jar'
+
+def get_password_from_credential_store(alias, provider_path, cs_lib_path, java_home, jdk_location):
+ # Try to download CredentialUtil.jar from ambari-server resources
+ credential_util_dir = cs_lib_path.split('*')[0] # Remove the trailing '*'
+ credential_util_path = os.path.join(credential_util_dir, credential_util_jar)
+ credential_util_url = jdk_location + credential_util_jar
+ File(credential_util_path,
+ content = DownloadSource(credential_util_url),
+ mode = 0755,
+ )
+
+ # Execute a get command on the CredentialUtil CLI to get the password for the specified alias
+ java_bin = '{java_home}/bin/java'.format(java_home=java_home)
+ cmd = (java_bin, '-cp', cs_lib_path, credential_util_cmd, 'get', alias, '-provider', provider_path)
+ cmd_result, std_out_msg = checked_call(cmd)
+ std_out_lines = std_out_msg.split('\n')
+ return std_out_lines[-1] # Get the last line of the output, to skip warnings if any.
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java b/ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java
index 4091ee8..5e19a6c 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java
@@ -286,11 +286,9 @@ public class ClusterBlueprintRenderer extends BaseRenderer implements Renderer {
//service_settings population
property = new HashMap<>();
- if (ServiceInfoMap.get("credential_store_supported").equals("true")) {
- if (ServiceInfoMap.get("credential_store_enabled").equals("true")) {
- property.put("name", ServiceInfoMap.get("service_name").toString());
- property.put("credential_store_enabled", "true");
- }
+ if (ServiceInfoMap.get("credential_store_enabled").equals("true")) {
+ property.put("name", ServiceInfoMap.get("service_name").toString());
+ property.put("credential_store_enabled", "true");
}
//Fetch the service Components to obtain ServiceComponentInfo
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java
index 0d5c174..99a81c1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java
@@ -368,7 +368,6 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
AmbariMetaInfo ambariMetaInfo = getManagementController().getAmbariMetaInfo();
ServiceInfo serviceInfo = ambariMetaInfo.getService(stackId.getStackName(),
stackId.getStackVersion(), request.getServiceName());
- s.setCredentialStoreSupported(serviceInfo.isCredentialStoreSupported());
LOG.info("Service: {}, credential_store_supported from stack definition:{}", request.getServiceName(),
serviceInfo.isCredentialStoreSupported());
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java
index e4401a1..885f995 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java
@@ -67,9 +67,6 @@ public class ServiceDesiredStateEntity {
@Enumerated(value = EnumType.STRING)
private SecurityState securityState = SecurityState.UNSECURED;
- @Column(name = "credential_store_supported", nullable = false, insertable = true, updatable = true)
- private short credentialStoreSupported = 0;
-
@Column(name = "credential_store_enabled", nullable = false, insertable = true, updatable = true)
private short credentialStoreEnabled = 0;
@@ -138,24 +135,6 @@ public class ServiceDesiredStateEntity {
}
/**
- * Gets a value indicating if credential store is supported or not.
- *
- * @return true or false
- */
- public boolean isCredentialStoreSupported() {
- return credentialStoreSupported != 0;
- }
-
- /**
- * Sets a value indicating if credential store is supported or not.
- *
- * @param credentialStoreSupported
- */
- public void setCredentialStoreSupported(boolean credentialStoreSupported) {
- this.credentialStoreSupported = (short)((credentialStoreSupported == false) ? 0 : 1);
- }
-
- /**
* Gets a value indicating if credential store use is enabled or not.
*
* @return true or false
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/state/Service.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/Service.java b/ambari-server/src/main/java/org/apache/ambari/server/state/Service.java
index cf36a8b..0f425a4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/state/Service.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/state/Service.java
@@ -110,14 +110,6 @@ public interface Service {
boolean isCredentialStoreSupported();
/**
- * Set a true or false value specifying if this
- * service supports credential store.
- *
- * @param credentialStoreSupported - true or false
- */
- void setCredentialStoreSupported(boolean credentialStoreSupported);
-
- /**
* Get a true or false value specifying whether
* credential store use is enabled for this service.
*
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java
index e223eed..713c189 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java
@@ -70,6 +70,7 @@ public class ServiceImpl implements Service {
private final Cluster cluster;
private final ConcurrentMap<String, ServiceComponent> components = new ConcurrentHashMap<>();
private final boolean isClientOnlyService;
+ private final boolean isCredentialStoreSupported;
@Inject
private ServiceConfigDAO serviceConfigDAO;
@@ -130,6 +131,8 @@ public class ServiceImpl implements Service {
isClientOnlyService = sInfo.isClientOnlyService();
+ isCredentialStoreSupported = sInfo.isCredentialStoreSupported();
+
persist(serviceEntity);
}
@@ -174,6 +177,7 @@ public class ServiceImpl implements Service {
ServiceInfo sInfo = ambariMetaInfo.getService(stackId.getStackName(),
stackId.getStackVersion(), getName());
isClientOnlyService = sInfo.isClientOnlyService();
+ isCredentialStoreSupported = sInfo.isCredentialStoreSupported();
}
@Override
@@ -327,45 +331,11 @@ public class ServiceImpl implements Service {
*/
@Override
public boolean isCredentialStoreSupported() {
- ServiceDesiredStateEntity desiredStateEntity = getServiceDesiredStateEntity();
-
- if (desiredStateEntity != null) {
- return desiredStateEntity.isCredentialStoreSupported();
- } else {
- LOG.warn("Trying to fetch a member from an entity object that may " +
- "have been previously deleted, serviceName = " + getName());
- }
- return false;
+ return isCredentialStoreSupported;
}
- /**
- * Set a true or false value specifying whether this
- * service supports credential store.
- *
- * @param credentialStoreSupported - true or false
- */
- @Override
- public void setCredentialStoreSupported(boolean credentialStoreSupported) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Setting CredentialStoreEnabled of Service" + ", clusterName="
- + cluster.getClusterName() + ", clusterId="
- + cluster.getClusterId() + ", serviceName=" + getName()
- + ", oldCredentialStoreSupported=" + isCredentialStoreSupported()
- + ", newCredentialStoreSupported=" + credentialStoreSupported);
- }
-
- ServiceDesiredStateEntity desiredStateEntity = getServiceDesiredStateEntity();
-
- if (desiredStateEntity != null) {
- desiredStateEntity.setCredentialStoreSupported(credentialStoreSupported);
- desiredStateEntity = serviceDesiredStateDAO.merge(desiredStateEntity);
- } else {
- LOG.warn("Setting a member on an entity object that may have been "
- + "previously deleted, serviceName = " + getName());
- }
- }
/**
* Get a true or false value specifying whether
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
index 2082048..1f93f1f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
@@ -83,7 +83,6 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog {
public static final String COMPONENT_VERSION_FK_REPO_VERSION = "FK_scv_repo_version_id";
protected static final String SERVICE_DESIRED_STATE_TABLE = "servicedesiredstate";
- protected static final String CREDENTIAL_STORE_SUPPORTED_COL = "credential_store_supported";
protected static final String CREDENTIAL_STORE_ENABLED_COL = "credential_store_enabled";
protected static final String HOST_COMPONENT_DESIREDSTATE_TABLE = "hostcomponentdesiredstate";
@@ -547,12 +546,8 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog {
*/
private void updateServiceDesiredStateTable() throws SQLException {
// ALTER TABLE servicedesiredstate ADD COLUMN
- // credential_store_supported SMALLINT DEFAULT 0 NOT NULL
// credential_store_enabled SMALLINT DEFAULT 0 NOT NULL
dbAccessor.addColumn(SERVICE_DESIRED_STATE_TABLE,
- new DBColumnInfo(CREDENTIAL_STORE_SUPPORTED_COL, Short.class, null, 0, false));
-
- dbAccessor.addColumn(SERVICE_DESIRED_STATE_TABLE,
new DBColumnInfo(CREDENTIAL_STORE_ENABLED_COL, Short.class, null, 0, false));
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
index b79c945..c7d7990 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
@@ -262,7 +262,6 @@ CREATE TABLE servicedesiredstate (
service_name VARCHAR(255) NOT NULL,
maintenance_state VARCHAR(32) NOT NULL,
security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED',
- credential_store_supported SMALLINT NOT NULL DEFAULT 0,
credential_store_enabled SMALLINT NOT NULL DEFAULT 0,
CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name),
CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
index 1c502bc..de79328 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
@@ -272,7 +272,6 @@ CREATE TABLE servicedesiredstate (
service_name VARCHAR(255) NOT NULL,
maintenance_state VARCHAR(32) NOT NULL DEFAULT 'ACTIVE',
security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED',
- credential_store_supported SMALLINT NOT NULL DEFAULT 0,
credential_store_enabled SMALLINT NOT NULL DEFAULT 0,
CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name),
CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
index c6d4ad0..16c5864 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
@@ -252,7 +252,6 @@ CREATE TABLE servicedesiredstate (
service_name VARCHAR2(255) NOT NULL,
maintenance_state VARCHAR2(32) NOT NULL,
security_state VARCHAR2(32) DEFAULT 'UNSECURED' NOT NULL,
- credential_store_supported SMALLINT DEFAULT 0 NOT NULL,
credential_store_enabled SMALLINT DEFAULT 0 NOT NULL,
CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name),
CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
index 1be87bb..91610bb 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
@@ -261,7 +261,6 @@ CREATE TABLE servicedesiredstate (
service_name VARCHAR(255) NOT NULL,
maintenance_state VARCHAR(32) NOT NULL,
security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED',
- credential_store_supported SMALLINT NOT NULL DEFAULT 0,
credential_store_enabled SMALLINT NOT NULL DEFAULT 0,
CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name),
CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
index abe48e8..aebbcb0 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
@@ -250,7 +250,6 @@ CREATE TABLE servicedesiredstate (
service_name VARCHAR(255) NOT NULL,
maintenance_state VARCHAR(32) NOT NULL DEFAULT 'ACTIVE',
security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED',
- credential_store_supported SMALLINT NOT NULL DEFAULT 0,
credential_store_enabled SMALLINT NOT NULL DEFAULT 0,
CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name),
CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
index 169a464..d3eaa6c 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
@@ -265,7 +265,6 @@ CREATE TABLE servicedesiredstate (
service_name VARCHAR(255) NOT NULL,
maintenance_state VARCHAR(32) NOT NULL,
security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED',
- credential_store_supported SMALLINT NOT NULL DEFAULT 0,
credential_store_enabled SMALLINT NOT NULL DEFAULT 0,
CONSTRAINT PK_servicedesiredstate PRIMARY KEY CLUSTERED (cluster_id,service_name),
CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py
index a32fbfb..ba610a0 100644
--- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py
+++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py
@@ -48,9 +48,7 @@ from resource_management.libraries.functions.get_architecture import get_archite
from resource_management.core.utils import PasswordString
from resource_management.core.shell import checked_call
-from resource_management.core.logger import Logger
-from resource_management.core.resources.system import File
-from resource_management.core.source import DownloadSource
+from ambari_commons.credential_store_helper import get_password_from_credential_store
# Default log4j version; put config files under /etc/hive/conf
log4j_version = '1'
@@ -230,36 +228,15 @@ hive_jdbc_connection_url = config['configurations']['hive-site']['javax.jdo.opti
jdk_location = config['hostLevelParams']['jdk_location']
-credential_util_cmd = 'org.apache.ambari.server.credentialapi.CredentialUtil'
-credential_util_jar = 'CredentialUtil.jar'
-
-# Gets the hive metastore password from its JCEKS provider, if available.
-def getHiveMetastorePassword():
- passwd = ''
+if credential_store_enabled:
if 'hadoop.security.credential.provider.path' in config['configurations']['hive-site']:
- # Try to download CredentialUtil.jar from ambari-server resources
cs_lib_path = config['configurations']['hive-site']['credentialStoreClassPath']
- credential_util_dir = cs_lib_path.split('*')[0] # Remove the trailing '*'
- credential_util_path = os.path.join(credential_util_dir, credential_util_jar)
- credential_util_url = jdk_location + credential_util_jar
- File(credential_util_path,
- content = DownloadSource(credential_util_url),
- mode = 0644,
- )
-
- # Execute a get command on the CredentialUtil CLI to get the password for the specified alias
java_home = config['hostLevelParams']['java_home']
- java_bin = '{java_home}/bin/java'.format(java_home=java_home)
alias = 'javax.jdo.option.ConnectionPassword'
provider_path = config['configurations']['hive-site']['hadoop.security.credential.provider.path']
- cmd = (java_bin, '-cp', cs_lib_path, credential_util_cmd, 'get', alias, '-provider', provider_path)
- cmd_result, std_out_msg = checked_call(cmd)
- std_out_lines = std_out_msg.split('\n')
- passwd = std_out_lines[-1] # Get the last line of the output, to skip warnings if any.
- return passwd
-
-if credential_store_enabled:
- hive_metastore_user_passwd = PasswordString(getHiveMetastorePassword())
+ hive_metastore_user_passwd = PasswordString(get_password_from_credential_store(alias, provider_path, cs_lib_path, java_home, jdk_location))
+ else:
+ raise Exception("hadoop.security.credential.provider.path property should be set")
else:
hive_metastore_user_passwd = config['configurations']['hive-site']['javax.jdo.option.ConnectionPassword']
hive_metastore_user_passwd = unicode(hive_metastore_user_passwd) if not is_empty(hive_metastore_user_passwd) else hive_metastore_user_passwd
@@ -843,4 +820,4 @@ if enable_ranger_hive:
if has_ranger_admin and stack_supports_ranger_audit_db and xa_audit_db_flavor.lower() == 'sqla':
xa_audit_db_is_enabled = False
-# ranger hive plugin section end
\ No newline at end of file
+# ranger hive plugin section end
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py
index eb438e7..d30a465 100644
--- a/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py
+++ b/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py
@@ -34,6 +34,8 @@ from resource_management.libraries.resources.hdfs_resource import HdfsResource
from resource_management.libraries.functions.get_architecture import get_architecture
from resource_management.libraries.functions.stack_features import get_stack_feature_version
+from resource_management.core.utils import PasswordString
+from ambari_commons.credential_store_helper import get_password_from_credential_store
from urlparse import urlparse
import status_params
@@ -166,6 +168,10 @@ zk_connection_string = default('/configurations/oozie-site/oozie.zookeeper.conne
jaas_file = os.path.join(conf_dir, 'zkmigrator_jaas.conf')
stack_supports_zk_security = check_stack_feature(StackFeature.SECURE_ZOOKEEPER, version_for_stack_feature_checks)
+credential_store_enabled = False
+if 'credentialStoreEnabled' in config:
+ credential_store_enabled = config['credentialStoreEnabled']
+
if security_enabled:
oozie_site = dict(config['configurations']['oozie-site'])
oozie_principal_with_host = oozie_principal.replace('_HOST', hostname)
@@ -195,7 +201,19 @@ oozie_env_sh_template = config['configurations']['oozie-env']['content']
oracle_driver_jar_name = "ojdbc6.jar"
oozie_metastore_user_name = config['configurations']['oozie-site']['oozie.service.JPAService.jdbc.username']
-oozie_metastore_user_passwd = default("/configurations/oozie-site/oozie.service.JPAService.jdbc.password","")
+
+if credential_store_enabled:
+ if 'hadoop.security.credential.provider.path' in config['configurations']['oozie-site']:
+ cs_lib_path = config['configurations']['oozie-site']['credentialStoreClassPath']
+ java_home = config['hostLevelParams']['java_home']
+ alias = 'oozie.service.JPAService.jdbc.password'
+ provider_path = config['configurations']['oozie-site']['hadoop.security.credential.provider.path']
+ oozie_metastore_user_passwd = PasswordString(get_password_from_credential_store(alias, provider_path, cs_lib_path, java_home, jdk_location))
+ else:
+ raise Exception("hadoop.security.credential.provider.path property should be set")
+else:
+ oozie_metastore_user_passwd = default("/configurations/oozie-site/oozie.service.JPAService.jdbc.password","")
+
oozie_jdbc_connection_url = default("/configurations/oozie-site/oozie.service.JPAService.jdbc.url", "")
oozie_log_dir = config['configurations']['oozie-env']['oozie_log_dir']
oozie_data_dir = config['configurations']['oozie-env']['oozie_data_dir']
http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java
index 1c742ef..cee490b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java
@@ -189,9 +189,7 @@ public class UpgradeCatalog250Test {
eq("repo_version"), eq("repo_version_id"), eq(false));
// servicedesiredstate table
- Capture<DBAccessor.DBColumnInfo> capturedCredentialStoreSupportedCol = newCapture();
Capture<DBAccessor.DBColumnInfo> capturedCredentialStoreEnabledCol = newCapture();
- dbAccessor.addColumn(eq(UpgradeCatalog250.SERVICE_DESIRED_STATE_TABLE), capture(capturedCredentialStoreSupportedCol));
dbAccessor.addColumn(eq(UpgradeCatalog250.SERVICE_DESIRED_STATE_TABLE), capture(capturedCredentialStoreEnabledCol));
expect(dbAccessor.getConnection()).andReturn(connection).anyTimes();
@@ -253,16 +251,8 @@ public class UpgradeCatalog250Test {
// did we get them all?
Assert.assertEquals(0, expected.size());
- // Verify if credential_store_supported & credential_store_enabled columns
+ // Verify if credential_store_enabled columns
// were added to servicedesiredstate table
- DBAccessor.DBColumnInfo capturedCredentialStoreSupportedColValues = capturedCredentialStoreSupportedCol.getValue();
- Assert.assertNotNull(capturedCredentialStoreSupportedColValues);
-
- Assert.assertEquals(UpgradeCatalog250.CREDENTIAL_STORE_SUPPORTED_COL, capturedCredentialStoreSupportedColValues.getName());
- Assert.assertEquals(null, capturedCredentialStoreSupportedColValues.getLength());
- Assert.assertEquals(Short.class, capturedCredentialStoreSupportedColValues.getType());
- Assert.assertEquals(0, capturedCredentialStoreSupportedColValues.getDefaultValue());
- Assert.assertEquals(false, capturedCredentialStoreSupportedColValues.isNullable());
DBAccessor.DBColumnInfo capturedCredentialStoreEnabledColValues = capturedCredentialStoreEnabledCol.getValue();
Assert.assertNotNull(capturedCredentialStoreEnabledColValues);