You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2017/11/10 16:43:39 UTC
Review Request 63735: Ambari checks fail with FIPS mode is activated
on the OS
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63735/
-----------------------------------------------------------
Review request for Ambari, Attila Magyar, Andrew Onischuk, Balázs Bence Sári, Eugene Chekanskiy, Jonathan Hurley, Robert Nettleton, Swapan Shridhar, and Vitalyi Brodetskyi.
Bugs: AMBARI-22417
https://issues.apache.org/jira/browse/AMBARI-22417
Repository: ambari
Description
-------
Ambari checks fail with FIPS mode is activated on the OS (Rhel7). FIPS mode disables weak ciphers (such as MD5).
Ambari code is doing
```
ccache_file_name = _md5("
{0}|{1}".format(principal, keytab)).hexdigest(). MD5 is disabled on the OS (RHEL7) so ambari throws errors.
```
- All service checks fail, Ranger KMS start fails via ambari.
- However all the services are actually running and fine.
- Also Ranger KMS succesfully started from command Line
Here is the stack trace from Ambari
```
service_check
params.kinit_path_local, False, None, params.smoke_user)
File "/usr/lib/python2.6/site-packages/resource_management/libraries/functions/curl_krb_request.py", line 109, in curl_krb_request
ccache_file_name = _md5("{0}
|
{1}
".format(principal, keytab)).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
```
Fix:
MD5 is disabled on the OS, Code needs to be updated to use SHA?
This is required when FIPS mode is enabled on the RHEL OS
Diffs
-----
ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py 95e8625d67
Diff: https://reviews.apache.org/r/63735/diff/1/
Testing
-------
Manually tested
Thanks,
Robert Levas
Re: Review Request 63735: Ambari checks fail with FIPS mode is
activated on the OS
Posted by Robert Levas <rl...@hortonworks.com>.
> On Nov. 10, 2017, 11:57 a.m., Robert Levas wrote:
> > ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py
> > Line 35 (original), 37 (patched)
> > <https://reviews.apache.org/r/63735/diff/1/?file=1888554#file1888554line39>
> >
> > Using `sha224` rather than `sha156` to keep the generated string smaller since it will be part of a path. For example:
> >
> > SHA224
> > ```
> > web_alert_ambari-qa_cc_e9e01054f2ce1b0a41f59c30a282cd6e8a0aacc207f6be80b3b5fc57
> > ```
> >
> > SHA256
> > ```
> > web_alert_ambari-qa_cc_90a8d884d4b9c869a647be5d9690386b2c1e7352e876fba54b96438a648b1d7d
> > ```
Correction: `sha156` --> `sha256`
- Robert
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63735/#review190733
-----------------------------------------------------------
On Nov. 10, 2017, 11:43 a.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63735/
> -----------------------------------------------------------
>
> (Updated Nov. 10, 2017, 11:43 a.m.)
>
>
> Review request for Ambari, Attila Magyar, Andrew Onischuk, Balázs Bence Sári, Eugene Chekanskiy, Jonathan Hurley, Robert Nettleton, Swapan Shridhar, and Vitalyi Brodetskyi.
>
>
> Bugs: AMBARI-22417
> https://issues.apache.org/jira/browse/AMBARI-22417
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Ambari checks fail with FIPS mode is activated on the OS (Rhel7). FIPS mode disables weak ciphers (such as MD5).
> Ambari code is doing
>
> ```
> ccache_file_name = _md5("
> {0}|{1}".format(principal, keytab)).hexdigest(). MD5 is disabled on the OS (RHEL7) so ambari throws errors.
> ```
>
> - All service checks fail, Ranger KMS start fails via ambari.
> - However all the services are actually running and fine.
>
> - Also Ranger KMS succesfully started from command Line
>
> Here is the stack trace from Ambari
>
> ```
> service_check
> params.kinit_path_local, False, None, params.smoke_user)
> File "/usr/lib/python2.6/site-packages/resource_management/libraries/functions/curl_krb_request.py", line 109, in curl_krb_request
> ccache_file_name = _md5("{0}
> |
> {1}
> ".format(principal, keytab)).hexdigest()
> ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
> ```
>
> Fix:
> MD5 is disabled on the OS, Code needs to be updated to use SHA?
>
> This is required when FIPS mode is enabled on the RHEL OS
>
>
> Diffs
> -----
>
> ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py 95e8625d67
>
>
> Diff: https://reviews.apache.org/r/63735/diff/1/
>
>
> Testing
> -------
>
> Manually tested
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 63735: Ambari checks fail with FIPS mode is
activated on the OS
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63735/#review190733
-----------------------------------------------------------
ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py
Line 35 (original), 37 (patched)
<https://reviews.apache.org/r/63735/#comment268340>
Using `sha224` rather than `sha156` to keep the generated string smaller since it will be part of a path. For example:
SHA224
```
web_alert_ambari-qa_cc_e9e01054f2ce1b0a41f59c30a282cd6e8a0aacc207f6be80b3b5fc57
```
SHA256
```
web_alert_ambari-qa_cc_90a8d884d4b9c869a647be5d9690386b2c1e7352e876fba54b96438a648b1d7d
```
- Robert Levas
On Nov. 10, 2017, 11:43 a.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63735/
> -----------------------------------------------------------
>
> (Updated Nov. 10, 2017, 11:43 a.m.)
>
>
> Review request for Ambari, Attila Magyar, Andrew Onischuk, Balázs Bence Sári, Eugene Chekanskiy, Jonathan Hurley, Robert Nettleton, Swapan Shridhar, and Vitalyi Brodetskyi.
>
>
> Bugs: AMBARI-22417
> https://issues.apache.org/jira/browse/AMBARI-22417
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Ambari checks fail with FIPS mode is activated on the OS (Rhel7). FIPS mode disables weak ciphers (such as MD5).
> Ambari code is doing
>
> ```
> ccache_file_name = _md5("
> {0}|{1}".format(principal, keytab)).hexdigest(). MD5 is disabled on the OS (RHEL7) so ambari throws errors.
> ```
>
> - All service checks fail, Ranger KMS start fails via ambari.
> - However all the services are actually running and fine.
>
> - Also Ranger KMS succesfully started from command Line
>
> Here is the stack trace from Ambari
>
> ```
> service_check
> params.kinit_path_local, False, None, params.smoke_user)
> File "/usr/lib/python2.6/site-packages/resource_management/libraries/functions/curl_krb_request.py", line 109, in curl_krb_request
> ccache_file_name = _md5("{0}
> |
> {1}
> ".format(principal, keytab)).hexdigest()
> ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
> ```
>
> Fix:
> MD5 is disabled on the OS, Code needs to be updated to use SHA?
>
> This is required when FIPS mode is enabled on the RHEL OS
>
>
> Diffs
> -----
>
> ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py 95e8625d67
>
>
> Diff: https://reviews.apache.org/r/63735/diff/1/
>
>
> Testing
> -------
>
> Manually tested
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 63735: Ambari checks fail with FIPS mode is
activated on the OS
Posted by Attila Magyar <am...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63735/#review190734
-----------------------------------------------------------
Ship it!
Ship It!
- Attila Magyar
On Nov. 10, 2017, 4:43 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63735/
> -----------------------------------------------------------
>
> (Updated Nov. 10, 2017, 4:43 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Andrew Onischuk, Balázs Bence Sári, Eugene Chekanskiy, Jonathan Hurley, Robert Nettleton, Swapan Shridhar, and Vitalyi Brodetskyi.
>
>
> Bugs: AMBARI-22417
> https://issues.apache.org/jira/browse/AMBARI-22417
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Ambari checks fail with FIPS mode is activated on the OS (Rhel7). FIPS mode disables weak ciphers (such as MD5).
> Ambari code is doing
>
> ```
> ccache_file_name = _md5("
> {0}|{1}".format(principal, keytab)).hexdigest(). MD5 is disabled on the OS (RHEL7) so ambari throws errors.
> ```
>
> - All service checks fail, Ranger KMS start fails via ambari.
> - However all the services are actually running and fine.
>
> - Also Ranger KMS succesfully started from command Line
>
> Here is the stack trace from Ambari
>
> ```
> service_check
> params.kinit_path_local, False, None, params.smoke_user)
> File "/usr/lib/python2.6/site-packages/resource_management/libraries/functions/curl_krb_request.py", line 109, in curl_krb_request
> ccache_file_name = _md5("{0}
> |
> {1}
> ".format(principal, keytab)).hexdigest()
> ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
> ```
>
> Fix:
> MD5 is disabled on the OS, Code needs to be updated to use SHA?
>
> This is required when FIPS mode is enabled on the RHEL OS
>
>
> Diffs
> -----
>
> ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py 95e8625d67
>
>
> Diff: https://reviews.apache.org/r/63735/diff/1/
>
>
> Testing
> -------
>
> Manually tested
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 63735: Ambari checks fail with FIPS mode is
activated on the OS
Posted by Balázs Bence Sári <bs...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63735/#review190739
-----------------------------------------------------------
Ship it!
Ship It!
- Balázs Bence Sári
On Nov. 10, 2017, 4:43 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63735/
> -----------------------------------------------------------
>
> (Updated Nov. 10, 2017, 4:43 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Andrew Onischuk, Balázs Bence Sári, Eugene Chekanskiy, Jonathan Hurley, Robert Nettleton, Swapan Shridhar, and Vitalyi Brodetskyi.
>
>
> Bugs: AMBARI-22417
> https://issues.apache.org/jira/browse/AMBARI-22417
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Ambari checks fail with FIPS mode is activated on the OS (Rhel7). FIPS mode disables weak ciphers (such as MD5).
> Ambari code is doing
>
> ```
> ccache_file_name = _md5("
> {0}|{1}".format(principal, keytab)).hexdigest(). MD5 is disabled on the OS (RHEL7) so ambari throws errors.
> ```
>
> - All service checks fail, Ranger KMS start fails via ambari.
> - However all the services are actually running and fine.
>
> - Also Ranger KMS succesfully started from command Line
>
> Here is the stack trace from Ambari
>
> ```
> service_check
> params.kinit_path_local, False, None, params.smoke_user)
> File "/usr/lib/python2.6/site-packages/resource_management/libraries/functions/curl_krb_request.py", line 109, in curl_krb_request
> ccache_file_name = _md5("{0}
> |
> {1}
> ".format(principal, keytab)).hexdigest()
> ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
> ```
>
> Fix:
> MD5 is disabled on the OS, Code needs to be updated to use SHA?
>
> This is required when FIPS mode is enabled on the RHEL OS
>
>
> Diffs
> -----
>
> ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py 95e8625d67
>
>
> Diff: https://reviews.apache.org/r/63735/diff/1/
>
>
> Testing
> -------
>
> Manually tested
>
>
> Thanks,
>
> Robert Levas
>
>