Posted to reviews@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2017/11/10 16:43:39 UTC

Review Request 63735: Ambari checks fail with FIPS mode is activated on the OS

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63735/
-----------------------------------------------------------

Review request for Ambari, Attila Magyar, Andrew Onischuk, Balázs Bence Sári, Eugene Chekanskiy, Jonathan Hurley, Robert Nettleton, Swapan Shridhar, and Vitalyi Brodetskyi.


Bugs: AMBARI-22417
    https://issues.apache.org/jira/browse/AMBARI-22417


Repository: ambari


Description
-------

Ambari checks fail when FIPS mode is activated on the OS (RHEL7). FIPS mode disables weak ciphers (such as MD5). 
Ambari code is doing 

```
ccache_file_name = _md5("{0}|{1}".format(principal, keytab)).hexdigest()
```

MD5 is disabled on the OS (RHEL7), so Ambari throws errors.

- All service checks fail, Ranger KMS start fails via Ambari. 
- However all the services are actually running and fine. 

- Also Ranger KMS successfully started from the command line

Here is the stack trace from Ambari

```
service_check
params.kinit_path_local, False, None, params.smoke_user)
File "/usr/lib/python2.6/site-packages/resource_management/libraries/functions/curl_krb_request.py", line 109, in curl_krb_request
ccache_file_name = _md5("{0}|{1}".format(principal, keytab)).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
```

Fix: 
MD5 is disabled on the OS; code needs to be updated to use SHA?

This is required when FIPS mode is enabled on the RHEL OS


Diffs
-----

  ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py 95e8625d67 


Diff: https://reviews.apache.org/r/63735/diff/1/


Testing
-------

Manually tested


Thanks,

Robert Levas


Re: Review Request 63735: Ambari checks fail with FIPS mode is activated on the OS

Posted by Robert Levas <rl...@hortonworks.com>.

> On Nov. 10, 2017, 11:57 a.m., Robert Levas wrote:
> > ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py
> > Line 35 (original), 37 (patched)
> > <https://reviews.apache.org/r/63735/diff/1/?file=1888554#file1888554line39>
> >
> >     Using `sha224` rather than `sha156` to keep the generated string smaller since it will be part of a path. For example:
> >     
> >     SHA224
> >     ```
> >     web_alert_ambari-qa_cc_e9e01054f2ce1b0a41f59c30a282cd6e8a0aacc207f6be80b3b5fc57
> >     ```
> >     
> >     SHA256
> >     ```
> >     web_alert_ambari-qa_cc_90a8d884d4b9c869a647be5d9690386b2c1e7352e876fba54b96438a648b1d7d
> >     ```

Correction: `sha156` --> `sha256`


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63735/#review190733
-----------------------------------------------------------




Re: Review Request 63735: Ambari checks fail with FIPS mode is activated on the OS

Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63735/#review190733
-----------------------------------------------------------




ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py
Line 35 (original), 37 (patched)
<https://reviews.apache.org/r/63735/#comment268340>

    Using `sha224` rather than `sha156` to keep the generated string smaller since it will be part of a path. For example:
    
    SHA224
    ```
    web_alert_ambari-qa_cc_e9e01054f2ce1b0a41f59c30a282cd6e8a0aacc207f6be80b3b5fc57
    ```
    
    SHA256
    ```
    web_alert_ambari-qa_cc_90a8d884d4b9c869a647be5d9690386b2c1e7352e876fba54b96438a648b1d7d
    ```


- Robert Levas
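An added example, not part of the original thread and not Ambari's code: it probes whether a digest is usable on the host (MD5 raises `ValueError` under FIPS, as in the stack trace) and derives the cache file name with SHA-224, showing the length difference against SHA-256 that the review comment describes. The `<prefix>_<user>_cc_<digest>` layout is inferred from the sample names above, and the principal and keytab values are constructed.

```python
import hashlib

def digest_available(name):
    """True if hashlib can instantiate `name` on this host.

    With FIPS mode enabled, OpenSSL refuses MD5 and hashlib raises
    ValueError ("disabled for fips"), as in the stack trace in this thread.
    """
    try:
        hashlib.new(name, b"")
        return True
    except ValueError:
        return False

def ccache_file_name(prefix, user, principal, keytab, algorithm="sha224"):
    """Build '<prefix>_<user>_cc_<hexdigest>' from the principal/keytab pair.

    The layout is inferred from the sample names in the review comment and
    is an assumption, not Ambari's actual code.
    """
    if not digest_available(algorithm):
        raise RuntimeError("digest %r is not usable on this host" % algorithm)
    material = "{0}|{1}".format(principal, keytab).encode("utf-8")
    digest = hashlib.new(algorithm, material).hexdigest()
    return "{0}_{1}_cc_{2}".format(prefix, user, digest)

# Constructed sample values, not taken from a real cluster.
PRINCIPAL = "ambari-qa@EXAMPLE.COM"
KEYTAB = "/etc/security/keytabs/smokeuser.headless.keytab"

def compare_lengths():
    """Return {algorithm: file-name length} for the digests that work here."""
    lengths = {}
    for algorithm in ("md5", "sha224", "sha256"):
        if digest_available(algorithm):
            name = ccache_file_name("web_alert", "ambari-qa",
                                    PRINCIPAL, KEYTAB, algorithm)
            lengths[algorithm] = len(name)
    return lengths

if __name__ == "__main__":
    print("md5 usable here:", digest_available("md5"))
    for algorithm, length in sorted(compare_lengths().items()):
        print(algorithm, length)
```

On a FIPS-enabled host the `md5` entry is simply absent from the result of `compare_lengths()`, while the SHA-224 and SHA-256 names are still produced.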




Re: Review Request 63735: Ambari checks fail with FIPS mode is activated on the OS

Posted by Attila Magyar <am...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63735/#review190734
-----------------------------------------------------------


Ship it!




Ship It!

- Attila Magyar




Re: Review Request 63735: Ambari checks fail with FIPS mode is activated on the OS

Posted by Balázs Bence Sári <bs...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63735/#review190739
-----------------------------------------------------------


Ship it!




Ship It!

- Balázs Bence Sári

