Posted to commits@ambari.apache.org by rl...@apache.org on 2015/03/09 20:07:14 UTC
[2/2] ambari git commit: AMBARI-9937. Ambari must support deployment
on separate host (rlevas)
AMBARI-9937. Ambari must support deployment on separate host (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/8b4ef2b6
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/8b4ef2b6
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/8b4ef2b6
Branch: refs/heads/branch-2.0.0
Commit: 8b4ef2b694b316a89f365d7329a9db4e2162f7c0
Parents: ba69c1d
Author: Robert Levas <rl...@hortonworks.com>
Authored: Mon Mar 9 15:06:55 2015 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Mon Mar 9 15:06:55 2015 -0400
----------------------------------------------------------------------
ambari-server/conf/unix/ambari.properties | 3 +
ambari-server/conf/windows/ambari.properties | 3 +
ambari-server/pom.xml | 7 +
.../server/configuration/Configuration.java | 12 +
.../server/controller/KerberosHelper.java | 63 ++--
.../kerberos/CreateKeytabFilesServerAction.java | 305 ++++++++++++++-----
.../kerberos/DestroyPrincipalsServerAction.java | 17 +-
.../kerberos/KerberosActionDataFile.java | 1 +
.../kerberos/KerberosActionDataFileBuilder.java | 11 +-
.../kerberos/KerberosOperationHandler.java | 228 ++++++++++----
.../kerberos/KerberosServerAction.java | 4 -
.../kerberos/MITKerberosOperationHandler.java | 27 ++
.../kerberos/KerberosKeytabDescriptor.java | 33 ++
.../python/ambari_server/serverConfiguration.py | 2 +
.../1.10.3-10/configuration/kerberos-env.xml | 18 +-
.../1.10.3-10/configuration/krb5-conf.xml | 114 +------
.../1.10.3-10/package/scripts/params.py | 36 +--
.../1.10.3-10/package/templates/krb5_conf.j2 | 27 +-
.../KERBEROS/configuration/krb5-conf.xml | 92 +-----
.../services/KERBEROS/package/scripts/params.py | 39 +--
.../KERBEROS/package/templates/krb5_conf.j2 | 27 +-
.../server/agent/TestHeartbeatHandler.java | 2 +-
.../server/controller/KerberosHelperTest.java | 14 +-
.../ADKerberosOperationHandlerTest.java | 1 -
.../kerberos/KerberosActionDataFileTest.java | 10 +-
.../kerberos/KerberosOperationHandlerTest.java | 24 +-
.../kerberos/KerberosServerActionTest.java | 2 +-
.../MITKerberosOperationHandlerTest.java | 4 +-
.../UpdateKerberosConfigsServerActionTest.java | 2 +-
.../python/stacks/2.2/KERBEROS/use_cases.py | 36 +--
.../journalnode-upgrade-hdfs-secure.json | 24 +-
.../stacks/2.2/configs/journalnode-upgrade.json | 24 +-
.../2.2/configs/pig-service-check-secure.json | 28 +-
.../2.2/configs/ranger-admin-upgrade.json | 26 +-
.../2.2/configs/ranger-usersync-upgrade.json | 28 +-
.../wizard/stack/hdp/version2.0.1/KERBEROS.json | 148 +--------
ambari-web/app/data/HDP2/site_properties.js | 34 +--
37 files changed, 720 insertions(+), 756 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/conf/unix/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties
index ec51278..251f068 100644
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -66,6 +66,9 @@ server.execution.scheduler.maxThreads=5
server.execution.scheduler.maxDbConnections=5
server.execution.scheduler.misfire.toleration.minutes=480
+# Kerberos settings
+kerberos.keytab.cache.dir = /var/lib/ambari-server/data/cache
+
# Default timeout in seconds before task is killed
agent.task.timeout=900
# Default timeout in seconds before package installation task is killed
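Review bot: The new `# Kerberos settings` comment does not say what `kerberos.keytab.cache.dir` is used for, and the same applies to the windows ambari.properties hunk. Since the server writes cached keytab files into this directory (see the CreateKeytabFilesServerAction changes in this commit), an administrator who relocates it needs to know what protection it requires; something like `# Directory in which the server caches keytab files it generates; must be accessible only to the Ambari server user` would carry that.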
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/conf/windows/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/windows/ambari.properties b/ambari-server/conf/windows/ambari.properties
index ff69f67..cfe9c3d 100644
--- a/ambari-server/conf/windows/ambari.properties
+++ b/ambari-server/conf/windows/ambari.properties
@@ -50,6 +50,9 @@ server.execution.scheduler.maxThreads=5
server.execution.scheduler.maxDbConnections=5
server.execution.scheduler.misfire.toleration.minutes=480
+# Kerberos settings
+kerberos.keytab.cache.dir = data\\cache
+
recommendations.dir=\\var\\run\\ambari-server\\stack-recommendations
stackadvisor.script=resources\\scripts\\stack_advisor.py
server.tmp.dir=\\var\\run\\ambari-server\\tmp
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/pom.xml
----------------------------------------------------------------------
diff --git a/ambari-server/pom.xml b/ambari-server/pom.xml
index 2bbb0ee..7a13936 100644
--- a/ambari-server/pom.xml
+++ b/ambari-server/pom.xml
@@ -486,6 +486,12 @@
<groupname>root</groupname>
</mapping>
<mapping>
+ <directory>/var/lib/ambari-server/data/cache</directory>
+ <filemode>700</filemode>
+ <username>root</username>
+ <groupname>root</groupname>
+ </mapping>
+ <mapping>
<directory>/var/lib/ambari-server/resources/apps</directory>
<filemode>755</filemode>
<username>root</username>
@@ -667,6 +673,7 @@
<path>/var/log/ambari-server</path>
<path>/var/lib/ambari-server/resources/upgrade</path>
<path>/var/lib/ambari-server/data/tmp</path>
+ <path>/var/lib/ambari-server/data/cache</path>
</paths>
</data>
<!-- TODO: should be included all subdirs, if exists-->
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index c5595e6..8060c80 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -234,6 +234,8 @@ public class Configuration {
public static final String KDC_PORT_KEY_DEFAULT = "88";
public static final String KDC_CONNECTION_CHECK_TIMEOUT_KEY = "kdcserver.connection.check.timeout";
public static final String KDC_CONNECTION_CHECK_TIMEOUT_DEFAULT = "10000";
+ public static final String KERBEROS_KEYTAB_CACHE_DIR_KEY = "kerberos.keytab.cache.dir";
+ public static final String KERBEROS_KEYTAB_CACHE_DIR_DEFAULT = "/var/lib/ambari-server/data/cache";
/**
* This key defines whether stages of parallel requests are executed in
* parallel or sequentally. Only stages from different requests
@@ -1324,6 +1326,16 @@ public class Configuration {
}
/**
+ * Gets the directory where Ambari is to store cached keytab files.
+ *
+ * @return a File containing the path to the directory to use to store cached keytab files
+ */
+ public File getKerberosKeytabCacheDir() {
+ String fileName = properties.getProperty(KERBEROS_KEYTAB_CACHE_DIR_KEY, KERBEROS_KEYTAB_CACHE_DIR_DEFAULT);
+ return new File(fileName);
+ }
+
+ /**
* Gets the type of database by examining the {@link #getDatabaseUrl()} JDBC
* URL.
*
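Review bot: getKerberosKeytabCacheDir passes an empty or blank property value straight into `new File("")`, which reports exists() as false and cannot be created with mkdirs(), and a child resolved against it ends up relative to the server's working directory; treating a blank value as the default avoids that: `if (fileName == null || fileName.trim().isEmpty()) { fileName = KERBEROS_KEYTAB_CACHE_DIR_DEFAULT; }` before the `return`. The Javadoc could also state that the method never returns null and does not create the directory, so callers do not need the null check and know they own directory creation.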
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
index e01d38d..cf73236 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
@@ -156,6 +156,9 @@ public class KerberosHelper {
private ConfigHelper configHelper;
@Inject
+ private Configuration configuration;
+
+ @Inject
private KerberosOperationHandlerFactory kerberosOperationHandlerFactory;
@Inject
@@ -191,7 +194,7 @@ public class KerberosHelper {
* executed to complete this task; or null if no stages need to be executed.
* @throws AmbariException
* @throws KerberosInvalidConfigurationException if an issue occurs trying to get the
- * Kerberos-specific configuration details
+ * Kerberos-specific configuration details
* @throws KerberosOperationException
*/
public RequestStageContainer toggleKerberos(Cluster cluster, SecurityType securityType,
@@ -228,7 +231,7 @@ public class KerberosHelper {
* @throws AmbariException
* @throws KerberosOperationException
* @throws KerberosInvalidConfigurationException if an issue occurs trying to get the
- * Kerberos-specific configuration details
+ * Kerberos-specific configuration details
*/
public RequestStageContainer executeCustomOperations(Cluster cluster, Map<String, String> requestProperties,
RequestStageContainer requestStageContainer)
@@ -313,7 +316,7 @@ public class KerberosHelper {
throws AmbariException, KerberosOperationException {
return handle(cluster, getKerberosDetails(cluster), serviceComponentFilter, identityFilter,
hostsToForceKerberosOperations, requestStageContainer, new CreatePrincipalsAndKeytabsHandler(false));
- }
+ }
/**
* Deletes the set of filtered principals and keytabs from the cluster.
@@ -455,7 +458,6 @@ public class KerberosHelper {
* Validate the KDC admin credentials.
*
* @param cluster associated cluster
- *
* @throws AmbariException if any other error occurs while trying to validate the credentials
*/
public void validateKDCCredentials(Cluster cluster) throws KerberosMissingAdminCredentialsException,
@@ -641,28 +643,28 @@ public class KerberosHelper {
* need to be done. Calls into the Handler implementation to provide guidance and set up stages
* to perform the work needed to complete the relative action.
*
- * @param cluster the relevant Cluster
- * @param kerberosDetails a KerberosDetails containing information about relevant Kerberos configuration
- * @param serviceComponentFilter a Map of service names to component names indicating the relevant
- * set of services and components - if null, no filter is relevant;
- * if empty, the filter indicates no relevant services or components
- * @param identityFilter a Collection of identity names indicating the relevant identities -
- * if null, no filter is relevant; if empty, the filter indicates no
- * relevant identities
- * @param requestStageContainer a RequestStageContainer to place generated stages, if needed -
- * if null a new RequestStageContainer will be created.
+ * @param cluster the relevant Cluster
+ * @param kerberosDetails a KerberosDetails containing information about relevant Kerberos configuration
+ * @param serviceComponentFilter a Map of service names to component names indicating the relevant
+ * set of services and components - if null, no filter is relevant;
+ * if empty, the filter indicates no relevant services or components
+ * @param identityFilter a Collection of identity names indicating the relevant identities -
+ * if null, no filter is relevant; if empty, the filter indicates no
+ * relevant identities
+ * @param requestStageContainer a RequestStageContainer to place generated stages, if needed -
+ * if null a new RequestStageContainer will be created.
* @param hostsToForceKerberosOperations a set of host names on which it is expected that the
* Kerberos client is or will be in the INSTALLED state by
* the time the operations targeted for them are to be
* executed - if empty or null, this no hosts will be
* "forced"
- * @param handler a Handler to use to provide guidance and set up stages
- * to perform the work needed to complete the relative action
+ * @param handler a Handler to use to provide guidance and set up stages
+ * to perform the work needed to complete the relative action
* @return the updated or a new RequestStageContainer containing the stages that need to be
* executed to complete this task; or null if no stages need to be executed.
* @throws AmbariException
* @throws KerberosInvalidConfigurationException if an issue occurs trying to get the
- * Kerberos-specific configuration details
+ * Kerberos-specific configuration details
*/
@Transactional
private RequestStageContainer handle(Cluster cluster,
@@ -695,7 +697,7 @@ public class KerberosHelper {
// Ensure that that hosts that should be assumed to be in the correct state when needed are
// in the hostsWithValidKerberosClient collection.
- if(hostsToForceKerberosOperations != null) {
+ if (hostsToForceKerberosOperations != null) {
hostsWithValidKerberosClient.addAll(hostsToForceKerberosOperations);
}
@@ -733,7 +735,7 @@ public class KerberosHelper {
// If the current ServiceComponentHost represents the KERBEROS/KERBEROS_CLIENT and
// indicates that the KERBEROS_CLIENT component is in the INSTALLED state, add the
// current host to the set of hosts that should be handled...
- if(Service.Type.KERBEROS.name().equals(serviceName) &&
+ if (Service.Type.KERBEROS.name().equals(serviceName) &&
Role.KERBEROS_CLIENT.name().equals(componentName) &&
(sch.getState() == State.INSTALLED)) {
hostsWithValidKerberosClient.add(hostname);
@@ -915,7 +917,7 @@ public class KerberosHelper {
Map<String, String> commandParameters, RequestStageContainer requestStageContainer,
Handler handler) throws AmbariException, KerberosOperationException {
- if(commandParameters == null) {
+ if (commandParameters == null) {
throw new AmbariException("The properties map must not be null. It is needed to store data related to the service check identity");
}
@@ -969,6 +971,8 @@ public class KerberosHelper {
put("name", "${cluster-env/user_group}");
put("access", "r");
}});
+
+ put("cachable", "false");
}
});
}
@@ -1005,7 +1009,7 @@ public class KerberosHelper {
// If the current ServiceComponentHost represents the KERBEROS/KERBEROS_CLIENT and
// indicates that the KERBEROS_CLIENT component is in the INSTALLED state, add the
// current host to the set of hosts that should be handled...
- if(Service.Type.KERBEROS.name().equals(serviceName) &&
+ if (Service.Type.KERBEROS.name().equals(serviceName) &&
Role.KERBEROS_CLIENT.name().equals(componentName) &&
(sch.getState() == State.INSTALLED)) {
hostsWithValidKerberosClient.add(hostname);
@@ -1023,7 +1027,7 @@ public class KerberosHelper {
if (identitiesAdded > 0) {
// Add the relevant principal name and keytab file data to the command params state
- if(!commandParameters.containsKey("principal_name") || !commandParameters.containsKey("keytab_file")) {
+ if (!commandParameters.containsKey("principal_name") || !commandParameters.containsKey("keytab_file")) {
commandParameters.put("principal_name",
KerberosDescriptor.replaceVariables(identity.getPrincipalDescriptor().getValue(), configurations));
commandParameters.put("keytab_file",
@@ -1154,7 +1158,7 @@ public class KerberosHelper {
KDCType kdcType;
String kdcTypeProperty = kerberosEnvProperties.get("kdc_type");
- if(kdcTypeProperty == null) {
+ if (kdcTypeProperty == null) {
String message = "The 'kerberos-env/kdc_type' value must be set to a valid KDC type";
LOG.error(message);
throw new KerberosInvalidConfigurationException(message);
@@ -1290,7 +1294,12 @@ public class KerberosHelper {
* @throws AmbariException if a new temporary directory cannot be created
*/
private File createTemporaryDirectory() throws AmbariException {
- String tempDirectoryPath = System.getProperty("java.io.tmpdir");
+ String tempDirectoryPath = configuration.getProperty(Configuration.SERVER_TMP_DIR_KEY);
+
+ if ((tempDirectoryPath == null) || tempDirectoryPath.isEmpty()) {
+ tempDirectoryPath = System.getProperty("java.io.tmpdir");
+ }
+
try {
if (tempDirectoryPath == null) {
throw new IOException("The System property 'java.io.tmpdir' does not specify a temporary directory");
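Review bot: The IOException message on the null check still names only `java.io.tmpdir`, but after this change that branch is reached only when both the configured server temporary directory and the system property are unset, so the message misleads whoever reads the log; `throw new IOException("Neither " + Configuration.SERVER_TMP_DIR_KEY + " nor the System property 'java.io.tmpdir' specifies a temporary directory");` names both. The Javadoc of createTemporaryDirectory, which starts just above the hunk, should likewise mention that the configured directory is preferred and the system property is the fallback. The method body continues past this hunk.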
@@ -1316,8 +1325,7 @@ public class KerberosHelper {
}
return directory;
- }
- catch (IOException e) {
+ } catch (IOException e) {
String message = "Failed to create the temporary data directory.";
LOG.error(message, e);
throw new AmbariException(message, e);
@@ -1451,7 +1459,8 @@ public class KerberosHelper {
keytabFileOwnerAccess,
keytabFileGroupName,
keytabFileGroupAccess,
- keytabFileConfiguration);
+ keytabFileConfiguration,
+ (keytabDescriptor.isCachable()) ? "true" : "false");
identitiesAdded++;
}
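Review bot: The new argument `(keytabDescriptor.isCachable()) ? "true" : "false"` spells out a boolean-to-string conversion by hand; `String.valueOf(keytabDescriptor.isCachable())` yields the same "true"/"false" strings and reads as what it is. The enclosing method starts and ends outside this hunk.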
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
index 6ea33b0..3e94cd6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
@@ -22,20 +22,25 @@ import com.google.inject.Inject;
import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.actionmanager.HostRoleStatus;
import org.apache.ambari.server.agent.CommandReport;
+import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.orm.dao.KerberosPrincipalDAO;
import org.apache.ambari.server.orm.dao.KerberosPrincipalHostDAO;
import org.apache.ambari.server.orm.entities.KerberosPrincipalEntity;
import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.commons.io.FileUtils;
+import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.IOException;
+import java.util.HashMap;
+import java.util.HashSet;
import java.util.Map;
+import java.util.Set;
import java.util.concurrent.ConcurrentMap;
import static org.apache.ambari.server.serveraction.kerberos.KerberosActionDataFile.HOSTNAME;
+import static org.apache.ambari.server.serveraction.kerberos.KerberosActionDataFile.KEYTAB_FILE_IS_CACHABLE;
import static org.apache.ambari.server.serveraction.kerberos.KerberosActionDataFile.KEYTAB_FILE_PATH;
/**
@@ -64,6 +69,18 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
private KerberosPrincipalHostDAO kerberosPrincipalHostDAO;
/**
+ * Configuration used to get the configured properties such as the keytab file cache directory
+ */
+ @Inject
+ private Configuration configuration;
+
+ /**
+ * A map of data used to track what has been processed in order to optimize the creation of keytabs
+ * such as knowing when to create a cached keytab file or use a cached keytab file.
+ */
+ Map<String, Set<String>> visitedIdentities = new HashMap<String, Set<String>>();
+
+ /**
* Called to execute this action. Upon invocation, calls
* {@link org.apache.ambari.server.serveraction.kerberos.KerberosServerAction#processIdentities(java.util.Map)} )}
* to iterate through the Kerberos identity metadata and call
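Review bot: `visitedIdentities` is declared package-private and non-final although nothing outside the class should see it; `private final Map<String, Set<String>> visitedIdentities = new HashMap<String, Set<String>>();` matches the other fields. Nothing in the diff resets the map, so if a CreateKeytabFilesServerAction instance were reused for a later request (its lifetime is not visible here) the "Skipping previously processed keytab" path would skip keytabs that should be regenerated; a comment stating that the action is expected to be instantiated per request, or a reset at the start of execution, would pin that down.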
@@ -126,9 +143,7 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
CommandReport commandReport = null;
if (identityRecord != null) {
- String message = String.format("Creating keytab file for %s", evaluatedPrincipal);
- LOG.info(message);
- actionLog.writeStdOut(message);
+ String message;
if (operationHandler == null) {
message = String.format("Failed to create keytab file for %s, missing KerberosOperationHandler", evaluatedPrincipal);
@@ -143,84 +158,157 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
String keytabFilePath = identityRecord.get(KEYTAB_FILE_PATH);
if ((host != null) && !host.isEmpty() && (keytabFilePath != null) && !keytabFilePath.isEmpty()) {
- // Look up the current evaluatedPrincipal's password.
- // If found create th keytab file, else skip it.
- String password = principalPasswordMap.get(evaluatedPrincipal);
-
- // Determine where to store the keytab file. It should go into a host-specific
- // directory under the previously determined data directory.
- File hostDirectory = new File(getDataDirectoryPath(), host);
-
- // Ensure the host directory exists...
- if (hostDirectory.exists() || hostDirectory.mkdirs()) {
- File keytabFile = new File(hostDirectory, DigestUtils.sha1Hex(keytabFilePath));
-
- if (password == null) {
- if (kerberosPrincipalHostDAO.exists(evaluatedPrincipal, host)) {
- // There is nothing to do for this since it must already exist and we don't want to
- // regenerate the keytab
- message = String.format("Skipping keytab file for %s, missing password indicates nothing to do", evaluatedPrincipal);
- LOG.debug(message);
- } else {
- KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
- String cachedKeytabPath = (principalEntity == null) ? null : principalEntity.getCachedKeytabPath();
-
- if (cachedKeytabPath == null) {
- message = String.format("Failed to create keytab file for %s, missing password", evaluatedPrincipal);
- actionLog.writeStdErr(message);
- LOG.error(message);
- commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
+ Set<String> visitedPrincipalKeys = visitedIdentities.get(evaluatedPrincipal);
+ String visitationKey = String.format("%s|%s", host, keytabFilePath);
+
+ if ((visitedPrincipalKeys == null) || !visitedPrincipalKeys.contains(visitationKey)) {
+ // Look up the current evaluatedPrincipal's password.
+ // If found create the keytab file, else try to find it in the cache.
+ String password = principalPasswordMap.get(evaluatedPrincipal);
+
+ message = String.format("Creating keytab file for %s on host %s", evaluatedPrincipal, host);
+ LOG.info(message);
+ actionLog.writeStdOut(message);
+
+ // Determine where to store the keytab file. It should go into a host-specific
+ // directory under the previously determined data directory.
+ File hostDirectory = new File(getDataDirectoryPath(), host);
+
+ // Ensure the host directory exists...
+ if (!hostDirectory.exists() && hostDirectory.mkdirs()) {
+ // Make sure only Ambari has access to this directory.
+ ensureAmbariOnlyAccess(hostDirectory);
+ }
+
+ if (hostDirectory.exists()) {
+ File destinationKeytabFile = new File(hostDirectory, DigestUtils.sha1Hex(keytabFilePath));
+
+ if (password == null) {
+ if (kerberosPrincipalHostDAO.exists(evaluatedPrincipal, host)) {
+ // There is nothing to do for this since it must already exist and we don't want to
+ // regenerate the keytab
+ message = String.format("Skipping keytab file for %s, missing password indicates nothing to do", evaluatedPrincipal);
+ LOG.debug(message);
} else {
+ KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
+ String cachedKeytabPath = (principalEntity == null) ? null : principalEntity.getCachedKeytabPath();
+
+ if (cachedKeytabPath == null) {
+ message = String.format("Failed to create keytab for %s, missing cached file", evaluatedPrincipal);
+ actionLog.writeStdErr(message);
+ LOG.error(message);
+ commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
+ } else {
+ try {
+ operationHandler.createKeytabFile(new File(cachedKeytabPath), destinationKeytabFile);
+ } catch (KerberosOperationException e) {
+ message = String.format("Failed to create keytab file for %s - %s", evaluatedPrincipal, e.getMessage());
+ actionLog.writeStdErr(message);
+ LOG.error(message, e);
+ commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
+ }
+ }
+ }
+ } else {
+ Keytab keytab = null;
+
+ // Possibly get the keytab from the cache
+ if (visitedPrincipalKeys != null) {
+ // Since we have visited this principal before, attempt to pull the keytab from the
+ // cache...
+ KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
+ String cachedKeytabPath = (principalEntity == null) ? null : principalEntity.getCachedKeytabPath();
+
+ if (cachedKeytabPath != null) {
+ try {
+ keytab = Keytab.read(new File(cachedKeytabPath));
+ } catch (IOException e) {
+ message = String.format("Failed to read the cached keytab for %s, recreating if possible - %s",
+ evaluatedPrincipal, e.getMessage());
+
+ if (LOG.isDebugEnabled()) {
+ LOG.warn(message, e);
+ } else {
+ LOG.warn(message, e);
+ }
+ }
+ }
+ }
+
+ // If the keytab was not retrieved from the cache... create it.
+ if (keytab == null) {
+ Integer keyNumber = principalKeyNumberMap.get(evaluatedPrincipal);
+
try {
- FileUtils.copyFile(new File(cachedKeytabPath), keytabFile);
- message = String.format("Using cached keytab file for %s at %s", evaluatedPrincipal, keytabFile.getAbsolutePath());
- LOG.debug(message);
- } catch (IOException e) {
- message = String.format("Failed to use cached keytab file for %s at %s: %s", evaluatedPrincipal, keytabFile.getAbsolutePath(), e.getMessage());
+ keytab = operationHandler.createKeytab(evaluatedPrincipal, password, keyNumber);
+
+ // If the current identity does not represent a service, copy it to a secure location
+ // and store that location so it can be reused rather than recreate it.
+ KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
+ if (principalEntity != null) {
+ if (!principalEntity.isService() && ("true".equalsIgnoreCase(identityRecord.get(KEYTAB_FILE_IS_CACHABLE)))) {
+ File cachedKeytabFile = cacheKeytab(evaluatedPrincipal, keytab);
+ String previousCachedFilePath = principalEntity.getCachedKeytabPath();
+ String cachedKeytabFilePath = ((cachedKeytabFile == null) || !cachedKeytabFile.exists())
+ ? null
+ : cachedKeytabFile.getAbsolutePath();
+
+ principalEntity.setCachedKeytabPath(cachedKeytabFilePath);
+ kerberosPrincipalDAO.merge(principalEntity);
+
+ if(previousCachedFilePath != null) {
+ if(!new File(previousCachedFilePath).delete()) {
+ LOG.debug(String.format("Failed to remove orphaned cache file %s", previousCachedFilePath));
+ }
+ }
+ }
+ }
+ } catch (KerberosOperationException e) {
+ message = String.format("Failed to create keytab file for %s - %s", evaluatedPrincipal, e.getMessage());
actionLog.writeStdErr(message);
- LOG.warn(message);
+ LOG.error(message, e);
commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
}
}
- }
- } else {
- Integer keyNumber = principalKeyNumberMap.get(evaluatedPrincipal);
- try {
- if (operationHandler.createKeytabFile(evaluatedPrincipal, password, keyNumber, keytabFile)) {
- message = String.format("Successfully created keytab file for %s at %s", evaluatedPrincipal, keytabFile.getAbsolutePath());
- LOG.debug(message);
+ if (keytab != null) {
+ try {
+ if (operationHandler.createKeytabFile(keytab, destinationKeytabFile)) {
+ ensureAmbariOnlyAccess(destinationKeytabFile);
- // If the current identity does not represent a service, store the location of the
- // keytab file so it can be reused rather than recreate it.
- // Note: for now we are using the keytab's destination directory on the Ambari
- // server
- KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
- if (principalEntity != null) {
- if (!principalEntity.isService()) {
- principalEntity.setCachedKeytabPath(keytabFilePath);
- kerberosPrincipalDAO.merge(principalEntity);
+ message = String.format("Successfully created keytab file for %s at %s", evaluatedPrincipal, destinationKeytabFile.getAbsolutePath());
+ LOG.debug(message);
+ } else {
+ message = String.format("Failed to create keytab file for %s at %s", evaluatedPrincipal, destinationKeytabFile.getAbsolutePath());
+ actionLog.writeStdErr(message);
+ LOG.error(message);
+ commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
}
+ } catch (KerberosOperationException e) {
+ message = String.format("Failed to create keytab file for %s - %s", evaluatedPrincipal, e.getMessage());
+ actionLog.writeStdErr(message);
+ LOG.error(message, e);
+ commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
}
- } else {
- message = String.format("Failed to create keytab file for %s at %s", evaluatedPrincipal, keytabFile.getAbsolutePath());
- actionLog.writeStdErr(message);
- LOG.error(message);
- commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
}
- } catch (KerberosOperationException e) {
- message = String.format("Failed to create keytab file for %s - %s", evaluatedPrincipal, e.getMessage());
- actionLog.writeStdErr(message);
- LOG.error(message, e);
- commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
}
+ } else {
+ message = String.format("Failed to create keytab file for %s, the container directory does not exist: %s",
+ evaluatedPrincipal, hostDirectory.getAbsolutePath());
+ actionLog.writeStdErr(message);
+ LOG.error(message);
+ commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
}
- } else {
- message = String.format("Failed to create keytab file for %s, the container directory does not exist: %s",
- evaluatedPrincipal, hostDirectory.getAbsolutePath());
- actionLog.writeStdErr(message);
- LOG.error(message);
- commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
+
+ if(visitedPrincipalKeys == null) {
+ visitedPrincipalKeys = new HashSet<String>();
+ visitedIdentities.put(evaluatedPrincipal, visitedPrincipalKeys);
+ }
+
+ visitedPrincipalKeys.add(visitationKey);
+ }
+ else {
+ LOG.debug(String.format("Skipping previously processed keytab for %s on host %s", evaluatedPrincipal, host));
}
}
}
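Review bot: The destination keytab produced from the cache by `operationHandler.createKeytabFile(new File(cachedKeytabPath), destinationKeytabFile)` is never passed through `ensureAmbariOnlyAccess(destinationKeytabFile);`, whereas the freshly generated keytab on the `createKeytabFile(keytab, destinationKeytabFile)` branch is, so a keytab written on the cached path keeps whatever permissions the handler gives it. The `if (LOG.isDebugEnabled())` block around `Keytab.read(new File(cachedKeytabPath))` has identical branches (`LOG.warn(message, e)` in both); either the conditional is dead or the non-debug branch was meant to omit the stack trace, `LOG.warn(message)`. The enclosing method starts before this hunk and its `return commandReport;` sits in the next one.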
@@ -228,4 +316,83 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
return commandReport;
}
+
+ /**
+ * Cache a keytab given its relative principal name and the keytab data.
+ * <p/>
+ * The specified keytab is stored in a file in a location derived using the configured keytab
+ * cache directory and the seeded hash of the principal name - this is to add a slight level
+ * of obscurity so that it cannot be determined what keytab data is in the file based on its name.
+ * The file is the set readable by only the Ambari server process owner.
+ *
+ * @param principal the principal name related to the keytab data
+ * @param keytab the keytab data to cache
+ * @return a File pointing to the cached keytab file
+ * @throws AmbariException if a failure occurs while creating the cache file containing the the keytab data
+ */
+ private File cacheKeytab(String principal, Keytab keytab) throws AmbariException {
+ File cacheDirectory = configuration.getKerberosKeytabCacheDir();
+
+ if (cacheDirectory == null) {
+ String message = "The Kerberos keytab cache directory is not configured in the Ambari properties";
+ LOG.error(message);
+ throw new AmbariException(message);
+ }
+
+ if (!cacheDirectory.exists()) {
+ // If the cache directory does not exist, create it and ensure only Ambari has access to it
+ if (cacheDirectory.mkdirs()) {
+ ensureAmbariOnlyAccess(cacheDirectory);
+
+ if (!cacheDirectory.exists()) {
+ String message = String.format("Failed to create the keytab cache directory %s",
+ cacheDirectory.getAbsolutePath());
+ LOG.error(message);
+ throw new AmbariException(message);
+ }
+ }
+ }
+
+ File cachedKeytabFile = new File(cacheDirectory, DigestUtils.sha1Hex(principal + String.valueOf(System.currentTimeMillis())));
+
+ try {
+ keytab.write(cachedKeytabFile);
+ ensureAmbariOnlyAccess(cachedKeytabFile);
+ } catch (IOException e) {
+ String message = String.format("Failed to write the keytab for %s to the cache location (%s)",
+ principal, cachedKeytabFile.getAbsolutePath());
+ LOG.error(message, e);
+ throw new AmbariException(message, e);
+ }
+
+ return cachedKeytabFile;
+ }
+
+ /**
+ * Ensures that the owner of the Ambari server process is the only local user account able to
+ * read and write to the specified file or read, write to, and execute the specified directory.
+ *
+ * @param file the file or directory for which to modify access
+ */
+ private void ensureAmbariOnlyAccess(File file) {
+ if (file.exists()) {
+ if (!file.setReadable(false, false) || !file.setReadable(true, true)) {
+ LOG.warn(String.format("Failed to set %s readable only by Ambari", file.getAbsolutePath()));
+ }
+
+ if (!file.setWritable(false, false) || !file.setWritable(true, true)) {
+ LOG.warn(String.format("Failed to set %s writable only by Ambari", file.getAbsolutePath()));
+ }
+
+ if (file.isDirectory()) {
+ if (!file.setExecutable(false, false) && !file.setExecutable(true, true)) {
+ LOG.warn(String.format("Failed to set %s executable by Ambari", file.getAbsolutePath()));
+ }
+ } else {
+ if (!file.setExecutable(false, false)) {
+ LOG.warn(String.format("Failed to set %s not executable", file.getAbsolutePath()));
+ }
+ }
+ }
+ }
}
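Review bot: In ensureAmbariOnlyAccess the directory branch uses `&&` instead of the `||` used for the readable and writable checks: `if (!file.setExecutable(false, false) && !file.setExecutable(true, true))` short-circuits as soon as removing execute for everyone succeeds, so `setExecutable(true, true)` is never called and the owner loses traversal of the cache and host directories the method is meant to protect (a root-owned process would not notice, any other server user would fail on the next write into that directory). The fix is `if (!file.setExecutable(false, false) || !file.setExecutable(true, true))`, which also makes the warning text accurate. In cacheKeytab the keytab is written before its permissions are tightened, so between `keytab.write(cachedKeytabFile)` and `ensureAmbariOnlyAccess(cachedKeytabFile)` the file carries the process umask; creating the empty file and restricting it before writing, or creating it with owner-only permissions via java.nio.file, would close that window if Keytab.write does not recreate the file. The Javadoc sentence "The file is the set readable by only the Ambari server process owner" should read "The file is then set readable by only the Ambari server process owner".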
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java
index caf8c78..a215a56 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java
@@ -22,9 +22,11 @@ import com.google.inject.Inject;
import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.agent.CommandReport;
import org.apache.ambari.server.orm.dao.KerberosPrincipalDAO;
+import org.apache.ambari.server.orm.entities.KerberosPrincipalEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import java.io.File;
import java.util.Map;
import java.util.concurrent.ConcurrentMap;
@@ -95,7 +97,20 @@ public class DestroyPrincipalsServerAction extends KerberosServerAction {
}
try {
- kerberosPrincipalDAO.remove(evaluatedPrincipal);
+ KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
+
+ if(principalEntity != null) {
+ String cachedKeytabPath = principalEntity.getCachedKeytabPath();
+
+ kerberosPrincipalDAO.remove(principalEntity);
+
+ // If a cached keytabs file exists for this principal, delete it.
+ if (cachedKeytabPath != null) {
+ if (!new File(cachedKeytabPath).delete()) {
+ LOG.debug(String.format("Failed to remove cached keytab for %s", evaluatedPrincipal));
+ }
+ }
+ }
}
catch (Throwable t) {
message = String.format("Failed to remove identity for %s from the Ambari database - %s", evaluatedPrincipal, t.getMessage());
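Review bot: A cached keytab that cannot be deleted at L713 is reported only at DEBUG, and by then the database row holding its path has already been removed at L709, so the keytab material stays on the server with nothing left pointing at it. Since the cache holds usable credentials, the failure should be visible: `LOG.warn(String.format("Failed to remove cached keytab %s for %s", cachedKeytabPath, evaluatedPrincipal));`, and it would be safer to attempt the file deletion before `kerberosPrincipalDAO.remove(principalEntity)` so a failed delete leaves the record and its path in place for a retry. `File.delete()` also returns false when the file is already gone, so an `exists()` check first keeps the warning meaningful. The enclosing processIdentity method starts outside the hunk.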
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFile.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFile.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFile.java
index 40b3353..e85048d 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFile.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFile.java
@@ -37,4 +37,5 @@ public class KerberosActionDataFile {
public static final String KEYTAB_FILE_GROUP_NAME = "keytab_file_group_name";
public static final String KEYTAB_FILE_GROUP_ACCESS = "keytab_file_group_access";
public static final String KEYTAB_FILE_CONFIGURATION = "keytab_file_configuration";
+ public static final String KEYTAB_FILE_IS_CACHABLE = "keytab_file_is_cachable";
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFileBuilder.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFileBuilder.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFileBuilder.java
index 8888f82..31e62be 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFileBuilder.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFileBuilder.java
@@ -70,13 +70,16 @@ public class KerberosActionDataFileBuilder extends AbstractKerberosDataFileBuild
* (expected to be the type and name of the configuration property
* to use to store the keytab file's absolute path in
* - i.e., config-type/property)
+ * @param keytabFileCanCache a String containing a boolean value (true, false) indicating
+ * whether the generated keytab can be cached or not
* @throws IOException
*/
public void addRecord(String hostName, String serviceName, String serviceComponentName,
String principal, String principalType, String principalConfiguration,
String keytabFilePath, String keytabFileOwnerName,
String keytabFileOwnerAccess, String keytabFileGroupName,
- String keytabFileGroupAccess, String keytabFileConfiguration)
+ String keytabFileGroupAccess, String keytabFileConfiguration,
+ String keytabFileCanCache)
throws IOException {
super.appendRecord(hostName,
serviceName,
@@ -89,7 +92,8 @@ public class KerberosActionDataFileBuilder extends AbstractKerberosDataFileBuild
keytabFileOwnerAccess,
keytabFileGroupName,
keytabFileGroupAccess,
- keytabFileConfiguration);
+ keytabFileConfiguration,
+ keytabFileCanCache);
}
@Override
@@ -105,6 +109,7 @@ public class KerberosActionDataFileBuilder extends AbstractKerberosDataFileBuild
KEYTAB_FILE_OWNER_ACCESS,
KEYTAB_FILE_GROUP_NAME,
KEYTAB_FILE_GROUP_ACCESS,
- KEYTAB_FILE_CONFIGURATION);
+ KEYTAB_FILE_CONFIGURATION,
+ KEYTAB_FILE_IS_CACHABLE);
}
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
index b62f6f9..d5384d2 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
@@ -40,6 +40,7 @@ import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
+import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -80,6 +81,16 @@ public abstract class KerberosOperationHandler {
public final static String KERBEROS_ENV_ENCRYPTION_TYPES = "encryption_types";
/**
+ * Kerberos-env configuration property name: kdc_host
+ */
+ public final static String KERBEROS_ENV_KDC_HOST = "kdc_host";
+
+ /**
+ * Kerberos-env configuration property name: admin_server_host
+ */
+ public final static String KERBEROS_ENV_ADMIN_SERVER_HOST = "admin_server_host";
+
+ /**
* The set of available characters to use when generating a secure password
*/
private final static char[] SECURE_PASSWORD_CHARS =
@@ -317,94 +328,185 @@ public abstract class KerberosOperationHandler {
}
/**
- * Create or append to a keytab file using the specified principal and password.
+ * Create a keytab using the specified principal and password.
*
- * @param principal a String containing the principal to test
- * @param password a String containing the password to use when creating the principal
- * @param keytabFile a File containing the absolute path to the keytab file
- * @return true if the keytab file was successfully created; false otherwise
+ * @param principal a String containing the principal to test
+ * @param password a String containing the password to use when creating the principal
+ * @param keyNumber a Integer indicating the key number for the keytab entries
+ * @return the created Keytab
* @throws KerberosOperationException
*/
- public boolean createKeytabFile(String principal, String password, Integer keyNumber, File keytabFile)
+ protected Keytab createKeytab(String principal, String password, Integer keyNumber)
throws KerberosOperationException {
- boolean success = false;
if ((principal == null) || principal.isEmpty()) {
throw new KerberosOperationException("Failed to create keytab file, missing principal");
- } else if (password == null) {
+ }
+
+ if (password == null) {
throw new KerberosOperationException(String.format("Failed to create keytab file for %s, missing password", principal));
- } else if (keytabFile == null) {
- throw new KerberosOperationException(String.format("Failed to create keytab file for %s, missing file path", principal));
- } else {
- Keytab keytab;
- Set<EncryptionType> ciphers = new HashSet<EncryptionType>(keyEncryptionTypes);
- List<KeytabEntry> keytabEntries = new ArrayList<KeytabEntry>();
-
- if (keytabFile.exists() && keytabFile.canRead() && (keytabFile.length() > 0)) {
- // If the keytab file already exists, read it in and append the new keytabs to it so that
- // potentially important data is not lost
- try {
- keytab = Keytab.read(keytabFile);
- } catch (IOException e) {
- // There was an issue reading in the existing keytab file... we might loose some keytabs
- // but that is unlikely...
- keytab = new Keytab();
- }
+ }
- // In case there were any existing keytab entries, add them to the new entries list so
- // they are not lost. While at it, remove ciphers that already exist for the given principal
- // so duplicate entries aren't added to the file.
- List<KeytabEntry> existingEntries = keytab.getEntries();
- if ((existingEntries != null) && !existingEntries.isEmpty()) {
+ Set<EncryptionType> ciphers = new HashSet<EncryptionType>(keyEncryptionTypes);
+ List<KeytabEntry> keytabEntries = new ArrayList<KeytabEntry>();
+ Keytab keytab = new Keytab();
- for (KeytabEntry entry : existingEntries) {
- // Remove ciphers that will cause duplicate entries
- if (principal.equals(entry.getPrincipalName())) {
- ciphers.remove(entry.getKey().getKeyType());
- }
- keytabEntries.add(entry);
- }
+ if (!ciphers.isEmpty()) {
+ // Create a set of keys and relevant keytab entries
+ Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory.getKerberosKeys(principal, password, ciphers);
+
+ if (keys != null) {
+ byte keyVersion = (keyNumber == null) ? 0 : keyNumber.byteValue();
+ KerberosTime timestamp = new KerberosTime();
+
+ for (EncryptionKey encryptionKey : keys.values()) {
+ keytabEntries.add(new KeytabEntry(principal, 1, timestamp, keyVersion, encryptionKey));
}
- } else {
- keytab = new Keytab();
+
+ keytab.setEntries(keytabEntries);
}
+ }
- if (ciphers.isEmpty()) {
- // There are no new keys to create
- success = true;
- } else {
- // Create a set of keys and relevant keytab entries
- Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory.getKerberosKeys(principal, password, ciphers);
+ return keytab;
+ }
- if (keys != null) {
- byte keyVersion = (keyNumber == null) ? 0 : keyNumber.byteValue();
- KerberosTime timestamp = new KerberosTime();
+ /**
+ * Create or append to a keytab file using keytab data from another keytab file.
+ * <p/>
+ * If the destination keytab file contains keytab data, that data will be merged with the new data
+ * to create a composite set of keytab entries.
+ *
+ * @param sourceKeytabFile a File containing the absolute path to the file with the keytab data to store
+ * @param destinationKeytabFile a File containing the absolute path to where the keytab data is to be stored
+ * @return true if the keytab file was successfully created; false otherwise
+ * @throws KerberosOperationException
+ * @see #createKeytabFile(org.apache.directory.server.kerberos.shared.keytab.Keytab, java.io.File)
+ */
+ protected boolean createKeytabFile(File sourceKeytabFile, File destinationKeytabFile)
+ throws KerberosOperationException {
+ return createKeytabFile(readKeytabFile(sourceKeytabFile), destinationKeytabFile);
+ }
- for (EncryptionKey encryptionKey : keys.values()) {
- keytabEntries.add(new KeytabEntry(principal, 1, timestamp, keyVersion, encryptionKey));
- }
+ /**
+ * Create or append to a keytab file using the specified principal and password.
+ * <p/>
+ * If the destination keytab file contains keytab data, that data will be merged with the new data
+ * to create a composite set of keytab entries.
+ *
+ * @param principal a String containing the principal to test
+ * @param password a String containing the password to use when creating the principal
+ * @param keyNumber an Integer declaring the relevant key number to use for the keytabs entries
+ * @param destinationKeytabFile a File containing the absolute path to where the keytab data is to be stored
+ * @return true if the keytab file was successfully created; false otherwise
+ * @throws KerberosOperationException
+ * @see #createKeytabFile(org.apache.directory.server.kerberos.shared.keytab.Keytab, java.io.File)
+ */
+ protected boolean createKeytabFile(String principal, String password, Integer keyNumber, File destinationKeytabFile)
+ throws KerberosOperationException {
+ return createKeytabFile(createKeytab(principal, password, keyNumber), destinationKeytabFile);
+ }
- keytab.setEntries(keytabEntries);
+ /**
+ * Create or append to a keytab file using the specified Keytab
+ * <p/>
+ * If the destination keytab file contains keytab data, that data will be merged with the new data
+ * to create a composite set of keytab entries.
+ *
+ * @param keytab the Keytab containing the data to add to the keytab file
+ * @param destinationKeytabFile a File containing the absolute path to where the keytab data is to be stored
+ * @return true if the keytab file was successfully created; false otherwise
+ * @throws KerberosOperationException
+ */
+ protected boolean createKeytabFile(Keytab keytab, File destinationKeytabFile)
+ throws KerberosOperationException {
- try {
- keytab.write(keytabFile);
- success = true;
- } catch (IOException e) {
- String message = String.format("Failed to export keytab file for %s", principal);
- LOG.error(message, e);
+ if (destinationKeytabFile == null) {
+ throw new KerberosOperationException("The destination file path is null");
+ }
+
+ try {
+ mergeKeytabs(readKeytabFile(destinationKeytabFile), keytab).write(destinationKeytabFile);
+ return true;
+ } catch (IOException e) {
+ String message = "Failed to export keytab file";
+ LOG.error(message, e);
- if (!keytabFile.delete()) {
- keytabFile.deleteOnExit();
- }
+ if (!destinationKeytabFile.delete()) {
+ destinationKeytabFile.deleteOnExit();
+ }
- throw new KerberosOperationException(message, e);
+ throw new KerberosOperationException(message, e);
+ }
+ }
+
+ /**
+ * Merge the keytab data from one keytab with the keytab data from a different keytab.
+ * <p/>
+ * If similar key entries exist for the same principal, the updated values will be used
+ *
+ * @param keytab a Keytab with the base keytab data
+ * @param updates a Keytab containing the updated keytab data
+ * @return a Keytab with the merged data
+ */
+ protected Keytab mergeKeytabs(Keytab keytab, Keytab updates) {
+ List<KeytabEntry> keytabEntries = (keytab == null)
+ ? Collections.<KeytabEntry>emptyList()
+ : new ArrayList<KeytabEntry>(keytab.getEntries());
+ List<KeytabEntry> updateEntries = (updates == null)
+ ? Collections.<KeytabEntry>emptyList()
+ : new ArrayList<KeytabEntry>(updates.getEntries());
+ List<KeytabEntry> mergedEntries = new ArrayList<KeytabEntry>();
+
+ if (keytabEntries.isEmpty()) {
+ mergedEntries.addAll(updateEntries);
+ } else if (updateEntries.isEmpty()) {
+ mergedEntries.addAll(keytabEntries);
+ } else {
+ Iterator<KeytabEntry> iterator = keytabEntries.iterator();
+
+ while (iterator.hasNext()) {
+ KeytabEntry keytabEntry = iterator.next();
+
+ for (KeytabEntry entry : updateEntries) {
+ if (entry.getPrincipalName().equals(keytabEntry.getPrincipalName()) &&
+ entry.getKey().getKeyType().equals(keytabEntry.getKey().getKeyType())) {
+ iterator.remove();
+ break;
}
}
}
+
+ mergedEntries.addAll(keytabEntries);
+ mergedEntries.addAll(updateEntries);
+ }
+
+ Keytab mergedKeytab = new Keytab();
+ mergedKeytab.setEntries(mergedEntries);
+ return mergedKeytab;
+ }
+
+ /**
+ * Reads a file containing keytab data into a new Keytab
+ *
+ * @param file A File containing the path to the file from which to read keytab data
+ * @return a Keytab or null if the file was not readable
+ */
+ protected Keytab readKeytabFile(File file) {
+ Keytab keytab;
+
+ if (file.exists() && file.canRead() && (file.length() > 0)) {
+ try {
+ keytab = Keytab.read(file);
+ } catch (IOException e) {
+ // There was an issue reading in the existing keytab file... quietly assume no data
+ keytab = null;
+ }
+ } else {
+ keytab = null;
}
- return success;
+ return keytab;
}
public KerberosCredential getAdministratorCredentials() {
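Review bot: `readKeytabFile` swallows the IOException from `Keytab.read` at L1029-L1031 and returns null, which `mergeKeytabs` treats as an empty base at L981-L983, so `createKeytabFile(Keytab, File)` overwrites a destination keytab that exists but failed to parse (or was transiently unreadable) and silently drops every entry it held for other principals. A read failure on a non-empty existing file should not be conflated with "no file": rethrow it, `throw new KerberosOperationException(String.format("Failed to read existing keytab file %s", file.getAbsolutePath()), e);` (adding `throws KerberosOperationException` to `readKeytabFile`; both callers already declare it), or at minimum log it at WARN with the path and cause so the loss is traceable. The message at L958 also lost the context the old one carried; including `destinationKeytabFile.getAbsolutePath()` would help when the write fails. Note that the catch at L957 still deletes the destination on a failed write, which discards the entries merged in from the original file as well.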
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
index fc1729b..73a4ad6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
@@ -491,10 +491,6 @@ public abstract class KerberosServerAction extends AbstractServerAction {
// by replacing the _HOST and _REALM variables.
String evaluatedPrincipal = principal.replace("_HOST", host).replace("_REALM", defaultRealm);
- String message = String.format("Processing identity for %s", evaluatedPrincipal);
- actionLog.writeStdOut(message);
- LOG.info(message);
-
commandReport = processIdentity(record, evaluatedPrincipal, operationHandler, requestSharedDataContext);
}
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
index 0b9227f..69b0292 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
@@ -54,6 +54,8 @@ public class MITKerberosOperationHandler extends KerberosOperationHandler {
@Inject
private Configuration configuration;
+ private String adminServerHost = null;
+
/**
* Prepares and creates resources to be used by this KerberosOperationHandler
* <p/>
@@ -80,6 +82,7 @@ public class MITKerberosOperationHandler extends KerberosOperationHandler {
if (kerberosConfiguration != null) {
setKeyEncryptionTypes(translateEncryptionTypes(kerberosConfiguration.get(KERBEROS_ENV_ENCRYPTION_TYPES), "\\s+"));
+ setAdminServerHost(kerberosConfiguration.get(KERBEROS_ENV_ADMIN_SERVER_HOST));
}
setOpen(true);
@@ -339,6 +342,12 @@ public class MITKerberosOperationHandler extends KerberosOperationHandler {
// Set the kdamin interface to be kadmin
command.add(pathToCommand + "kadmin");
+ // Add explicit KDC admin host, if available
+ if(getAdminServerHost() != null) {
+ command.add("-s");
+ command.add(getAdminServerHost());
+ }
+
// Add the administrative principal
command.add("-p");
command.add(adminPrincipal);
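Review bot: The null check at L1080 does not reject an empty admin server host, and `admin_server_host` in kerberos-env is optional with an empty default (`<value/>`), so if that empty value reaches `setAdminServerHost` kadmin would be invoked as `kadmin -s ""` and fail rather than fall back to the `admin_server` in krb5.conf. Guard on content rather than presence, `if ((getAdminServerHost() != null) && !getAdminServerHost().trim().isEmpty())`, or normalise blank to null inside `setAdminServerHost`. The surrounding command-building method starts and ends outside the hunk.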
@@ -439,4 +448,22 @@ public class MITKerberosOperationHandler extends KerberosOperationHandler {
return result;
}
+
+ /**
+ * Sets the KDC administrator server host address
+ *
+ * @param adminServerHost the ip address or FQDN of the KDC administrator server
+ */
+ public void setAdminServerHost(String adminServerHost) {
+ this.adminServerHost = adminServerHost;
+ }
+
+ /**
+ * Gets the IP address or FQDN of the KDC administrator server
+ *
+ * @return the IP address or FQDN of the KDC administrator server
+ */
+ public String getAdminServerHost() {
+ return adminServerHost;
+ }
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosKeytabDescriptor.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosKeytabDescriptor.java b/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosKeytabDescriptor.java
index 59e6104..79537d4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosKeytabDescriptor.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosKeytabDescriptor.java
@@ -31,6 +31,7 @@ import java.util.Map;
* <li>owner {name, access}</li>
* <li>group {name, access}</li>
* <li>configuration</li>
+ * <li>cachable</li>
* </ul>
* <p/>
* The following JSON Schema will yield a valid KerberosPrincipalDescriptor
@@ -81,6 +82,11 @@ import java.util.Map;
* - format: config-type/property.name",
* "type": "string"
* }
+ * "cachable" : {
+ * "description": "Indicates whether the generated keytab is allowed to be cached by the
+ * Ambari server (true) or not (false)",
+ * "type": "boolean"
+ * }
* }
* }
* </pre>
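Review bot: The JSON Schema example in the Javadoc is no longer valid JSON: the `}` closing the `configuration` property at L1127 needs a trailing comma before the new `"cachable"` entry, i.e. `* },`. Descriptor authors copy from this example, so it is worth keeping it parseable. The `<pre>` block begins outside the hunk.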
@@ -143,6 +149,12 @@ public class KerberosKeytabDescriptor extends AbstractKerberosDescriptor {
/**
+ * A boolean value indicating whether the generated keytab is allowed to be cached by the Ambari
+ * server or not.
+ */
+ private boolean cachable = true;
+
+ /**
* Creates a new KerberosKeytabDescriptor
* <p/>
* See {@link org.apache.ambari.server.state.kerberos.KerberosKeytabDescriptor} for the JSON
@@ -174,6 +186,9 @@ public class KerberosKeytabDescriptor extends AbstractKerberosDescriptor {
}
setConfiguration(getStringValue(data, "configuration"));
+
+ // If the "cachable" value is anything but false, set it to true
+ setCachable(!"false".equalsIgnoreCase(getStringValue(data, "cachable")));
}
}
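Review bot: `setCachable(!"false".equalsIgnoreCase(...))` at L1152 makes every value other than the literal string `false` — `"no"`, `"0"`, a typo — enable caching of keytab material on the Ambari server, which is the permissive outcome for a flag whose purpose is to opt out. Keep the default of true only for an absent value and fail closed for anything else: `String cachable = getStringValue(data, "cachable");` followed by `setCachable((cachable == null) || Boolean.parseBoolean(cachable.trim()));`. Whether existing descriptors rely on arbitrary non-false strings meaning true I cannot tell from here; if they do, at least log a warning on an unrecognised value. The enclosing constructor starts outside the hunk.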
@@ -310,6 +325,24 @@ public class KerberosKeytabDescriptor extends AbstractKerberosDescriptor {
}
/**
+ * Indicates whether the generated keytab is allowed to be cached by the Ambari server or not
+ *
+ * @return true if allowed to be cached; false otherwise
+ */
+ public boolean isCachable() {
+ return cachable;
+ }
+
+ /**
+ * Sets whether the generated keytab is allowed to be cached by the Ambari server or not
+ *
+ * @param cachable true if allowed to be cached; false otherwise
+ */
+ public void setCachable(boolean cachable) {
+ this.cachable = cachable;
+ }
+
+ /**
* Updates this KerberosKeytabDescriptor with data from another KerberosKeytabDescriptor
* <p/>
* Properties will be updated if the relevant updated values are not null.
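Review bot: The new `cachable` field gets a getter and setter here, but the `update(...)` method whose Javadoc begins at L1176 runs outside the hunk; if it copies properties from another descriptor field by field, as that Javadoc suggests, it presumably needs a matching `setCachable(updates.isCachable());`, otherwise a stack-level override of `cachable` would be ignored. Likewise any map/JSON serialisation of the descriptor, if one exists, should emit the new property so the flag survives a round trip. Both are outside this view and worth verifying.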
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/python/ambari_server/serverConfiguration.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/serverConfiguration.py b/ambari-server/src/main/python/ambari_server/serverConfiguration.py
index 9dfda01..c5c7ff3 100644
--- a/ambari-server/src/main/python/ambari_server/serverConfiguration.py
+++ b/ambari-server/src/main/python/ambari_server/serverConfiguration.py
@@ -322,6 +322,8 @@ class ServerConfigDefaultsLinux(ServerConfigDefaults):
("/var/run/ambari-server/stack-recommendations/", "755", "{0}", False),
("/var/lib/ambari-server/data/tmp/", "644", "{0}", True),
("/var/lib/ambari-server/data/tmp/", "755", "{0}", False),
+ ("/var/lib/ambari-server/data/cache/", "600", "{0}", True),
+ ("/var/lib/ambari-server/data/cache/", "700", "{0}", False),
# Also, /etc/ambari-server/conf/password.dat
# is generated later at store_password_file
]
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
index 15a39d9..31833cb 100644
--- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
+++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
@@ -61,8 +61,24 @@
<value/>
</property>
+ <property require-input="true">
+ <name>kdc_host</name>
+ <description>
+ The IP address or FQDN for the KDC host. Optionally a port number may be included.
+ </description>
+ <value/>
+ </property>
+
+ <property>
+ <name>admin_server_host</name>
+ <description>
+ The IP address or FQDN for the KDC Kerberos administrative host. Optionally a port number may be included.
+ </description>
+ <value/>
+ </property>
+
- <property require-input="true">
+ <property require-input="true">
<name>create_attributes_template</name>
<description>
A Velocity template to use to generate a JSON-formatted document containing the set of
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml
index 02d78b8..3a6207b 100644
--- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml
+++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml
@@ -21,79 +21,6 @@
-->
<configuration>
- <property>
- <name>logging_default</name>
- <description>
- Default Kerberos library log location.
- </description>
- <value>FILE:/var/log/krb5libs.log</value>
- </property>
- <property>
- <name>logging_kdc</name>
- <description>
- KDC log location.
- </description>
- <value>FILE:/var/log/krb5kdc.log</value>
- </property>
- <property>
- <name>logging_admin_server</name>
- <description>
- Admin server log location.
- </description>
- <value>FILE:/var/log/kadmind.log</value>
- </property>
-
- <property>
- <name>libdefaults_dns_lookup_realm</name>
- <description>
- If true, DNS TXT records will be used to determine the Kerberos realm of a host.
- </description>
- <value>false</value>
- </property>
- <property>
- <name>libdefaults_dns_lookup_kdc</name>
- <description>
- If true, DNS SRV records will be used to locate the KDCs and other servers for the realm.
- </description>
- <value>false</value>
- </property>
- <property>
- <name>libdefaults_ticket_lifetime</name>
- <description>
- Default lifetime of a ticket.
- </description>
- <value>24h</value>
- </property>
- <property>
- <name>libdefaults_renew_lifetime</name>
- <description>
- Default renewable lifetime for initial tickets.
- </description>
- <value>7d</value>
- </property>
- <property>
- <name>libdefaults_forwardable</name>
- <description>
- If true, initial tickets will be forwardable.
- </description>
- <value>true</value>
- </property>
- <property require-input="false">
- <name>libdefaults_default_tgs_enctypes</name>
- <description>
- A space-delimited list of session key encryption types supported by the KDC or Active
- Directory
- </description>
- <value/>
- </property>
- <property require-input="false">
- <name>libdefaults_default_tkt_enctypes</name>
- <description>
- A space-delimited list of session key encryption types supported by the KDC or Active
- Directory.
- </description>
- <value/>
- </property>
<property require-input="false">
<name>domains</name>
<description>
@@ -101,20 +28,6 @@
</description>
<value/>
</property>
- <property require-input="true">
- <name>kdc_host</name>
- <description>
- The IP address or FQDN for the KDC host. Optionally a port number may be included.
- </description>
- <value/>
- </property>
- <property>
- <name>admin_server_host</name>
- <description>
- The IP address or FQDN for the KDC Kerberos administrative host. Optionally a port number may be included.
- </description>
- <value/>
- </property>
<property>
<name>manage_krb5_conf</name>
@@ -134,18 +47,14 @@
<description>Customizable krb5.conf template (Jinja template engine)</description>
<value>
[libdefaults]
- renew_lifetime = {{libdefaults_renew_lifetime}}
- forwardable = {{libdefaults_forwardable}}
+ renew_lifetime = 7d
+ forwardable = true
default_realm = {{realm|upper()}}
- ticket_lifetime = {{libdefaults_ticket_lifetime}}
- dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
- dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
- {% if libdefaults_default_tgs_enctypes %}
- default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
- {% endif %}
- {% if libdefaults_default_tkt_enctypes %}
- default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
- {% endif %}
+ ticket_lifetime = 24h
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ #default_tgs_enctypes = {{encryption_types}}
+ #default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
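Review bot: The `default_tgs_enctypes`/`default_tkt_enctypes` lines at L1350-L1351 are rendered commented out, so the kerberos-env `encryption_types` value no longer constrains the enctypes clients request, and the per-property overrides that previously allowed pinning were removed in this same change. If relying on the library defaults is intentional, a template comment saying so (and that uncommenting the two lines restores the pin) would stop the next reader from treating it as a leftover; if not, drop the `#` and wrap the two lines in `{% if encryption_types %}` as before so an empty value is not rendered.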
@@ -155,12 +64,9 @@
{% endif %}
[logging]
- default = {{logging_default}}
-{#
-# The following options are unused unless a managed KDC is installed
- admin_server = {{logging_admin_server}}
- kdc = {{logging_admin_kdc}}
-#}
+ default = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ kdc = FILE:/var/log/krb5kdc.log
[realms]
{{realm}} = {
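Review bot: The `[logging] default` entry at L1363 now points every client host's Kerberos library logging at `FILE:/var/log/krb5kdc.log`, the file the removed `logging_kdc` property reserved for the KDC daemon, whereas the previous default for `logging_default` was `FILE:/var/log/krb5libs.log`. On a host that also runs a KDC the two streams now interleave in one file, and elsewhere the name misleads whoever is looking for library errors. Restore `default = FILE:/var/log/krb5libs.log`; the `admin_server` and `kdc` entries, which the removed comment at L1359 noted are unused without a managed KDC, are harmless but could carry that comment again.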
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py
index 3ccbc3e..18255bd 100644
--- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py
@@ -99,17 +99,6 @@ if config is not None:
# ################################################################################################
# Get krb5.conf template data
# ################################################################################################
- logging_default = 'FILE:/var/log/krb5libs.log'
- logging_kdc = 'FILE:/var/log/krb5kdc.log'
- logging_admin_server = 'FILE:/var/log/kadmind.log'
- libdefaults_dns_lookup_realm = 'false'
- libdefaults_dns_lookup_kdc = 'false'
- libdefaults_ticket_lifetime = '24h'
- libdefaults_renew_lifetime = '7d'
- libdefaults_forwardable = 'true'
- libdefaults_default_tgs_enctypes = None
- libdefaults_default_tkt_enctypes = None
-
realm = 'EXAMPLE.COM'
domains = ''
kdc_host = 'localhost'
@@ -132,33 +121,12 @@ if config is not None:
if kerberos_env is not None:
encryption_types = get_property_value(kerberos_env, "encryption_types", None, True, None)
realm = get_property_value(kerberos_env, "realm", None, True, None)
+ kdc_host = get_property_value(kerberos_env, 'kdc_host', kdc_host)
+ admin_server_host = get_property_value(kerberos_env, 'admin_server_host', admin_server_host)
if krb5_conf_data is not None:
- logging_default = get_property_value(krb5_conf_data, 'logging_default', logging_default)
- logging_kdc = get_property_value(krb5_conf_data, 'logging_kdc', logging_kdc)
- logging_admin_server = get_property_value(krb5_conf_data, 'logging_admin_server',
- logging_admin_server)
- libdefaults_dns_lookup_realm = get_property_value(krb5_conf_data,
- 'libdefaults_dns_lookup_realm',
- libdefaults_dns_lookup_realm)
- libdefaults_dns_lookup_kdc = get_property_value(krb5_conf_data, 'libdefaults_dns_lookup_kdc',
- libdefaults_dns_lookup_kdc)
- libdefaults_ticket_lifetime = get_property_value(krb5_conf_data, 'libdefaults_ticket_lifetime',
- libdefaults_ticket_lifetime)
- libdefaults_renew_lifetime = get_property_value(krb5_conf_data, 'libdefaults_renew_lifetime',
- libdefaults_renew_lifetime)
- libdefaults_forwardable = get_property_value(krb5_conf_data, 'libdefaults_forwardable',
- libdefaults_forwardable)
- libdefaults_default_tgs_enctypes = get_property_value(krb5_conf_data,
- 'libdefaults_default_tgs_enctypes',
- libdefaults_default_tgs_enctypes)
- libdefaults_default_tkt_enctypes = get_property_value(krb5_conf_data,
- 'libdefaults_default_tkt_enctypes',
- libdefaults_default_tkt_enctypes)
realm = get_property_value(krb5_conf_data, 'realm', realm)
domains = get_property_value(krb5_conf_data, 'domains', domains)
- kdc_host = get_property_value(krb5_conf_data, 'kdc_host', kdc_host)
- admin_server_host = get_property_value(krb5_conf_data, 'admin_server_host', admin_server_host)
admin_principal = get_property_value(krb5_conf_data, 'admin_principal', admin_principal, True,
None)
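Review bot: `kdc_host` and `admin_server_host` are now read only from `kerberos-env` at L1396-L1397 and no longer from `krb5-conf`, so a cluster whose stored `krb5-conf` still carries those values (they were defined there before this change) would silently fall back to the `'localhost'` default at L1391 unless the stored configuration is migrated elsewhere, which I cannot see from here. A transitional fallback under the `krb5_conf_data` branch, `kdc_host = get_property_value(krb5_conf_data, 'kdc_host', kdc_host)` (and the same for `admin_server_host`), applied only when the `kerberos-env` value is empty, would make the upgrade safe. The module-level `if config is not None:` block these lines belong to starts and ends outside the hunk.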
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2 b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2
index 0d915ba..cc6f63a 100644
--- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2
+++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2
@@ -16,18 +16,14 @@
# limitations under the License.
#}
[libdefaults]
- renew_lifetime = {{libdefaults_renew_lifetime}}
- forwardable = {{libdefaults_forwardable}}
+ renew_lifetime = 7d
+ forwardable = true
default_realm = {{realm|upper()}}
- ticket_lifetime = {{libdefaults_ticket_lifetime}}
- dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
- dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
- {% if libdefaults_default_tgs_enctypes %}
- default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
- {% endif %}
- {% if libdefaults_default_tkt_enctypes %}
- default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
- {% endif %}
+ ticket_lifetime = 24h
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ #default_tgs_enctypes = {{encryption_types}}
+ #default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
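Review bot: The two added `#default_tgs_enctypes = {{encryption_types}}` / `#default_tkt_enctypes = {{encryption_types}}` lines are commented out, so the `encryption_types` value the scripts still read is never written to the client krb5.conf and enctype selection is left entirely to the library defaults, which on older krb5 builds include legacy types; the previous template emitted the configured list under a guard. The same commented lines appear in the krb5-conf.xml `content` property and in the HDP 2.2.GlusterFS krb5_conf.j2 hunks of this commit. If leaving them disabled is deliberate (for example because the list is enforced on the KDC side), a short template comment stating that would spare the next maintainer from re-enabling them; otherwise wire the value in guarded by a presence check: `{% if encryption_types %}`, `default_tgs_enctypes = {{encryption_types}}`, `default_tkt_enctypes = {{encryption_types}}`, `{% endif %}`. Note also that `ticket_lifetime`, `renew_lifetime` and `forwardable` were previously template variables and are now fixed literals, so there is no longer a stack-level knob for tightening ticket lifetime.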
@@ -37,12 +33,9 @@
{% endif %}
[logging]
- default = {{logging_default}}
-{#
-# The following options are unused unless a managed KDC is installed
- admin_server = {{logging_admin_server}}
- kdc = {{logging_admin_kdc}}
-#}
+ default = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ kdc = FILE:/var/log/krb5kdc.log
[realms]
{{realm}} = {
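Review bot: `default = FILE:/var/log/krb5kdc.log` sends client-library logging into the same file as the `kdc =` entry two lines below, whereas the removed `{{logging_default}}` value resolved to /var/log/krb5libs.log; on hosts with no KDC the library will now create or append to a file named for the KDC, and on the KDC host its messages are interleaved with the daemon's, which makes both harder to audit. Suggest `default = FILE:/var/log/krb5libs.log` to keep the previous separation. The same replacement appears in the krb5-conf.xml `content` property and in the HDP 2.2.GlusterFS krb5_conf.j2 hunks of this commit. The `[realms]` block opened on the last line continues outside the hunk.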
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml
index 43050bd..8622e13 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml
@@ -21,55 +21,6 @@
-->
<configuration>
- <property>
- <name>logging_default</name>
- <value>FILE:/var/log/krb5libs.log</value>
- </property>
- <property>
- <name>logging_kdc</name>
- <value>FILE:/var/log/krb5kdc.log</value>
- </property>
- <property>
- <name>logging_admin_server</name>
- <value>FILE:/var/log/kadmind.log</value>
- </property>
-
- <property>
- <name>libdefaults_dns_lookup_realm</name>
- <value>false</value>
- </property>
- <property>
- <name>libdefaults_dns_lookup_kdc</name>
- <value>false</value>
- </property>
- <property>
- <name>libdefaults_ticket_lifetime</name>
- <value>24h</value>
- </property>
- <property>
- <name>libdefaults_renew_lifetime</name>
- <value>7d</value>
- </property>
- <property>
- <name>libdefaults_forwardable</name>
- <value>true</value>
- </property>
- <property require-input="false">
- <name>libdefaults_default_tgs_enctypes</name>
- <description>
- A space-delimited list of session key encryption types supported by the KDC or Active
- Directory
- </description>
- <value/>
- </property>
- <property require-input="false">
- <name>libdefaults_default_tkt_enctypes</name>
- <description>
- A space-delimited list of session key encryption types supported by the KDC or Active
- Directory
- </description>
- <value/>
- </property>
<property require-input="false">
<name>domains</name>
<description>
@@ -77,22 +28,6 @@
</description>
<value/>
</property>
- <property require-input="true">
- <name>kdc_host</name>
- <description>
- The IP address or FQDN of the KDC or Active Directory server, optionally a port number may be
- provided
- </description>
- <value/>
- </property>
- <property>
- <name>admin_server_host</name>
- <description>
- The IP address or FQDN of the administrative Kerberos server, optionally a port number may be
- provided
- </description>
- <value/>
- </property>
<property>
<name>test_principal</name>
<description>
@@ -138,18 +73,14 @@
<description>The jinja template for the krb5.conf file</description>
<value>
[libdefaults]
- renew_lifetime = {{libdefaults_renew_lifetime}}
- forwardable = {{libdefaults_forwardable}}
+ renew_lifetime = 7d
+ forwardable = true
default_realm = {{realm|upper()}}
- ticket_lifetime = {{libdefaults_ticket_lifetime}}
- dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
- dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
- {% if libdefaults_default_tgs_enctypes %}
- default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
- {% endif %}
- {% if libdefaults_default_tkt_enctypes %}
- default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
- {% endif %}
+ ticket_lifetime = 24h
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ #default_tgs_enctypes = {{encryption_types}}
+ #default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
@@ -159,12 +90,9 @@
{% endif %}
[logging]
- default = {{logging_default}}
-{#
-# The following options are unused unless a managed KDC is installed
- admin_server = {{logging_admin_server}}
- kdc = {{logging_admin_kdc}}
-#}
+ default = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ kdc = FILE:/var/log/krb5kdc.log
[realms]
{{realm}} = {
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py
index 31e4134..1c2061a 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py
@@ -88,20 +88,6 @@ if config is not None:
# ################################################################################################
# Get krb5.conf template data
# ################################################################################################
- logging_default = 'FILE:/var/log/krb5libs.log'
- logging_kdc = 'FILE:/var/log/krb5kdc.log'
- logging_admin_server = 'FILE:/var/log/kadmind.log'
- libdefaults_dns_lookup_realm = 'false'
- libdefaults_dns_lookup_kdc = 'false'
- libdefaults_ticket_lifetime = '24h'
- libdefaults_renew_lifetime = '7d'
- libdefaults_forwardable = 'true'
- libdefaults_default_tgs_enctypes = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 ' \
- 'arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac ' \
- 'des-cbc-crc des-cbc-md5 des-cbc-md4'
- libdefaults_default_tkt_enctypes = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 ' \
- 'arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac ' \
- 'des-cbc-crc des-cbc-md5 des-cbc-md4'
realm = 'EXAMPLE.COM'
domains = ''
kdc_host = 'localhost'
@@ -127,33 +113,12 @@ if config is not None:
if kerberos_env is not None:
encryption_types = get_property_value(kerberos_env, "encryption_types", None)
realm = get_property_value(kerberos_env, "realm", None)
+ kdc_host = get_property_value(kerberos_env, 'kdc_host', kdc_host)
+ admin_server_host = get_property_value(kerberos_env, 'admin_server_host', admin_server_host)
if krb5_conf_data is not None:
- logging_default = get_property_value(krb5_conf_data, 'logging_default', logging_default)
- logging_kdc = get_property_value(krb5_conf_data, 'logging_kdc', logging_kdc)
- logging_admin_server = get_property_value(krb5_conf_data, 'logging_admin_server',
- logging_admin_server)
- libdefaults_dns_lookup_realm = get_property_value(krb5_conf_data,
- 'libdefaults_dns_lookup_realm',
- libdefaults_dns_lookup_realm)
- libdefaults_dns_lookup_kdc = get_property_value(krb5_conf_data, 'libdefaults_dns_lookup_kdc',
- libdefaults_dns_lookup_kdc)
- libdefaults_ticket_lifetime = get_property_value(krb5_conf_data, 'libdefaults_ticket_lifetime',
- libdefaults_ticket_lifetime)
- libdefaults_renew_lifetime = get_property_value(krb5_conf_data, 'libdefaults_renew_lifetime',
- libdefaults_renew_lifetime)
- libdefaults_forwardable = get_property_value(krb5_conf_data, 'libdefaults_forwardable',
- libdefaults_forwardable)
- libdefaults_default_tgs_enctypes = get_property_value(krb5_conf_data,
- 'libdefaults_default_tgs_enctypes',
- encryption_types)
- libdefaults_default_tkt_enctypes = get_property_value(krb5_conf_data,
- 'libdefaults_default_tkt_enctypes',
- encryption_types)
realm = get_property_value(krb5_conf_data, 'realm', realm)
domains = get_property_value(krb5_conf_data, 'domains', domains)
- kdc_host = get_property_value(krb5_conf_data, 'kdc_host', kdc_host)
- admin_server_host = get_property_value(krb5_conf_data, 'admin_server_host', admin_server_host)
admin_principal = get_property_value(krb5_conf_data, 'admin_principal', admin_principal)
admin_password = get_property_value(krb5_conf_data, 'admin_password', admin_password)
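Review bot: `kdc_host` and `admin_server_host` are now read only from `kerberos_env` (the two added lines) and the `krb5_conf_data` lookups for them are removed, so a cluster whose krb5-conf still carries those values, or a stack whose kerberos-env does not declare them, silently falls back to the `'localhost'` default assigned earlier in this file and the rendered krb5.conf presumably points clients at the local host. Unless the GlusterFS stack's kerberos-env.xml already declares both properties, consider keeping the old lookup as a secondary fallback: `kdc_host = get_property_value(krb5_conf_data, 'kdc_host', kdc_host)` and the matching line for `admin_server_host`. `encryption_types` is still read on the first context line but, with the template's enctype lines commented out in this commit, appears to be no longer consumed; a comment noting where it is used (or removing the read) would avoid confusion. The enclosing `if config is not None:` block starts outside the hunk.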
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2 b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2
index 0d915ba..cc6f63a 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2
@@ -16,18 +16,14 @@
# limitations under the License.
#}
[libdefaults]
- renew_lifetime = {{libdefaults_renew_lifetime}}
- forwardable = {{libdefaults_forwardable}}
+ renew_lifetime = 7d
+ forwardable = true
default_realm = {{realm|upper()}}
- ticket_lifetime = {{libdefaults_ticket_lifetime}}
- dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
- dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
- {% if libdefaults_default_tgs_enctypes %}
- default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
- {% endif %}
- {% if libdefaults_default_tkt_enctypes %}
- default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
- {% endif %}
+ ticket_lifetime = 24h
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ #default_tgs_enctypes = {{encryption_types}}
+ #default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
@@ -37,12 +33,9 @@
{% endif %}
[logging]
- default = {{logging_default}}
-{#
-# The following options are unused unless a managed KDC is installed
- admin_server = {{logging_admin_server}}
- kdc = {{logging_admin_kdc}}
-#}
+ default = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ kdc = FILE:/var/log/krb5kdc.log
[realms]
{{realm}} = {
http://git-wip-us.apache.org/repos/asf/ambari/blob/8b4ef2b6/ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java b/ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java
index 03d3a91..5541523 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java
@@ -2619,7 +2619,7 @@ public class TestHeartbeatHandler {
kerberosActionDataFileBuilder.addRecord("c6403.ambari.apache.org", "HDFS", "DATANODE",
"dn/_HOST@_REALM", "service", "hdfs-site/dfs.namenode.kerberos.principal",
"/etc/security/keytabs/dn.service.keytab",
- "hdfs", "r", "hadoop", "", "hdfs-site/dfs.namenode.keytab.file");
+ "hdfs", "r", "hadoop", "", "hdfs-site/dfs.namenode.keytab.file", "false");
kerberosActionDataFileBuilder.close();