Posted to commits@ambari.apache.org by mu...@apache.org on 2017/02/14 05:02:29 UTC
ambari git commit: AMBARI-19897 : Provide user-warning while
upgrading clusters to move certificates/keystores/truststores out of conf
folder (Vishal Suvagia via mugdha)
Repository: ambari
Updated Branches:
refs/heads/trunk 399b70835 -> 31944e382
AMBARI-19897 : Provide user-warning while upgrading clusters to move certificates/keystores/truststores out of conf folder (Vishal Suvagia via mugdha)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/31944e38
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/31944e38
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/31944e38
Branch: refs/heads/trunk
Commit: 31944e382019482ee40e8ec4c691b6aea7fce230
Parents: 399b708
Author: Vishal Suvagia <vi...@yahoo.com>
Authored: Fri Feb 10 16:37:38 2017 +0530
Committer: Mugdha Varadkar <mu...@apache.org>
Committed: Tue Feb 14 10:31:39 2017 +0530
----------------------------------------------------------------------
.../ambari/server/checks/CheckDescription.java | 7 +
.../server/checks/RangerSSLConfigCheck.java | 81 ++++++++++
.../HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml | 1 +
.../stacks/HDP/2.3/upgrades/upgrade-2.6.xml | 1 +
.../HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml | 1 +
.../stacks/HDP/2.4/upgrades/upgrade-2.6.xml | 1 +
.../HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml | 1 +
.../stacks/HDP/2.5/upgrades/upgrade-2.6.xml | 1 +
.../server/checks/RangerSSLConfigCheckTest.java | 150 +++++++++++++++++++
9 files changed, 244 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/java/org/apache/ambari/server/checks/CheckDescription.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/checks/CheckDescription.java b/ambari-server/src/main/java/org/apache/ambari/server/checks/CheckDescription.java
index 8d8f540..2d1468f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/checks/CheckDescription.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/checks/CheckDescription.java
@@ -320,6 +320,13 @@ public class CheckDescription {
.put(AbstractCheckDescriptor.DEFAULT,
"Auto-Start must be disabled before performing an Upgrade").build());
+ public static CheckDescription RANGER_SSL_CONFIG_CHECK = new CheckDescription("RANGER_SSL_CONFIG_CHECK",
+ PrereqCheckType.SERVICE,
+ "Change Ranger SSL configuration path for Keystore and Truststore.",
+ new ImmutableMap.Builder<String, String>()
+ .put(AbstractCheckDescriptor.DEFAULT,
+ "As Ranger is SSL enabled, Ranger SSL configurations will need to be changed from default value of /etc/ranger/*/conf folder to /etc/ranger/security. " +
+ "Since the certificates/keystores/truststores in this path may affect the upgrade/downgrade process, it is recommended to manually move the certificates/keystores/truststores out of the conf folders and change the appropriate config values before proceeding.").build());
private String m_name;
private PrereqCheckType m_type;
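Review bot: The warning text for RANGER_SSL_CONFIG_CHECK names two locations and then says "in this path", which leaves it unclear that the files at risk are the ones still under the conf folders. Wording such as `"Certificates/keystores/truststores left under the conf folders may affect the upgrade/downgrade process, ..."` would remove the ambiguity. The text also refers to `/etc/ranger/*/conf`, while the check added in this commit only inspects the admin keystore path, so the message promises broader coverage than the check delivers. Because the operator is asked to relocate key material by hand, the message should also say that file ownership and restrictive permissions must be preserved at the new location. The enclosing class continues outside the hunk.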
http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/java/org/apache/ambari/server/checks/RangerSSLConfigCheck.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/checks/RangerSSLConfigCheck.java b/ambari-server/src/main/java/org/apache/ambari/server/checks/RangerSSLConfigCheck.java
new file mode 100644
index 0000000..02f6559
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/checks/RangerSSLConfigCheck.java
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.checks;
+
+
+import java.util.Arrays;
+
+import org.apache.ambari.server.AmbariException;
+import org.apache.ambari.server.controller.PrereqCheckRequest;
+import org.apache.ambari.server.state.stack.PrereqCheckStatus;
+import org.apache.ambari.server.state.stack.PrerequisiteCheck;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.inject.Singleton;
+
+
+/**
+ * This service check will mainly be for 2.6 stacks so as to encourage user
+ * to move the certificate, keystore and truststore from the default conf dir to
+ * an external directory untoched while RU/EU during upgrades/downgrades.
+ */
+@Singleton
+@UpgradeCheck(group = UpgradeCheckGroup.INFORMATIONAL_WARNING)
+public class RangerSSLConfigCheck extends AbstractCheckDescriptor {
+
+ private static final Logger LOG = LoggerFactory.getLogger(RangerSSLConfigCheck.class);
+ private static final String serviceName = "RANGER";
+
+
+ /**
+ * Constructor
+ */
+ public RangerSSLConfigCheck() {
+ super(CheckDescription.RANGER_SSL_CONFIG_CHECK);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public boolean isApplicable(PrereqCheckRequest request) throws AmbariException {
+ return super.isApplicable(request, Arrays.asList(serviceName), true);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public void perform(PrerequisiteCheck prerequisiteCheck, PrereqCheckRequest request) throws AmbariException {
+ String isRangerHTTPEnabled = getProperty(request, "ranger-admin-site", "ranger.service.http.enabled");
+ String isRangerSSLEnabled = getProperty(request, "ranger-admin-site", "ranger.service.https.attrib.ssl.enabled");
+ String rangerSSLKeystoreFile = getProperty(request, "ranger-admin-site", "ranger.https.attrib.keystore.file");
+
+ if (("false").equalsIgnoreCase(isRangerHTTPEnabled) && ("true").equalsIgnoreCase(isRangerSSLEnabled) && rangerSSLKeystoreFile.contains("/etc/ranger/admin/conf") ) {
+ LOG.info("Ranger is SSL enabled, need to show Configuration changes warning before upragade proceeds.");
+ prerequisiteCheck.getFailedOn().add(serviceName);
+ prerequisiteCheck.setStatus(PrereqCheckStatus.WARNING);
+ prerequisiteCheck.setFailReason(getFailReason(prerequisiteCheck, request));
+ } else {
+ LOG.info("Ranger is not SSL enabled, no need to show Configuration changes warning before upragade proceeds.");
+ }
+
+ }
+}
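Review bot: `rangerSSLKeystoreFile.contains(...)` in perform() has no null guard, so if `ranger.https.attrib.keystore.file` is absent from ranger-admin-site the pre-upgrade check would throw instead of reporting (this assumes getProperty returns null for a missing key, which is not visible here). Guard it with `rangerSSLKeystoreFile != null && rangerSSLKeystoreFile.contains("/etc/ranger/admin/conf")`. The else branch logs "Ranger is not SSL enabled" even when SSL is enabled and the keystore simply lives elsewhere, which will mislead anyone reading the server log during an upgrade. Only the keystore path is examined, although the description also speaks of truststores and certificates, so a truststore left under the conf folder will not raise the warning. The log messages misspell "upgrade" as "upragade" and the class Javadoc has "untoched".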
http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml
index 0d4e3b8..d5ddeeb 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml
@@ -23,6 +23,7 @@
<prerequisite-checks>
<check>org.apache.ambari.server.checks.RangerAuditDbCheck</check>
<check>org.apache.ambari.server.checks.ServicePresenceCheck</check>
+ <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check>
<configuration>
<!-- Configuration properties for all pre-reqs including required pre-reqs -->
<check-properties name="org.apache.ambari.server.checks.HiveDynamicServiceDiscoveryCheck">
http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml
index 58db4a9..88486e6 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml
@@ -35,6 +35,7 @@
<check>org.apache.ambari.server.checks.YarnTimelineServerStatePreservingCheck</check>
<check>org.apache.ambari.server.checks.ServicePresenceCheck</check>
<check>org.apache.ambari.server.checks.RangerAuditDbCheck</check>
+ <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check>
<!-- Specific to HDP 2.5, Storm is not rolling -->
<check>org.apache.ambari.server.checks.StormShutdownWarning</check>
http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml
index eedf98c..94b19c6 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml
@@ -23,6 +23,7 @@
<prerequisite-checks>
<check>org.apache.ambari.server.checks.RangerAuditDbCheck</check>
<check>org.apache.ambari.server.checks.ServicePresenceCheck</check>
+ <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check>
<configuration>
<!-- Configuration properties for all pre-reqs including required pre-reqs -->
http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml
index 392e0fa..626bc63 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml
@@ -36,6 +36,7 @@
<check>org.apache.ambari.server.checks.YarnTimelineServerStatePreservingCheck</check>
<check>org.apache.ambari.server.checks.ServicePresenceCheck</check>
<check>org.apache.ambari.server.checks.RangerAuditDbCheck</check>
+ <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check>
<!-- Specific to HDP 2.5, Storm is not rolling -->
<check>org.apache.ambari.server.checks.StormShutdownWarning</check>
http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
index 8c7a9b1..e92b115 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
@@ -21,6 +21,7 @@
<target-stack>HDP-2.6</target-stack>
<type>NON_ROLLING</type>
<prerequisite-checks>
+ <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check>
<configuration>
<!-- Configuration properties for all pre-reqs including required pre-reqs -->
<check-properties name="org.apache.ambari.server.checks.HiveDynamicServiceDiscoveryCheck">
http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml
index b83525a..818a6c0 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml
@@ -33,6 +33,7 @@
<check>org.apache.ambari.server.checks.ServicesYarnWorkPreservingCheck</check>
<check>org.apache.ambari.server.checks.YarnRMHighAvailabilityCheck</check>
<check>org.apache.ambari.server.checks.YarnTimelineServerStatePreservingCheck</check>
+ <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check>
<configuration>
<!-- Configuration properties for all pre-reqs including required pre-reqs -->
http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/test/java/org/apache/ambari/server/checks/RangerSSLConfigCheckTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/checks/RangerSSLConfigCheckTest.java b/ambari-server/src/test/java/org/apache/ambari/server/checks/RangerSSLConfigCheckTest.java
new file mode 100644
index 0000000..2af5502
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/checks/RangerSSLConfigCheckTest.java
@@ -0,0 +1,150 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.checks;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.controller.PrereqCheckRequest;
+import org.apache.ambari.server.state.Cluster;
+import org.apache.ambari.server.state.Clusters;
+import org.apache.ambari.server.state.Config;
+import org.apache.ambari.server.state.DesiredConfig;
+import org.apache.ambari.server.state.Service;
+import org.apache.ambari.server.state.stack.PrereqCheckStatus;
+import org.apache.ambari.server.state.stack.PrerequisiteCheck;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import com.google.inject.Provider;
+
+
+/* Test for RangerSSLConfigCheck */
+public class RangerSSLConfigCheckTest {
+
+ private final Clusters clusters = Mockito.mock(Clusters.class);
+ private final RangerSSLConfigCheck rangerSSLConfigCheck = new RangerSSLConfigCheck();
+
+ @Before
+ public void setup() {
+ rangerSSLConfigCheck.clustersProvider = new Provider<Clusters>() {
+ @Override
+ public Clusters get() {
+ return clusters;
+ }
+ };
+ Configuration config = Mockito.mock(Configuration.class);
+ rangerSSLConfigCheck.config = config;
+ }
+
+ @Test
+ public void testIsApplicable() throws Exception {
+ final Cluster cluster = Mockito.mock(Cluster.class);
+ final Map<String, Service> services = new HashMap<>();
+ final Service service = Mockito.mock(Service.class);
+
+ services.put("RANGER", service);
+
+ Mockito.when(cluster.getServices()).thenReturn(services);
+ Mockito.when(cluster.getClusterId()).thenReturn(1L);
+ Mockito.when(clusters.getCluster("cluster")).thenReturn(cluster);
+
+ Assert.assertTrue(rangerSSLConfigCheck.isApplicable(new PrereqCheckRequest("cluster")));
+
+ services.remove("RANGER");
+ Assert.assertFalse(rangerSSLConfigCheck.isApplicable(new PrereqCheckRequest("cluster")));
+
+ }
+
+ @Test
+ public void testPerform() throws Exception {
+ final Cluster cluster = Mockito.mock(Cluster.class);
+ final Map<String, Service> services = new HashMap<>();
+ final Service service = Mockito.mock(Service.class);
+
+ services.put("RANGER", service);
+
+ Mockito.when(cluster.getServices()).thenReturn(services);
+ Mockito.when(cluster.getClusterId()).thenReturn(1L);
+ Mockito.when(clusters.getCluster("cluster")).thenReturn(cluster);
+
+ final DesiredConfig desiredConfig = Mockito.mock(DesiredConfig.class);
+ Mockito.when(desiredConfig.getTag()).thenReturn("tag");
+ Map<String, DesiredConfig> configMap = new HashMap<String, DesiredConfig>();
+ configMap.put("ranger-admin-site", desiredConfig);
+
+ Mockito.when(cluster.getDesiredConfigs()).thenReturn(configMap);
+ final Config config = Mockito.mock(Config.class);
+ Mockito.when(cluster.getConfig(Mockito.anyString(), Mockito.anyString())).thenReturn(config);
+ final Map<String, String> properties = new HashMap<String, String>();
+ Mockito.when(config.getProperties()).thenReturn(properties);
+
+ properties.put("ranger.service.http.enabled","true");
+ properties.put("ranger.service.https.attrib.ssl.enabled","true");
+ properties.put("ranger.https.attrib.keystore.file","/etc/ranger/security/ranger-admin-keystore.jks");
+ PrerequisiteCheck check = new PrerequisiteCheck(null, null);
+ rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster"));
+ Assert.assertEquals(PrereqCheckStatus.PASS, check.getStatus());
+
+ properties.put("ranger.service.http.enabled","true");
+ properties.put("ranger.service.https.attrib.ssl.enabled","true");
+ properties.put("ranger.https.attrib.keystore.file","/etc/ranger/security/ranger-admin-keystore.jks");
+ check = new PrerequisiteCheck(null, null);
+ rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster"));
+ Assert.assertEquals(PrereqCheckStatus.PASS, check.getStatus());
+
+
+ properties.put("ranger.service.http.enabled","true");
+ properties.put("ranger.service.https.attrib.ssl.enabled","fasle");
+ properties.put("ranger.https.attrib.keystore.file","/etc/ranger/security/ranger-admin-keystore.jks");
+ check = new PrerequisiteCheck(null, null);
+ rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster"));
+ Assert.assertEquals(PrereqCheckStatus.PASS, check.getStatus());
+
+
+ properties.put("ranger.service.http.enabled","false");
+ properties.put("ranger.service.https.attrib.ssl.enabled","true");
+ properties.put("ranger.https.attrib.keystore.file","/etc/ranger/admin/conf/ranger-admin-keystore.jks");
+ check = new PrerequisiteCheck(null, null);
+ rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster"));
+ Assert.assertEquals(PrereqCheckStatus.WARNING, check.getStatus());
+
+ properties.put("ranger.service.http.enabled","false");
+ properties.put("ranger.service.https.attrib.ssl.enabled","true");
+ properties.put("ranger.https.attrib.keystore.file","/etc/ranger/security/ranger-admin-keystore.jks");
+ check = new PrerequisiteCheck(null, null);
+ rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster"));
+ Assert.assertEquals(PrereqCheckStatus.PASS, check.getStatus());
+
+
+ properties.put("ranger.service.http.enabled","false");
+ properties.put("ranger.service.https.attrib.ssl.enabled","false");
+ properties.put("ranger.https.attrib.keystore.file","/etc/ranger/security/ranger-admin-keystore.jks");
+ check = new PrerequisiteCheck(null, null);
+ rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster"));
+ Assert.assertEquals(PrereqCheckStatus.PASS, check.getStatus());
+
+
+
+ }
+}
+
+
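Review bot: The first two scenarios in testPerform() set identical property values (HTTP `true`, SSL `true`, keystore under `/etc/ranger/security`), so the second adds no coverage. It could instead cover SSL enabled with the keystore property missing, or HTTP and SSL both `true` with the keystore under `/etc/ranger/admin/conf`. The third scenario sets `ranger.service.https.attrib.ssl.enabled` to `"fasle"`, which passes only because any value other than "true" is treated as disabled; if an invalid value is intended a comment should say so, otherwise use `properties.put("ranger.service.https.attrib.ssl.enabled","false");`. The WARNING case asserts only the status; also asserting that `check.getFailedOn()` contains `"RANGER"` would pin the rest of the behaviour.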