Posted to commits@ambari.apache.org by rl...@apache.org on 2015/01/07 15:17:19 UTC
ambari git commit: AMBARI-8941. Distributed keytab files have the
incorrect owner and group access controls (rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk be2adc4d2 -> ad75eeb03
AMBARI-8941. Distributed keytab files have the incorrect owner and group access controls (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/ad75eeb0
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/ad75eeb0
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/ad75eeb0
Branch: refs/heads/trunk
Commit: ad75eeb0336e69ff880f6a23f07490c68909653c
Parents: be2adc4
Author: Robert Levas <rl...@hortonworks.com>
Authored: Wed Jan 7 09:16:56 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Wed Jan 7 09:16:56 2015 -0500
----------------------------------------------------------------------
.../package/scripts/kerberos_common.py | 59 ++++------
.../main/resources/stacks/HDP/2.2/kerberos.json | 2 +-
.../stacks/2.2/KERBEROS/test_kerberos_client.py | 115 ++++++++++++++++++-
3 files changed, 138 insertions(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/ad75eeb0/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py
index 42e195c..54b7411 100644
--- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py
+++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py
@@ -350,6 +350,7 @@ class KerberosScript(Script):
@staticmethod
def write_keytab_file():
import params
+ import stat
if params.kerberos_command_params is not None:
for item in params.kerberos_command_params:
@@ -358,41 +359,27 @@ class KerberosScript(Script):
keytab_file_path = get_property_value(item, 'keytab_file_path')
if (keytab_file_path is not None) and (len(keytab_file_path) > 0):
head, tail = os.path.split(keytab_file_path)
- if head and not os.path.isdir(head):
- os.makedirs(head)
- with open(keytab_file_path, 'w') as f:
- f.write(base64.b64decode(keytab_content_base64))
- owner = get_property_value(item, 'keytab_file_owner')
+ if head:
+ Directory(head, recursive=True, mode=0755, owner="root", group="root")
+
+ owner = get_property_value(item, 'keytab_file_owner_name')
owner_access = get_property_value(item, 'keytab_file_owner_access')
- group = get_property_value(item, 'keytab_file_group')
+ group = get_property_value(item, 'keytab_file_group_name')
group_access = get_property_value(item, 'keytab_file_group_access')
- KerberosScript._set_file_access(keytab_file_path, owner, owner_access, group, group_access)
-
-
- @staticmethod
- def _set_file_access(file_path, owner, owner_access='rw', group=None, group_access=''):
- if (file_path is not None) and os.path.isfile(file_path) and (owner is not None):
- import stat
- import pwd
- import grp
-
- pwnam = pwd.getpwnam(owner) if (owner is not None) and (len(owner) > 0) else None
- uid = pwnam.pw_uid if pwnam is not None else os.geteuid()
-
- grnam = grp.getgrnam(group) if (group is not None) and (len(group) > 0) else None
- gid = grnam.gr_gid if grnam is not None else os.getegid()
-
- chmod = 0
-
- if owner_access == 'r':
- chmod |= stat.S_IREAD
- else:
- chmod |= stat.S_IREAD | stat.S_IWRITE
-
- if group_access == 'rw':
- chmod |= stat.S_IRGRP | stat.S_IWGRP
- elif group_access == 'r':
- chmod |= stat.S_IRGRP
-
- os.chmod(file_path, chmod)
- os.chown(file_path, uid, gid)
+ mode = 0
+
+ if owner_access == 'rw':
+ mode |= stat.S_IREAD | stat.S_IWRITE
+ else:
+ mode |= stat.S_IREAD
+
+ if group_access == 'rw':
+ mode |= stat.S_IRGRP | stat.S_IWGRP
+ elif group_access == 'r':
+ mode |= stat.S_IRGRP
+
+ File(keytab_file_path,
+ content=base64.b64decode(keytab_content_base64),
+ mode=mode,
+ owner=owner,
+ group=group)
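Review bot: The keytab is a credential, and the `File(keytab_file_path, content=..., mode=mode, owner=owner, group=group)` call at the end of this hunk leaves it to the File provider whether the bytes are written before or after the restrictive mode and ownership are applied; that provider is not visible here, so it is worth confirming the file is never on disk under the process umask and recording it in a comment such as `# File must apply mode/owner before the keytab content is readable by others`. `owner` and `group` are also passed through without the `owner is not None` check the removed `_set_file_access` had, so an item lacking `keytab_file_owner_name` presumably yields a keytab owned by the agent's own user; an explicit `if not owner:` branch that logs and skips the item would make that case deliberate. The `Directory(head, recursive=True, mode=0755, owner="root", group="root")` line applies to whatever parent directory the command supplies, which, if the resource enforces metadata on existing directories, would re-own a directory that is not dedicated to keytabs. `write_keytab_file` begins above this hunk and the loop body between the two hunks is not shown.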
http://git-wip-us.apache.org/repos/asf/ambari/blob/ad75eeb0/ambari-server/src/main/resources/stacks/HDP/2.2/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.2/kerberos.json
index fcbd669..9d3a38f 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/kerberos.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/kerberos.json
@@ -16,7 +16,7 @@
"access": "r"
},
"group": {
- "name": "${hadoop-env/user_group}",
+ "name": "${cluster-env/user_group}",
"access": "r"
}
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/ad75eeb0/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py b/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py
index 022d2f4..9531c33 100644
--- a/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py
+++ b/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py
@@ -17,9 +17,10 @@ limitations under the License.
"""
+import json
import os
-import use_cases
import sys
+import use_cases
from stacks.utils.RMFTestCase import *
class TestKerberosClient(RMFTestCase):
@@ -183,3 +184,115 @@ class TestKerberosClient(RMFTestCase):
self.assertEqual(None, get_property_value(d, 'none', None, False, "I'm empty"))
self.assertEqual("I'm empty", get_property_value(d, 'none', '', True, "I'm empty"))
self.assertEqual("", get_property_value(d, 'none', '', False, "I'm empty"))
+
+ def test_set_keytab(self):
+ import base64
+
+ config_file = "stacks/2.2/configs/default.json"
+ with open(config_file, "r") as f:
+ json_data = json.load(f)
+
+ json_data['kerberosCommandParams'] = []
+ json_data['kerberosCommandParams'].append({
+ "keytab_file_configuration": "hdfs-site/dfs.web.authentication.kerberos.keytab",
+ "service": "HDFS",
+ "keytab_content_base64": "BQIAAABbAAIAC0VYQU1QTEUuQ09NAARIVFRQABdjNjU"
+ "wMS5hbWJhcmkuYXBhY2hlLm9yZwAAAAFUodgKAQASAC"
+ "A5N4gKUJsizCzwRD11Q/6sdZhJjlJmuuMeMKw/WefIb"
+ "gAAAFMAAgALRVhBTVBMRS5DT00ABEhUVFAAF2M2NTAx"
+ "LmFtYmFyaS5hcGFjaGUub3JnAAAAAVSh2AoBABAAGLA"
+ "3huUxDmRK2da5Z7WPZ+zTbdnBkXCrKgAAAEsAAgALRV"
+ "hBTVBMRS5DT00ABEhUVFAAF2M2NTAxLmFtYmFyaS5hc"
+ "GFjaGUub3JnAAAAAVSh2AoBABcAEIT0yzbx1fnhmuaG"
+ "5qtg444AAABDAAIAC0VYQU1QTEUuQ09NAARIVFRQABd"
+ "jNjUwMS5hbWJhcmkuYXBhY2hlLm9yZwAAAAFUodgKAQ"
+ "ADAAiov1LleuaMgwAAAEsAAgALRVhBTVBMRS5DT00AB"
+ "EhUVFAAF2M2NTAxLmFtYmFyaS5hcGFjaGUub3JnAAAA"
+ "AVSh2AoBABEAECBTe9uCaSiPxnoGRldhAks=",
+ "keytab_file_group_access": "r",
+ "hostname": "c6501.ambari.apache.org",
+ "component": "NAMENODE",
+ "keytab_file_owner_name": "root",
+ "keytab_file_path": "/etc/security/keytabs/spnego.service.keytab",
+ "principal_configuration": "hdfs-site/dfs.web.authentication.kerberos.principal",
+ "keytab_file_owner_access": "r",
+ "keytab_file_group_name": "hadoop",
+ "principal": "HTTP/_HOST@EXAMPLE.COM"
+ })
+
+ json_data['kerberosCommandParams'].append({
+ "keytab_file_configuration": "cluster-env/smokeuser_keytab",
+ "service": "HDFS",
+ "keytab_content_base64": "BQIAAABHAAEAC0VYQU1QTEUuQ09NAAlhbWJhcmktcWEAAAA"
+ "BVKHYCgEAEgAg3OBDOecGoznTHZiPwmlmK4TI6bdRdrl/6q"
+ "TV8Kml2TAAAAA/AAEAC0VYQU1QTEUuQ09NAAlhbWJhcmktc"
+ "WEAAAABVKHYCgEAEAAYzqEjkX/xDoO8ij0cJmc3ZG7Qfzgl"
+ "/SN2AAAANwABAAtFWEFNUExFLkNPTQAJYW1iYXJpLXFhAAA"
+ "AAVSh2AoBABcAEHzLG1kfqxhEoTe4erUldvQAAAAvAAEAC0"
+ "VYQU1QTEUuQ09NAAlhbWJhcmktcWEAAAABVKHYCgEAAwAIO"
+ "PK6UkwyUSMAAAA3AAEAC0VYQU1QTEUuQ09NAAlhbWJhcmkt"
+ "cWEAAAABVKHYCgEAEQAQVqISRJwXIQnG28lI34mfeA==",
+ "keytab_file_group_access": "",
+ "hostname": "c6501.ambari.apache.org",
+ "component": "NAMENODE",
+ "keytab_file_owner_name": "ambari-qa",
+ "keytab_file_path": "/etc/security/keytabs/smokeuser.headless.keytab",
+ "principal_configuration": "cluster-env/smokeuser_principal_name",
+ "keytab_file_owner_access": "r",
+ "keytab_file_group_name": "hadoop",
+ "principal": "ambari-qa@EXAMPLE.COM"
+ })
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/kerberos_client.py",
+ classname="KerberosClient",
+ command="set_keytab",
+ config_dict=json_data,
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+
+ self.assertResourceCalled('Directory', "/etc/security/keytabs",
+ owner='root',
+ group='root',
+ mode=0755,
+ recursive=True)
+
+ self.assertResourceCalled('File', "/etc/security/keytabs/spnego.service.keytab",
+ owner='root',
+ group='hadoop',
+ mode=0440,
+ content=base64.b64decode("BQIAAABbAAIAC0VYQU1QTEUuQ09NAARIVFRQABdjNjU"
+ "wMS5hbWJhcmkuYXBhY2hlLm9yZwAAAAFUodgKAQASAC"
+ "A5N4gKUJsizCzwRD11Q/6sdZhJjlJmuuMeMKw/WefIb"
+ "gAAAFMAAgALRVhBTVBMRS5DT00ABEhUVFAAF2M2NTAx"
+ "LmFtYmFyaS5hcGFjaGUub3JnAAAAAVSh2AoBABAAGLA"
+ "3huUxDmRK2da5Z7WPZ+zTbdnBkXCrKgAAAEsAAgALRV"
+ "hBTVBMRS5DT00ABEhUVFAAF2M2NTAxLmFtYmFyaS5hc"
+ "GFjaGUub3JnAAAAAVSh2AoBABcAEIT0yzbx1fnhmuaG"
+ "5qtg444AAABDAAIAC0VYQU1QTEUuQ09NAARIVFRQABd"
+ "jNjUwMS5hbWJhcmkuYXBhY2hlLm9yZwAAAAFUodgKAQ"
+ "ADAAiov1LleuaMgwAAAEsAAgALRVhBTVBMRS5DT00AB"
+ "EhUVFAAF2M2NTAxLmFtYmFyaS5hcGFjaGUub3JnAAAA"
+ "AVSh2AoBABEAECBTe9uCaSiPxnoGRldhAks=")
+ )
+
+ self.assertResourceCalled('Directory', "/etc/security/keytabs",
+ owner='root',
+ group='root',
+ mode=0755,
+ recursive=True)
+
+ self.assertResourceCalled('File', "/etc/security/keytabs/smokeuser.headless.keytab",
+ owner='ambari-qa',
+ group='hadoop',
+ mode=0400,
+ content=base64.b64decode("BQIAAABHAAEAC0VYQU1QTEUuQ09NAAlhbWJhcmktcWEAAAA"
+ "BVKHYCgEAEgAg3OBDOecGoznTHZiPwmlmK4TI6bdRdrl/6q"
+ "TV8Kml2TAAAAA/AAEAC0VYQU1QTEUuQ09NAAlhbWJhcmktc"
+ "WEAAAABVKHYCgEAEAAYzqEjkX/xDoO8ij0cJmc3ZG7Qfzgl"
+ "/SN2AAAANwABAAtFWEFNUExFLkNPTQAJYW1iYXJpLXFhAAA"
+ "AAVSh2AoBABcAEHzLG1kfqxhEoTe4erUldvQAAAAvAAEAC0"
+ "VYQU1QTEUuQ09NAAlhbWJhcmktcWEAAAABVKHYCgEAAwAIO"
+ "PK6UkwyUSMAAAA3AAEAC0VYQU1QTEUuQ09NAAlhbWJhcmkt"
+ "cWEAAAABVKHYCgEAEQAQVqISRJwXIQnG28lI34mfeA==")
+ )
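Review bot: `test_set_keytab` only covers owner access `r` combined with group access `r` and the empty string, so the `rw` branches of the mode computation and the case where `keytab_file_owner_name` or `keytab_file_group_name` is missing are never asserted. A third item with `"keytab_file_owner_access": "rw"` and an expected `mode=0600` would pin that the keytab never gains group or other bits by accident. Each base64 blob is also spelled out twice, once in the command params and once in the `assertResourceCalled` expectation; binding it to a local such as `spnego_keytab_b64 = "..."` and reusing it keeps the two copies from drifting. If these blobs are throwaway material for the EXAMPLE.COM realm, as the principals suggest, a comment like `# test-only keytab, not a live credential` would save the next reader from having to check.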