Posted to commits@ambari.apache.org by am...@apache.org on 2018/01/05 07:56:24 UTC
[28/45] ambari git commit: AMBARI-22719. Regenerate Keytabs resets
security.inter.broker.protocol to PLAINTEXTSASL
AMBARI-22719. Regenerate Keytabs resets security.inter.broker.protocol to PLAINTEXTSASL
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e2be62d5
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e2be62d5
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e2be62d5
Branch: refs/heads/branch-feature-AMBARI-22008-isilon
Commit: e2be62d598054c822ecc0c7039ed8a433e1212d9
Parents: 13056cf
Author: Doroszlai, Attila <ad...@hortonworks.com>
Authored: Wed Jan 3 11:13:16 2018 +0100
Committer: Doroszlai, Attila <ad...@hortonworks.com>
Committed: Thu Jan 4 12:53:12 2018 +0100
----------------------------------------------------------------------
.../stacks/HDP/2.3/services/stack_advisor.py | 9 ++++++++-
.../python/stacks/2.3/common/test_stack_advisor.py | 17 +++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/e2be62d5/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
index 201efff..c4c493d 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
@@ -339,7 +339,14 @@ class HDP23StackAdvisor(HDP22StackAdvisor):
putKafkaBrokerProperty("super.users", kafka_super_users)
putKafkaBrokerProperty("principal.to.local.class", "kafka.security.auth.KerberosPrincipalToLocal")
- putKafkaBrokerProperty("security.inter.broker.protocol", "PLAINTEXTSASL")
+
+ recommended_inter_broker_protocol = 'PLAINTEXTSASL'
+ if 'security.inter.broker.protocol' in kafka_broker:
+ current_inter_broker_protocol = kafka_broker['security.inter.broker.protocol']
+ if current_inter_broker_protocol in ('PLAINTEXTSASL', 'SASL_PLAINTEXT', 'SASL_SSL'):
+ recommended_inter_broker_protocol = current_inter_broker_protocol
+ putKafkaBrokerProperty("security.inter.broker.protocol", recommended_inter_broker_protocol)
+
putKafkaBrokerProperty("zookeeper.set.acl", "true")
else: # not security_enabled
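Review bot: The fallback around `recommended_inter_broker_protocol` is silent: any existing value outside `('PLAINTEXTSASL', 'SASL_PLAINTEXT', 'SASL_SSL')` is replaced with `PLAINTEXTSASL`, so as far as this hunk shows a broker that had been set to `SSL` would end up with unencrypted inter-broker traffic after the recommendation is applied. If that reset is intended because a Kerberized cluster needs a SASL protocol, a comment above the tuple should say so, e.g. `# Only SASL protocols are retained when security is enabled; any other value is reset to PLAINTEXTSASL (authenticated, not encrypted)`. The membership test is an exact string match, so a value that differs in case or carries stray whitespace would presumably be reset too; it is worth deciding whether to normalise before comparing. `kafka_broker` and the enclosing method are defined outside the hunk, so where the current value is read from cannot be confirmed here.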
http://git-wip-us.apache.org/repos/asf/ambari/blob/e2be62d5/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py
index 2112fa0..1a58522 100644
--- a/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py
+++ b/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py
@@ -364,6 +364,22 @@ class TestHDP23StackAdvisor(TestCase):
self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None)
self.assertEquals(configurations['kafka-broker']['properties']['authorizer.class.name'], 'kafka.security.auth.SimpleAclAuthorizer' , "Test authorizer.class.name with Ranger Kafka plugin disabled in kerberos environment")
+ # Advise 'PLAINTEXTSASL' for secure cluster by default
+ services['configurations']['cluster-env']['properties']['security_enabled'] = "true"
+ configurations['kafka-broker']['properties'] = {}
+ configurations['kafka-broker']['property_attributes'] = {}
+ self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None)
+ self.assertEqual(configurations['kafka-broker']['properties']['security.inter.broker.protocol'], 'PLAINTEXTSASL')
+
+ # Secure security.inter.broker.protocol values should be retained by stack advisor
+ services['configurations']['cluster-env']['properties']['security_enabled'] = "true"
+ configurations['kafka-broker']['properties'] = {}
+ configurations['kafka-broker']['property_attributes'] = {}
+ for proto in ('PLAINTEXTSASL', 'SASL_PLAINTEXT', 'SASL_SSL'):
+ services['configurations']['kafka-broker']['properties']['security.inter.broker.protocol'] = proto
+ self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None)
+ self.assertEqual(configurations['kafka-broker']['properties']['security.inter.broker.protocol'], proto)
+
# Test authorizer.class.name with Ranger Kafka plugin enabled in non-kerberos environment
services['configurations']['cluster-env']['properties']['security_enabled'] = "false"
configurations['kafka-broker']['properties'] = {}
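Review bot: The added cases cover the default and the three retained values, but not the branch that overrides an operator's setting, which is the security-relevant one. A case that sets `services['configurations']['kafka-broker']['properties']['security.inter.broker.protocol'] = 'PLAINTEXT'` and then asserts the recommendation is `'PLAINTEXTSASL'` would pin that a non-SASL value never survives on a secured cluster. The loop also leaves `'SASL_SSL'` behind in `services` after its last iteration and does not reset `configurations['kafka-broker']['properties']` between iterations, so later assertions in this test method (which continues outside the hunk) may depend on that leftover state. Clearing the key after the loop would keep the cases independent.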
@@ -383,6 +399,7 @@ class TestHDP23StackAdvisor(TestCase):
self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None)
self.assertEquals(configurations['kafka-broker']['properties']['authorizer.class.name'], 'org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer', "Test authorizer.class.name with Ranger Kafka plugin enabled in kerberos environment")
self.assertEquals(configurations['ranger-kafka-plugin-properties']['properties']['zookeeper.connect'], 'host1:2181')
+ self.assertTrue('security.inter.broker.protocol' not in configurations['kafka-broker']['properties'])
# Test kafka-log4j content when Ranger plugin for Kafka is enabled