Posted to commits@ambari.apache.org by am...@apache.org on 2018/01/05 07:56:24 UTC

[28/45] ambari git commit: AMBARI-22719. Regenerate Keytabs resets security.inter.broker.protocol to PLAINTEXTSASL

AMBARI-22719. Regenerate Keytabs resets security.inter.broker.protocol to PLAINTEXTSASL


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e2be62d5
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e2be62d5
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e2be62d5

Branch: refs/heads/branch-feature-AMBARI-22008-isilon
Commit: e2be62d598054c822ecc0c7039ed8a433e1212d9
Parents: 13056cf
Author: Doroszlai, Attila <ad...@hortonworks.com>
Authored: Wed Jan 3 11:13:16 2018 +0100
Committer: Doroszlai, Attila <ad...@hortonworks.com>
Committed: Thu Jan 4 12:53:12 2018 +0100

----------------------------------------------------------------------
 .../stacks/HDP/2.3/services/stack_advisor.py       |  9 ++++++++-
 .../python/stacks/2.3/common/test_stack_advisor.py | 17 +++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/e2be62d5/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
index 201efff..c4c493d 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
@@ -339,7 +339,14 @@ class HDP23StackAdvisor(HDP22StackAdvisor):
         putKafkaBrokerProperty("super.users", kafka_super_users)
 
       putKafkaBrokerProperty("principal.to.local.class", "kafka.security.auth.KerberosPrincipalToLocal")
-      putKafkaBrokerProperty("security.inter.broker.protocol", "PLAINTEXTSASL")
+
+      recommended_inter_broker_protocol = 'PLAINTEXTSASL'
+      if 'security.inter.broker.protocol' in kafka_broker:
+        current_inter_broker_protocol = kafka_broker['security.inter.broker.protocol']
+        if current_inter_broker_protocol in ('PLAINTEXTSASL', 'SASL_PLAINTEXT', 'SASL_SSL'):
+          recommended_inter_broker_protocol = current_inter_broker_protocol
+      putKafkaBrokerProperty("security.inter.broker.protocol", recommended_inter_broker_protocol)
+
       putKafkaBrokerProperty("zookeeper.set.acl", "true")
 
     else:  # not security_enabled
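Review bot: The added membership test `'security.inter.broker.protocol' in kafka_broker` raises a TypeError if `kafka_broker` is None. It is assigned outside this hunk, so this may not be reachable, but the lookup can be made safe with `current_inter_broker_protocol = (kafka_broker or {}).get('security.inter.broker.protocol')`. The allow-list tuple also deserves a comment such as `# Keep an operator-chosen SASL protocol; any other value (e.g. PLAINTEXT, SSL) is reset in a secured cluster`, so readers can see that non-SASL values are overwritten on purpose. Note that the fallback `PLAINTEXTSASL` authenticates inter-broker traffic but does not encrypt it; of the retained values only `SASL_SSL` does.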

http://git-wip-us.apache.org/repos/asf/ambari/blob/e2be62d5/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py
index 2112fa0..1a58522 100644
--- a/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py
+++ b/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py
@@ -364,6 +364,22 @@ class TestHDP23StackAdvisor(TestCase):
     self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None)
     self.assertEquals(configurations['kafka-broker']['properties']['authorizer.class.name'], 'kafka.security.auth.SimpleAclAuthorizer' , "Test authorizer.class.name with Ranger Kafka plugin disabled in kerberos environment")
 
+    # Advise 'PLAINTEXTSASL' for secure cluster by default
+    services['configurations']['cluster-env']['properties']['security_enabled'] = "true"
+    configurations['kafka-broker']['properties'] = {}
+    configurations['kafka-broker']['property_attributes'] = {}
+    self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None)
+    self.assertEqual(configurations['kafka-broker']['properties']['security.inter.broker.protocol'], 'PLAINTEXTSASL')
+
+    # Secure security.inter.broker.protocol values should be retained by stack advisor
+    services['configurations']['cluster-env']['properties']['security_enabled'] = "true"
+    configurations['kafka-broker']['properties'] = {}
+    configurations['kafka-broker']['property_attributes'] = {}
+    for proto in ('PLAINTEXTSASL', 'SASL_PLAINTEXT', 'SASL_SSL'):
+      services['configurations']['kafka-broker']['properties']['security.inter.broker.protocol'] = proto
+      self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None)
+      self.assertEqual(configurations['kafka-broker']['properties']['security.inter.broker.protocol'], proto)
+
     # Test authorizer.class.name with Ranger Kafka plugin enabled in non-kerberos environment
     services['configurations']['cluster-env']['properties']['security_enabled'] = "false"
     configurations['kafka-broker']['properties'] = {}
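Review bot: The new assertions cover the default and the three retained values, but not the fallback branch where a value is present and outside the allow-list, which is the security-relevant path. A case that sets `services['configurations']['kafka-broker']['properties']['security.inter.broker.protocol'] = 'PLAINTEXT'`, calls `recommendKAFKAConfigurations` and then asserts the recommended value is `'PLAINTEXTSASL'` would pin that behaviour. The loop also leaves `'SASL_SSL'` in the shared `services` dict, so later assertions in this test method (which starts and continues outside the hunk) run against that leftover state. Deleting the key after the loop, e.g. `del services['configurations']['kafka-broker']['properties']['security.inter.broker.protocol']`, would isolate them.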
@@ -383,6 +399,7 @@ class TestHDP23StackAdvisor(TestCase):
     self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None)
     self.assertEquals(configurations['kafka-broker']['properties']['authorizer.class.name'], 'org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer', "Test authorizer.class.name with Ranger Kafka plugin enabled in kerberos environment")
     self.assertEquals(configurations['ranger-kafka-plugin-properties']['properties']['zookeeper.connect'], 'host1:2181')
+    self.assertTrue('security.inter.broker.protocol' not in configurations['kafka-broker']['properties'])
 
     # Test kafka-log4j content when Ranger plugin for Kafka is enabled