Repository: ambari Updated Branches: refs/heads/trunk be2adc4d2 -> ad75eeb03
AMBARI-8941. Distributed keytab files have the incorrect owner and group access controls (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/ad75eeb0
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/ad75eeb0
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/ad75eeb0
Branch: refs/heads/trunk
Commit: ad75eeb0336e69ff880f6a23f07490c68909653c
Parents: be2adc4
Author: Robert Levas <[email protected]>
Authored: Wed Jan 7 09:16:56 2015 -0500
Committer: Robert Levas <[email protected]>
Committed: Wed Jan 7 09:16:56 2015 -0500
----------------------------------------------------------------------
.../package/scripts/kerberos_common.py | 59 ++++------
.../main/resources/stacks/HDP/2.2/kerberos.json | 2 +-
.../stacks/2.2/KERBEROS/test_kerberos_client.py | 115 ++++++++++++++++++-
3 files changed, 138 insertions(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/ad75eeb0/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py
index 42e195c..54b7411 100644
--- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py
+++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py
@@ -350,6 +350,7 @@ class KerberosScript(Script):
 @staticmethod
 def write_keytab_file():
 import params
+ import stat
 if params.kerberos_command_params is not None:
 for item in params.kerberos_command_params:
@@ -358,41 +359,27 @@ class KerberosScript(Script):
 keytab_file_path = get_property_value(item, 'keytab_file_path')
 if (keytab_file_path is not None) and (len(keytab_file_path) > 0):
 head, tail = os.path.split(keytab_file_path)
- if head and not os.path.isdir(head):
- os.makedirs(head)
- with open(keytab_file_path, 'w') as f:
- f.write(base64.b64decode(keytab_content_base64))
- owner = get_property_value(item, 'keytab_file_owner')
+ if head:
+ Directory(head, recursive=True, mode=0755, owner="root", group="root")
+
+ owner = get_property_value(item, 'keytab_file_owner_name')
 owner_access = get_property_value(item, 'keytab_file_owner_access')
- group = get_property_value(item, 'keytab_file_group')
+ group = get_property_value(item, 'keytab_file_group_name')
 group_access = get_property_value(item, 'keytab_file_group_access')
- KerberosScript._set_file_access(keytab_file_path, owner, owner_access, group, group_access)
-
-
- @staticmethod
- def _set_file_access(file_path, owner, owner_access='rw', group=None, group_access=''):
- if (file_path is not None) and os.path.isfile(file_path) and (owner is not None):
- import stat
- import pwd
- import grp
-
- pwnam = pwd.getpwnam(owner) if (owner is not None) and (len(owner) > 0) else None
- uid = pwnam.pw_uid if pwnam is not None else os.geteuid()
-
- grnam = grp.getgrnam(group) if (group is not None) and (len(group) > 0) else None
- gid = grnam.gr_gid if grnam is not None else os.getegid()
-
- chmod = 0
-
- if owner_access == 'r':
- chmod |= stat.S_IREAD
- else:
- chmod |= stat.S_IREAD | stat.S_IWRITE
-
- if group_access == 'rw':
- chmod |= stat.S_IRGRP | stat.S_IWGRP
- elif group_access == 'r':
- chmod |= stat.S_IRGRP
-
- os.chmod(file_path, chmod)
- os.chown(file_path, uid, gid)
+ mode = 0
+
+ if owner_access == 'rw':
+ mode |= stat.S_IREAD | stat.S_IWRITE
+ else:
+ mode |= stat.S_IREAD
+
+ if group_access == 'rw':
+ mode |= stat.S_IRGRP | stat.S_IWGRP
+ elif group_access == 'r':
+ mode |= stat.S_IRGRP
+
+ File(keytab_file_path,
+ content=base64.b64decode(keytab_content_base64),
+ mode=mode,
+ owner=owner,
+ group=group)
http://git-wip-us.apache.org/repos/asf/ambari/blob/ad75eeb0/ambari-server/src/main/resources/stacks/HDP/2.2/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.2/kerberos.json
index fcbd669..9d3a38f 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/kerberos.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/kerberos.json
@@ -16,7 +16,7 @@
 "access": "r"
 },
 "group": {
- "name": "${hadoop-env/user_group}",
+ "name": "${cluster-env/user_group}",
 "access": "r"
 }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/ad75eeb0/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py b/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py
index 022d2f4..9531c33 100644
--- a/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py
+++ b/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py
@@ -17,9 +17,10 @@ limitations under the License.
 """
+import json
 import os
-import use_cases
 import sys
+import use_cases
 from stacks.utils.RMFTestCase import *
 class TestKerberosClient(RMFTestCase):
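Review bot: The new `Directory(head, recursive=True, mode=0755, owner="root", group="root")` is now invoked for the keytab's parent directory on every run, whether or not that directory already exists, where the removed code only called `os.makedirs` when it was missing; because `head` is derived from the `keytab_file_path` carried in the command params, a keytab configured under a directory owned by a service user (a home directory, say) would presumably have that directory re-owned to root:root and reset to 0755 if the resource enforces those attributes on an existing directory, as the accompanying test expects it to. That is fine for `/etc/security/keytabs`, but it deserves either a guard such as `if head and not os.path.isdir(head):` or an explicit comment like `# the keytab directory is always normalised to root:root 0755, even if it pre-exists`. Separately, the removed `_set_file_access` fell back to the effective uid/gid when `owner` or `group` was empty, whereas the new code passes them straight to `File`; what `File` does with an empty or `None` owner/group is not visible here and should be checked, since an unowned credential file is exactly what this commit is trying to avoid. The mode computation is fail-closed (any owner value other than `'rw'` yields read-only, an unrecognised group value yields no group bits, world bits are never set), and a one-line comment stating that intent above `mode = 0` would keep a later edit from "fixing" it. `write_keytab_file` begins before this hunk (its `import stat` is added in the preceding hunk) and `keytab_content_base64` is read outside it.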
@@ -183,3 +184,115 @@ class TestKerberosClient(RMFTestCase):
 self.assertEqual(None, get_property_value(d, 'none', None, False, "I'm empty"))
 self.assertEqual("I'm empty", get_property_value(d, 'none', '', True, "I'm empty"))
 self.assertEqual("", get_property_value(d, 'none', '', False, "I'm empty"))
+
+ def test_set_keytab(self):
+ import base64
+
+ config_file = "stacks/2.2/configs/default.json"
+ with open(config_file, "r") as f:
+ json_data = json.load(f)
+
+ json_data['kerberosCommandParams'] = []
+ json_data['kerberosCommandParams'].append({
+ "keytab_file_configuration": "hdfs-site/dfs.web.authentication.kerberos.keytab",
+ "service": "HDFS",
+ "keytab_content_base64": "BQIAAABbAAIAC0VYQU1QTEUuQ09NAARIVFRQABdjNjU"
+ "wMS5hbWJhcmkuYXBhY2hlLm9yZwAAAAFUodgKAQASAC"
+ "A5N4gKUJsizCzwRD11Q/6sdZhJjlJmuuMeMKw/WefIb"
+ "gAAAFMAAgALRVhBTVBMRS5DT00ABEhUVFAAF2M2NTAx"
+ "LmFtYmFyaS5hcGFjaGUub3JnAAAAAVSh2AoBABAAGLA"
+ "3huUxDmRK2da5Z7WPZ+zTbdnBkXCrKgAAAEsAAgALRV"
+ "hBTVBMRS5DT00ABEhUVFAAF2M2NTAxLmFtYmFyaS5hc"
+ "GFjaGUub3JnAAAAAVSh2AoBABcAEIT0yzbx1fnhmuaG"
+ "5qtg444AAABDAAIAC0VYQU1QTEUuQ09NAARIVFRQABd"
+ "jNjUwMS5hbWJhcmkuYXBhY2hlLm9yZwAAAAFUodgKAQ"
+ "ADAAiov1LleuaMgwAAAEsAAgALRVhBTVBMRS5DT00AB"
+ "EhUVFAAF2M2NTAxLmFtYmFyaS5hcGFjaGUub3JnAAAA"
+ "AVSh2AoBABEAECBTe9uCaSiPxnoGRldhAks=",
+ "keytab_file_group_access": "r",
+ "hostname": "c6501.ambari.apache.org",
+ "component": "NAMENODE",
+ "keytab_file_owner_name": "root",
+ "keytab_file_path": "/etc/security/keytabs/spnego.service.keytab",
+ "principal_configuration": "hdfs-site/dfs.web.authentication.kerberos.principal",
+ "keytab_file_owner_access": "r",
+ "keytab_file_group_name": "hadoop",
+ "principal": "HTTP/[email protected]"
+ })
+
+ json_data['kerberosCommandParams'].append({
+ "keytab_file_configuration": "cluster-env/smokeuser_keytab",
+ "service": "HDFS",
+ "keytab_content_base64": "BQIAAABHAAEAC0VYQU1QTEUuQ09NAAlhbWJhcmktcWEAAAA"
+ "BVKHYCgEAEgAg3OBDOecGoznTHZiPwmlmK4TI6bdRdrl/6q"
+ "TV8Kml2TAAAAA/AAEAC0VYQU1QTEUuQ09NAAlhbWJhcmktc"
+ "WEAAAABVKHYCgEAEAAYzqEjkX/xDoO8ij0cJmc3ZG7Qfzgl"
+ "/SN2AAAANwABAAtFWEFNUExFLkNPTQAJYW1iYXJpLXFhAAA"
+ "AAVSh2AoBABcAEHzLG1kfqxhEoTe4erUldvQAAAAvAAEAC0"
+ "VYQU1QTEUuQ09NAAlhbWJhcmktcWEAAAABVKHYCgEAAwAIO"
+ "PK6UkwyUSMAAAA3AAEAC0VYQU1QTEUuQ09NAAlhbWJhcmkt"
+ "cWEAAAABVKHYCgEAEQAQVqISRJwXIQnG28lI34mfeA==",
+ "keytab_file_group_access": "",
+ "hostname": "c6501.ambari.apache.org",
+ "component": "NAMENODE",
+ "keytab_file_owner_name": "ambari-qa",
+ "keytab_file_path": "/etc/security/keytabs/smokeuser.headless.keytab",
+ "principal_configuration": "cluster-env/smokeuser_principal_name",
+ "keytab_file_owner_access": "r",
+ "keytab_file_group_name": "hadoop",
+ "principal": "[email protected]"
+ })
+
+ self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/kerberos_client.py",
+ classname="KerberosClient",
+ command="set_keytab",
+ config_dict=json_data,
+ hdp_stack_version = self.STACK_VERSION,
+ target = RMFTestCase.TARGET_COMMON_SERVICES
+ )
+
+ self.assertResourceCalled('Directory', "/etc/security/keytabs",
+ owner='root',
+ group='root',
+ mode=0755,
+ recursive=True)
+
+ self.assertResourceCalled('File', "/etc/security/keytabs/spnego.service.keytab",
+ owner='root',
+ group='hadoop',
+ mode=0440,
+ content=base64.b64decode("BQIAAABbAAIAC0VYQU1QTEUuQ09NAARIVFRQABdjNjU"
+ "wMS5hbWJhcmkuYXBhY2hlLm9yZwAAAAFUodgKAQASAC"
+ "A5N4gKUJsizCzwRD11Q/6sdZhJjlJmuuMeMKw/WefIb"
+ "gAAAFMAAgALRVhBTVBMRS5DT00ABEhUVFAAF2M2NTAx"
+ "LmFtYmFyaS5hcGFjaGUub3JnAAAAAVSh2AoBABAAGLA"
+ "3huUxDmRK2da5Z7WPZ+zTbdnBkXCrKgAAAEsAAgALRV"
+ "hBTVBMRS5DT00ABEhUVFAAF2M2NTAxLmFtYmFyaS5hc"
+ "GFjaGUub3JnAAAAAVSh2AoBABcAEIT0yzbx1fnhmuaG"
+ "5qtg444AAABDAAIAC0VYQU1QTEUuQ09NAARIVFRQABd"
+ "jNjUwMS5hbWJhcmkuYXBhY2hlLm9yZwAAAAFUodgKAQ"
+ "ADAAiov1LleuaMgwAAAEsAAgALRVhBTVBMRS5DT00AB"
+ "EhUVFAAF2M2NTAxLmFtYmFyaS5hcGFjaGUub3JnAAAA"
+ "AVSh2AoBABEAECBTe9uCaSiPxnoGRldhAks=")
+ )
+
+ self.assertResourceCalled('Directory', "/etc/security/keytabs",
+ owner='root',
+ group='root',
+ mode=0755,
+ recursive=True)
+
+ self.assertResourceCalled('File', "/etc/security/keytabs/smokeuser.headless.keytab",
+ owner='ambari-qa',
+ group='hadoop',
+ mode=0400,
+ content=base64.b64decode("BQIAAABHAAEAC0VYQU1QTEUuQ09NAAlhbWJhcmktcWEAAAA"
+ "BVKHYCgEAEgAg3OBDOecGoznTHZiPwmlmK4TI6bdRdrl/6q"
+ "TV8Kml2TAAAAA/AAEAC0VYQU1QTEUuQ09NAAlhbWJhcmktc"
+ "WEAAAABVKHYCgEAEAAYzqEjkX/xDoO8ij0cJmc3ZG7Qfzgl"
+ "/SN2AAAANwABAAtFWEFNUExFLkNPTQAJYW1iYXJpLXFhAAA"
+ "AAVSh2AoBABcAEHzLG1kfqxhEoTe4erUldvQAAAAvAAEAC0"
+ "VYQU1QTEUuQ09NAAlhbWJhcmktcWEAAAABVKHYCgEAAwAIO"
+ "PK6UkwyUSMAAAA3AAEAC0VYQU1QTEUuQ09NAAlhbWJhcmkt"
+ "cWEAAAABVKHYCgEAEQAQVqISRJwXIQnG28lI34mfeA==")
+ )
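Review bot: Both entries in `test_set_keytab` set `"keytab_file_owner_access": "r"`, so the `'rw'` branch of the mode computation (the one that sets `S_IWRITE`) and the case of an empty `keytab_file_group_name` are never exercised, although the second entry does cover an empty group access and pins the expected `mode=0400`. A third entry with `"keytab_file_owner_access": "rw"` and `"keytab_file_group_access": "r"` asserting `mode=0640` would lock down the only branch that grants write access to the credential file, which is the branch most worth pinning. The test also does not check that nothing else runs after the second `File`; if `RMFTestCase` offers `assertNoMoreResources`, a closing `self.assertNoMoreResources()` would catch stray resources. The `config_file = "stacks/2.2/configs/default.json"` path is relative to the working directory, which appears to follow the convention of the surrounding tests rather than being new here.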
