Repository: ambari Updated Branches: refs/heads/trunk 759edd4d3 -> e22b67103
AMBARI-10266. Cannot enable kerberos with Ambari server running non-root (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e22b6710
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e22b6710
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e22b6710
Branch: refs/heads/trunk
Commit: e22b671035bcaa026f2ce5c3b77e1d49b3c74c73
Parents: 759edd4
Author: Robert Levas <[email protected]>
Authored: Wed Apr 1 16:21:34 2015 -0400
Committer: Robert Levas <[email protected]>
Committed: Wed Apr 1 16:21:34 2015 -0400
----------------------------------------------------------------------
ambari-server/conf/unix/ambari.properties | 2 +-
ambari-server/conf/windows/ambari.properties | 2 +-
.../kerberos/CreateKeytabFilesServerAction.java | 23 +++--
.../CreateKeytabFilesServerActionTest.java | 91 ++++++++++++++++++++
4 files changed, 109 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/conf/unix/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties
index 44aea5c..eee3bb2 100644
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -48,7 +48,7 @@ bootstrap.script=/usr/lib/python2.6/site-packages/ambari_server/bootstrap.py
 bootstrap.setup_agent.script=/usr/lib/python2.6/site-packages/ambari_server/setupAgent.py
 recommendations.dir=/var/run/ambari-server/stack-recommendations
 stackadvisor.script=/var/lib/ambari-server/resources/scripts/stack_advisor.py
-server.tmp.dir=/var/lib/ambari-server/tmp
+server.tmp.dir=/var/lib/ambari-server/data/tmp
 ambari.python.wrap=ambari-python-wrap
 api.authenticate=true
http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/conf/windows/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/windows/ambari.properties b/ambari-server/conf/windows/ambari.properties
index cfe9c3d..d0fb6dd 100644
--- a/ambari-server/conf/windows/ambari.properties
+++ b/ambari-server/conf/windows/ambari.properties
@@ -55,7 +55,7 @@ kerberos.keytab.cache.dir = data\\cache
 recommendations.dir=\\var\\run\\ambari-server\\stack-recommendations
 stackadvisor.script=resources\\scripts\\stack_advisor.py
-server.tmp.dir=\\var\\run\\ambari-server\\tmp
+server.tmp.dir=\\var\\run\\ambari-server\\data\\tmp
 views.dir=resources\\views
 ambari.python.wrap=python.exe
http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
index a1ff364..5e8b451 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
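Review bot: The `server.tmp.dir` change on the `-`/`+` pair only relocates the temp directory; nothing in this commit shows the new `/var/lib/ambari-server/data/tmp` path being created with owner-only permissions for the non-root service user, so whether it inherits a safe mode from packaging or the setup script cannot be checked from the diff. If that directory is used to stage keytab material before it reaches the cache, it needs the same restriction that `ensureAmbariOnlyAccess` applies to cached files, and a one-line comment above the property would make that expectation explicit, e.g. `# must be owned by the user running ambari-server and not readable by others`. The same applies to the matching `server.tmp.dir` hunk in windows/ambari.properties.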
@@ -353,7 +353,6 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
 try {
 keytab.write(cachedKeytabFile);
- ensureAmbariOnlyAccess(cachedKeytabFile);
 } catch (IOException e) {
 String message = String.format("Failed to write the keytab for %s to the cache location (%s)", principal, cachedKeytabFile.getAbsolutePath());
@@ -361,6 +360,8 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
 throw new AmbariException(message, e);
 }
+ ensureAmbariOnlyAccess(cachedKeytabFile);
+
 return cachedKeytabFile;
 }
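Review bot: In the second hunk (`@@ -361`), if the relocated `ensureAmbariOnlyAccess(cachedKeytabFile)` call throws, the keytab that `keytab.write` has already written stays in the cache directory with whatever permissions the failed `set*` calls left behind, and the caller only sees the AmbariException. Since the purpose of the call is to keep keytab contents readable only by the Ambari user, the partially-secured file should be removed before the exception propagates. There is also a window between `keytab.write(cachedKeytabFile)` in the first hunk and the permission change in which the file exists with the process umask; creating it with owner-only permissions before writing would close that, but that is a larger change than this commit. The enclosing method starts and ends outside these hunks.
```java
    // … unchanged: keytab.write(cachedKeytabFile) inside the try/catch …
    try {
      ensureAmbariOnlyAccess(cachedKeytabFile);
    } catch (AmbariException e) {
      // Do not leave a keytab with unverified permissions in the cache.
      if (!cachedKeytabFile.delete()) {
        LOG.warn(String.format("Failed to delete %s after restricting its access failed", cachedKeytabFile.getAbsolutePath()));
      }
      throw e;
    }

    return cachedKeytabFile;
```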
@@ -370,23 +371,31 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
 *
 * @param file the file or directory for which to modify access
 */
- private void ensureAmbariOnlyAccess(File file) {
+ protected void ensureAmbariOnlyAccess(File file) throws AmbariException {
 if (file.exists()) {
 if (!file.setReadable(false, false) || !file.setReadable(true, true)) {
- LOG.warn(String.format("Failed to set %s readable only by Ambari", file.getAbsolutePath()));
+ String message = String.format("Failed to set %s readable only by Ambari", file.getAbsolutePath());
+ LOG.warn(message);
+ throw new AmbariException(message);
 }
 if (!file.setWritable(false, false) || !file.setWritable(true, true)) {
- LOG.warn(String.format("Failed to set %s writable only by Ambari", file.getAbsolutePath()));
+ String message = String.format("Failed to set %s writable only by Ambari", file.getAbsolutePath());
+ LOG.warn(message);
+ throw new AmbariException(message);
 }
 if (file.isDirectory()) {
- if (!file.setExecutable(false, false) && !file.setExecutable(true, true)) {
- LOG.warn(String.format("Failed to set %s executable by Ambari", file.getAbsolutePath()));
+ if (!file.setExecutable(false, false) || !file.setExecutable(true, true)) {
+ String message = String.format("Failed to set %s executable by Ambari", file.getAbsolutePath());
+ LOG.warn(message);
+ throw new AmbariException(message);
 }
 } else {
 if (!file.setExecutable(false, false)) {
- LOG.warn(String.format("Failed to set %s not executable", file.getAbsolutePath()));
+ String message = String.format("Failed to set %s not executable", file.getAbsolutePath());
+ LOG.warn(message);
+ throw new AmbariException(message);
 }
 }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
----------------------------------------------------------------------
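Review bot: Turning every `LOG.warn` into `throw new AmbariException` makes each `set*` failure fatal, and `File.setReadable(false, false)` is documented to return false on file systems that do not implement a read permission, so on Windows (which this same commit still configures through windows/ambari.properties) keytab creation now aborts where it previously only warned; the `&&`-to-`||` correction in the directory branch is right. If that platform is still supported, the method should use `Files.setPosixFilePermissions` where the posix attribute view is available and handle `UnsupportedOperationException` explicitly rather than treating the platform limitation as a permission failure. The Javadoc, which begins outside the hunk, still lists only `@param file` and should gain `@throws AmbariException if the file's permissions could not be restricted to the Ambari user`, plus a sentence noting that the method is a silent no-op when `file.exists()` is false. The method's closing brace is outside the hunk.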
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
new file mode 100644
index 0000000..d2252a9
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.serveraction.kerberos;
+
+import junit.framework.Assert;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.attribute.PosixFilePermission;
+import java.util.Set;
+
+public class CreateKeytabFilesServerActionTest {
+
+ @Rule
+ public TemporaryFolder testFolder = new TemporaryFolder();
+
+ @Test
+ public void testEnsureAmbariOnlyAccess() throws Exception {
+ Path path;
+ Set<PosixFilePermission> permissions;
+
+ File directory = testFolder.newFolder();
+ Assert.assertNotNull(directory);
+
+ new CreateKeytabFilesServerAction().ensureAmbariOnlyAccess(directory);
+
+ // The directory is expected to have the following permissions: rwx------ (700)
+ path = Paths.get(directory.getAbsolutePath());
+ Assert.assertNotNull(path);
+
+ permissions = Files.getPosixFilePermissions(path);
+ Assert.assertNotNull(permissions);
+
+ Assert.assertNotNull(permissions);
+ Assert.assertEquals(3, permissions.size());
+ Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_READ));
+ Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_WRITE));
+ Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_EXECUTE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_READ));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_WRITE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_EXECUTE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_READ));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_WRITE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_EXECUTE));
+
+ File file = File.createTempFile("temp_", "", directory);
+ Assert.assertNotNull(file);
+ Assert.assertTrue(file.exists());
+
+ new CreateKeytabFilesServerAction().ensureAmbariOnlyAccess(file);
+
+ // The file is expected to have the following permissions: rw------- (600)
+ path = Paths.get(file.getAbsolutePath());
+ Assert.assertNotNull(path);
+
+ permissions = Files.getPosixFilePermissions(path);
+ Assert.assertNotNull(permissions);
+
+ Assert.assertEquals(2, permissions.size());
+ Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_READ));
+ Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_WRITE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OWNER_EXECUTE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_READ));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_WRITE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_EXECUTE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_READ));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_WRITE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_EXECUTE));
+ }
+}
\ No newline at end of file
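Review bot: `Files.getPosixFilePermissions` throws `UnsupportedOperationException` on file systems without the posix attribute view, so this test fails rather than skips on Windows; guard it at the top of the method with `Assume.assumeTrue(FileSystems.getDefault().supportedFileAttributeViews().contains("posix"));`. `Assert.assertNotNull(permissions);` is asserted twice in a row after the first `getPosixFilePermissions` call, and the duplicate can be dropped. `junit.framework.Assert` is the JUnit 3 class; `org.junit.Assert` is the JUnit 4 counterpart to the `org.junit` annotations already imported. The test also leaves the new failure mode untested — a file whose permissions cannot be changed must now raise `AmbariException` — as well as the no-op path for a file that does not exist.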
