Repository: ambari Updated Branches: refs/heads/trunk 0f2a90489 -> 2e6d9d61f
AMBARI-10479. Add the ability to enable Kerberos and not manage identities (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/2e6d9d61
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/2e6d9d61
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/2e6d9d61
Branch: refs/heads/trunk
Commit: 2e6d9d61f8b7e11f548b3f12da49edd9d1f8843a
Parents: 0f2a904
Author: Robert Levas <[email protected]>
Authored: Fri Apr 17 17:15:50 2015 -0400
Committer: Robert Levas <[email protected]>
Committed: Fri Apr 17 17:15:56 2015 -0400
----------------------------------------------------------------------
 .../server/controller/KerberosHelper.java | 328 ++++++++---------
 .../1.10.3-10/package/scripts/params.py | 210 ++++++-----
 .../1.10.3-10/package/scripts/service_check.py | 18 +-
 .../server/controller/KerberosHelperTest.java | 364 ++++++++++---------
 4 files changed, 484 insertions(+), 436 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/2e6d9d61/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
index 5cd75bb..1bb0d0f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
@@ -947,6 +947,8 @@ public class KerberosHelper { * Performs operations needed to process Kerberos related tasks to manage a (unique) test identity * on the relevant cluster. * + * If Ambari is not managing Kerberos identities, than this method does nothing. + * * @param cluster the relevant Cluster * @param kerberosDetails a KerberosDetails containing information about relevant Kerberos * configuration 
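Review bot: The added Javadoc sentence has a typo ("than" should be "then") and understates what callers can rely on. In the code hunk that follows, the writes to `commandParameters` and the stage creation all sit inside the new `manageIdentities()` branch, so in the unmanaged case no `principal_name` or `keytab_file` entry is added and no stages are created. I would word it as `If Ambari is not managing Kerberos identities, then this method does nothing: no test identity is created, no stages are added, and commandParameters is left unchanged.` The Javadoc block starts and ends outside this hunk.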
@@ -966,191 +968,193 @@ public class KerberosHelper { Map<String, String> commandParameters, RequestStageContainer requestStageContainer, Handler handler) throws AmbariException, KerberosOperationException { - if (commandParameters == null) { - throw new AmbariException("The properties map must not be null. It is needed to store data related to the service check identity"); - } - - Map<String, Service> services = cluster.getServices(); - - if ((services != null) && !services.isEmpty()) { - String clusterName = cluster.getClusterName(); - Map<String, Host> hosts = clusters.getHostsForCluster(clusterName); - - if ((hosts != null) && !hosts.isEmpty()) { - List<ServiceComponentHost> serviceComponentHostsToProcess = new ArrayList<ServiceComponentHost>(); - KerberosDescriptor kerberosDescriptor = getKerberosDescriptor(cluster); - KerberosIdentityDataFileWriter kerberosIdentityDataFileWriter = null; - Map<String, String> kerberosDescriptorProperties = kerberosDescriptor.getProperties(); - - // While iterating over all the ServiceComponentHosts find hosts that have KERBEROS_CLIENT - // components in the INSTALLED state and add them to the hostsWithValidKerberosClient Set. - // This is needed to help determine which hosts to perform actions for and create tasks for. - Set<String> hostsWithValidKerberosClient = new HashSet<String>(); - - // Create a temporary directory to store metadata needed to complete this task. Information - // such as which principals and keytabs files to create as well as what configurations need - // to be update are stored in data files in this directory. Any keytab files are stored in - // this directory until they are distributed to their appropriate hosts. 
- File dataDirectory = createTemporaryDirectory(); - - // Create the file used to store details about principals and keytabs to create - File identityDataFile = new File(dataDirectory, KerberosIdentityDataFileWriter.DATA_FILE_NAME); - - // Create a special identity for the test user - KerberosIdentityDescriptor identity = new KerberosIdentityDescriptor(new HashMap<String, Object>() { - { - put("principal", - new HashMap<String, Object>() { - { - put("value", "${cluster-env/smokeuser}_${service_check_id}@${realm}"); - put("type", "user"); - } - }); - put("keytab", - new HashMap<String, Object>() { - { - put("file", "${keytab_dir}/kerberos.service_check.${service_check_id}.keytab"); - - put("owner", new HashMap<String, Object>() {{ - put("name", "${cluster-env/smokeuser}"); - put("access", "rw"); - }}); - - put("group", new HashMap<String, Object>() {{ - put("name", "${cluster-env/user_group}"); - put("access", "r"); - }}); - - put("cachable", "false"); - } - }); - } - }); - - // Get or create the unique service check identifier - String serviceCheckId = getKerberosServiceCheckIdentifier(cluster, true); + if(kerberosDetails.manageIdentities()) { + if (commandParameters == null) { + throw new AmbariException("The properties map must not be null. It is needed to store data related to the service check identity"); + } - try { - // Iterate over the hosts in the cluster to find the components installed in each. For each - // component (aka service component host - sch) determine the configuration updates and - // and the principals an keytabs to create. 
- for (Host host : hosts.values()) { - String hostname = host.getHostName(); + Map<String, Service> services = cluster.getServices(); + + if ((services != null) && !services.isEmpty()) { + String clusterName = cluster.getClusterName(); + Map<String, Host> hosts = clusters.getHostsForCluster(clusterName); + + if ((hosts != null) && !hosts.isEmpty()) { + List<ServiceComponentHost> serviceComponentHostsToProcess = new ArrayList<ServiceComponentHost>(); + KerberosDescriptor kerberosDescriptor = getKerberosDescriptor(cluster); + KerberosIdentityDataFileWriter kerberosIdentityDataFileWriter = null; + Map<String, String> kerberosDescriptorProperties = kerberosDescriptor.getProperties(); + + // While iterating over all the ServiceComponentHosts find hosts that have KERBEROS_CLIENT + // components in the INSTALLED state and add them to the hostsWithValidKerberosClient Set. + // This is needed to help determine which hosts to perform actions for and create tasks for. + Set<String> hostsWithValidKerberosClient = new HashSet<String>(); + + // Create a temporary directory to store metadata needed to complete this task. Information + // such as which principals and keytabs files to create as well as what configurations need + // to be update are stored in data files in this directory. Any keytab files are stored in + // this directory until they are distributed to their appropriate hosts. 
+ File dataDirectory = createTemporaryDirectory(); + + // Create the file used to store details about principals and keytabs to create + File identityDataFile = new File(dataDirectory, KerberosIdentityDataFileWriter.DATA_FILE_NAME); + + // Create a special identity for the test user + KerberosIdentityDescriptor identity = new KerberosIdentityDescriptor(new HashMap<String, Object>() { + { + put("principal", + new HashMap<String, Object>() { + { + put("value", "${cluster-env/smokeuser}_${service_check_id}@${realm}"); + put("type", "user"); + } + }); + put("keytab", + new HashMap<String, Object>() { + { + put("file", "${keytab_dir}/kerberos.service_check.${service_check_id}.keytab"); + + put("owner", new HashMap<String, Object>() {{ + put("name", "${cluster-env/smokeuser}"); + put("access", "rw"); + }}); + + put("group", new HashMap<String, Object>() {{ + put("name", "${cluster-env/user_group}"); + put("access", "r"); + }}); + + put("cachable", "false"); + } + }); + } + }); - // Get a list of components on the current host - List<ServiceComponentHost> serviceComponentHosts = cluster.getServiceComponentHosts(hostname); + // Get or create the unique service check identifier + String serviceCheckId = getKerberosServiceCheckIdentifier(cluster, true); - if ((serviceComponentHosts != null) && !serviceComponentHosts.isEmpty()) { - // Calculate the current host-specific configurations. These will be used to replace - // variables within the Kerberos descriptor data - Map<String, Map<String, String>> configurations = calculateConfigurations(cluster, hostname, kerberosDescriptorProperties); - - // Set the unique service check identifier - configurations.get("").put("service_check_id", serviceCheckId); + try { + // Iterate over the hosts in the cluster to find the components installed in each. For each + // component (aka service component host - sch) determine the configuration updates and + // and the principals an keytabs to create. 
+ for (Host host : hosts.values()) { + String hostname = host.getHostName(); + + // Get a list of components on the current host + List<ServiceComponentHost> serviceComponentHosts = cluster.getServiceComponentHosts(hostname); + + if ((serviceComponentHosts != null) && !serviceComponentHosts.isEmpty()) { + // Calculate the current host-specific configurations. These will be used to replace + // variables within the Kerberos descriptor data + Map<String, Map<String, String>> configurations = calculateConfigurations(cluster, hostname, kerberosDescriptorProperties); + + // Set the unique service check identifier + configurations.get("").put("service_check_id", serviceCheckId); + + // Iterate over the components installed on the current host to get the service and + // component-level Kerberos descriptors in order to determine which principals, + // keytab files, and configurations need to be created or updated. + for (ServiceComponentHost sch : serviceComponentHosts) { + String serviceName = sch.getServiceName(); + String componentName = sch.getServiceComponentName(); + + // If the current ServiceComponentHost represents the KERBEROS/KERBEROS_CLIENT and + // indicates that the KERBEROS_CLIENT component is in the INSTALLED state, add the + // current host to the set of hosts that should be handled... + if (Service.Type.KERBEROS.name().equals(serviceName) && + Role.KERBEROS_CLIENT.name().equals(componentName) && + (sch.getState() == State.INSTALLED)) { + hostsWithValidKerberosClient.add(hostname); - // Iterate over the components installed on the current host to get the service and - // component-level Kerberos descriptors in order to determine which principals, - // keytab files, and configurations need to be created or updated. 
- for (ServiceComponentHost sch : serviceComponentHosts) { - String serviceName = sch.getServiceName(); - String componentName = sch.getServiceComponentName(); + int identitiesAdded = 0; - // If the current ServiceComponentHost represents the KERBEROS/KERBEROS_CLIENT and - // indicates that the KERBEROS_CLIENT component is in the INSTALLED state, add the - // current host to the set of hosts that should be handled... - if (Service.Type.KERBEROS.name().equals(serviceName) && - Role.KERBEROS_CLIENT.name().equals(componentName) && - (sch.getState() == State.INSTALLED)) { - hostsWithValidKerberosClient.add(hostname); + // Lazily create the KerberosIdentityDataFileWriter instance... + if (kerberosIdentityDataFileWriter == null) { + kerberosIdentityDataFileWriter = kerberosIdentityDataFileWriterFactory.createKerberosIdentityDataFileWriter(identityDataFile); + } - int identitiesAdded = 0; + // Add service-level principals (and keytabs) + identitiesAdded += addIdentities(kerberosIdentityDataFileWriter, Collections.singleton(identity), + null, hostname, serviceName, componentName, null, configurations); - // Lazily create the KerberosIdentityDataFileWriter instance... 
- if (kerberosIdentityDataFileWriter == null) { - kerberosIdentityDataFileWriter = kerberosIdentityDataFileWriterFactory.createKerberosIdentityDataFileWriter(identityDataFile); - } + if (identitiesAdded > 0) { + // Add the relevant principal name and keytab file data to the command params state + if (!commandParameters.containsKey("principal_name") || !commandParameters.containsKey("keytab_file")) { + commandParameters.put("principal_name", + KerberosDescriptor.replaceVariables(identity.getPrincipalDescriptor().getValue(), configurations)); + commandParameters.put("keytab_file", + KerberosDescriptor.replaceVariables(identity.getKeytabDescriptor().getFile(), configurations)); + } - // Add service-level principals (and keytabs) - identitiesAdded += addIdentities(kerberosIdentityDataFileWriter, Collections.singleton(identity), - null, hostname, serviceName, componentName, null, configurations); - - if (identitiesAdded > 0) { - // Add the relevant principal name and keytab file data to the command params state - if (!commandParameters.containsKey("principal_name") || !commandParameters.containsKey("keytab_file")) { - commandParameters.put("principal_name", - KerberosDescriptor.replaceVariables(identity.getPrincipalDescriptor().getValue(), configurations)); - commandParameters.put("keytab_file", - KerberosDescriptor.replaceVariables(identity.getKeytabDescriptor().getFile(), configurations)); + serviceComponentHostsToProcess.add(sch); } - - serviceComponentHostsToProcess.add(sch); } } } } - } - } catch (IOException e) { - String message = String.format("Failed to write index file - %s", identityDataFile.getAbsolutePath()); - LOG.error(message); - throw new AmbariException(message, e); - } finally { - if (kerberosIdentityDataFileWriter != null) { - // Make sure the data file is closed - try { - kerberosIdentityDataFileWriter.close(); - } catch (IOException e) { - LOG.warn("Failed to close the index file writer", e); + } catch (IOException e) { + String message = 
String.format("Failed to write index file - %s", identityDataFile.getAbsolutePath()); + LOG.error(message); + throw new AmbariException(message, e); + } finally { + if (kerberosIdentityDataFileWriter != null) { + // Make sure the data file is closed + try { + kerberosIdentityDataFileWriter.close(); + } catch (IOException e) { + LOG.warn("Failed to close the index file writer", e); + } } } - } - // If there are ServiceComponentHosts to process, make sure the administrator credentials - // are available - if (!serviceComponentHostsToProcess.isEmpty()) { - try { - validateKDCCredentials(kerberosDetails, cluster); - } catch (KerberosOperationException e) { + // If there are ServiceComponentHosts to process, make sure the administrator credentials + // are available + if (!serviceComponentHostsToProcess.isEmpty()) { try { - FileUtils.deleteDirectory(dataDirectory); - } catch (Throwable t) { - LOG.warn(String.format("The data directory (%s) was not deleted due to an error condition - {%s}", - dataDirectory.getAbsolutePath(), t.getMessage()), t); + validateKDCCredentials(kerberosDetails, cluster); + } catch (KerberosOperationException e) { + try { + FileUtils.deleteDirectory(dataDirectory); + } catch (Throwable t) { + LOG.warn(String.format("The data directory (%s) was not deleted due to an error condition - {%s}", + dataDirectory.getAbsolutePath(), t.getMessage()), t); + } + + throw e; } + } - throw e; + // Always set up the necessary stages to perform the tasks needed to complete the operation. + // Some stages may be no-ops, this is expected. + // Gather data needed to create stages and tasks... 
+ Map<String, Set<String>> clusterHostInfo = StageUtils.getClusterHostInfo(hosts, cluster); + String clusterHostInfoJson = StageUtils.getGson().toJson(clusterHostInfo); + Map<String, String> hostParams = customCommandExecutionHelper.createDefaultHostParams(cluster); + String hostParamsJson = StageUtils.getGson().toJson(hostParams); + String ambariServerHostname = StageUtils.getHostName(); + ServiceComponentHostServerActionEvent event = new ServiceComponentHostServerActionEvent( + "AMBARI_SERVER", + ambariServerHostname, // TODO: Choose a random hostname from the cluster. All tasks for the AMBARI_SERVER service will be executed on this Ambari server + System.currentTimeMillis()); + RoleCommandOrder roleCommandOrder = ambariManagementController.getRoleCommandOrder(cluster); + + // If a RequestStageContainer does not already exist, create a new one... + if (requestStageContainer == null) { + requestStageContainer = new RequestStageContainer( + actionManager.getNextRequestId(), + null, + requestFactory, + actionManager); } - } - // Always set up the necessary stages to perform the tasks needed to complete the operation. - // Some stages may be no-ops, this is expected. - // Gather data needed to create stages and tasks... - Map<String, Set<String>> clusterHostInfo = StageUtils.getClusterHostInfo(hosts, cluster); - String clusterHostInfoJson = StageUtils.getGson().toJson(clusterHostInfo); - Map<String, String> hostParams = customCommandExecutionHelper.createDefaultHostParams(cluster); - String hostParamsJson = StageUtils.getGson().toJson(hostParams); - String ambariServerHostname = StageUtils.getHostName(); - ServiceComponentHostServerActionEvent event = new ServiceComponentHostServerActionEvent( - "AMBARI_SERVER", - ambariServerHostname, // TODO: Choose a random hostname from the cluster. 
All tasks for the AMBARI_SERVER service will be executed on this Ambari server - System.currentTimeMillis()); - RoleCommandOrder roleCommandOrder = ambariManagementController.getRoleCommandOrder(cluster); + // Use the handler implementation to setup the relevant stages. + handler.createStages(cluster, hosts, Collections.<String, Map<String, String>>emptyMap(), + clusterHostInfoJson, hostParamsJson, event, roleCommandOrder, kerberosDetails, + dataDirectory, requestStageContainer, serviceComponentHostsToProcess, hostsWithValidKerberosClient); - // If a RequestStageContainer does not already exist, create a new one... - if (requestStageContainer == null) { - requestStageContainer = new RequestStageContainer( - actionManager.getNextRequestId(), - null, - requestFactory, - actionManager); + handler.addFinalizeOperationStage(cluster, clusterHostInfoJson, hostParamsJson, event, + dataDirectory, roleCommandOrder, requestStageContainer); } - - // Use the handler implementation to setup the relevant stages. - handler.createStages(cluster, hosts, Collections.<String, Map<String, String>>emptyMap(), - clusterHostInfoJson, hostParamsJson, event, roleCommandOrder, kerberosDetails, - dataDirectory, requestStageContainer, serviceComponentHostsToProcess, hostsWithValidKerberosClient); - - handler.addFinalizeOperationStage(cluster, clusterHostInfoJson, hostParamsJson, event, - dataDirectory, roleCommandOrder, requestStageContainer); } } http://git-wip-us.apache.org/repos/asf/ambari/blob/2e6d9d61/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py index 5482f6c..fa5dd18 100644 
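Review bot: The temporary `dataDirectory` is deleted only in the `KerberosOperationException` handler around `validateKDCCredentials`; the `catch (IOException e)` branch before it rethrows as `AmbariException` and leaves the directory in place. The method's own comment says this directory holds the principal and keytab metadata, and keytab files until they are distributed, so a failed write leaves that material on the Ambari server's disk with nothing scheduled to remove it. The same `FileUtils.deleteDirectory(dataDirectory)` cleanup used in the `KerberosOperationException` handler should run in the `IOException` branch before `throw new AmbariException(message, e);`. An `AmbariException` raised inside the host loop, for example from `calculateConfigurations` or `addIdentities`, would presumably need it too. The method signature and its closing lines are outside this hunk.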
--- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py @@ -41,11 +41,9 @@ kadm5_acl_path = kadm5_acl_dir + '/' + kadm5_acl_file config = Script.get_config() tmp_dir = Script.get_tmp_dir() -command_params = None configurations = None keytab_details = None default_group = None -cluster_env = None kdc_server_host = None cluster_host_info = None 
@@ -59,35 +57,13 @@ krb5kdc_pid_path = '/var/run/krb5kdc.pid' smoke_test_principal = None smoke_test_keytab_file = None -smoke_user = config['configurations']['cluster-env']['smokeuser'] - -# If a test keytab file is available, simply use it +smoke_user = 'ambari-qa' +manage_identities = 'true' if config is not None: - command_params = get_property_value(config, 'commandParams') - if command_params is not None: - keytab_details = get_unstructured_data(command_params, 'keytab') - smoke_test_principal = get_property_value(command_params, 'principal_name', None, True, None) - smoke_test_keytab_file = get_property_value(command_params, 'keytab_file', None, True, None) - kerberos_command_params = get_property_value(config, 'kerberosCommandParams') - configurations = get_property_value(config, 'configurations') - if configurations is not None: - cluster_env = get_property_value(configurations, 'cluster-env') - - if cluster_env is not None: - if smoke_test_principal is None: - smoke_test_principal = get_property_value(cluster_env, 'smokeuser_principal_name', None, True, None) - if smoke_test_keytab_file is None: - smoke_test_keytab_file = get_property_value(cluster_env, 'smokeuser_keytab', None, True, None) - - default_group = get_property_value(cluster_env, 'user_group') - - if default_group is None: - default_group = get_property_value(cluster_env, 'user-group') - cluster_host_info = get_property_value(config, 'clusterHostInfo') if cluster_host_info is not None: kdc_server_hosts = get_property_value(cluster_host_info, 'kdc_server_hosts') 
@@ -95,93 +71,111 @@ if config is not None: if (kdc_server_hosts is not None) and (len(kdc_server_hosts) > 0): kdc_server_host = kdc_server_hosts[0] - # ################################################################################################ - # Get krb5.conf template data - # ################################################################################################ - realm = 'EXAMPLE.COM' - domains = '' - kdc_host = 'localhost' - admin_server_host = None - admin_principal = None - admin_password = None - admin_keytab = None - test_principal = None - test_password = None - test_keytab = None - test_keytab_file = None - encryption_types = None - manage_krb5_conf = "true" - krb5_conf_template = None - - krb5_conf_data = get_property_value(configurations, 'krb5-conf') - - kerberos_env = get_property_value(configurations, "kerberos-env") - - if kerberos_env is not None: - encryption_types = get_property_value(kerberos_env, "encryption_types", None, True, None) - realm = get_property_value(kerberos_env, "realm", None, True, None) - kdc_host = get_property_value(kerberos_env, 'kdc_host', kdc_host) - admin_server_host = get_property_value(kerberos_env, 'admin_server_host', admin_server_host) - - if krb5_conf_data is not None: - realm = get_property_value(krb5_conf_data, 'realm', realm) - domains = get_property_value(krb5_conf_data, 'domains', domains) - - admin_principal = get_property_value(krb5_conf_data, 'admin_principal', admin_principal, True, - None) - admin_password = get_property_value(krb5_conf_data, 'admin_password', admin_password, True, - None) - admin_keytab = get_property_value(krb5_conf_data, 'admin_keytab', admin_keytab, True, None) - - test_principal = get_property_value(krb5_conf_data, 'test_principal', test_principal, True, - None) - test_password = get_property_value(krb5_conf_data, 'test_password', test_password, True, None) - test_keytab = get_property_value(krb5_conf_data, 'test_keytab', test_keytab, True, None) - test_keytab_file = 
get_property_value(krb5_conf_data, 'test_keytab_file', test_keytab_file, - True, None) - - krb5_conf_template = get_property_value(krb5_conf_data, 'content', krb5_conf_template) - krb5_conf_dir = get_property_value(krb5_conf_data, 'conf_dir', krb5_conf_dir) - krb5_conf_file = get_property_value(krb5_conf_data, 'conf_file', krb5_conf_file) - krb5_conf_path = krb5_conf_dir + '/' + krb5_conf_file - - manage_krb5_conf = get_property_value(krb5_conf_data, 'manage_krb5_conf', - "true") - - - # ################################################################################################ - # Get kdc.conf template data - # ################################################################################################ - kdcdefaults_kdc_ports = "88" - kdcdefaults_kdc_tcp_ports = "88" + configurations = get_property_value(config, 'configurations') + if configurations is not None: + cluster_env = get_property_value(configurations, 'cluster-env') - kdc_conf_template = None + if cluster_env is not None: + smoke_test_principal = get_property_value(cluster_env, 'smokeuser_principal_name', None, True, None) + smoke_test_keytab_file = get_property_value(cluster_env, 'smokeuser_keytab', None, True, None) + smoke_user = get_property_value(cluster_env, 'smokeuser', smoke_user, True, smoke_user) - kdc_conf_data = get_property_value(configurations, 'kdc-conf') + default_group = get_property_value(cluster_env, 'user_group') - if kdc_conf_data is not None: - kdcdefaults_kdc_ports = get_property_value(kdc_conf_data, 'kdcdefaults_kdc_ports', - kdcdefaults_kdc_ports) - kdcdefaults_kdc_tcp_ports = get_property_value(kdc_conf_data, 'kdcdefaults_kdc_tcp_ports', - kdcdefaults_kdc_tcp_ports) + if default_group is None: + default_group = get_property_value(cluster_env, 'user-group') - kdc_conf_template = get_property_value(kdc_conf_data, 'content', kdc_conf_template) - kdc_conf_dir = get_property_value(kdc_conf_data, 'conf_dir', kdc_conf_dir) - kdc_conf_file = get_property_value(kdc_conf_data, 
'conf_file', kdc_conf_file) - kdc_conf_path = kdc_conf_dir + '/' + kdc_conf_file + # ############################################################################################## + # Get krb5.conf template data + # ############################################################################################## + realm = 'EXAMPLE.COM' + domains = '' + kdc_host = 'localhost' + admin_server_host = None + admin_principal = None + admin_password = None + admin_keytab = None + test_principal = None + test_password = None + test_keytab = None + test_keytab_file = None + encryption_types = None + manage_krb5_conf = "true" + krb5_conf_template = None + + krb5_conf_data = get_property_value(configurations, 'krb5-conf') + + kerberos_env = get_property_value(configurations, "kerberos-env") + + if kerberos_env is not None: + manage_identities = get_property_value(kerberos_env, "manage_identities", "true", True, "true") + encryption_types = get_property_value(kerberos_env, "encryption_types", None, True, None) + realm = get_property_value(kerberos_env, "realm", None, True, None) + kdc_host = get_property_value(kerberos_env, 'kdc_host', kdc_host) + admin_server_host = get_property_value(kerberos_env, 'admin_server_host', admin_server_host) + + if krb5_conf_data is not None: + realm = get_property_value(krb5_conf_data, 'realm', realm) + domains = get_property_value(krb5_conf_data, 'domains', domains) + + admin_principal = get_property_value(krb5_conf_data, 'admin_principal', admin_principal, True, None) + admin_password = get_property_value(krb5_conf_data, 'admin_password', admin_password, True, None) + admin_keytab = get_property_value(krb5_conf_data, 'admin_keytab', admin_keytab, True, None) + + test_principal = get_property_value(krb5_conf_data, 'test_principal', test_principal, True, None) + test_password = get_property_value(krb5_conf_data, 'test_password', test_password, True, None) + test_keytab = get_property_value(krb5_conf_data, 'test_keytab', test_keytab, True, None) + 
test_keytab_file = get_property_value(krb5_conf_data, 'test_keytab_file', test_keytab_file, True, None) + + krb5_conf_template = get_property_value(krb5_conf_data, 'content', krb5_conf_template) + krb5_conf_dir = get_property_value(krb5_conf_data, 'conf_dir', krb5_conf_dir) + krb5_conf_file = get_property_value(krb5_conf_data, 'conf_file', krb5_conf_file) + krb5_conf_path = krb5_conf_dir + '/' + krb5_conf_file + + manage_krb5_conf = get_property_value(krb5_conf_data, 'manage_krb5_conf', "true") + + # ############################################################################################## + # Get kdc.conf template data + # ############################################################################################## + kdcdefaults_kdc_ports = "88" + kdcdefaults_kdc_tcp_ports = "88" + + kdc_conf_template = None + + kdc_conf_data = get_property_value(configurations, 'kdc-conf') + + if kdc_conf_data is not None: + kdcdefaults_kdc_ports = get_property_value(kdc_conf_data, 'kdcdefaults_kdc_ports', kdcdefaults_kdc_ports) + kdcdefaults_kdc_tcp_ports = get_property_value(kdc_conf_data, 'kdcdefaults_kdc_tcp_ports', kdcdefaults_kdc_tcp_ports) + + kdc_conf_template = get_property_value(kdc_conf_data, 'content', kdc_conf_template) + kdc_conf_dir = get_property_value(kdc_conf_data, 'conf_dir', kdc_conf_dir) + kdc_conf_file = get_property_value(kdc_conf_data, 'conf_file', kdc_conf_file) + kdc_conf_path = kdc_conf_dir + '/' + kdc_conf_file + + # ############################################################################################## + # Get kadm5.acl template data + # ############################################################################################## + kdcdefaults_kdc_ports = '88' + kdcdefaults_kdc_tcp_ports = '88' + + kadm5_acl_template = None + + kadm5_acl_data = get_property_value(configurations, 'kadm5-acl') + + if kadm5_acl_data is not None: + kadm5_acl_template = get_property_value(kadm5_acl_data, 'content', kadm5_acl_template) + kadm5_acl_dir = 
get_property_value(kadm5_acl_data, 'conf_dir', kadm5_acl_dir) + kadm5_acl_file = get_property_value(kadm5_acl_data, 'conf_file', kadm5_acl_file) + kadm5_acl_path = kadm5_acl_dir + '/' + kadm5_acl_file # ################################################################################################ - # Get kadm5.acl template data + # Get commandParams # ################################################################################################ - kdcdefaults_kdc_ports = '88' - kdcdefaults_kdc_tcp_ports = '88' - - kadm5_acl_template = None - - kadm5_acl_data = get_property_value(configurations, 'kadm5-acl') + command_params = get_property_value(config, 'commandParams') + if command_params is not None: + keytab_details = get_unstructured_data(command_params, 'keytab') - if kadm5_acl_data is not None: - kadm5_acl_template = get_property_value(kadm5_acl_data, 'content', kadm5_acl_template) - kadm5_acl_dir = get_property_value(kadm5_acl_data, 'conf_dir', kadm5_acl_dir) - kadm5_acl_file = get_property_value(kadm5_acl_data, 'conf_file', kadm5_acl_file) - kadm5_acl_path = kadm5_acl_dir + '/' + kadm5_acl_file + if manage_identities: + smoke_test_principal = get_property_value(command_params, 'principal_name', smoke_test_principal) + smoke_test_keytab_file = get_property_value(command_params, 'keytab_file', smoke_test_keytab_file) http://git-wip-us.apache.org/repos/asf/ambari/blob/2e6d9d61/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py index b8cb384..412d12d 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py 
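Review bot: `manage_identities` is held as a string (module default `'true'` from the previous hunk, then whatever `get_property_value(kerberos_env, "manage_identities", "true", True, "true")` returns), but it is tested by truthiness in `if manage_identities:` at the end of this hunk and in `elif params.manage_identities:` in the service_check.py hunk. Unless `get_property_value` converts to a boolean, which is not visible here, a configured value of `"false"` is a non-empty string and still evaluates as true, so the unmanaged-identities path is never taken and the service check still raises `Fail`. Normalising once at assignment avoids that: `manage_identities = str(get_property_value(kerberos_env, "manage_identities", "true", True, "true")).strip().lower() == "true"`, with the module default changed to `manage_identities = True`.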
+++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py @@ -37,6 +37,16 @@ class KerberosServiceCheck(KerberosScript): def service_check(self, env): import params + # If Ambari IS managing Kerberos identities (kerberos-env/manage_identities = true), it is + # expected that a (smoke) test principal and its associated keytab file is available for use + # ** If not available, this service check will fail + # ** If available, this service check will execute + # + # If Ambari IS NOT managing Kerberos identities (kerberos-env/manage_identities = false), the + # smoke test principal and its associated keytab file may not be available + # ** If not available, this service check will execute + # ** If available, this service check will execute + if ((params.smoke_test_principal is not None) and (params.smoke_test_keytab_file is not None) and os.path.isfile(params.smoke_test_keytab_file)): 
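Review bot: The added comment says that when identities are not managed and the smoke test keytab is not available "this service check will execute", but the `else` branch added in the next hunk prints "Skipping this service check" and returns without running kinit. The comment should match the code, e.g. `# ** If not available, this service check is skipped and returns without testing kinit`. That distinction matters to operators, because a service check that does not fail in this mode is no evidence that Kerberos authentication works on the host.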
@@ -54,9 +64,15 @@ class KerberosServiceCheck(KerberosScript): finally: if os.path.isfile(ccache_file_path): # Since kinit might fail to write to the cache file for various reasons, an existence check should be done before cleanup os.remove(ccache_file_path) - else: + elif params.manage_identities: err_msg = Logger.filter_text("Failed to execute kinit test due to principal or keytab not found or available") raise Fail(err_msg) + else: + # Ambari is not managing identities so if the smoke user does not exist, indicate why.... + print "Skipping this service check since Ambari is not managing Kerberos identities and the smoke user " \ + "credentials are not available. To execute this service check, the smoke user principal name " \ + "and keytab file location must be set in the cluster_env and the smoke user's keytab file must" \ + "exist in the configured location." if __name__ == "__main__": KerberosServiceCheck().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/2e6d9d61/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java index ee11ee7..1cc9637 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 
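Review bot: The skip message in the new `else` branch is written with a bare `print`, and its last two string fragments join without a space, producing "keytab file mustexist". It also refers to `cluster_env`, while the configuration type used elsewhere in this commit is `cluster-env`. I would send the message through the `Logger` this method already uses for the failure text, and change the fragment to `"and keytab file location must be set in cluster-env and the smoke user's keytab file must " \`. The `service_check` method starts outside this hunk.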
@@ -377,13 +377,33 @@ public class KerberosHelperTest extends EasyMockSupport { } @Test - public void testCreateTestIdentity() throws Exception { - testCreateTestIdentity(new KerberosCredential("principal", "password", "keytab")); + public void testCreateTestIdentity_ManageIdentitiesDefault() throws Exception { + testCreateTestIdentity(new KerberosCredential("principal", "password", "keytab"), null); } - @Test (expected = KerberosMissingAdminCredentialsException.class) - public void testCreateTestIdentityNoCredentials() throws Exception { - testCreateTestIdentity(null); + @Test + public void testCreateTestIdentity_ManageIdentitiesTrue() throws Exception { + testCreateTestIdentity(new KerberosCredential("principal", "password", "keytab"), Boolean.TRUE); + } + + @Test + public void testCreateTestIdentity_ManageIdentitiesFalse() throws Exception { + testCreateTestIdentity(new KerberosCredential("principal", "password", "keytab"), Boolean.FALSE); + } + + @Test(expected = KerberosMissingAdminCredentialsException.class) + public void testCreateTestIdentityNoCredentials_ManageIdentitiesDefault() throws Exception { + testCreateTestIdentity(null, null); + } + + @Test(expected = KerberosMissingAdminCredentialsException.class) + public void testCreateTestIdentityNoCredentials_ManageIdentitiesTrue() throws Exception { + testCreateTestIdentity(null, Boolean.TRUE); + } + + @Test + public void testCreateTestIdentityNoCredentials_ManageIdentitiesFalse() throws Exception { + testCreateTestIdentity(null, Boolean.FALSE); } @Test 
@@ -2025,59 +2045,20 @@ public class KerberosHelperTest extends EasyMockSupport { verifyAll(); } - private void testCreateTestIdentity(final KerberosCredential kerberosCredential) throws Exception { + private void testCreateTestIdentity(final KerberosCredential kerberosCredential, Boolean manageIdentities) throws Exception { KerberosHelper kerberosHelper = injector.getInstance(KerberosHelper.class); - - final ServiceComponentHost schKerberosClient = createMock(ServiceComponentHost.class); - expect(schKerberosClient.getServiceName()).andReturn(Service.Type.KERBEROS.name()).anyTimes(); - expect(schKerberosClient.getServiceComponentName()).andReturn(Role.KERBEROS_CLIENT.name()).anyTimes(); - expect(schKerberosClient.getHostName()).andReturn("host1").anyTimes(); - expect(schKerberosClient.getState()).andReturn(State.INSTALLED).anyTimes(); - - final ServiceComponentHost sch1 = createMock(ServiceComponentHost.class); - expect(sch1.getServiceName()).andReturn("SERVICE1").anyTimes(); - expect(sch1.getServiceComponentName()).andReturn("COMPONENT1").anyTimes(); - expect(sch1.getHostName()).andReturn("host1").anyTimes(); - - final ServiceComponentHost sch2 = createStrictMock(ServiceComponentHost.class); - expect(sch2.getServiceName()).andReturn("SERVICE2").anyTimes(); - expect(sch2.getServiceComponentName()).andReturn("COMPONENT3").anyTimes(); - - final ServiceComponentHost sch3 = createStrictMock(ServiceComponentHost.class); - expect(sch3.getServiceName()).andReturn("SERVICE3").anyTimes(); - expect(sch3.getServiceComponentName()).andReturn("COMPONENT3").anyTimes(); - expect(sch3.getHostName()).andReturn("host1").anyTimes(); - - final Host host = createNiceMock(Host.class); - expect(host.getHostName()).andReturn("host1").anyTimes(); - expect(host.getState()).andReturn(HostState.HEALTHY).anyTimes(); - - final ServiceComponent serviceComponentKerberosClient = createNiceMock(ServiceComponent.class); - 
expect(serviceComponentKerberosClient.getName()).andReturn(Role.KERBEROS_CLIENT.name()).anyTimes(); - expect(serviceComponentKerberosClient.getServiceComponentHosts()).andReturn(Collections.singletonMap("host1", schKerberosClient)).anyTimes(); - - final Service serviceKerberos = createStrictMock(Service.class); - expect(serviceKerberos.getName()).andReturn(Service.Type.KERBEROS.name()).anyTimes(); - expect(serviceKerberos.getServiceComponents()) - .andReturn(Collections.singletonMap(Role.KERBEROS_CLIENT.name(), serviceComponentKerberosClient)) - .times(2); - - final Service service1 = createStrictMock(Service.class); - expect(service1.getName()).andReturn("SERVICE1").anyTimes(); - expect(service1.getServiceComponents()) - .andReturn(Collections.<String, ServiceComponent>emptyMap()) - .times(2); - - final Service service2 = createStrictMock(Service.class); - expect(service2.getName()).andReturn("SERVICE2").anyTimes(); - expect(service2.getServiceComponents()) - .andReturn(Collections.<String, ServiceComponent>emptyMap()) - .times(2); + boolean managingIdentities = !Boolean.FALSE.equals(manageIdentities); final Map<String, String> kerberosEnvProperties = createNiceMock(Map.class); expect(kerberosEnvProperties.get("kdc_type")).andReturn("mit-kdc").anyTimes(); expect(kerberosEnvProperties.get("realm")).andReturn("FOOBAR.COM").anyTimes(); + if (manageIdentities != null) { + expect(kerberosEnvProperties.get("manage_identities")) + .andReturn((manageIdentities) ? "true" : "false") + .anyTimes(); + } + final Config kerberosEnvConfig = createNiceMock(Config.class); expect(kerberosEnvConfig.getProperties()).andReturn(kerberosEnvProperties).anyTimes(); 
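Review bot: The new parameter `manageIdentities` (a tri-state `Boolean`) and the local `managingIdentities` differ by three letters and carry different meanings, which makes the later `if` conditions easy to misread. The `null` case is the one that deserves a comment, since it is the only path covering a `kerberos-env` with no `manage_identities` property. I would add `// null = manage_identities absent from kerberos-env; absent must behave like "true"` above the `boolean managingIdentities` line, and consider renaming the local to something like `expectIdentityStages`. The method body continues past the end of this hunk.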
@@ -2096,120 +2077,171 @@ public class KerberosHelperTest extends EasyMockSupport { final Cluster cluster = createNiceMock(Cluster.class); expect(cluster.getDesiredConfigByType("krb5-conf")).andReturn(krb5ConfConfig).anyTimes(); expect(cluster.getDesiredConfigByType("kerberos-env")).andReturn(kerberosEnvConfig).anyTimes(); - expect(cluster.getClusterName()).andReturn("c1").anyTimes(); - expect(cluster.getServices()) - .andReturn(new HashMap<String, Service>() { - { - put(Service.Type.KERBEROS.name(), serviceKerberos); - put("SERVICE1", service1); - put("SERVICE2", service2); - } - }) - .anyTimes(); - expect(cluster.getServiceComponentHosts("host1")) - .andReturn(new ArrayList<ServiceComponentHost>() { - { - add(sch1); - add(sch2); - add(sch3); - add(schKerberosClient); - } - }) - .once(); - expect(cluster.getCurrentStackVersion()) - .andReturn(new StackId("HDP", "2.2")) - .anyTimes(); - expect(cluster.getSessionAttributes()).andReturn(attributeMap).anyTimes(); - cluster.setSessionAttribute(anyObject(String.class), anyObject()); - expectLastCall().andAnswer(new IAnswer<Object>() { - @Override - public Object answer() throws Throwable { - Object[] args = getCurrentArguments(); - attributeMap.put((String) args[0], args[1]); - return null; - } - }).anyTimes(); - - final Clusters clusters = injector.getInstance(Clusters.class); - expect(clusters.getHostsForCluster("c1")) - .andReturn(new HashMap<String, Host>() { - { - put("host1", host); - } - }) - .once(); - expect(clusters.getHost("host1")) - .andReturn(host) - .once(); - - final AmbariManagementController ambariManagementController = injector.getInstance(AmbariManagementController.class); - expect(ambariManagementController.findConfigurationTagsWithOverrides(cluster, "host1")) - .andReturn(Collections.<String, Map<String, String>>emptyMap()) - .once(); - expect(ambariManagementController.findConfigurationTagsWithOverrides(cluster, null)) - .andReturn(Collections.<String, Map<String, String>>emptyMap()) - .once(); - 
expect(ambariManagementController.getRoleCommandOrder(cluster)) - .andReturn(createNiceMock(RoleCommandOrder.class)) - .once(); + // This is a STRICT mock to help ensure that the end result is what we want. + final RequestStageContainer requestStageContainer = createStrictMock(RequestStageContainer.class); - final ConfigHelper configHelper = injector.getInstance(ConfigHelper.class); - expect(configHelper.getEffectiveConfigProperties(anyObject(Cluster.class), anyObject(Map.class))) - .andReturn(new HashMap<String, Map<String, String>>() { - { - put("cluster-env", new HashMap<String, String>() {{ - put("kerberos_domain", "FOOBAR.COM"); - }}); - } - }) - .times(1); + if(managingIdentities) { + final Host host = createNiceMock(Host.class); + expect(host.getHostName()).andReturn("host1").anyTimes(); + expect(host.getState()).andReturn(HostState.HEALTHY).anyTimes(); + + final ServiceComponentHost schKerberosClient = createMock(ServiceComponentHost.class); + expect(schKerberosClient.getServiceName()).andReturn(Service.Type.KERBEROS.name()).anyTimes(); + expect(schKerberosClient.getServiceComponentName()).andReturn(Role.KERBEROS_CLIENT.name()).anyTimes(); + expect(schKerberosClient.getHostName()).andReturn("host1").anyTimes(); + expect(schKerberosClient.getState()).andReturn(State.INSTALLED).anyTimes(); + + final ServiceComponentHost sch1 = createMock(ServiceComponentHost.class); + expect(sch1.getServiceName()).andReturn("SERVICE1").anyTimes(); + expect(sch1.getServiceComponentName()).andReturn("COMPONENT1").anyTimes(); + expect(sch1.getHostName()).andReturn("host1").anyTimes(); + + final ServiceComponentHost sch2 = createStrictMock(ServiceComponentHost.class); + expect(sch2.getServiceName()).andReturn("SERVICE2").anyTimes(); + expect(sch2.getServiceComponentName()).andReturn("COMPONENT3").anyTimes(); + + final ServiceComponentHost sch3 = createStrictMock(ServiceComponentHost.class); + expect(sch3.getServiceName()).andReturn("SERVICE3").anyTimes(); + 
expect(sch3.getServiceComponentName()).andReturn("COMPONENT3").anyTimes(); + expect(sch3.getHostName()).andReturn("host1").anyTimes(); + + final ServiceComponent serviceComponentKerberosClient = createNiceMock(ServiceComponent.class); + expect(serviceComponentKerberosClient.getName()).andReturn(Role.KERBEROS_CLIENT.name()).anyTimes(); + expect(serviceComponentKerberosClient.getServiceComponentHosts()).andReturn(Collections.singletonMap("host1", schKerberosClient)).anyTimes(); + + final Service serviceKerberos = createStrictMock(Service.class); + expect(serviceKerberos.getName()).andReturn(Service.Type.KERBEROS.name()).anyTimes(); + expect(serviceKerberos.getServiceComponents()) + .andReturn(Collections.singletonMap(Role.KERBEROS_CLIENT.name(), serviceComponentKerberosClient)) + .times(2); + + final Service service1 = createStrictMock(Service.class); + expect(service1.getName()).andReturn("SERVICE1").anyTimes(); + expect(service1.getServiceComponents()) + .andReturn(Collections.<String, ServiceComponent>emptyMap()) + .times(2); + + final Service service2 = createStrictMock(Service.class); + expect(service2.getName()).andReturn("SERVICE2").anyTimes(); + expect(service2.getServiceComponents()) + .andReturn(Collections.<String, ServiceComponent>emptyMap()) + .times(2); + + + expect(cluster.getClusterName()).andReturn("c1").anyTimes(); + expect(cluster.getServices()) + .andReturn(new HashMap<String, Service>() { + { + put(Service.Type.KERBEROS.name(), serviceKerberos); + put("SERVICE1", service1); + put("SERVICE2", service2); + } + }) + .anyTimes(); + expect(cluster.getServiceComponentHosts("host1")) + .andReturn(new ArrayList<ServiceComponentHost>() { + { + add(sch1); + add(sch2); + add(sch3); + add(schKerberosClient); + } + }) + .once(); + expect(cluster.getCurrentStackVersion()) + .andReturn(new StackId("HDP", "2.2")) + .anyTimes(); + expect(cluster.getSessionAttributes()).andReturn(attributeMap).anyTimes(); + + cluster.setSessionAttribute(anyObject(String.class), 
anyObject()); + expectLastCall().andAnswer(new IAnswer<Object>() { + @Override + public Object answer() throws Throwable { + Object[] args = getCurrentArguments(); + attributeMap.put((String) args[0], args[1]); + return null; + } + }).anyTimes(); - final KerberosDescriptor kerberosDescriptor = createStrictMock(KerberosDescriptor.class); - expect(kerberosDescriptor.getProperties()).andReturn(null).once(); + final Clusters clusters = injector.getInstance(Clusters.class); + expect(clusters.getHostsForCluster("c1")) + .andReturn(new HashMap<String, Host>() { + { + put("host1", host); + } + }) + .once(); + expect(clusters.getHost("host1")) + .andReturn(host) + .once(); + + final AmbariManagementController ambariManagementController = injector.getInstance(AmbariManagementController.class); + expect(ambariManagementController.findConfigurationTagsWithOverrides(cluster, "host1")) + .andReturn(Collections.<String, Map<String, String>>emptyMap()) + .once(); + expect(ambariManagementController.findConfigurationTagsWithOverrides(cluster, null)) + .andReturn(Collections.<String, Map<String, String>>emptyMap()) + .once(); + expect(ambariManagementController.getRoleCommandOrder(cluster)) + .andReturn(createNiceMock(RoleCommandOrder.class)) + .once(); + + final ConfigHelper configHelper = injector.getInstance(ConfigHelper.class); + expect(configHelper.getEffectiveConfigProperties(anyObject(Cluster.class), anyObject(Map.class))) + .andReturn(new HashMap<String, Map<String, String>>() { + { + put("cluster-env", new HashMap<String, String>() {{ + put("kerberos_domain", "FOOBAR.COM"); + }}); + } + }) + .times(1); - setupGetDescriptorFromCluster(kerberosDescriptor); + final KerberosDescriptor kerberosDescriptor = createStrictMock(KerberosDescriptor.class); + expect(kerberosDescriptor.getProperties()).andReturn(null).once(); - final StageFactory stageFactory = injector.getInstance(StageFactory.class); - expect(stageFactory.createNew(anyLong(), anyObject(String.class), 
anyObject(String.class), - anyLong(), anyObject(String.class), anyObject(String.class), anyObject(String.class), - anyObject(String.class))) - .andAnswer(new IAnswer<Stage>() { - @Override - public Stage answer() throws Throwable { - Stage stage = createNiceMock(Stage.class); + setupGetDescriptorFromCluster(kerberosDescriptor); - expect(stage.getHostRoleCommands()) - .andReturn(Collections.<String, Map<String, HostRoleCommand>>emptyMap()) - .anyTimes(); - replay(stage); - return stage; - } - }) - .anyTimes(); + final StageFactory stageFactory = injector.getInstance(StageFactory.class); + expect(stageFactory.createNew(anyLong(), anyObject(String.class), anyObject(String.class), + anyLong(), anyObject(String.class), anyObject(String.class), anyObject(String.class), + anyObject(String.class))) + .andAnswer(new IAnswer<Stage>() { + @Override + public Stage answer() throws Throwable { + Stage stage = createNiceMock(Stage.class); + + expect(stage.getHostRoleCommands()) + .andReturn(Collections.<String, Map<String, HostRoleCommand>>emptyMap()) + .anyTimes(); + replay(stage); + return stage; + } + }) + .anyTimes(); - // This is a STRICT mock to help ensure that the end result is what we want. 
- final RequestStageContainer requestStageContainer = createStrictMock(RequestStageContainer.class); - // Create Principals Stage - expect(requestStageContainer.getLastStageId()).andReturn(-1L).anyTimes(); - expect(requestStageContainer.getId()).andReturn(1L).once(); - requestStageContainer.addStages(anyObject(List.class)); - expectLastCall().once(); - // Create Keytabs Stage - expect(requestStageContainer.getLastStageId()).andReturn(-1L).anyTimes(); - expect(requestStageContainer.getId()).andReturn(1L).once(); - requestStageContainer.addStages(anyObject(List.class)); - expectLastCall().once(); - // Distribute Keytabs Stage - expect(requestStageContainer.getLastStageId()).andReturn(-1L).anyTimes(); - expect(requestStageContainer.getId()).andReturn(1L).once(); - requestStageContainer.addStages(anyObject(List.class)); - expectLastCall().once(); - // Clean-up/Finalize Stage - expect(requestStageContainer.getLastStageId()).andReturn(-1L).anyTimes(); - expect(requestStageContainer.getId()).andReturn(1L).once(); - requestStageContainer.addStages(anyObject(List.class)); - expectLastCall().once(); + // Create Principals Stage + expect(requestStageContainer.getLastStageId()).andReturn(-1L).anyTimes(); + expect(requestStageContainer.getId()).andReturn(1L).once(); + requestStageContainer.addStages(anyObject(List.class)); + expectLastCall().once(); + // Create Keytabs Stage + expect(requestStageContainer.getLastStageId()).andReturn(-1L).anyTimes(); + expect(requestStageContainer.getId()).andReturn(1L).once(); + requestStageContainer.addStages(anyObject(List.class)); + expectLastCall().once(); + // Distribute Keytabs Stage + expect(requestStageContainer.getLastStageId()).andReturn(-1L).anyTimes(); + expect(requestStageContainer.getId()).andReturn(1L).once(); + requestStageContainer.addStages(anyObject(List.class)); + expectLastCall().once(); + // Clean-up/Finalize Stage + expect(requestStageContainer.getLastStageId()).andReturn(-1L).anyTimes(); + 
expect(requestStageContainer.getId()).andReturn(1L).once(); + requestStageContainer.addStages(anyObject(List.class)); + expectLastCall().once(); + } replayAll(); @@ -2221,14 +2253,16 @@ public class KerberosHelperTest extends EasyMockSupport { verifyAll(); - String serviceCheckID = (String)cluster.getSessionAttributes().get("_kerberos_internal_service_check_identifier"); - Assert.assertNotNull(serviceCheckID); + if (managingIdentities) { + String serviceCheckID = (String) cluster.getSessionAttributes().get("_kerberos_internal_service_check_identifier"); + Assert.assertNotNull(serviceCheckID); - Assert.assertTrue(commandParamsStage.containsKey("principal_name")); - Assert.assertEquals("${cluster-env/smokeuser}_" + serviceCheckID + "@${realm}", commandParamsStage.get("principal_name")); + Assert.assertTrue(commandParamsStage.containsKey("principal_name")); + Assert.assertEquals("${cluster-env/smokeuser}_" + serviceCheckID + "@${realm}", commandParamsStage.get("principal_name")); - Assert.assertTrue(commandParamsStage.containsKey("keytab_file")); - Assert.assertEquals("${keytab_dir}/kerberos.service_check." + serviceCheckID + ".keytab", commandParamsStage.get("keytab_file")); + Assert.assertTrue(commandParamsStage.containsKey("keytab_file")); + Assert.assertEquals("${keytab_dir}/kerberos.service_check." + serviceCheckID + ".keytab", commandParamsStage.get("keytab_file")); + } } private void testDeleteTestIdentity(final KerberosCredential kerberosCredential) throws Exception {
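Review bot: Moving the strict `requestStageContainer` mock above `if(managingIdentities)` is what makes the not-managing case meaningful, but the comment kept with it does not say so. With no expectations recorded, any call on the strict mock fails the test, and that is the only check that no stages are added when identities are not managed. I would extend the comment to `// STRICT mock: when identities are not managed no expectations are recorded, so any call on it fails the test`. The condition is also written `if(managingIdentities)` here but `if (managingIdentities)` in the next hunk. The method starts outside this hunk.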
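Review bot: Every assertion after `verifyAll()` is now wrapped in `if (managingIdentities)`, so the two `_ManageIdentitiesFalse` tests added earlier in this file assert nothing about the command parameters. They pass as long as nothing throws and the strict mock is untouched. An `else` branch should pin the no-op behaviour with `Assert.assertFalse(commandParamsStage.containsKey("principal_name"));` and `Assert.assertFalse(commandParamsStage.containsKey("keytab_file"));`. `commandParamsStage` is declared outside the visible hunks, so this assumes it is the map handed to the method under test. An assertion through `cluster.getSessionAttributes()` would not work on that path, because its expectation is now recorded only when identities are managed.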
