Repository: ambari Updated Branches: refs/heads/trunk 34c1e9b2c -> 6691a1742
Revert "AMBARI-10018. Kerberos: Password generator needs to generate passwords based on rules to satisfy password policy (rlevas)" This reverts commit 7b822e42b2faf2910d4776d8651f841e621eeb2d. Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/c775434e Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/c775434e Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/c775434e Branch: refs/heads/trunk Commit: c775434edc34e2cc0a51f78a7b3eedb2415dc1c6 Parents: 34c1e9b Author: Robert Levas <[email protected]> Authored: Thu May 7 14:43:32 2015 -0400 Committer: Robert Levas <[email protected]> Committed: Thu May 7 14:43:53 2015 -0400 ---------------------------------------------------------------------- .../kerberos/CleanupServerAction.java | 10 +- .../kerberos/CreateKeytabFilesServerAction.java | 8 +- .../kerberos/CreatePrincipalsServerAction.java | 64 +---------- .../kerberos/DestroyPrincipalsServerAction.java | 8 +- .../kerberos/FinalizeKerberosServerAction.java | 5 +- .../kerberos/KerberosOperationHandler.java | 54 ++++++++- .../kerberos/KerberosServerAction.java | 25 ++--- .../1.10.3-10/configuration/kerberos-env.xml | 48 -------- .../ADKerberosOperationHandlerTest.java | 14 +-- .../kerberos/KerberosOperationHandlerTest.java | 54 +++++++-- .../kerberos/KerberosServerActionTest.java | 1 - ambari-web/app/data/HDP2/site_properties.js | 112 ++----------------- 12 files changed, 139 insertions(+), 264 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CleanupServerAction.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CleanupServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CleanupServerAction.java index 64ebe0f..52ac8ac 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CleanupServerAction.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CleanupServerAction.java @@ -49,18 +49,13 @@ public class CleanupServerAction extends KerberosServerAction { * @param operationHandler a KerberosOperationHandler used to perform Kerberos-related * tasks for specific Kerberos implementations * (MIT, Active Directory, etc...) - * @param kerberosConfiguration a Map of configuration properties from kerberos-env * @param requestSharedDataContext a Map to be used a shared data among all ServerActions related * to a given request * @return null, always - * @throws AmbariException if an error occurs while processing the identity record + * @throws AmbariException */ @Override - protected CommandReport processIdentity(Map<String, String> identityRecord, String evaluatedPrincipal, - KerberosOperationHandler operationHandler, - Map<String, String> kerberosConfiguration, - Map<String, Object> requestSharedDataContext) - throws AmbariException { + protected CommandReport processIdentity(Map<String, String> identityRecord, String evaluatedPrincipal, KerberosOperationHandler operationHandler, Map<String, Object> requestSharedDataContext) throws AmbariException { return null; } @@ -110,5 +105,4 @@ public class CleanupServerAction extends KerberosServerAction { throw new AmbariException("An unknown error occurred while trying to delete the cluster Kerberos descriptor", e); } } - } http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java index 34780d6..f48c4cf 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java @@ -48,7 +48,7 @@ import java.util.concurrent.ConcurrentMap; * This class mainly relies on the KerberosServerAction to iterate through metadata identifying * the Kerberos keytab files that need to be created. For each identity in the metadata, this * implementation's - * {@link KerberosServerAction#processIdentity(Map, String, KerberosOperationHandler, Map, Map)} + * {@link KerberosServerAction#processIdentity(java.util.Map, String, KerberosOperationHandler, java.util.Map)} * is invoked attempting the creation of the relevant keytab file. */ public class CreateKeytabFilesServerAction extends KerberosServerAction { @@ -134,16 +134,14 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction { * @param operationHandler a KerberosOperationHandler used to perform Kerberos-related * tasks for specific Kerberos implementations * (MIT, Active Directory, etc...) - * @param kerberosConfiguration a Map of configuration properties from kerberos-env * @param requestSharedDataContext a Map to be used a shared data among all ServerActions related - * to a given request @return a CommandReport, indicating an error - * condition; or null, indicating a success condition + * to a given request + * @return a CommandReport, indicating an error condition; or null, indicating a success condition * @throws AmbariException if an error occurs while processing the identity record */ @Override protected CommandReport processIdentity(Map<String, String> identityRecord, String evaluatedPrincipal, KerberosOperationHandler operationHandler, - Map<String, String> kerberosConfiguration, Map<String, Object> requestSharedDataContext) throws AmbariException { CommandReport commandReport = null; http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java index f5282af..13fb49b 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java @@ -24,7 +24,6 @@ import org.apache.ambari.server.actionmanager.HostRoleStatus; import org.apache.ambari.server.agent.CommandReport; import org.apache.ambari.server.orm.dao.KerberosPrincipalDAO; import org.apache.ambari.server.orm.dao.KerberosPrincipalHostDAO; -import org.apache.ambari.server.security.SecurePasswordHelper; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -36,7 +35,7 @@ import java.util.concurrent.ConcurrentMap; * <p/> * This class mainly relies on the KerberosServerAction to iterate through metadata identifying * the Kerberos principals that need to be created. For each identity in the metadata, this implementation's - * {@link KerberosServerAction#processIdentity(Map, String, KerberosOperationHandler, Map, Map)} + * {@link KerberosServerAction#processIdentity(java.util.Map, String, KerberosOperationHandler, java.util.Map)} * is invoked attempting the creation of the relevant principal. */ public class CreatePrincipalsServerAction extends KerberosServerAction { @@ -55,12 +54,6 @@ public class CreatePrincipalsServerAction extends KerberosServerAction { private KerberosPrincipalHostDAO kerberosPrincipalHostDAO; /** - * SecurePasswordHelper used to generate secure passwords for newly created principals - */ - @Inject - private SecurePasswordHelper securePasswordHelper; - - /** * Called to execute this action. Upon invocation, calls * {@link org.apache.ambari.server.serveraction.kerberos.KerberosServerAction#processIdentities(java.util.Map)} * to iterate through the Kerberos identity metadata and call @@ -85,7 +78,7 @@ public class CreatePrincipalsServerAction extends KerberosServerAction { * an assume to be configured KDC. * <p/> * If a password has not been previously created the current evaluatedPrincipal, create a "secure" - * password using {@link SecurePasswordHelper#createSecurePassword()}. Then if the principal + * password using {@link KerberosOperationHandler#createSecurePassword()}. Then if the principal * does not exist in the KDC, create it using the generated password; else if it does exist update * its password. Finally store the generated password in the shared principal-to-password map and * store the new key numbers in the shared principal-to-key_number map so that subsequent process @@ -96,16 +89,14 @@ public class CreatePrincipalsServerAction extends KerberosServerAction { * @param operationHandler a KerberosOperationHandler used to perform Kerberos-related * tasks for specific Kerberos implementations * (MIT, Active Directory, etc...) - * @param kerberosConfiguration a Map of configuration properties from kerberos-env * @param requestSharedDataContext a Map to be used a shared data among all ServerActions related - * to a given request @return a CommandReport, indicating an error - * condition; or null, indicating a success condition + * to a given request + * @return a CommandReport, indicating an error condition; or null, indicating a success condition * @throws AmbariException if an error occurs while processing the identity record */ @Override protected CommandReport processIdentity(Map<String, String> identityRecord, String evaluatedPrincipal, KerberosOperationHandler operationHandler, - Map<String, String> kerberosConfiguration, Map<String, Object> requestSharedDataContext) throws AmbariException { CommandReport commandReport = null; @@ -123,31 +114,7 @@ public class CreatePrincipalsServerAction extends KerberosServerAction { LOG.info(message); actionLog.writeStdOut(message); - Integer length; - Integer minLowercaseLetters; - Integer minUppercaseLetters; - Integer minDigits; - Integer minPunctuation; - Integer minWhitespace; - - if(kerberosConfiguration == null) { - length = null; - minLowercaseLetters= null; - minUppercaseLetters= null; - minDigits= null; - minPunctuation= null; - minWhitespace= null; - } - else { - length = toInt(kerberosConfiguration.get("password_length")); - minLowercaseLetters = toInt(kerberosConfiguration.get("password_min_lowercase_letters")); - minUppercaseLetters = toInt(kerberosConfiguration.get("password_min_uppercase_letters")); - minDigits = toInt(kerberosConfiguration.get("password_min_digits")); - minPunctuation = toInt(kerberosConfiguration.get("password_min_punctuation")); - minWhitespace = toInt(kerberosConfiguration.get("password_min_whitespace")); - } - - password = securePasswordHelper.createSecurePassword(length, minLowercaseLetters, minUppercaseLetters, minDigits, minPunctuation, minWhitespace); + password = operationHandler.createSecurePassword(); try { boolean servicePrincipal = "service".equalsIgnoreCase(identityRecord.get(KerberosIdentityDataFileReader.PRINCIPAL_TYPE)); @@ -205,25 +172,4 @@ public class CreatePrincipalsServerAction extends KerberosServerAction { return commandReport; } - - /** - * Translates a String containing an integer value to an Integer. - * <p/> - * If the string is null, empty or not a number, returns null; otherwise returns an Integer value - * representing the integer value of the string. - * - * @param string the string to parse - * @return an Integer or null - */ - private Integer toInt(String string) { - if ((string == null) || string.isEmpty()) { - return null; - } else { - try { - return Integer.parseInt(string); - } catch (NumberFormatException e) { - return null; - } - } - } } http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java index 93daae8..a215a56 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java @@ -36,7 +36,7 @@ import java.util.concurrent.ConcurrentMap; * This class mainly relies on the KerberosServerAction to iterate through metadata identifying * the Kerberos principals that need to be removed from the relevant KDC. For each identity in the * metadata, this implementation's - * {@link KerberosServerAction#processIdentity(Map, String, KerberosOperationHandler, Map, Map)} + * {@link org.apache.ambari.server.serveraction.kerberos.KerberosServerAction#processIdentity(java.util.Map, String, org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler, java.util.Map)} * is invoked attempting the removal of the relevant principal. */ public class DestroyPrincipalsServerAction extends KerberosServerAction { @@ -73,16 +73,14 @@ public class DestroyPrincipalsServerAction extends KerberosServerAction { * @param operationHandler a KerberosOperationHandler used to perform Kerberos-related * tasks for specific Kerberos implementations * (MIT, Active Directory, etc...) - * @param kerberosConfiguration a Map of configuration properties from kerberos-env * @param requestSharedDataContext a Map to be used a shared data among all ServerActions related - * to a given request @return a CommandReport, indicating an error - * condition; or null, indicating a success condition + * to a given request + * @return a CommandReport, indicating an error condition; or null, indicating a success condition * @throws org.apache.ambari.server.AmbariException if an error occurs while processing the identity record */ @Override protected CommandReport processIdentity(Map<String, String> identityRecord, String evaluatedPrincipal, KerberosOperationHandler operationHandler, - Map<String, String> kerberosConfiguration, Map<String, Object> requestSharedDataContext) throws AmbariException { http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/FinalizeKerberosServerAction.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/FinalizeKerberosServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/FinalizeKerberosServerAction.java index c710b8e..4925582 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/FinalizeKerberosServerAction.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/FinalizeKerberosServerAction.java @@ -48,15 +48,14 @@ public class FinalizeKerberosServerAction extends KerberosServerAction { * @param operationHandler a KerberosOperationHandler used to perform Kerberos-related * tasks for specific Kerberos implementations * (MIT, Active Directory, etc...) - * @param kerberosConfiguration a Map of configuration properties from kerberos-env * @param requestSharedDataContext a Map to be used a shared data among all ServerActions related - * to a given request @return null, always + * to a given request + * @return null, always * @throws AmbariException */ @Override protected CommandReport processIdentity(Map<String, String> identityRecord, String evaluatedPrincipal, KerberosOperationHandler operationHandler, - Map<String, String> kerberosConfiguration, Map<String, Object> requestSharedDataContext) throws AmbariException { http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java index 20426f0..ed31ccf 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java @@ -18,7 +18,6 @@ package org.apache.ambari.server.serveraction.kerberos; -import org.apache.ambari.server.security.SecurePasswordHelper; import org.apache.ambari.server.utils.ShellCommandUtil; import org.apache.commons.codec.binary.Base64; import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory; @@ -35,6 +34,7 @@ import java.io.FileNotFoundException; import java.io.FileOutputStream; import java.io.IOException; import java.io.OutputStream; +import java.security.SecureRandom; import java.util.ArrayList; import java.util.Collections; import java.util.EnumSet; @@ -53,6 +53,13 @@ import java.util.Set; public abstract class KerberosOperationHandler { private final static Logger LOG = LoggerFactory.getLogger(KerberosOperationHandler.class); + private final static SecureRandom SECURE_RANDOM = new SecureRandom(); + + /** + * The number of characters to generate for a secure password + */ + protected final static int SECURE_PASSWORD_LENGTH = 18; + /** * Kerberos-env configuration property name: ldap_url */ @@ -89,6 +96,12 @@ public abstract class KerberosOperationHandler { public final static String KERBEROS_ENV_EXECUTABLE_SEARCH_PATHS = "executable_search_paths"; /** + * The set of available characters to use when generating a secure password + */ + private final static char[] SECURE_PASSWORD_CHARS = + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890?.!$%^*()-_+=~".toCharArray(); + + /** * An array of String values declaring the default (ordered) list of path to search for executables */ private static final String[] DEFAULT_EXECUTABLE_SEARCH_PATHS = {"/usr/bin", "/usr/kerberos/bin", "/usr/sbin", "/usr/lib/mit/bin", "/usr/lib/mit/sbin"}; @@ -197,6 +210,45 @@ public abstract class KerberosOperationHandler { /** + * Create a secure (random) password using a secure random number generator and a set of (reasonable) + * characters. + * + * @return a String containing the new password + */ + public String createSecurePassword() { + return createSecurePassword(SECURE_PASSWORD_LENGTH); + } + + /** + * Create a secure (random) password using a secure random number generator and a set of (reasonable) + * characters. + * + * @param length an integer value declaring the length of the password to create, + * if <1, a default will be used. + * @return a String containing the new password + */ + public String createSecurePassword(int length) { + StringBuilder passwordBuilder; + + // If the supplied length is less than 1 use the default value. + if (length < 1) { + length = SECURE_PASSWORD_LENGTH; + } + + // Create a new StringBuilder and ensure its capacity is set for the length of the password to + // be generated + passwordBuilder = new StringBuilder(length); + + // For each character to be added to the password, (securely) generate a random number to pull + // a random character from the character array + for (int i = 0; i < length; i++) { + passwordBuilder.append(SECURE_PASSWORD_CHARS[SECURE_RANDOM.nextInt(SECURE_PASSWORD_CHARS.length)]); + } + + return passwordBuilder.toString(); + } + + /** * Prepares and creates resources to be used by this KerberosOperationHandler. * Implementation in this class is ignoring parameters ldapUrl and principalContainerDn and delegate to * <code>open(KerberosCredential administratorCredentials, String defaultRealm)</code> http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java index 55018de..a92fb12 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java @@ -316,7 +316,7 @@ public abstract class KerberosServerAction extends AbstractServerAction { * Using the "data_directory" value from this action's command parameters map, creates a * {@link KerberosIdentityDataFileReader} to parse * the relative identity.dat file and iterate through its "records". Each "record" is process using - * {@link #processRecord(Map, String, KerberosOperationHandler, Map, Map)}. + * {@link #processRecord(java.util.Map, String, KerberosOperationHandler, java.util.Map)}. * * @param requestSharedDataContext a Map to be used a shared data among all ServerActions related * to a given request @@ -372,10 +372,8 @@ public abstract class KerberosServerAction extends AbstractServerAction { throw new AmbariException(message); } - Map<String, String> kerberosConfiguration = getConfiguration("kerberos-env"); - try { - handler.open(administratorCredential, defaultRealm, kerberosConfiguration); + handler.open(administratorCredential, defaultRealm, getConfiguration("kerberos-env")); } catch (KerberosOperationException e) { String message = String.format("Failed to process the identities, could not properly open the KDC operation handler: %s", e.getMessage()); @@ -390,7 +388,7 @@ public abstract class KerberosServerAction extends AbstractServerAction { reader = kerberosIdentityDataFileReaderFactory.createKerberosIdentityDataFileReader(identityDataFile); for (Map<String, String> record : reader) { // Process the current record - commandReport = processRecord(record, defaultRealm, handler, kerberosConfiguration, requestSharedDataContext); + commandReport = processRecord(record, defaultRealm, handler, requestSharedDataContext); // If the principal processor returns a CommandReport, than it is time to stop since // an error condition has probably occurred, else all is assumed to be well. @@ -454,16 +452,14 @@ public abstract class KerberosServerAction extends AbstractServerAction { * @param operationHandler a KerberosOperationHandler used to perform Kerberos-related * tasks for specific Kerberos implementations * (MIT, Active Directory, etc...) - * @param kerberosConfiguration a Map of configuration properties from kerberos-env * @param requestSharedDataContext a Map to be used a shared data among all ServerActions related - * to a given request @return a CommandReport, indicating an error - * condition; or null, indicating a success condition + * to a given request + * @return a CommandReport, indicating an error condition; or null, indicating a success condition * @throws AmbariException if an error occurs while processing the identity record */ protected abstract CommandReport processIdentity(Map<String, String> identityRecord, String evaluatedPrincipal, KerberosOperationHandler operationHandler, - Map<String, String> kerberosConfiguration, Map<String, Object> requestSharedDataContext) throws AmbariException; @@ -472,7 +468,7 @@ public abstract class KerberosServerAction extends AbstractServerAction { * <p/> * Given the data from the record Map, attempts to replace variables in the principal pattern to * generate a concrete principal value to further process. This "evaluated principal" is then passed to - * {@link #processIdentity(Map, String, KerberosOperationHandler, Map, Map)} + * {@link #processIdentity(java.util.Map, String, KerberosOperationHandler, java.util.Map)} * to be handled as needed. * * @param record a Map containing the data for the current identity record @@ -480,15 +476,14 @@ public abstract class KerberosServerAction extends AbstractServerAction { * @param operationHandler a KerberosOperationHandler used to perform Kerberos-related * tasks for specific Kerberos implementations * (MIT, Active Directory, etc...) - * @param kerberosConfiguration a Map of configuration properties from kerberos-env * @param requestSharedDataContext a Map to be used a shared data among all ServerActions related - * to a given request @return a CommandReport, indicating an error - * condition; or null, indicating a success condition + * to a given request + * @return a CommandReport, indicating an error condition; or null, indicating a success condition * @throws AmbariException if an error occurs while processing the identity record */ private CommandReport processRecord(Map<String, String> record, String defaultRealm, KerberosOperationHandler operationHandler, - Map<String, String> kerberosConfiguration, Map<String, Object> requestSharedDataContext) + Map<String, Object> requestSharedDataContext) throws AmbariException { CommandReport commandReport = null; @@ -501,7 +496,7 @@ public abstract class KerberosServerAction extends AbstractServerAction { // by replacing the _HOST and _REALM variables. String evaluatedPrincipal = principal.replace("_HOST", host).replace("_REALM", defaultRealm); - commandReport = processIdentity(record, evaluatedPrincipal, operationHandler, kerberosConfiguration, requestSharedDataContext); + commandReport = processIdentity(record, evaluatedPrincipal, operationHandler, requestSharedDataContext); } } http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml index ec50f69..682d675 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml @@ -104,54 +104,6 @@ <value>/usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin</value> </property> - <property> - <name>password_length</name> - <description> - The length required length for generated passwords. - </description> - <value>20</value> - </property> - - <property> - <name>password_min_lowercase_letters</name> - <description> - The minimum number of lowercase letters (a-z) required in generated passwords - </description> - <value>1</value> - </property> - - <property> - <name>password_min_uppercase_letters</name> - <description> - The minimum number of uppercase letters (A-Z) required in generated passwords - </description> - <value>1</value> - </property> - - <property> - <name>password_min_digits</name> - <description> - The minimum number of digits (0-9) required in generated passwords - </description> - <value>1</value> - </property> - - <property> - <name>password_min_punctuation</name> - <description> - The minimum number of punctuation characters (?.!$%^*()-_+=~) required in generated passwords - </description> - <value>1</value> - </property> - - <property> - <name>password_min_whitespace</name> - <description> - The minimum number of whitespace characters required in generated passwords - </description> - <value>0</value> - </property> - <property require-input="true"> <name>create_attributes_template</name> <description> http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java index 48bf473..d833c35 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java @@ -511,16 +511,16 @@ public class ADKerberosOperationHandlerTest extends KerberosOperationHandlerTest evaluatedPrincipal = "nn/c6501.ambari.apache.org@" + DEFAULT_REALM; if (handler.principalExists(evaluatedPrincipal)) { - handler.setPrincipalPassword(evaluatedPrincipal, "some password"); + handler.setPrincipalPassword(evaluatedPrincipal, handler.createSecurePassword()); } else { - handler.createPrincipal(evaluatedPrincipal, "some password", true); + handler.createPrincipal(evaluatedPrincipal, handler.createSecurePassword(), true); } evaluatedPrincipal = "hdfs@" + DEFAULT_REALM; if (handler.principalExists(evaluatedPrincipal)) { - handler.setPrincipalPassword(evaluatedPrincipal, "some password"); + handler.setPrincipalPassword(evaluatedPrincipal, handler.createSecurePassword()); } else { - handler.createPrincipal(evaluatedPrincipal, "some password", true); + handler.createPrincipal(evaluatedPrincipal, handler.createSecurePassword(), true); } kerberosEnvMap.put(ADKerberosOperationHandler.KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE, @@ -552,11 +552,11 @@ public class ADKerberosOperationHandlerTest extends KerberosOperationHandlerTest handler.removePrincipal("abcdefg"); handler.removePrincipal("abcdefg/c1509.ambari.apache.org@" + DEFAULT_REALM); - handler.createPrincipal("abcdefg/c1509.ambari.apache.org@" + DEFAULT_REALM, "some password", true); - handler.createPrincipal("abcdefg@" + DEFAULT_REALM, "some password", false); + handler.createPrincipal("abcdefg/c1509.ambari.apache.org@" + DEFAULT_REALM, handler.createSecurePassword(), true); + handler.createPrincipal("abcdefg@" + DEFAULT_REALM, handler.createSecurePassword(), false); //update the password - handler.setPrincipalPassword("abcdefg/c1509.ambari.apache.org@" + DEFAULT_REALM, "some password"); + handler.setPrincipalPassword("abcdefg/c1509.ambari.apache.org@" + DEFAULT_REALM, handler.createSecurePassword()); handler.close(); } http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java index 410eced..07094a7 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java @@ -42,6 +42,44 @@ public abstract class KerberosOperationHandlerTest extends EasyMockSupport { public TemporaryFolder folder = new TemporaryFolder(); @Test + public void testCreateSecurePassword() throws Exception { + + KerberosOperationHandler handler1 = createHandler(); + KerberosOperationHandler handler2 = createHandler(); + + String password1 = handler1.createSecurePassword(); + Assert.assertNotNull(password1); + Assert.assertEquals(KerberosOperationHandler.SECURE_PASSWORD_LENGTH, password1.length()); + + String password2 = handler2.createSecurePassword(); + Assert.assertNotNull(password2); + Assert.assertEquals(KerberosOperationHandler.SECURE_PASSWORD_LENGTH, password2.length()); + + // Make sure the passwords are different... if they are the same, that indicated the random + // number generators are generating using the same pattern and that is not secure. + Assert.assertFalse((password1.equals(password2))); + } + + @Test + public void testCreateSecurePasswordWithSize() throws Exception { + KerberosOperationHandler handler = createHandler(); + + String password; + + password = handler.createSecurePassword(10); + Assert.assertNotNull(password); + Assert.assertEquals(10, password.length()); + + password = handler.createSecurePassword(0); + Assert.assertNotNull(password); + Assert.assertEquals(KerberosOperationHandler.SECURE_PASSWORD_LENGTH, password.length()); + + password = handler.createSecurePassword(-20); + Assert.assertNotNull(password); + Assert.assertEquals(KerberosOperationHandler.SECURE_PASSWORD_LENGTH, password.length()); + } + + @Test public void testCreateKeytabFileOneAtATime() throws Exception { KerberosOperationHandler handler = createHandler(); File file = folder.newFile(); @@ -49,7 +87,7 @@ public abstract class KerberosOperationHandlerTest extends EasyMockSupport { final String principal2 = "[email protected]"; int count; - Assert.assertTrue(handler.createKeytabFile(principal1, "some password", 0, file)); + Assert.assertTrue(handler.createKeytabFile(principal1, handler.createSecurePassword(), 0, file)); Keytab keytab = Keytab.read(file); Assert.assertNotNull(keytab); @@ -64,7 +102,7 @@ public abstract class KerberosOperationHandlerTest extends EasyMockSupport { Assert.assertEquals(principal1, entry.getPrincipalName()); } - Assert.assertTrue(handler.createKeytabFile(principal2, "some password", 0, file)); + Assert.assertTrue(handler.createKeytabFile(principal2, handler.createSecurePassword(), 0, file)); keytab = Keytab.read(file); Assert.assertNotNull(keytab); @@ -84,11 +122,11 @@ public abstract class KerberosOperationHandlerTest extends EasyMockSupport { final String principal2 = "[email protected]"; Set<String> seenEntries = new HashSet<String>(); - Assert.assertTrue(handler.createKeytabFile(principal1, "some password", 0, file)); - Assert.assertTrue(handler.createKeytabFile(principal2, "some password", 0, file)); + Assert.assertTrue(handler.createKeytabFile(principal1, handler.createSecurePassword(), 0, file)); + Assert.assertTrue(handler.createKeytabFile(principal2, handler.createSecurePassword(), 0, file)); // Attempt to add duplicate entries - Assert.assertTrue(handler.createKeytabFile(principal2, "some password", 0, file)); + Assert.assertTrue(handler.createKeytabFile(principal2, handler.createSecurePassword(), 0, file)); Keytab keytab = Keytab.read(file); Assert.assertNotNull(keytab); @@ -111,7 +149,7 @@ public abstract class KerberosOperationHandlerTest extends EasyMockSupport { final String principal1 = "[email protected]"; try { - handler.createKeytabFile(null, "some password", 0, file); + handler.createKeytabFile(null, handler.createSecurePassword(), 0, file); Assert.fail("KerberosOperationException not thrown with null principal"); } catch (Throwable t) { Assert.assertEquals(KerberosOperationException.class, t.getClass()); @@ -125,7 +163,7 @@ public abstract class KerberosOperationHandlerTest extends EasyMockSupport { } try { - handler.createKeytabFile(principal1, "some password", 0, null); + handler.createKeytabFile(principal1, handler.createSecurePassword(), 0, null); Assert.fail("KerberosOperationException not thrown with null file"); } catch (Throwable t) { Assert.assertEquals(KerberosOperationException.class, t.getClass()); @@ -138,7 +176,7 @@ public abstract class KerberosOperationHandlerTest extends EasyMockSupport { File file = folder.newFile(); final String principal = "[email protected]"; - Assert.assertTrue(handler.createKeytabFile(principal, "some password", 0, file)); + Assert.assertTrue(handler.createKeytabFile(principal, handler.createSecurePassword(), 0, file)); FileInputStream fis = new FileInputStream(file); byte[] data = new byte[(int) file.length()]; http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java index 8fc5325..336090b 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java @@ -73,7 +73,6 @@ public class KerberosServerActionTest { @Override protected CommandReport processIdentity(Map<String, String> identityRecord, String evaluatedPrincipal, KerberosOperationHandler operationHandler, - Map<String, String> kerberosConfiguration, Map<String, Object> requestSharedDataContext) throws AmbariException { Assert.assertNotNull(requestSharedDataContext); http://git-wip-us.apache.org/repos/asf/ambari/blob/c775434e/ambari-web/app/data/HDP2/site_properties.js ---------------------------------------------------------------------- diff --git a/ambari-web/app/data/HDP2/site_properties.js b/ambari-web/app/data/HDP2/site_properties.js index 661e49e..ae6051f 100644 --- a/ambari-web/app/data/HDP2/site_properties.js +++ b/ambari-web/app/data/HDP2/site_properties.js @@ -1171,7 +1171,7 @@ var hdp2properties = [ }, { "id": "site property", - "isOverridable": false, + "isOverrideable": false, "serviceName": "STORM", "category": "SUPERVISOR", "displayName": "supervisor.childopts", @@ -1983,132 +1983,36 @@ var hdp2properties = [ "name": "manage_identities", "displayName": "Manage Kerberos Identities", "displayType": "checkbox", - "isOverridable": false, - "isVisible": true, "serviceName": "KERBEROS", "filename": "kerberos-env.xml", - "category": "Advanced kerberos-env", - "index" : 0 + "category": "Advanced kerberos-env" }, { "id": "puppet var", "name": "install_packages", "displayName": "Install OS-specific Kerberos client package(s)", "displayType": "checkbox", - "isOverridable": false, - "isVisible": true, "serviceName": "KERBEROS", "filename": "kerberos-env.xml", - "category": "Advanced kerberos-env", - "index" : 1 + "category": "Advanced kerberos-env" }, { "id": "puppet var", - "name": "executable_search_paths", - "displayName": "Executable Search Paths", - "displayType": "multiline", - "isOverridable": false, - "isVisible": true, + "name": "create_attributes_template", + "displayName": "Attribute template", "serviceName": "KERBEROS", "filename": "kerberos-env.xml", - "category": "Advanced kerberos-env", - "index" : 2 + "displayType": "content", + "category": "Advanced kerberos-env" }, { "id": "puppet var", "name": "encryption_types", "displayName": "Encryption Types", - "isOverridable": false, - "isVisible": true, "serviceName": "KERBEROS", "filename": "kerberos-env.xml", "displayType": "multiLine", - "category": "Advanced kerberos-env", - "index" : 3 - }, - { - "id": "puppet var", - "name": "password_length", - "displayName": "Password Length", - "displayType": "int", - "isOverridable": false, - "isVisible": true, - "serviceName": "KERBEROS", - "filename": "kerberos-env.xml", - "category": "Advanced kerberos-env", - "index" : 4 - }, - { - "id": "puppet var", - "name": "password_min_lowercase_letters", - "displayName": "Password Minimum # Lowercase Letters", - "displayType": "int", - "isOverridable": false, - "isVisible": true, - "serviceName": "KERBEROS", - "filename": "kerberos-env.xml", - "category": "Advanced kerberos-env", - "index" : 5 - }, - { - "id": "puppet var", - "name": "password_min_uppercase_letters", - "displayName": "Password Minimum # Uppercase Letters", - "displayType": "int", - "isOverridable": false, - "isVisible": true, - "serviceName": "KERBEROS", - "filename": "kerberos-env.xml", - "category": "Advanced kerberos-env", - "index" : 6 - }, - { - "id": "puppet var", - "name": "password_min_digits", - "displayName": "Password Minimum # Digits", - "displayType": "int", - "isOverridable": false, - "isVisible": true, - "serviceName": "KERBEROS", - "filename": "kerberos-env.xml", - "category": "Advanced kerberos-env", - "index" : 7 - }, - { - "id": "puppet var", - "name": "password_min_punctuation", - "displayName": "Password Minimum # Punctuation Characters", - "displayType": "int", - "isOverridable": false, - "isVisible": true, - "serviceName": "KERBEROS", - "filename": "kerberos-env.xml", - "category": "Advanced kerberos-env", - "index" : 8 - }, - { - "id": "puppet var", - "name": "password_min_whitespace", - "displayName": "Password Minimum # Whitespace Characters", - "displayType": "int", - "isOverridable": false, - "isVisible": true, - "serviceName": "KERBEROS", - "filename": "kerberos-env.xml", - "category": "Advanced kerberos-env", - "index" : 9 - }, - { - "id": "puppet var", - "name": "create_attributes_template", - "displayName": "Attribute template", - "displayType": "content", - "isOverridable": false, - "isVisible": true, - "serviceName": "KERBEROS", - "filename": "kerberos-env.xml", - "category": "Advanced kerberos-env", - "index" : 10 + "category": "Advanced kerberos-env" }, { "id": "puppet var",
