Repository: ambari Updated Branches: refs/heads/trunk c6e61d8bb -> 9b6d33d0c
AMBARI-13060. Kerberos: Allow user to specify additional realms for auth-to-local rules (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/9b6d33d0 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/9b6d33d0 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/9b6d33d0 Branch: refs/heads/trunk Commit: 9b6d33d0cb8635ca13f23b468c32bb31c30bd966 Parents: c6e61d8 Author: Robert Levas <[email protected]> Authored: Mon Sep 14 17:57:15 2015 -0400 Committer: Robert Levas <[email protected]> Committed: Mon Sep 14 17:57:26 2015 -0400 ---------------------------------------------------------------------- .../server/controller/AuthToLocalBuilder.java | 33 +++++++- .../server/controller/KerberosHelperImpl.java | 5 +- .../HDFS/2.1.0.2.0/kerberos.json | 1 - .../resources/stacks/HDP/2.0.6/kerberos.json | 3 +- .../server/api/services/AmbariMetaInfoTest.java | 2 +- .../controller/AuthToLocalBuilderTest.java | 85 +++++++++++++++++++- .../server/controller/KerberosHelperTest.java | 1 + .../resources/stacks/HDP/2.0.8/kerberos.json | 3 +- .../app/mixins/wizard/addSecurityConfigs.js | 1 + 9 files changed, 126 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java index 00e8291..a8fc487 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java 
@@ -20,6 +20,7 @@ package org.apache.ambari.server.controller;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
@@ -66,14 +67,36 @@ public class AuthToLocalBuilder {
 private boolean caseInsensitiveUser;
 /**
+ * A set of additional realm names to reference when generating rules.
+ */
+ private Set<String> additionalRealms = new HashSet<String>();
+
+ /**
 * Default constructor. Case insensitive support false by default
 */
 public AuthToLocalBuilder() {
- this.caseInsensitiveUser = false;
+ this(false, null);
 }
- public AuthToLocalBuilder(boolean caseInsensitiveUserSupport) {
+ /**
+ * Constructs a new AuthToLocalBuilder.
+ *
+ * @param caseInsensitiveUserSupport true indicating that case-insensitivity should be enabled;
+ * false otherwise
+ * @param additionalRealms a String containing a comma-delimited list of realm names to generate
+ * default auth-to-local rules for
+ */
+ public AuthToLocalBuilder(boolean caseInsensitiveUserSupport, String additionalRealms) {
 this.caseInsensitiveUser = caseInsensitiveUserSupport;
+
+ if ((additionalRealms != null) && !additionalRealms.isEmpty()) {
+ for (String realm : additionalRealms.split("\\s*(?:\\r?\\n|,)\\s*")) {
+ realm = realm.trim();
+ if (!realm.isEmpty()) {
+ this.additionalRealms.add(realm);
+ }
+ }
+ }
 }
 /**
@@ -161,6 +184,11 @@ public class AuthToLocalBuilder {
 // ensure that a default rule is added for this realm
 setRules.add(createDefaultRealmRule(realm));
+ // ensure that a default realm rule is added for the specified additional realms
+ for (String additionalRealm : additionalRealms) {
+ setRules.add(createDefaultRealmRule(additionalRealm));
+ }
+
 if (concatenationType == null) {
 concatenationType = DEFAULT_CONCATENATION_TYPE;
 }
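Review bot: The Javadoc on the new AuthToLocalBuilder(boolean, String) constructor says additionalRealms is comma-delimited, but the split pattern `"\\s*(?:\\r?\\n|,)\\s*"` also accepts newline separators, so the tag should read `@param additionalRealms a String containing a comma- or newline-delimited list of realm names to generate default auth-to-local rules for`. Each parsed realm is later passed unchanged to createDefaultRealmRule, and the expected strings in AuthToLocalBuilderTest show it lands inside a rule regex (`RULE:[1:$1@$0](.*@REALM2)s/@.*//`), so an entry containing rule or regex metacharacters such as `)` or `/` yields a malformed or over-broad rule instead of an error; since the value comes from a descriptor property the UI leaves editable, checking each entry in this loop against a conservative realm-name pattern and rejecting the rest, e.g. `if (!realm.matches("[A-Za-z0-9._-]+")) throw new IllegalArgumentException("invalid realm name: " + realm);`, would fail early with a clear message. The constructor Javadoc should also state the effect of listing a realm: the generated default rule maps every principal from that realm to its bare user name, so it is a trust decision on par with the cluster's own realm. The method containing the third hunk (where the additional-realm rules are added) starts and ends outside this hunk.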
@@ -269,6 +297,7 @@ public class AuthToLocalBuilder {
 copy.setRules.add(rule);
 }
 copy.caseInsensitiveUser = this.caseInsensitiveUser;
+ copy.additionalRealms.addAll(this.additionalRealms);
 return copy;
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
index 11f578f..a1cd5b8 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
@@ -395,8 +395,11 @@ public class KerberosHelperImpl implements KerberosHelper {
 // the 'kerberos-env' structure is expected to be available here as it was previously validated
 boolean caseInsensitiveUser = Boolean.valueOf(existingConfigurations.get("kerberos-env").get("case_insensitive_username_rules"));
+ // Additional realms that need to be handled according to the Kerberos Descriptor
+ String additionalRealms = kerberosDescriptor.getProperty("additional_realms");
+
+ // Determine which properties need to be set
- AuthToLocalBuilder authToLocalBuilder = new AuthToLocalBuilder(caseInsensitiveUser);
+ AuthToLocalBuilder authToLocalBuilder = new AuthToLocalBuilder(caseInsensitiveUser, additionalRealms);
 addIdentities(authToLocalBuilder, kerberosDescriptor.getIdentities(), null, existingConfigurations);
 authToLocalProperties = kerberosDescriptor.getAuthToLocalProperties();
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
----------------------------------------------------------------------
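Review bot: The value read with `kerberosDescriptor.getProperty("additional_realms")` is handed to AuthToLocalBuilder as-is, while the sibling descriptor property realm is written as a `${kerberos-env/realm}` reference in the stack kerberos.json files this commit touches; if getProperty returns the raw descriptor string (not visible here), a `${...}` reference typed into additional_realms would be emitted literally into the generated auth_to_local rules. If literal realm names are the intent, say so above the call, e.g. `// additional_realms must hold literal realm names; ${...} references are not resolved here`; otherwise resolve such references before constructing the builder. The enclosing method starts and ends outside this hunk.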
diff --git a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
index df99bce..df83969 100644
--- a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
@@ -45,7 +45,6 @@
 "core-site": {
 "hadoop.security.authentication": "kerberos",
 "hadoop.security.authorization": "true",
- "hadoop.security.auth_to_local": "",
 "hadoop.proxyuser.HTTP.groups": "${hadoop-env/proxyuser_group}"
 }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
index 03198dc..52e7ee0 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
@@ -1,7 +1,8 @@
 {
 "properties": {
 "realm": "${kerberos-env/realm}",
- "keytab_dir": "/etc/security/keytabs"
+ "keytab_dir": "/etc/security/keytabs",
+ "additional_realms": ""
 },
 "identities": [
 {
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java b/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
index 26253da..cf7c8cd 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java
@@ -1846,7 +1846,7 @@ public class AmbariMetaInfoTest {
 Assert.assertNotNull(descriptor);
 Assert.assertNotNull(descriptor.getProperties());
- Assert.assertEquals(2, descriptor.getProperties().size());
+ Assert.assertEquals(3, descriptor.getProperties().size());
 Assert.assertNotNull(descriptor.getIdentities());
 Assert.assertEquals(1, descriptor.getIdentities().size());
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
index 9e65b5e..cbcffe6 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
@@ -57,7 +57,7 @@ public class AuthToLocalBuilderTest {
 @Test
 public void testRuleGeneration_caseInsensitiveSupport() {
- AuthToLocalBuilder builder = new AuthToLocalBuilder(true);
+ AuthToLocalBuilder builder = new AuthToLocalBuilder(true, null);
 builder.addRule("nn/[email protected]", "hdfs");
 // Duplicate principal for secondary namenode, should be filtered out...
@@ -312,4 +312,87 @@ public class AuthToLocalBuilderTest { assertEquals(copy.generate("EXAMPLE.COM"), builder.generate("EXAMPLE.COM")); } + + @Test + public void testAdditionalRealms() { + AuthToLocalBuilder builder = new AuthToLocalBuilder(false, "REALM2,REALM3, REALM1 "); + + builder.addRules( + "RULE:[1:$1@$0](.*@FOOBAR.COM)s/@.*//\n" + + "DEFAULT"); + + builder.addRule("nn/[email protected]", "hdfs"); + builder.addRule("dn/[email protected]", "hdfs"); + builder.addRule("jn/[email protected]", "hdfs"); + builder.addRule("rm/[email protected]", "yarn"); + builder.addRule("jhs/[email protected]", "mapred"); + builder.addRule("hm/[email protected]", "hbase"); + builder.addRule("rs/[email protected]", "hbase"); + + assertEquals( + "RULE:[1:$1@$0](.*@FOOBAR.COM)s/@.*//\n" + + "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" + + "RULE:[1:$1@$0](.*@REALM2)s/@.*//\n" + + "RULE:[1:$1@$0](.*@REALM1)s/@.*//\n" + + "RULE:[1:$1@$0](.*@REALM3)s/@.*//\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hdfs/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hbase/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/mapred/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hdfs/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hdfs/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/yarn/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hbase/\n" + + "DEFAULT", + builder.generate("EXAMPLE.COM")); + } + + @Test + public void testAdditionalRealms_Null() { + AuthToLocalBuilder builder = new AuthToLocalBuilder(false, null); + + builder.addRule("nn/[email protected]", "hdfs"); + builder.addRule("dn/[email protected]", "hdfs"); + builder.addRule("jn/[email protected]", "hdfs"); + builder.addRule("rm/[email protected]", "yarn"); + builder.addRule("jhs/[email protected]", "mapred"); + builder.addRule("hm/[email protected]", "hbase"); + builder.addRule("rs/[email protected]", "hbase"); + + assertEquals( + "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hdfs/\n" + + "RULE:[2:$1@$0]([email 
protected])s/.*/hbase/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/mapred/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hdfs/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hdfs/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/yarn/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hbase/\n" + + "DEFAULT", + builder.generate("EXAMPLE.COM")); + } + + @Test + public void testAdditionalRealms_Empty() { + AuthToLocalBuilder builder = new AuthToLocalBuilder(false, ""); + + builder.addRule("nn/[email protected]", "hdfs"); + builder.addRule("dn/[email protected]", "hdfs"); + builder.addRule("jn/[email protected]", "hdfs"); + builder.addRule("rm/[email protected]", "yarn"); + builder.addRule("jhs/[email protected]", "mapred"); + builder.addRule("hm/[email protected]", "hbase"); + builder.addRule("rs/[email protected]", "hbase"); + + assertEquals( + "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hdfs/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hbase/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/mapred/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hdfs/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hdfs/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/yarn/\n" + + "RULE:[2:$1@$0]([email protected])s/.*/hbase/\n" + + "DEFAULT", + builder.generate("EXAMPLE.COM")); + } } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java index f28a19b..7144ad0 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 
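Review bot: testAdditionalRealms covers a comma-delimited value with stray whitespace, but none of the three new tests exercise the newline separator the builder's split pattern accepts, a realm listed twice, or an additional realm equal to the primary realm passed to generate; assuming the rule set de-duplicates realm rules as it does principals, each of those should produce exactly one rule and deserves an assertion. A case such as `new AuthToLocalBuilder(false, "REALM2\nREALM2\nEXAMPLE.COM")` asserting a single `RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//` and a single REALM2 rule would pin that down. The expected order of the additional-realm rules (REALM2, REALM1, REALM3 for the input "REALM2,REALM3, REALM1 ") is neither input order nor alphabetical, so the assertion is pinning whatever ordering the builder's rule set happens to produce; a comment on the expected string explaining where that order comes from would keep the test maintainable.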
@@ -1625,6 +1625,7 @@ public class KerberosHelperTest extends EasyMockSupport {
 ))).times(1);
 final KerberosDescriptor kerberosDescriptor = createMock(KerberosDescriptor.class);
+ expect(kerberosDescriptor.getProperty("additional_realms")).andReturn(null).times(1);
 expect(kerberosDescriptor.getIdentities()).andReturn(null).times(1);
 expect(kerberosDescriptor.getAuthToLocalProperties()).andReturn(null).times(1);
 expect(kerberosDescriptor.getServices()).andReturn(Collections.singletonMap("SERVICE1", serviceDescriptor1)).times(1);
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json b/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
index cf49786..14eefbf 100644
--- a/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
+++ b/ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json
@@ -1,7 +1,8 @@
 {
 "properties": {
 "realm": "${cluster-env/kerberos_domain}",
- "keytab_dir": "/etc/security/keytabs"
+ "keytab_dir": "/etc/security/keytabs",
+ "additional_realms": ""
 },
 "identities": [
 {
http://git-wip-us.apache.org/repos/asf/ambari/blob/9b6d33d0/ambari-web/app/mixins/wizard/addSecurityConfigs.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/mixins/wizard/addSecurityConfigs.js b/ambari-web/app/mixins/wizard/addSecurityConfigs.js
index d14d09e..3d2b11a 100644
--- a/ambari-web/app/mixins/wizard/addSecurityConfigs.js
+++ b/ambari-web/app/mixins/wizard/addSecurityConfigs.js
@@ -215,6 +215,7 @@ App.AddSecurityConfigs = Em.Mixin.create({
 displayName: serviceName == "Cluster" ? App.format.normalizeName(propertyName) : propertyName,
 isOverridable: false,
 isEditable: propertyName != 'realm',
+ isRequired: propertyName != 'additional_realms',
 isSecureConfig: true
 };
 configs.push(App.ServiceConfigProperty.create(propertyObject));
