Repository: ambari Updated Branches: refs/heads/branch-2.4 1f7a4ee91 -> d3de20c45
AMBARI-17952. Add nimbus.impersontation.acl on upgrade (Sriharsha Chintalapani via alejandro) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/d3de20c4 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/d3de20c4 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/d3de20c4 Branch: refs/heads/branch-2.4 Commit: d3de20c45a27170c66aa4324c8a60bf98565a175 Parents: 1f7a4ee Author: Alejandro Fernandez <[email protected]> Authored: Fri Aug 5 15:09:46 2016 -0700 Committer: Alejandro Fernandez <[email protected]> Committed: Fri Aug 5 15:09:46 2016 -0700 ---------------------------------------------------------------------- .../stacks/HDP/2.3/upgrades/config-upgrade.xml | 17 +++++++++++++++++ .../HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml | 3 +++ .../stacks/HDP/2.3/upgrades/upgrade-2.5.xml | 1 + .../stacks/HDP/2.4/upgrades/config-upgrade.xml | 19 +++++++++++++++++++ .../HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml | 2 ++ .../stacks/HDP/2.4/upgrades/upgrade-2.5.xml | 1 + .../stacks/HDP/2.5/services/stack_advisor.py | 8 +++++--- 7 files changed, 48 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/d3de20c4/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml index 9b4ef8c..50f2011 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml 
@@ -494,6 +494,23 @@ replace-with="org.apache.storm.security.auth.KerberosPrincipalToLocal" /> <set key="client.jartransformer.class" value="org.apache.storm.hack.StormShadeTransformer" /> </definition> + <definition xsi:type="configure" id="hdp_2_5_0_0_add_storm_security_configs"> + <condition type="cluster-env" key="security_enabled" value="true"> + <type>storm-site</type> + <key>nimbus.impersonation.authorizer</key> + <value>org.apache.storm.security.auth.authorizer.ImpersonationAuthorizer</value> + </condition> + <condition type="cluster-env" key="security_enabled" value="true"> + <type>storm-site</type> + <key>nimbus.impersonation.acl</key> + <value>"{ {{storm_bare_jaas_principal}} : {hosts: ['*'], groups: ['*']}}"</value> + </condition> + <condition type="cluster-env" key="security_enabled" value="true"> + <type>storm-site</type> + <key>nimbus.admins</key> + <value>"['{{storm_bare_jaas_principal}}', '{{ambari_bare_jaas_principal}}']"</value> + </condition> + </definition> <!-- All of these configs are present in Atlas' application.properties file instead and then copied to the hook's atlas-application.properties file. --> <definition xsi:type="configure" id="hdp_2_5_0_0_remove_storm_atlas_configs"> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3de20c4/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml index 4c09f43..0d15c14 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml @@ -1,3 +1,4 @@ + <?xml version="1.0"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more 
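Review bot: The `nimbus.impersonation.acl` value in the new `hdp_2_5_0_0_add_storm_security_configs` definition lets the Storm principal impersonate any user from any host (`hosts: ['*'], groups: ['*']`), and nothing in the hunk records that this breadth is intended. The definition is applied during upgrade whenever `cluster-env/security_enabled` is `true`, so it may also replace an operator's narrower ACL or a customised `nimbus.admins` list; whether an existing value is preserved is not visible here and should be confirmed. I would add a comment above the definition, for example `<!-- Wildcard hosts/groups: the Storm principal may impersonate any user; tighten after upgrade if policy requires. -->`. The same definition is added to HDP/2.4 `config-upgrade.xml` in hunk `@@ -296,6 +297,24 @@`, so the comment applies there as well.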
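Review bot: The `@@ -1,3 +1,4 @@` hunk of HDP/2.3 `nonrolling-upgrade-2.5.xml` appears to add an empty line ahead of `<?xml version="1.0"?>`: the old side is three lines (the declaration, `<!--`, the licence text) and the only added line sits before the declaration. An XML declaration is valid only as the very first characters of a document, so a conforming parser would reject the upgrade pack if anything, even a newline, precedes it. The added line should be dropped so that `<?xml version="1.0"?>` stays on line 1.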
@@ -431,6 +432,8 @@ <execute-stage service="STORM" component="NIMBUS" title="Apply config changes for Storm"> <!-- Remove Atlas configs that were incorrectly added to storm-site instead of Atlas' application.properties. --> <task xsi:type="configure" id="hdp_2_5_0_0_remove_storm_atlas_configs"/> + <!-- Add nimbus.impersonation acls . --> + <task xsi:type="configure" id="hdp_2_5_0_0_add_storm_security_configs" /> </execute-stage> </group> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3de20c4/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml index c4f7a4e..b36bd25 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml @@ -1010,6 +1010,7 @@ <script>scripts/storm_upgrade.py</script> <function>delete_storm_local_data</function> </task> + <task xsi:type="configure" id="hdp_2_5_0_0_add_storm_security_configs" /> </pre-upgrade> <pre-downgrade> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3de20c4/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml index 29134a3..abd8b1f 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml 
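Review bot: The comment added above the new task in `@@ -431,6 +432,8 @@`, `<!-- Add nimbus.impersonation acls . -->`, understates what `hdp_2_5_0_0_add_storm_security_configs` changes: the definition in `config-upgrade.xml` also sets `nimbus.impersonation.authorizer` and `nimbus.admins`. I would write `<!-- On secure clusters, set nimbus.impersonation.authorizer, nimbus.impersonation.acl and nimbus.admins. -->` so that an operator reading the upgrade pack knows the admin list is touched. The same short comment is added in HDP/2.4 `nonrolling-upgrade-2.5.xml`, and the tasks added to the two `upgrade-2.5.xml` files carry no comment at all.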
@@ -269,6 +269,7 @@ <transfer operation="delete" delete-key="xasecure.audit.credential.provider.file" /> <transfer operation="delete" delete-key="xasecure.audit.destination.db.batch.filespool.dir" /> </definition> + <definition xsi:type="configure" id="hdp_2_5_0_0_upgrade_storm_1.0"> <type>storm-site</type> @@ -296,6 +297,24 @@ replace-with="org.apache.storm.security.auth.KerberosPrincipalToLocal" /> <set key="client.jartransformer.class" value="org.apache.storm.hack.StormShadeTransformer" /> </definition> + + <definition xsi:type="configure" id="hdp_2_5_0_0_add_storm_security_configs"> + <condition type="cluster-env" key="security_enabled" value="true"> + <type>storm-site</type> + <key>nimbus.impersonation.authorizer</key> + <value>org.apache.storm.security.auth.authorizer.ImpersonationAuthorizer</value> + </condition> + <condition type="cluster-env" key="security_enabled" value="true"> + <type>storm-site</type> + <key>nimbus.impersonation.acl</key> + <value>"{ {{storm_bare_jaas_principal}} : {hosts: ['*'], groups: ['*']}}"</value> + </condition> + <condition type="cluster-env" key="security_enabled" value="true"> + <type>storm-site</type> + <key>nimbus.admins</key> + <value>"['{{storm_bare_jaas_principal}}', '{{ambari_bare_jaas_principal}}']"</value> + </condition> + </definition> <!-- All of these configs are present in Atlas' application.properties file instead and then copied to the hook's atlas-application.properties file. --> <definition xsi:type="configure" id="hdp_2_5_0_0_remove_storm_atlas_configs"> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3de20c4/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml index a58161f..baf13b8 100644 
--- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml @@ -381,6 +381,8 @@ <execute-stage service="STORM" component="NIMBUS" title="Apply config changes for Storm"> <!-- Remove Atlas configs that were incorrectly added to storm-site instead of Atlas' application.properties. --> <task xsi:type="configure" id="hdp_2_5_0_0_remove_storm_atlas_configs"/> + <!-- Add nimbus.impersonation acls . --> + <task xsi:type="configure" id="hdp_2_5_0_0_add_storm_security_configs" /> </execute-stage> <!-- KAFKA --> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3de20c4/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml index 5eec929..cc15bbd 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml @@ -966,6 +966,7 @@ <script>scripts/storm_upgrade.py</script> <function>delete_storm_local_data</function> </task> + <task xsi:type="configure" id="hdp_2_5_0_0_add_storm_security_configs" /> </pre-upgrade> <pre-downgrade> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3de20c4/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py index e982285..1c66931 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py 
@@ -419,12 +419,14 @@ class HDP25StackAdvisor(HDP24StackAdvisor): putStormSiteProperty = self.putProperty(configurations, "storm-site", services) putStormSiteAttributes = self.putPropertyAttribute(configurations, "storm-site") security_enabled = (storm_site is not None and "storm.zookeeper.superACL" in storm_site) + if security_enabled: _storm_principal_name = services['configurations']['storm-env']['properties']['storm_principal_name'] storm_bare_jaas_principal = get_bare_principal(_storm_principal_name) - storm_nimbus_impersonation_acl = storm_site["nimbus.impersonation.acl"] - storm_nimbus_impersonation_acl.replace('{{storm_bare_jaas_principal}}', storm_bare_jaas_principal) - putStormSiteProperty('nimbus.impersonation.acl', storm_nimbus_impersonation_acl) + if 'nimbus.impersonation.acl' in storm_site: + storm_nimbus_impersonation_acl = storm_site["nimbus.impersonation.acl"] + storm_nimbus_impersonation_acl.replace('{{storm_bare_jaas_principal}}', storm_bare_jaas_principal) + putStormSiteProperty('nimbus.impersonation.acl', storm_nimbus_impersonation_acl) rangerPluginEnabled = '' if 'ranger-storm-plugin-properties' in configurations and 'ranger-storm-plugin-enabled' in configurations['ranger-storm-plugin-properties']['properties']: rangerPluginEnabled = configurations['ranger-storm-plugin-properties']['properties']['ranger-storm-plugin-enabled']
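Review bot: The result of `storm_nimbus_impersonation_acl.replace(...)` is still discarded in the lines moved under the new `if 'nimbus.impersonation.acl' in storm_site:` guard; Python strings are immutable, so `putStormSiteProperty` writes the ACL back with the literal `{{storm_bare_jaas_principal}}` still in it. Unless the placeholder is rendered somewhere outside this hunk, the impersonation ACL is then keyed on the template text rather than on the real Storm principal. The call should assign its result: `storm_nimbus_impersonation_acl = storm_nimbus_impersonation_acl.replace('{{storm_bare_jaas_principal}}', storm_bare_jaas_principal)`. The lookup of `storm_principal_name` under `storm-env` just above is unguarded in the same way and would raise `KeyError` if that property is absent. The enclosing method starts and ends outside the hunk.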
