Repository: ambari
Updated Branches:
  refs/heads/trunk 6038e0120 -> dcf779d28


Revert "AMBARI-18406. Create authentication filter to perform Kerberos 
authentication for Ambari (rlevas)"

This reverts commit b4320b5a8d29b812e9fe86da69a219a17d5e4ea7.


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/dcf779d2
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/dcf779d2
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/dcf779d2

Branch: refs/heads/trunk
Commit: dcf779d28e511b07821e6f54702b918a87b22d02
Parents: 6038e01
Author: Robert Levas <rle...@hortonworks.com>
Authored: Wed Sep 21 10:42:10 2016 -0400
Committer: Robert Levas <rle...@hortonworks.com>
Committed: Wed Sep 21 10:42:54 2016 -0400

----------------------------------------------------------------------
 ambari-project/pom.xml                          |   5 -
 ambari-server/pom.xml                           |   6 +-
 .../server/configuration/Configuration.java     |  30 +--
 .../server/controller/KerberosHelper.java       |   2 -
 .../server/controller/KerberosHelperImpl.java   |  18 +-
 .../server/security/AmbariEntryPoint.java       |  15 +-
 .../AmbariAuthToLocalUserDetailsService.java    | 139 -----------
 .../AmbariKerberosAuthenticationFilter.java     | 172 --------------
 .../kerberos/AmbariKerberosTicketValidator.java |  93 --------
 .../AbstractPrepareKerberosServerAction.java    |  10 +-
 .../ConfigureAmbariIdentitiesServerAction.java  | 235 -------------------
 .../ConfigureAmbariIndetityServerAction.java    | 208 ++++++++++++++++
 .../kerberos/CreatePrincipalsServerAction.java  |   5 +-
 .../kerberos/KerberosServerAction.java          |  12 +-
 .../webapp/WEB-INF/spring-security.xml          |  32 +--
 .../server/controller/KerberosHelperTest.java   |   6 +-
 ...AmbariAuthToLocalUserDetailsServiceTest.java |  92 --------
 .../AmbariKerberosAuthenticationFilterTest.java | 133 -----------
 .../AmbariKerberosTicketValidatorTest.java      |  49 ----
 19 files changed, 241 insertions(+), 1021 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-project/pom.xml
----------------------------------------------------------------------
diff --git a/ambari-project/pom.xml b/ambari-project/pom.xml
index 4f045fe..2615b46 100644
--- a/ambari-project/pom.xml
+++ b/ambari-project/pom.xml
@@ -132,11 +132,6 @@
         <version>3.1.2.RELEASE</version>
       </dependency>
       <dependency>
-        <groupId>org.springframework.security.kerberos</groupId>
-        <artifactId>spring-security-kerberos-web</artifactId>
-        <version>1.0.1.RELEASE</version>
-      </dependency>
-      <dependency>
         <groupId>org.springframework</groupId>
         <artifactId>spring-mock</artifactId>
         <version>2.0.8</version>

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/pom.xml
----------------------------------------------------------------------
diff --git a/ambari-server/pom.xml b/ambari-server/pom.xml
index 5731c9d..197c992 100644
--- a/ambari-server/pom.xml
+++ b/ambari-server/pom.xml
@@ -44,7 +44,7 @@
     
<stacksSrcLocation>src/main/resources/stacks/${stack.distribution}</stacksSrcLocation>
     <tarballResourcesFolder>src/main/resources</tarballResourcesFolder>
     <skipPythonTests>false</skipPythonTests>
-    <hadoop.version>2.7.2</hadoop.version>
+    <hadoop.version>2.7.1</hadoop.version>
     <empty.dir>src/main/package</empty.dir> <!-- any directory in project with 
not very big amount of files (not to waste-load them) -->
     <el.log>ALL</el.log> <!-- log level for EclipseLink 
eclipselink-staticweave-maven-plugin -->
   </properties>
@@ -986,10 +986,6 @@
       <artifactId>spring-security-web</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.springframework.security.kerberos</groupId>
-      <artifactId>spring-security-kerberos-web</artifactId>
-    </dependency>
-    <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-mock</artifactId>
       <scope>test</scope>

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index f1058b6..b2fa4c0 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -5284,11 +5284,9 @@ public class Configuration {
         try {
           orderedUserTypes.add(UserType.valueOf(type.toUpperCase()));
         } catch (IllegalArgumentException e) {
-          String message = String.format("While processing ordered user types 
from %s, " +
+          throw new IllegalArgumentException(String.format("While processing 
ordered user types from %s, " +
                   "%s was found to be an invalid user type.",
-              KERBEROS_AUTH_USER_TYPES.getKey(), type);
-          LOG.error(message);
-          throw new IllegalArgumentException(message, e);
+              KERBEROS_AUTH_USER_TYPES.getKey(), type), e);
         }
       }
     }
@@ -5322,11 +5320,9 @@ public class Configuration {
     // Validate the SPNEGO principal name to ensure it was set.
     // Log any found issues.
     if (StringUtils.isEmpty(kerberosAuthProperties.getSpnegoPrincipalName())) {
-      String message = String.format("The SPNEGO principal name specified in 
%s is empty. " +
+      throw new IllegalArgumentException(String.format("The SPNEGO principal 
name specified in %s is empty. " +
               "This will cause issues authenticating users using Kerberos.",
-          KERBEROS_AUTH_SPNEGO_PRINCIPAL.getKey());
-      LOG.error(message);
-      throw new IllegalArgumentException(message);
+          KERBEROS_AUTH_SPNEGO_PRINCIPAL.getKey()));
     }
 
     // Get the SPNEGO keytab file. There is nothing special to process for 
this value.
@@ -5335,25 +5331,19 @@ public class Configuration {
     // Validate the SPNEGO keytab file to ensure it was set, it exists and it 
is readable by Ambari.
     // Log any found issues.
     if (StringUtils.isEmpty(kerberosAuthProperties.getSpnegoKeytabFilePath())) 
{
-      String message = String.format("The SPNEGO keytab file path specified in 
%s is empty. " +
+      throw new IllegalArgumentException(String.format("The SPNEGO keytab file 
path specified in %s is empty. " +
               "This will cause issues authenticating users using Kerberos.",
-          KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey());
-      LOG.error(message);
-      throw new IllegalArgumentException(message);
+          KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey()));
     } else {
       File keytabFile = new 
File(kerberosAuthProperties.getSpnegoKeytabFilePath());
       if (!keytabFile.exists()) {
-        String message = String.format("The SPNEGO keytab file path (%s) 
specified in %s does not exist. " +
+        throw new IllegalArgumentException(String.format("The SPNEGO keytab 
file path (%s) specified in %s does not exist. " +
                 "This will cause issues authenticating users using Kerberos.",
-            keytabFile.getAbsolutePath(), 
KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey());
-        LOG.error(message);
-        throw new IllegalArgumentException(message);
+            keytabFile.getAbsolutePath(), 
KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey()));
       } else if (!keytabFile.canRead()) {
-        String message = String.format("The SPNEGO keytab file path (%s) 
specified in %s cannot be read. " +
+        throw new IllegalArgumentException(String.format("The SPNEGO keytab 
file path (%s) specified in %s cannot be read. " +
                 "This will cause issues authenticating users using Kerberos.",
-            keytabFile.getAbsolutePath(), 
KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey());
-        LOG.error(message);
-        throw new IllegalArgumentException(message);
+            keytabFile.getAbsolutePath(), 
KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey()));
       }
     }
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
index 1153d01..c4d21fc 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
@@ -70,8 +70,6 @@ public interface KerberosHelper {
 
   String AMBARI_IDENTITY_NAME = "ambari-server";
 
-  String SPNEGO_IDENTITY_NAME = "spnego";
-
   String CREATE_AMBARI_PRINCIPAL = "create_ambari_principal";
 
   String MANAGE_IDENTITIES = "manage_identities";

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
index a3c6fd4..5bc5cd8 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
@@ -61,7 +61,7 @@ import 
org.apache.ambari.server.security.encryption.CredentialStoreService;
 import org.apache.ambari.server.serveraction.ActionLog;
 import org.apache.ambari.server.serveraction.ServerAction;
 import org.apache.ambari.server.serveraction.kerberos.CleanupServerAction;
-import 
org.apache.ambari.server.serveraction.kerberos.ConfigureAmbariIdentitiesServerAction;
+import 
org.apache.ambari.server.serveraction.kerberos.ConfigureAmbariIndetityServerAction;
 import 
org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction;
 import 
org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction;
 import 
org.apache.ambari.server.serveraction.kerberos.DestroyPrincipalsServerAction;
@@ -761,7 +761,7 @@ public class KerberosHelperImpl implements KerberosHelper {
    * @param ambariServerIdentity the ambari server's {@link 
KerberosIdentityDescriptor}
    * @param configurations       a map of compiled configrations used for 
variable replacment
    * @throws AmbariException
-   * @see 
ConfigureAmbariIdentitiesServerAction#installAmbariServerIdentity(String, 
String, String, ActionLog)
+   * @see 
ConfigureAmbariIndetityServerAction#installAmbariServerIdentity(String, String, 
String, ActionLog)
    */
   private void installAmbariIdentity(KerberosIdentityDescriptor 
ambariServerIdentity,
                                      Map<String, Map<String, String>> 
configurations) throws AmbariException {
@@ -775,7 +775,7 @@ public class KerberosHelperImpl implements KerberosHelper {
         if(keytabDescriptor != null) {
           String keytabFilePath = 
variableReplacementHelper.replaceVariables(keytabDescriptor.getFile(), 
configurations);
 
-          injector.getInstance(ConfigureAmbariIdentitiesServerAction.class)
+          injector.getInstance(ConfigureAmbariIndetityServerAction.class)
               .installAmbariServerIdentity(principal, 
ambariServerPrincipalEntity.getCachedKeytabPath(), keytabFilePath, null);
         }
       }
@@ -1259,7 +1259,7 @@ public class KerberosHelperImpl implements KerberosHelper 
{
                 serviceName, componentName, kerberosDescriptor, filterContext);
 
             if (hostname.equals(ambariServerHostname)) {
-              addAmbariServerIdentities(kerberosEnvConfig.getProperties(), 
kerberosDescriptor, identities);
+              addAmbariServerIdentity(kerberosEnvConfig.getProperties(), 
kerberosDescriptor, identities);
             }
 
             if (!identities.isEmpty()) {
@@ -1346,7 +1346,7 @@ public class KerberosHelperImpl implements KerberosHelper 
{
    * @param kerberosDescriptor    the kerberos descriptor
    * @param identities            the collection of identities to add to
    */
-  void addAmbariServerIdentities(Map<String, String> kerberosEnvProperties, 
KerberosDescriptor kerberosDescriptor, List<KerberosIdentityDescriptor> 
identities) {
+  void addAmbariServerIdentity(Map<String, String> kerberosEnvProperties, 
KerberosDescriptor kerberosDescriptor, List<KerberosIdentityDescriptor> 
identities) {
     // Determine if we should _calculate_ the Ambari service identity.
     // If kerberos-env/create_ambari_principal is not set to false the 
identity should be calculated.
     boolean createAmbariPrincipal = (kerberosEnvProperties == null) || 
!"false".equalsIgnoreCase(kerberosEnvProperties.get(CREATE_AMBARI_PRINCIPAL));
@@ -1357,12 +1357,6 @@ public class KerberosHelperImpl implements 
KerberosHelper {
       if (ambariServerIdentity != null) {
         identities.add(ambariServerIdentity);
       }
-
-      // Add the spnego principal for the Ambari server host....
-      KerberosIdentityDescriptor spnegoIdentity = 
kerberosDescriptor.getIdentity(KerberosHelper.SPNEGO_IDENTITY_NAME);
-      if (spnegoIdentity != null) {
-        identities.add(spnegoIdentity);
-      }
     }
   }
 
@@ -2805,7 +2799,7 @@ public class KerberosHelperImpl implements KerberosHelper 
{
           clusterHostInfoJson,
           "{}",
           hostParamsJson,
-          ConfigureAmbariIdentitiesServerAction.class,
+          ConfigureAmbariIndetityServerAction.class,
           event,
           commandParameters,
           "Configure Ambari Identity",

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java
index e37976f..2028f46 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java
@@ -28,19 +28,6 @@ import java.io.IOException;
 public class AmbariEntryPoint implements AuthenticationEntryPoint {
   @Override
   public void commence(HttpServletRequest request, HttpServletResponse 
response, AuthenticationException authException) throws IOException, 
ServletException {
-    /* 
*****************************************************************************************
-     * To maintain backward compatibility and respond with the appropriate 
response when
-     * authentication is needed, by default return an HTTP 403 status.
-     *
-     * However if requested by the user, respond such that the client is 
challenged to Negotiate
-     * and reissue the request with a Kerberos token.  This response is an 
HTTP 401 status with the
-     * WWW-Authenticate: Negotiate" header.
-     * 
******************************************************************************************
 */
-    if 
("true".equalsIgnoreCase(request.getHeader("X-Negotiate-Authentication"))) {
-      response.setHeader("WWW-Authenticate", "Negotiate");
-      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication 
requested");
-    } else {
-      response.sendError(HttpServletResponse.SC_FORBIDDEN, 
authException.getMessage());
-    }
+    response.sendError(HttpServletResponse.SC_FORBIDDEN, 
authException.getMessage());
   }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
deleted file mode 100644
index 3c62646..0000000
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import org.apache.ambari.server.AmbariException;
-import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
-import org.apache.ambari.server.security.authorization.UserType;
-import org.apache.ambari.server.security.authorization.Users;
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.security.authentication.util.KerberosName;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.core.userdetails.UsernameNotFoundException;
-
-import java.io.IOException;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-
-/**
- * AmbariAuthToLocalUserDetailsService is a {@link UserDetailsService} that 
translates
- * a Kerberos principal name into a local username that may be used when 
looking up
- * and Ambari user account.
- */
-public class AmbariAuthToLocalUserDetailsService implements UserDetailsService 
{
-  private static final Logger LOG = 
LoggerFactory.getLogger(AmbariAuthToLocalUserDetailsService.class);
-
-  private final Users users;
-
-  private final List<UserType> userTypeOrder;
-
-  /**
-   * Constructor.
-   * <p>
-   * Given the Ambari {@link Configuration}, initializes the {@link 
KerberosName} class using
-   * the <code>auth-to-local</code> rules from {@link 
AmbariKerberosAuthenticationProperties#getAuthToLocalRules()}.
-   *
-   * @param configuration the Ambari configuration data
-   * @param users         the Ambari users access object
-   * @throws AmbariException if an error occurs parsing the user-provided 
auth-to-local rules
-   */
-  public AmbariAuthToLocalUserDetailsService(Configuration configuration, 
Users users) throws AmbariException {
-    String authToLocalRules = null;
-    List<UserType> orderedUserTypes = null;
-
-    if (configuration != null) {
-      AmbariKerberosAuthenticationProperties properties = 
configuration.getKerberosAuthenticationProperties();
-
-      if (properties != null) {
-        authToLocalRules = properties.getAuthToLocalRules();
-        orderedUserTypes = properties.getOrderedUserTypes();
-      }
-    }
-
-    if (StringUtils.isEmpty(authToLocalRules)) {
-      authToLocalRules = "DEFAULT";
-    }
-
-    if ((orderedUserTypes == null) || orderedUserTypes.isEmpty()) {
-      orderedUserTypes = Collections.singletonList(UserType.LDAP);
-    }
-
-    KerberosName.setRules(authToLocalRules);
-
-    this.users = users;
-    this.userTypeOrder = orderedUserTypes;
-  }
-
-  @Override
-  public UserDetails loadUserByUsername(String principal) throws 
UsernameNotFoundException {
-    KerberosName kerberosName = new KerberosName(principal);
-
-    try {
-      String username = kerberosName.getShortName();
-
-      if (username == null) {
-        String message = String.format("Failed to translate %s to a local 
username during Kerberos authentication.", principal);
-        LOG.warn(message);
-        throw new UsernameNotFoundException(message);
-      }
-
-      LOG.info("Translated {} to {} using auth-to-local rules during Kerberos 
authentication.", principal, username);
-      return createUser(username);
-    } catch (IOException e) {
-      String message = String.format("Failed to translate %s to a local 
username during Kerberos authentication: %s", principal, 
e.getLocalizedMessage());
-      LOG.warn(message);
-      throw new UsernameNotFoundException(message, e);
-    }
-  }
-
-  /**
-   * Given a username, finds an appropriate account in the Ambari database.
-   * <p>
-   * User accounts are searched in order of preferred user type as specified 
in the Ambari configuration
-   * ({@link Configuration#KERBEROS_AUTH_USER_TYPES}).
-   *
-   * @param username a username
-   * @return the user details of the found user, or <code>null</code> if an 
appropriate user was not found
-   */
-  private UserDetails createUser(String username) {
-    // Iterate over the ordered user types... when an account for the 
username/type combination is
-    // found, build the related AmbariUserAuthentication instance and return 
it.  Only the first
-    // match matters... this may be an issue and cause some ambiguity in the 
event multiple user
-    // types are specified in the configuration and multiple accounts for the 
same username, but
-    // different types (LOCAL vs LDAP, etc...).
-    for (UserType userType : userTypeOrder) {
-      org.apache.ambari.server.security.authorization.User user = 
users.getUser(username, userType);
-
-      if (user != null) {
-        Collection<AmbariGrantedAuthority> userAuthorities = 
users.getUserAuthorities(user.getUserName(), user.getUserType());
-        return new User(username, "", userAuthorities);
-      }
-    }
-
-    String message = String.format("Failed find user account for user with 
username of %s during Kerberos authentication.", username);
-    LOG.warn(message);
-    throw new UsernameNotFoundException(message);
-  }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilter.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilter.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilter.java
deleted file mode 100644
index a5a3922..0000000
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilter.java
+++ /dev/null
@@ -1,172 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import org.apache.ambari.server.audit.AuditLogger;
-import org.apache.ambari.server.audit.event.AuditEvent;
-import org.apache.ambari.server.audit.event.LoginAuditEvent;
-import org.apache.ambari.server.configuration.Configuration;
-import 
org.apache.ambari.server.security.authentication.AmbariAuthenticationFilter;
-import org.apache.ambari.server.security.authorization.AuthorizationHelper;
-import org.apache.ambari.server.security.authorization.PermissionHelper;
-import org.apache.ambari.server.utils.RequestUtils;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import 
org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
-import org.springframework.security.web.AuthenticationEntryPoint;
-import 
org.springframework.security.web.authentication.AuthenticationFailureHandler;
-import 
org.springframework.security.web.authentication.AuthenticationSuccessHandler;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-/**
- * AmbariKerberosAuthenticationFilter extends the {@link 
SpnegoAuthenticationProcessingFilter} class
- * to perform Kerberos-based authentication for Ambari.
- * <p>
- * If configured, auditing is performed using {@link AuditLogger}.
- */
-public class AmbariKerberosAuthenticationFilter extends 
SpnegoAuthenticationProcessingFilter implements AmbariAuthenticationFilter {
-
-  /**
-   * Audit logger
-   */
-  private final AuditLogger auditLogger;
-
-  /**
-   * A Boolean value indicating whether Kerberos authentication is enabled or 
not.
-   */
-  private final boolean kerberosAuthenticationEnabled;
-
-  /**
-   * Constructor.
-   * <p>
-   * Given supplied data, sets up the the {@link 
SpnegoAuthenticationProcessingFilter} to perform
-   * authentication and audit logging if configured do to so.
-   *
-   * @param authenticationManager the Spring authentication manager
-   * @param entryPoint            the Spring entry point
-   * @param configuration         the Ambari configuration data
-   * @param auditLogger           an audit logger
-   * @param permissionHelper      a permission helper to aid in audit logging
-   */
-  public AmbariKerberosAuthenticationFilter(AuthenticationManager 
authenticationManager, final AuthenticationEntryPoint entryPoint, Configuration 
configuration, final AuditLogger auditLogger, final PermissionHelper 
permissionHelper) {
-    AmbariKerberosAuthenticationProperties kerberosAuthenticationProperties = 
(configuration == null)
-        ? null
-        : configuration.getKerberosAuthenticationProperties();
-
-    kerberosAuthenticationEnabled = (kerberosAuthenticationProperties != null) 
&& kerberosAuthenticationProperties.isKerberosAuthenticationEnabled();
-
-    this.auditLogger = auditLogger;
-
-    setAuthenticationManager(authenticationManager);
-
-    setFailureHandler(new AuthenticationFailureHandler() {
-      @Override
-      public void onAuthenticationFailure(HttpServletRequest 
httpServletRequest, HttpServletResponse httpServletResponse, 
AuthenticationException e) throws IOException, ServletException {
-        if (auditLogger.isEnabled()) {
-          AuditEvent loginFailedAuditEvent = LoginAuditEvent.builder()
-              .withRemoteIp(RequestUtils.getRemoteAddress(httpServletRequest))
-              .withTimestamp(System.currentTimeMillis())
-              .withReasonOfFailure(e.getLocalizedMessage())
-              .build();
-          auditLogger.log(loginFailedAuditEvent);
-        }
-
-        entryPoint.commence(httpServletRequest, httpServletResponse, e);
-      }
-    });
-
-    setSuccessHandler(new AuthenticationSuccessHandler() {
-      @Override
-      public void onAuthenticationSuccess(HttpServletRequest 
httpServletRequest, HttpServletResponse httpServletResponse, Authentication 
authentication) throws IOException, ServletException {
-        if (auditLogger.isEnabled()) {
-          AuditEvent loginSucceededAuditEvent = LoginAuditEvent.builder()
-              .withRemoteIp(RequestUtils.getRemoteAddress(httpServletRequest))
-              .withUserName(authentication.getName())
-              .withTimestamp(System.currentTimeMillis())
-              .withRoles(permissionHelper.getPermissionLabels(authentication))
-              .build();
-          auditLogger.log(loginSucceededAuditEvent);
-        }
-      }
-    });
-  }
-
-  /**
-   * Tests to determine if this authentication filter is applicable given the 
Ambari configuration
-   * and the user's HTTP request.
-   * <p>
-   * If the Ambari configuration indicates the Kerberos authentication is 
enabled and the HTTP request
-   * contains the appropriate <code>Authorization</code> header, than this 
filter may be applied;
-   * otherwise it should be skipped.
-   *
-   * @param httpServletRequest the request
-   * @return true if this filter should be applied; false otherwise
-   */
-  @Override
-  public boolean shouldApply(HttpServletRequest httpServletRequest) {
-    if (kerberosAuthenticationEnabled) {
-      String header = httpServletRequest.getHeader("Authorization");
-      return (header != null) && (header.startsWith("Negotiate ") || 
header.startsWith("Kerberos "));
-    } else {
-      return false;
-    }
-  }
-
-  /**
-   * Performs the logic for this filter.
-   * <p>
-   * Checks whether the authentication information is filled. If it is not, 
then a login failed audit event is logged.
-   * <p>
-   * Then, forwards the workflow to {@link 
SpnegoAuthenticationProcessingFilter#doFilter(ServletRequest, ServletResponse, 
FilterChain)}
-   *
-   * @param servletRequest  the request
-   * @param servletResponse the response
-   * @param filterChain     the Spring filter chain
-   * @throws IOException
-   * @throws ServletException
-   */
-  @Override
-  public void doFilter(ServletRequest servletRequest, ServletResponse 
servletResponse, FilterChain filterChain) throws IOException, ServletException {
-    HttpServletRequest httpServletRequest = (HttpServletRequest) 
servletRequest;
-
-    if (shouldApply(httpServletRequest)) {
-      if (auditLogger.isEnabled() && 
(AuthorizationHelper.getAuthenticatedName() == null)) {
-        AuditEvent loginFailedAuditEvent = LoginAuditEvent.builder()
-            .withRemoteIp(RequestUtils.getRemoteAddress(httpServletRequest))
-            .withTimestamp(System.currentTimeMillis())
-            .withReasonOfFailure("Authentication required")
-            .withUserName(null)
-            .build();
-        auditLogger.log(loginFailedAuditEvent);
-      }
-
-      super.doFilter(servletRequest, servletResponse, filterChain);
-    } else {
-      filterChain.doFilter(servletRequest, servletResponse);
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidator.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidator.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidator.java
deleted file mode 100644
index bb57108..0000000
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidator.java
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import org.apache.ambari.server.configuration.Configuration;
-import org.springframework.beans.factory.InitializingBean;
-import org.springframework.core.io.FileSystemResource;
-import org.springframework.core.io.Resource;
-import org.springframework.security.authentication.BadCredentialsException;
-import 
org.springframework.security.kerberos.authentication.KerberosTicketValidation;
-import 
org.springframework.security.kerberos.authentication.KerberosTicketValidator;
-import 
org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
-
-/**
- * AmbariKerberosTicketValidator is a {@link KerberosTicketValidator} 
implementation that delegates
- * to a {@link SunJaasKerberosTicketValidator}, if Kerberos authentication is 
enabled.
- * <p>
- * If Kerberos authentication is enabled, the following properties are set:
- * <ul>
- * <li>{@link SunJaasKerberosTicketValidator#setServicePrincipal(String)} 
using the Ambari server property from {@link 
Configuration#KERBEROS_AUTH_SPNEGO_PRINCIPAL}</li>
- * <li>{@link SunJaasKerberosTicketValidator#setKeyTabLocation(Resource)} 
using the Ambari server property from {@link 
Configuration#KERBEROS_AUTH_SPNEGO_KEYTAB_FILE}</li>
- * </ul>
- */
-public class AmbariKerberosTicketValidator implements KerberosTicketValidator, 
InitializingBean {
-
-  private final SunJaasKerberosTicketValidator kerberosTicketValidator;
-
-  /**
-   * Creates a new AmbariKerberosTicketValidator
-   *
-   * @param configuration the Ambari server configuration
-   */
-  public AmbariKerberosTicketValidator(Configuration configuration) {
-
-    AmbariKerberosAuthenticationProperties properties = (configuration == null)
-        ? null
-        : configuration.getKerberosAuthenticationProperties();
-
-    if ((properties != null) && properties.isKerberosAuthenticationEnabled()) {
-      kerberosTicketValidator = new SunJaasKerberosTicketValidator();
-      
kerberosTicketValidator.setServicePrincipal(properties.getSpnegoPrincipalName());
-
-      if (properties.getSpnegoKeytabFilePath() != null) {
-        kerberosTicketValidator.setKeyTabLocation(new 
FileSystemResource(properties.getSpnegoKeytabFilePath()));
-      }
-    } else {
-      // Don't create the SunJaasKerberosTicketValidator if Kerberos 
authentication is not enabled.
-      kerberosTicketValidator = null;
-    }
-  }
-
-  @Override
-  public void afterPropertiesSet() throws Exception {
-    // If Kerberos authentication is enabled, forward this method invocation 
to the backing
-    // SunJaasKerberosTicketValidator instance.
-    if (kerberosTicketValidator != null) {
-      kerberosTicketValidator.afterPropertiesSet();
-    }
-  }
-
-  @Override
-  public KerberosTicketValidation validateTicket(byte[] bytes) throws 
BadCredentialsException {
-    // If Kerberos authentication is enabled, forward this method invocation 
to the backing
-    // SunJaasKerberosTicketValidator instance.
-    return (kerberosTicketValidator == null)
-        ? null
-        : kerberosTicketValidator.validateTicket(bytes);
-  }
-
-  public void setDebug(boolean debug) {
-    // If Kerberos authentication is enabled, forward this method invocation 
to the backing
-    // SunJaasKerberosTicketValidator instance.
-    if (kerberosTicketValidator != null) {
-      kerberosTicketValidator.setDebug(debug);
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
index c283a65..b6b0713 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
@@ -156,15 +156,7 @@ public abstract class AbstractPrepareKerberosServerAction 
extends KerberosServer
             if (ambariServerIdentity != null) {
               List<KerberosIdentityDescriptor> componentIdentities = 
Collections.singletonList(ambariServerIdentity);
               kerberosHelper.addIdentities(kerberosIdentityDataFileWriter, 
componentIdentities,
-                identityFilter, KerberosHelper.AMBARI_SERVER_HOST_NAME, 
"AMBARI_SERVER", "AMBARI_SERVER", kerberosConfigurations, configurations);
-              propertiesToIgnore = 
gatherPropertiesToIgnore(componentIdentities, propertiesToIgnore);
-            }
-
-            KerberosIdentityDescriptor spnegoIdentity = 
kerberosDescriptor.getIdentity(KerberosHelper.SPNEGO_IDENTITY_NAME);
-            if (spnegoIdentity != null) {
-              List<KerberosIdentityDescriptor> componentIdentities = 
Collections.singletonList(spnegoIdentity);
-              kerberosHelper.addIdentities(kerberosIdentityDataFileWriter, 
componentIdentities,
-                identityFilter, KerberosHelper.AMBARI_SERVER_HOST_NAME, 
"AMBARI_SERVER", "SPNEGO", kerberosConfigurations, configurations);
+                identityFilter, KerberosHelper.AMBARI_SERVER_HOST_NAME, 
"AMBARI_SEVER", "AMBARI_SEVER", kerberosConfigurations, configurations);
               propertiesToIgnore = 
gatherPropertiesToIgnore(componentIdentities, propertiesToIgnore);
             }
           }

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIdentitiesServerAction.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIdentitiesServerAction.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIdentitiesServerAction.java
deleted file mode 100644
index 9c2c622..0000000
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIdentitiesServerAction.java
+++ /dev/null
@@ -1,235 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.serveraction.kerberos;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Map;
-import java.util.concurrent.ConcurrentMap;
-
-import com.google.inject.Inject;
-import org.apache.ambari.server.AmbariException;
-import org.apache.ambari.server.actionmanager.HostRoleStatus;
-import org.apache.ambari.server.agent.CommandReport;
-import org.apache.ambari.server.controller.KerberosHelper;
-import org.apache.ambari.server.controller.utilities.KerberosChecker;
-import org.apache.ambari.server.orm.dao.HostDAO;
-import org.apache.ambari.server.orm.dao.KerberosPrincipalHostDAO;
-import org.apache.ambari.server.orm.entities.HostEntity;
-import org.apache.ambari.server.serveraction.ActionLog;
-import org.apache.ambari.server.utils.ShellCommandUtil;
-import org.apache.ambari.server.utils.StageUtils;
-import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.commons.io.FileUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * ConfigureAmbariIdentitiesServerAction is a ServerAction implementation that 
creates keytab files as
- * instructed.
- * <p/>
- * This class mainly relies on the KerberosServerAction to iterate through 
metadata identifying
- * the Kerberos keytab files that need to be created. For each identity in the 
metadata, this
- * implementation's
- * {@link KerberosServerAction#processIdentity(Map, String, 
KerberosOperationHandler, Map, Map)}
- * is invoked attempting the creation of the relevant keytab file.
- */
-public class ConfigureAmbariIdentitiesServerAction extends 
KerberosServerAction {
-
-
-  private static final String KEYTAB_PATTERN = "keyTab=\"(.+)?\"";
-  private static final String PRINCIPAL_PATTERN = "principal=\"(.+)?\"";
-
-  private final static Logger LOG = 
LoggerFactory.getLogger(ConfigureAmbariIdentitiesServerAction.class);
-
-  @Inject
-  private KerberosPrincipalHostDAO kerberosPrincipalHostDAO;
-
-  @Inject
-  private HostDAO hostDAO;
-
-  /**
-   * Called to execute this action.  Upon invocation, calls
-   * {@link KerberosServerAction#processIdentities(Map)} )}
-   * to iterate through the Kerberos identity metadata and call
-   * {@link ConfigureAmbariIdentitiesServerAction#processIdentities(Map)}
-   * for each identity to process.
-   *
-   * @param requestSharedDataContext a Map to be used a shared data among all 
ServerActions related
-   *                                 to a given request
-   * @return a CommandReport indicating the result of this action
-   * @throws AmbariException
-   * @throws InterruptedException
-   */
-  @Override
-  public CommandReport execute(ConcurrentMap<String, Object> 
requestSharedDataContext) throws
-      AmbariException, InterruptedException {
-    return processIdentities(requestSharedDataContext);
-  }
-
-
-  /**
-   * Creates keytab file for ambari-server identity.
-   * <p/>
-   * It is expected that the {@link CreatePrincipalsServerAction}
-   * (or similar) and {@link CreateKeytabFilesServerAction} has executed 
before this action.
-   *
-   * @param identityRecord           a Map containing the data for the current 
identity record
-   * @param evaluatedPrincipal       a String indicating the relevant principal
-   * @param operationHandler         a KerberosOperationHandler used to 
perform Kerberos-related
-   *                                 tasks for specific Kerberos 
implementations
-   *                                 (MIT, Active Directory, etc...)
-   * @param kerberosConfiguration    a Map of configuration properties from 
kerberos-env
-   * @param requestSharedDataContext a Map to be used a shared data among all 
ServerActions related
-   *                                 to a given request  @return a 
CommandReport, indicating an error
-   *                                 condition; or null, indicating a success 
condition
-   * @throws AmbariException if an error occurs while processing the identity 
record
-   */
-  @Override
-  protected CommandReport processIdentity(Map<String, String> identityRecord, 
String evaluatedPrincipal,
-                                          KerberosOperationHandler 
operationHandler,
-                                          Map<String, String> 
kerberosConfiguration,
-                                          Map<String, Object> 
requestSharedDataContext)
-      throws AmbariException {
-    CommandReport commandReport = null;
-
-    if (identityRecord != null) {
-      String message;
-      String dataDirectory = getDataDirectoryPath();
-
-      if (dataDirectory == null) {
-        message = "The data directory has not been set. Generated keytab files 
can not be stored.";
-        LOG.error(message);
-        commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", 
actionLog.getStdOut(), actionLog.getStdErr());
-      } else {
-
-        String hostName = 
identityRecord.get(KerberosIdentityDataFileReader.HOSTNAME);
-        if (hostName != null && 
hostName.equalsIgnoreCase(KerberosHelper.AMBARI_SERVER_HOST_NAME)) {
-          String destKeytabFilePath = 
identityRecord.get(KerberosIdentityDataFileReader.KEYTAB_FILE_PATH);
-          File hostDirectory = new File(dataDirectory, hostName);
-          File srcKeytabFile = new File(hostDirectory, 
DigestUtils.sha1Hex(destKeytabFilePath));
-
-          if (srcKeytabFile.exists()) {
-            installAmbariServerIdentity(evaluatedPrincipal, 
srcKeytabFile.getAbsolutePath(), destKeytabFilePath, actionLog);
-
-            if 
("AMBARI_SERVER".equals(identityRecord.get(KerberosIdentityDataFileReader.COMPONENT)))
 {
-              // Create/update the JAASFile...
-              configureJAAS(evaluatedPrincipal, destKeytabFilePath, actionLog);
-            }
-          }
-        }
-      }
-    }
-
-    return commandReport;
-  }
-
-  /**
-   * Installs the Ambari Server Kerberos identity by copying its keytab file 
to the specified location
-   * and then creating the Ambari Server JAAS File.
-   *
-   * @param principal          the ambari server principal name
-   * @param srcKeytabFilePath  the source location of the ambari server keytab 
file
-   * @param destKeytabFilePath the destination location of the ambari server 
keytab file
-   * @param actionLog          the logger
-   * @return true if success; false otherwise
-   * @throws AmbariException
-   */
-  public boolean installAmbariServerIdentity(String principal,
-                                             String srcKeytabFilePath,
-                                             String destKeytabFilePath,
-                                             ActionLog actionLog) throws 
AmbariException {
-
-    // Use sudo to copy the file into place....
-    try {
-      ShellCommandUtil.Result result;
-
-      // Ensure the parent directory exists...
-      File destKeytabFile = new File(destKeytabFilePath);
-      result = ShellCommandUtil.mkdir(destKeytabFile.getParent(), true);
-      if (!result.isSuccessful()) {
-        throw new AmbariException(result.getStderr());
-      }
-
-      // Copy the keytab file into place...
-      result = ShellCommandUtil.copyFile(srcKeytabFilePath, 
destKeytabFilePath, true, true);
-      if (!result.isSuccessful()) {
-        throw new AmbariException(result.getStderr());
-      } else {
-        String ambariServerHostName = StageUtils.getHostName();
-        HostEntity ambariServerHostEntity = 
hostDAO.findByName(ambariServerHostName);
-        Long ambariServerHostID = (ambariServerHostEntity == null)
-            ? null
-            : ambariServerHostEntity.getHostId();
-
-        if (ambariServerHostID == null) {
-          String message = String.format("Failed to add the 
kerberos_principal_host record for %s on " +
-                  "the Ambari server host since the host id for Ambari server 
host, %s, was not found." +
-                  "  This is not an error if an Ambari agent is not installed 
on the Ambari server host.",
-              principal, ambariServerHostName);
-          LOG.warn(message);
-          actionLog.writeStdErr(message);
-        } else if (!kerberosPrincipalHostDAO.exists(principal, 
ambariServerHostID)) {
-          kerberosPrincipalHostDAO.create(principal, ambariServerHostID);
-        }
-
-        actionLog.writeStdOut(String.format("Created Ambari server keytab file 
for %s at %s", principal, destKeytabFile));
-      }
-    } catch (InterruptedException | IOException e) {
-      throw new AmbariException(e.getLocalizedMessage(), e);
-    }
-
-    return true;
-  }
-
-  private void configureJAAS(String evaluatedPrincipal, String keytabFilePath, 
ActionLog actionLog) {
-    String jaasConfPath = 
System.getProperty(KerberosChecker.JAVA_SECURITY_AUTH_LOGIN_CONFIG);
-    if (jaasConfPath != null) {
-      File jaasConfigFile = new File(jaasConfPath);
-      try {
-        String jaasConfig = FileUtils.readFileToString(jaasConfigFile);
-        File oldJaasConfigFile = new File(jaasConfPath + ".bak");
-        FileUtils.writeStringToFile(oldJaasConfigFile, jaasConfig);
-        jaasConfig = jaasConfig.replaceFirst(KEYTAB_PATTERN, "keyTab=\"" + 
keytabFilePath + "\"");
-        jaasConfig = jaasConfig.replaceFirst(PRINCIPAL_PATTERN, "principal=\"" 
+ evaluatedPrincipal + "\"");
-        FileUtils.writeStringToFile(jaasConfigFile, jaasConfig);
-        String message = String.format("JAAS config file %s modified 
successfully for principal %s.", jaasConfigFile
-            .getName(), evaluatedPrincipal);
-        if (actionLog != null) {
-          actionLog.writeStdOut(message);
-        }
-      } catch (IOException e) {
-        String message = String.format("Failed to configure JAAS file %s for 
%s - %s", jaasConfigFile,
-            evaluatedPrincipal, e.getMessage());
-        if (actionLog != null) {
-          actionLog.writeStdErr(message);
-        }
-        LOG.error(message, e);
-      }
-    } else {
-      String message = String.format("Failed to configure JAAS, config file 
should be passed to Ambari server as: " +
-          "%s.", KerberosChecker.JAVA_SECURITY_AUTH_LOGIN_CONFIG);
-      if (actionLog != null) {
-        actionLog.writeStdErr(message);
-      }
-      LOG.error(message);
-    }
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIndetityServerAction.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIndetityServerAction.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIndetityServerAction.java
new file mode 100644
index 0000000..96540ef
--- /dev/null
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIndetityServerAction.java
@@ -0,0 +1,208 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.serveraction.kerberos;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Map;
+import java.util.concurrent.ConcurrentMap;
+
+import org.apache.ambari.server.AmbariException;
+import org.apache.ambari.server.actionmanager.HostRoleStatus;
+import org.apache.ambari.server.agent.CommandReport;
+import org.apache.ambari.server.controller.KerberosHelper;
+import org.apache.ambari.server.controller.utilities.KerberosChecker;
+import org.apache.ambari.server.serveraction.ActionLog;
+import org.apache.ambari.server.utils.ShellCommandUtil;
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.io.FileUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * ConfigureAmbariIndetityServerAction is a ServerAction implementation that 
creates keytab files as
+ * instructed.
+ * <p/>
+ * This class mainly relies on the KerberosServerAction to iterate through 
metadata identifying
+ * the Kerberos keytab files that need to be created. For each identity in the 
metadata, this
+ * implementation's
+ * {@link KerberosServerAction#processIdentity(Map, String, 
KerberosOperationHandler, Map, Map)}
+ * is invoked attempting the creation of the relevant keytab file.
+ */
+public class ConfigureAmbariIndetityServerAction extends KerberosServerAction {
+
+
+  private static final String KEYTAB_PATTERN = "keyTab=\"(.+)?\"";
+  private static final String PRINCIPAL_PATTERN = "principal=\"(.+)?\"";
+
+  private final static Logger LOG = 
LoggerFactory.getLogger(ConfigureAmbariIndetityServerAction.class);
+
+  /**
+   * Called to execute this action.  Upon invocation, calls
+   * {@link KerberosServerAction#processIdentities(Map)} )}
+   * to iterate through the Kerberos identity metadata and call
+   * {@link ConfigureAmbariIndetityServerAction#processIdentities(Map)}
+   * for each identity to process.
+   *
+   * @param requestSharedDataContext a Map to be used a shared data among all 
ServerActions related
+   *                                 to a given request
+   * @return a CommandReport indicating the result of this action
+   * @throws AmbariException
+   * @throws InterruptedException
+   */
+  @Override
+  public CommandReport execute(ConcurrentMap<String, Object> 
requestSharedDataContext) throws
+    AmbariException, InterruptedException {
+    return processIdentities(requestSharedDataContext);
+  }
+
+
+  /**
+   * Creates keytab file for ambari-server identity.
+   * <p/>
+   * It is expected that the {@link CreatePrincipalsServerAction}
+   * (or similar) and {@link CreateKeytabFilesServerAction} has executed 
before this action.
+   *
+   * @param identityRecord           a Map containing the data for the current 
identity record
+   * @param evaluatedPrincipal       a String indicating the relevant principal
+   * @param operationHandler         a KerberosOperationHandler used to 
perform Kerberos-related
+   *                                 tasks for specific Kerberos 
implementations
+   *                                 (MIT, Active Directory, etc...)
+   * @param kerberosConfiguration    a Map of configuration properties from 
kerberos-env
+   * @param requestSharedDataContext a Map to be used a shared data among all 
ServerActions related
+   *                                 to a given request  @return a 
CommandReport, indicating an error
+   *                                 condition; or null, indicating a success 
condition
+   * @throws AmbariException if an error occurs while processing the identity 
record
+   */
+  @Override
+  protected CommandReport processIdentity(Map<String, String> identityRecord, 
String evaluatedPrincipal,
+                                          KerberosOperationHandler 
operationHandler,
+                                          Map<String, String> 
kerberosConfiguration,
+                                          Map<String, Object> 
requestSharedDataContext)
+    throws AmbariException {
+    CommandReport commandReport = null;
+
+    if (identityRecord != null) {
+      String message;
+      String dataDirectory = getDataDirectoryPath();
+
+      if (operationHandler == null) {
+        message = String.format("Failed to create keytab file for %s, missing 
KerberosOperationHandler", evaluatedPrincipal);
+        actionLog.writeStdErr(message);
+        LOG.error(message);
+        commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", 
actionLog.getStdOut(), actionLog.getStdErr());
+      } else if (dataDirectory == null) {
+        message = "The data directory has not been set. Generated keytab files 
can not be stored.";
+        LOG.error(message);
+        commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", 
actionLog.getStdOut(), actionLog.getStdErr());
+      } else {
+
+        String hostName = 
identityRecord.get(KerberosIdentityDataFileReader.HOSTNAME);
+        if (hostName != null && 
hostName.equalsIgnoreCase(KerberosHelper.AMBARI_SERVER_HOST_NAME)) {
+          String destKeytabFilePath = 
identityRecord.get(KerberosIdentityDataFileReader.KEYTAB_FILE_PATH);
+          File hostDirectory = new File(dataDirectory, hostName);
+          File srcKeytabFile = new File(hostDirectory, 
DigestUtils.sha1Hex(destKeytabFilePath));
+
+          if(srcKeytabFile.exists()) {
+            installAmbariServerIdentity(evaluatedPrincipal, 
srcKeytabFile.getAbsolutePath(), destKeytabFilePath, actionLog);
+          }
+        }
+      }
+    }
+
+    return commandReport;
+  }
+
+  /**
+   * Installs the Ambari Server Kerberos identity by copying its keytab file 
to the specified location
+   * and then creating the Ambari Server JAAS File.
+   *
+   * @param principal          the ambari server principal name
+   * @param srcKeytabFilePath  the source location of the ambari server keytab 
file
+   * @param destKeytabFilePath the destination location of the ambari server 
keytab file
+   * @param actionLog          the logger
+   * @return true if success; false otherwise
+   * @throws AmbariException
+   */
+  public boolean installAmbariServerIdentity(String principal,
+                                             String srcKeytabFilePath,
+                                             String destKeytabFilePath,
+                                             ActionLog actionLog) throws 
AmbariException {
+
+    // Use sudo to copy the file into place....
+    try {
+      ShellCommandUtil.Result result;
+
+      // Ensure the parent directory exists...
+      File destKeytabFile = new File(destKeytabFilePath);
+      result = ShellCommandUtil.mkdir(destKeytabFile.getParent(), true);
+      if (!result.isSuccessful()) {
+        throw new AmbariException(result.getStderr());
+      }
+
+      // Copy the keytab file into place...
+      result = ShellCommandUtil.copyFile(srcKeytabFilePath, 
destKeytabFilePath, true, true);
+      if (!result.isSuccessful()) {
+        throw new AmbariException(result.getStderr());
+      }
+    } catch (InterruptedException | IOException e) {
+      throw new AmbariException(e.getLocalizedMessage(), e);
+    }
+
+    // Create/update the JAASFile...
+    configureJAAS(principal, destKeytabFilePath, actionLog);
+
+    return true;
+  }
+
+  private void configureJAAS(String evaluatedPrincipal, String keytabFilePath, 
ActionLog actionLog) {
+    String jaasConfPath = 
System.getProperty(KerberosChecker.JAVA_SECURITY_AUTH_LOGIN_CONFIG);
+    if (jaasConfPath != null) {
+      File jaasConfigFile = new File(jaasConfPath);
+      try {
+        String jaasConfig = FileUtils.readFileToString(jaasConfigFile);
+        File oldJaasConfigFile = new File(jaasConfPath + ".bak");
+        FileUtils.writeStringToFile(oldJaasConfigFile, jaasConfig);
+        jaasConfig = jaasConfig.replaceFirst(KEYTAB_PATTERN, "keyTab=\"" + 
keytabFilePath + "\"");
+        jaasConfig = jaasConfig.replaceFirst(PRINCIPAL_PATTERN, "principal=\"" 
+ evaluatedPrincipal + "\"");
+        FileUtils.writeStringToFile(jaasConfigFile, jaasConfig);
+        String message = String.format("JAAS config file %s modified 
successfully for principal %s.", jaasConfigFile
+          .getName(), evaluatedPrincipal);
+        if (actionLog != null) {
+          actionLog.writeStdOut(message);
+        }
+      } catch (IOException e) {
+        String message = String.format("Failed to configure JAAS file %s for 
%s - %s", jaasConfigFile,
+          evaluatedPrincipal, e.getMessage());
+        if (actionLog != null) {
+          actionLog.writeStdErr(message);
+        }
+        LOG.error(message, e);
+      }
+    } else {
+      String message = String.format("Failed to configure JAAS, config file 
should be passed to Ambari server as: " +
+        "%s.", KerberosChecker.JAVA_SECURITY_AUTH_LOGIN_CONFIG);
+      if (actionLog != null) {
+        actionLog.writeStdErr(message);
+      }
+      LOG.error(message);
+    }
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
index b99c25a..e31e6ff 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
@@ -18,6 +18,7 @@
 
 package org.apache.ambari.server.serveraction.kerberos;
 
+import com.google.common.base.Optional;
 import com.google.inject.Inject;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.actionmanager.HostRoleStatus;
@@ -144,7 +145,7 @@ public class CreatePrincipalsServerAction extends 
KerberosServerAction {
           // This principal has been processed and a keytab file has been 
distributed... do not process it.
           processPrincipal = false;
         } else {
-          // This principal has been processed but a keytab file for it has 
not been distributed... process it.
+          // This principal has been processed but a keytab file for it has 
been distributed... process it.
           processPrincipal = true;
         }
       }
@@ -231,7 +232,7 @@ public class CreatePrincipalsServerAction extends 
KerberosServerAction {
       String password = securePasswordHelper.createSecurePassword(length, 
minLowercaseLetters, minUppercaseLetters, minDigits, minPunctuation, 
minWhitespace);
 
       try {
-        /*
+        /**
          * true indicates a new principal was created, false indicates an 
existing principal was updated
          */
         boolean created;

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
index 1d8c1ca..db210e0 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
@@ -28,7 +28,6 @@ import 
org.apache.ambari.server.security.credential.PrincipalKeyCredential;
 import org.apache.ambari.server.serveraction.AbstractServerAction;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
-import org.apache.ambari.server.utils.StageUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -515,19 +514,12 @@ public abstract class KerberosServerAction extends 
AbstractServerAction {
 
     if (record != null) {
       String principal = record.get(KerberosIdentityDataFileReader.PRINCIPAL);
+      String host = record.get(KerberosIdentityDataFileReader.HOSTNAME);
 
       if (principal != null) {
-        String hostname = record.get(KerberosIdentityDataFileReader.HOSTNAME);
-
-        if(KerberosHelper.AMBARI_SERVER_HOST_NAME.equals(hostname)) {
-          // Replace KerberosHelper.AMBARI_SERVER_HOST_NAME with the actual 
hostname where the Ambari
-          // server is... this host
-          hostname = StageUtils.getHostName();
-        }
-
         // Evaluate the principal "pattern" found in the record to generate 
the "evaluated principal"
         // by replacing the _HOST and _REALM variables.
-        String evaluatedPrincipal = principal.replace("_HOST", 
hostname).replace("_REALM", defaultRealm);
+        String evaluatedPrincipal = principal.replace("_HOST", 
host).replace("_REALM", defaultRealm);
 
         commandReport = processIdentity(record, evaluatedPrincipal, 
operationHandler, kerberosConfiguration, requestSharedDataContext);
       }

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 
b/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
index 500c0bf..a86973c 100644
--- a/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
+++ b/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
@@ -30,11 +30,16 @@
     <custom-filter ref="ambariAuthorizationFilter" 
before="FILTER_SECURITY_INTERCEPTOR"/>
   </http>
 
+  <!--<ldap-server id="ldapServer" root="dc=ambari,dc=apache,dc=org"/>-->
+
   <authentication-manager alias="authenticationManager">
+
     <authentication-provider ref="ambariLocalAuthenticationProvider"/>
+
     <authentication-provider ref="ambariLdapAuthenticationProvider"/>
+
     <authentication-provider ref="ambariInternalAuthenticationProvider"/>
-    <authentication-provider ref="kerberosServiceAuthenticationProvider"/>
+
   </authentication-manager>
 
   <beans:bean id="ambariEntryPoint" 
class="org.apache.ambari.server.security.AmbariEntryPoint">
@@ -44,7 +49,6 @@
     <beans:constructor-arg>
       <beans:list>
         <beans:ref bean="ambariBasicAuthenticationFilter"/>
-        <beans:ref bean="ambariKerberosAuthenticationFilter"/>
         <beans:ref bean="ambariJwtAuthenticationFilter"/>
       </beans:list>
     </beans:constructor-arg>
@@ -65,14 +69,6 @@
     <beans:constructor-arg ref="permissionHelper"/>
   </beans:bean>
 
-  <beans:bean id="ambariKerberosAuthenticationFilter" 
class="org.apache.ambari.server.security.authentication.kerberos.AmbariKerberosAuthenticationFilter">
-    <beans:constructor-arg ref="authenticationManager"/>
-    <beans:constructor-arg ref="ambariEntryPoint"/>
-    <beans:constructor-arg ref="ambariConfiguration"/>
-    <beans:constructor-arg ref="auditLogger"/>
-    <beans:constructor-arg ref="permissionHelper"/>
-  </beans:bean>
-
   <beans:bean id="ambariAuthorizationFilter" 
class="org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter">
     <beans:constructor-arg ref="ambariEntryPoint"/>
     <beans:constructor-arg ref="ambariConfiguration"/>
@@ -81,20 +77,4 @@
     <beans:constructor-arg ref="permissionHelper"/>
   </beans:bean>
 
-  <beans:bean id="kerberosServiceAuthenticationProvider" 
class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
-    <beans:property name="ticketValidator">
-      <beans:bean 
class="org.apache.ambari.server.security.authentication.kerberos.AmbariKerberosTicketValidator">
-        <beans:constructor-arg ref="ambariConfiguration"/>
-        <beans:property name="debug" value="false"/>
-      </beans:bean>
-    </beans:property>
-
-    <beans:property name="userDetailsService" 
ref="authToLocalUserDetailsService"/>
-  </beans:bean>
-
-  <beans:bean id="authToLocalUserDetailsService" 
class="org.apache.ambari.server.security.authentication.kerberos.AmbariAuthToLocalUserDetailsService">
-    <beans:constructor-arg ref="ambariConfiguration"/>
-    <beans:constructor-arg ref="ambariUsers"/>
-  </beans:bean>
-
 </beans:beans>

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
 
b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
index 7e6a056..3c97ce9 100644
--- 
a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
+++ 
b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
@@ -104,6 +104,7 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -3754,7 +3755,6 @@ public class KerberosHelperTest extends EasyMockSupport {
     KerberosDescriptor kerberosDescriptor = 
createMock(KerberosDescriptor.class);
     if (createAmbariPrincipal) {
       
expect(kerberosDescriptor.getIdentity(KerberosHelper.AMBARI_IDENTITY_NAME)).andReturn(ambariKerberosIdentity).once();
-      
expect(kerberosDescriptor.getIdentity(KerberosHelper.SPNEGO_IDENTITY_NAME)).andReturn(ambariKerberosIdentity).once();
     }
 
     List<KerberosIdentityDescriptor> identities = new 
ArrayList<KerberosIdentityDescriptor>();
@@ -3764,12 +3764,12 @@ public class KerberosHelperTest extends EasyMockSupport 
{
     // Needed by infrastructure
     injector.getInstance(AmbariMetaInfo.class).init();
 
-    kerberosHelper.addAmbariServerIdentities(kerberosEnvProperties, 
kerberosDescriptor, identities);
+    kerberosHelper.addAmbariServerIdentity(kerberosEnvProperties, 
kerberosDescriptor, identities);
 
     verifyAll();
 
     if (createAmbariPrincipal) {
-      Assert.assertEquals(2, identities.size());
+      Assert.assertEquals(1, identities.size());
       Assert.assertSame(ambariKerberosIdentity, identities.get(0));
     } else {
       Assert.assertTrue(identities.isEmpty());

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsServiceTest.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsServiceTest.java
 
b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsServiceTest.java
deleted file mode 100644
index e980808..0000000
--- 
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsServiceTest.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import junit.framework.Assert;
-import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
-import org.apache.ambari.server.security.authorization.User;
-import org.apache.ambari.server.security.authorization.UserType;
-import org.apache.ambari.server.security.authorization.Users;
-import org.easymock.EasyMockSupport;
-import org.junit.Test;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.core.userdetails.UsernameNotFoundException;
-
-import java.util.Collection;
-import java.util.Collections;
-
-import static org.easymock.EasyMock.expect;
-
-public class AmbariAuthToLocalUserDetailsServiceTest extends EasyMockSupport {
-  @Test
-  public void loadUserByUsernameSuccess() throws Exception {
-    AmbariKerberosAuthenticationProperties properties = new 
AmbariKerberosAuthenticationProperties();
-
-    Configuration configuration = createMock(Configuration.class);
-    
expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    User user = createMock(User.class);
-    expect(user.getUserName()).andReturn("user1").once();
-    expect(user.getUserType()).andReturn(UserType.LDAP).once();
-
-    Collection<AmbariGrantedAuthority> userAuthorities = 
Collections.singletonList(createNiceMock(AmbariGrantedAuthority.class));
-
-    Users users = createMock(Users.class);
-    expect(users.getUser("user1", UserType.LDAP)).andReturn(user).once();
-    expect(users.getUserAuthorities("user1", 
UserType.LDAP)).andReturn(userAuthorities).once();
-
-    replayAll();
-
-    UserDetailsService userdetailsService = new 
AmbariAuthToLocalUserDetailsService(configuration, users);
-
-    UserDetails userDetails = 
userdetailsService.loadUserByUsername("us...@example.com");
-
-    verifyAll();
-
-    Assert.assertNotNull(userDetails);
-    Assert.assertEquals("user1", userDetails.getUsername());
-    Assert.assertEquals(userAuthorities.size(), 
userDetails.getAuthorities().size());
-    Assert.assertEquals("", userDetails.getPassword());
-  }
-
-  @Test(expected = UsernameNotFoundException.class)
-  public void loadUserByUsernameUserNotFound() throws Exception {
-    AmbariKerberosAuthenticationProperties properties = new 
AmbariKerberosAuthenticationProperties();
-
-    Configuration configuration = createMock(Configuration.class);
-    
expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    Users users = createMock(Users.class);
-    expect(users.getUser("user1", UserType.LDAP)).andReturn(null).once();
-    expect(users.getUser("user1", UserType.LOCAL)).andReturn(null).once();
-
-    replayAll();
-
-    UserDetailsService userdetailsService = new 
AmbariAuthToLocalUserDetailsService(configuration, users);
-
-    userdetailsService.loadUserByUsername("us...@example.com");
-
-    verifyAll();
-
-    Assert.fail("UsernameNotFoundException was not thrown");
-  }
-
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilterTest.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilterTest.java
 
b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilterTest.java
deleted file mode 100644
index d855cda..0000000
--- 
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilterTest.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import org.apache.ambari.server.audit.AuditLogger;
-import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.security.authorization.PermissionHelper;
-import org.easymock.EasyMockSupport;
-import org.junit.Assert;
-import org.junit.Test;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.web.AuthenticationEntryPoint;
-
-import javax.servlet.http.HttpServletRequest;
-
-import static org.easymock.EasyMock.expect;
-
-public class AmbariKerberosAuthenticationFilterTest extends EasyMockSupport {
-  @Test
-  public void shouldApplyTrue() throws Exception {
-    HttpServletRequest httpServletRequest = 
createMock(HttpServletRequest.class);
-    expect(httpServletRequest.getHeader("Authorization")).andReturn("Negotiate 
.....").once();
-
-    AmbariKerberosAuthenticationProperties properties = 
createMock(AmbariKerberosAuthenticationProperties.class);
-    
expect(properties.isKerberosAuthenticationEnabled()).andReturn(true).once();
-
-    Configuration configuration = createMock(Configuration.class);
-    
expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    AuthenticationManager authenticationManager = 
createMock(AuthenticationManager.class);
-    AuthenticationEntryPoint entryPoint = 
createMock(AuthenticationEntryPoint.class);
-    AuditLogger auditLogger = createMock(AuditLogger.class);
-    PermissionHelper permissionHelper = createMock(PermissionHelper.class);
-
-    replayAll();
-
-    AmbariKerberosAuthenticationFilter filter = new 
AmbariKerberosAuthenticationFilter(
-        authenticationManager,
-        entryPoint,
-        configuration,
-        auditLogger,
-        permissionHelper
-    );
-
-    Assert.assertTrue(filter.shouldApply(httpServletRequest));
-
-    verifyAll();
-  }
-
-  @Test
-  public void shouldApplyFalseMissingHeader() throws Exception {
-    HttpServletRequest httpServletRequest = 
createMock(HttpServletRequest.class);
-    
expect(httpServletRequest.getHeader("Authorization")).andReturn(null).once();
-
-    AmbariKerberosAuthenticationProperties properties = 
createMock(AmbariKerberosAuthenticationProperties.class);
-    
expect(properties.isKerberosAuthenticationEnabled()).andReturn(true).once();
-
-    Configuration configuration = createMock(Configuration.class);
-    
expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    AuthenticationManager authenticationManager = 
createMock(AuthenticationManager.class);
-    AuthenticationEntryPoint entryPoint = 
createMock(AuthenticationEntryPoint.class);
-    AuditLogger auditLogger = createMock(AuditLogger.class);
-    PermissionHelper permissionHelper = createMock(PermissionHelper.class);
-
-    replayAll();
-
-    AmbariKerberosAuthenticationFilter filter = new 
AmbariKerberosAuthenticationFilter(
-        authenticationManager,
-        entryPoint,
-        configuration,
-        auditLogger,
-        permissionHelper
-    );
-
-    Assert.assertFalse(filter.shouldApply(httpServletRequest));
-
-    verifyAll();
-  }
-
-  @Test
-  public void shouldApplyNotFalseEnabled() throws Exception {
-    HttpServletRequest httpServletRequest = 
createMock(HttpServletRequest.class);
-
-    AmbariKerberosAuthenticationProperties properties = 
createMock(AmbariKerberosAuthenticationProperties.class);
-    
expect(properties.isKerberosAuthenticationEnabled()).andReturn(false).once();
-
-    Configuration configuration = createMock(Configuration.class);
-    
expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    AuthenticationManager authenticationManager = 
createMock(AuthenticationManager.class);
-    AuthenticationEntryPoint entryPoint = 
createMock(AuthenticationEntryPoint.class);
-    AuditLogger auditLogger = createMock(AuditLogger.class);
-    PermissionHelper permissionHelper = createMock(PermissionHelper.class);
-
-    replayAll();
-
-    AmbariKerberosAuthenticationFilter filter = new 
AmbariKerberosAuthenticationFilter(
-        authenticationManager,
-        entryPoint,
-        configuration,
-        auditLogger,
-        permissionHelper
-    );
-
-    Assert.assertFalse(filter.shouldApply(httpServletRequest));
-
-    verifyAll();
-  }
-
-  @Test
-  public void doFilter() throws Exception {
-    // Skip this test since the real work is being done by 
SpnegoAuthenticationProcessingFilter, which
-    // is a class in the Spring libraries.
-  }
-
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/dcf779d2/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidatorTest.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidatorTest.java
 
b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidatorTest.java
deleted file mode 100644
index 9bc87a4..0000000
--- 
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidatorTest.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import org.apache.ambari.server.configuration.Configuration;
-import org.easymock.EasyMockSupport;
-import org.junit.Test;
-
-import static org.easymock.EasyMock.expect;
-
-public class AmbariKerberosTicketValidatorTest extends EasyMockSupport {
-
-  /**
-   * Tests an {@link AmbariKerberosTicketValidator} to ensure that the Spnego 
identity is properly
-   * set in the base class during construction.
-   */
-  @Test
-  public void testConstructor() throws NoSuchMethodException {
-    AmbariKerberosAuthenticationProperties properties = 
createMock(AmbariKerberosAuthenticationProperties.class);
-    
expect(properties.isKerberosAuthenticationEnabled()).andReturn(true).once();
-    
expect(properties.getSpnegoPrincipalName()).andReturn("HTTP/somehost.example.com").times(1);
-    
expect(properties.getSpnegoKeytabFilePath()).andReturn("/etc/security/keytabs/spnego.service.keytab").times(2);
-
-    Configuration configuration = createMock(Configuration.class);
-    
expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    replayAll();
-
-    new AmbariKerberosTicketValidator(configuration);
-
-    verifyAll();
-  }
-}
\ No newline at end of file

Reply via email to