AMBARI-19545: Ambari-agent - In HIVE and OOZIE stack scripts, copy JCEKS file to desired location
This reverts commit e700484e80446174d72b3ce40295cbea4689a50a. Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/6ccff934 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/6ccff934 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/6ccff934 Branch: refs/heads/branch-dev-patch-upgrade Commit: 6ccff934da9f5c387dd55e37d3d478037454b12c Parents: 39174ea Author: Nahappan Somasundaram <[email protected]> Authored: Tue Jan 17 11:48:57 2017 -0800 Committer: Nahappan Somasundaram <[email protected]> Committed: Tue Jan 17 18:59:22 2017 -0800 ---------------------------------------------------------------------- .../libraries/functions/security_commons.py | 37 ++++++++++++++++++++ .../HIVE/0.12.0.2.0/package/scripts/hive.py | 7 ++++ .../OOZIE/4.0.0.2.0/package/scripts/oozie.py | 18 ++++++++-- 3 files changed, 60 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/6ccff934/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py ---------------------------------------------------------------------- diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py b/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py index 8282dc5..cca244d 100644 --- a/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py +++ b/ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py 
@@ -22,11 +22,48 @@ from resource_management import Execute, File from tempfile import mkstemp import os import ambari_simplejson as json # simplejson is much faster comparing to Python 2.6 json module and has the same functions set. +from resource_management.core.source import StaticFile FILE_TYPE_XML = 'XML' FILE_TYPE_PROPERTIES = 'PROPERTIES' FILE_TYPE_JAAS_CONF = 'JAAS_CONF' +# The property name used by the hadoop credential provider +HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME = 'hadoop.security.credential.provider.path' + +# Copy JCEKS provider to service specific location and update the ACL +def update_credential_provider_path(config, config_type, dest_provider_path, file_owner, file_group): + """ + Copies the JCEKS file for the specified config from the default location to the given location, + and sets the ACLs for the specified owner and group. Also updates the config type's configuration + hadoop credential store provider with the copied file name. + :param config: configurations['configurations'][config_type] + :param config_type: Like hive-site, oozie-site, etc. + :param dest_provider_path: The full path to the file where the JCEKS provider file is to be copied to. + :param file_owner: File owner + :param file_group: Group + :return: A copy of the config that was modified or the input config itself if nothing was modified. 
+ """ + # Get the path to the provider <config_type>.jceks + if HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME in config: + provider_paths = config[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME].split(',') + for path_index in range(len(provider_paths)): + provider_path = provider_paths[path_index] + if config_type == os.path.splitext(os.path.basename(provider_path))[0]: + src_provider_path = provider_path[len('jceks://file'):] + File(dest_provider_path, + owner = file_owner, + group = file_group, + mode = 0640, + content = StaticFile(src_provider_path) + ) + provider_paths[path_index] = 'jceks://file{0}'.format(dest_provider_path) + # make a copy of the config dictionary since it is read-only + config_copy = config.copy() + config_copy[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME] = ','.join(provider_paths) + return config_copy + return config + def validate_security_config_properties(params, configuration_rules): """ Generic security configuration validation based on a set of rules and operations http://git-wip-us.apache.org/repos/asf/ambari/blob/6ccff934/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py index f825982..16273c7 100644 --- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py +++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py 
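Review bot: In `update_credential_provider_path` the source path is taken as `provider_path[len('jceks://file'):]` without checking that the entry starts with that prefix. A provider entry with a different scheme whose basename matches `config_type` would be cut at an arbitrary offset, and the leftover string passed to `StaticFile` as the file to copy. Add `if not provider_path.startswith('jceks://file'): continue` before the basename comparison. Separately, the copy is created with `mode = 0640`, so every member of `file_group` can read a file that holds service credentials; add a comment saying why group read is needed, or use `0600` if it is not. The docstring says the function sets ACLs, while the code sets owner, group and mode.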
@@ -41,6 +41,7 @@ from resource_management.core.shell import quote_bash_args from resource_management.core.logger import Logger from resource_management.core import utils from resource_management.libraries.functions.setup_atlas_hook import has_atlas_in_cluster, setup_atlas_hook +from resource_management.libraries.functions.security_commons import update_credential_provider_path from ambari_commons.constants import SERVICE from ambari_commons.os_family_impl import OsFamilyFuncImpl, OsFamilyImpl @@ -64,6 +65,12 @@ def hive(name=None): for conf_dir in params.hive_conf_dirs_list: fill_conf_dir(conf_dir) + params.hive_site_config = update_credential_provider_path(params.hive_site_config, + 'hive-site', + os.path.join(params.hive_conf_dir, 'hive-site.jceks'), + params.hive_user, + params.user_group + ) XmlConfig("hive-site.xml", conf_dir=params.hive_config_dir, configurations=params.hive_site_config, http://git-wip-us.apache.org/repos/asf/ambari/blob/6ccff934/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py b/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py index 4a472ff..def0545 100644 --- a/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py +++ b/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py 
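Review bot: In the second hunk (`@@ -64,6 +65,12 @@`) the keystore is copied to `os.path.join(params.hive_conf_dir, 'hive-site.jceks')`, but the `XmlConfig("hive-site.xml", ...)` call right below writes to `conf_dir=params.hive_config_dir`. The params module is not visible here, so this is a question rather than a confirmed defect: if the two can resolve to different directories, the credential file lands away from the hive-site.xml that references it. The loop over `params.hive_conf_dirs_list` just above also suggests there can be more than one conf directory, and only one would receive a copy. If the keystore is meant to sit beside the generated config, the argument would be `os.path.join(params.hive_config_dir, 'hive-site.jceks'),`. The body of `hive()` starts and continues outside the hunk.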
@@ -36,6 +36,7 @@ from resource_management.libraries.functions.oozie_prepare_war import prepare_wa from resource_management.libraries.functions.copy_tarball import get_current_version from resource_management.libraries.resources.xml_config import XmlConfig from resource_management.libraries.script.script import Script +from resource_management.libraries.functions.security_commons import update_credential_provider_path from resource_management.core.resources.packaging import Package from resource_management.core.shell import as_user, as_sudo, call from resource_management.core.exceptions import Fail @@ -50,7 +51,6 @@ from ambari_commons.inet_utils import download_file from resource_management.core import Logger - @OsFamilyFuncImpl(os_family=OSConst.WINSRV_FAMILY) def oozie(is_server=False): import params @@ -115,6 +115,14 @@ def oozie(is_server=False): owner = params.oozie_user, group = params.user_group ) + + params.oozie_site = update_credential_provider_path(params.oozie_site, + 'oozie-site', + os.path.join(params.conf_dir, 'oozie-site.jceks'), + params.oozie_user, + params.user_group + ) + XmlConfig("oozie-site.xml", conf_dir = params.conf_dir, configurations = params.oozie_site, @@ -289,9 +297,15 @@ def oozie_server_specific(): group = params.user_group ) if 'hive-site' in params.config['configurations']: + hive_site_config = update_credential_provider_path(params.config['configurations']['hive-site'], + 'hive-site', + os.path.join(params.hive_conf_dir, 'hive-site.jceks'), + params.oozie_user, + params.user_group + ) XmlConfig("hive-site.xml", conf_dir=params.hive_conf_dir, - configurations=params.config['configurations']['hive-site'], + configurations=hive_site_config, configuration_attributes=params.config['configuration_attributes']['hive-site'], owner=params.oozie_user, group=params.user_group,
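Review bot: In the last hunk (`@@ -289,9 +297,15 @@`, inside `oozie_server_specific`) the Hive keystore is copied to `os.path.join(params.hive_conf_dir, 'hive-site.jceks')` with `params.oozie_user` as owner, while hive.py in this same commit writes the same file name with `params.hive_user` as owner. Each service has its own params module, so whether the two directories can coincide on a co-located host is not visible here. If they can, each agent run would flip ownership of the credential file and one of the two services would lose read access. A comment above the call would record the assumption, for example `# Oozie keeps its own copy of the Hive keystore; hive_conf_dir here must not be the Hive daemons' conf dir`. The same call also makes Hive's stored credentials readable by the Oozie account and by `params.user_group`, and the `@@ -115,6 +115,14 @@` hunk does likewise for `oozie-site.jceks`, so it is worth confirming that group read is needed in both places.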
