AMBARI-19987 Oozie start failed after enabling credential store (dsen)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/d252665c Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/d252665c Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/d252665c Branch: refs/heads/branch-feature-AMBARI-12556 Commit: d252665ce94f532b08efb9bc5f31f7b8f6cde97a Parents: fa32fec Author: Dmytro Sen <[email protected]> Authored: Mon Feb 13 19:42:59 2017 +0200 Committer: Dmytro Sen <[email protected]> Committed: Mon Feb 13 19:42:59 2017 +0200 ---------------------------------------------------------------------- .../ambari_agent/CustomServiceOrchestrator.py | 12 +++++- .../ambari_commons/credential_store_helper.py | 45 ++++++++++++++++++++ .../query/render/ClusterBlueprintRenderer.java | 8 ++-- .../internal/ServiceResourceProvider.java | 1 - .../orm/entities/ServiceDesiredStateEntity.java | 21 --------- .../org/apache/ambari/server/state/Service.java | 8 ---- .../apache/ambari/server/state/ServiceImpl.java | 40 +++-------------- .../server/upgrade/UpgradeCatalog250.java | 5 --- .../main/resources/Ambari-DDL-Derby-CREATE.sql | 1 - .../main/resources/Ambari-DDL-MySQL-CREATE.sql | 1 - .../main/resources/Ambari-DDL-Oracle-CREATE.sql | 1 - .../resources/Ambari-DDL-Postgres-CREATE.sql | 1 - .../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 1 - .../resources/Ambari-DDL-SQLServer-CREATE.sql | 1 - .../0.12.0.2.0/package/scripts/params_linux.py | 35 +++------------ .../4.0.0.2.0/package/scripts/params_linux.py | 20 ++++++++- .../server/upgrade/UpgradeCatalog250Test.java | 12 +----- 17 files changed, 90 insertions(+), 123 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py ---------------------------------------------------------------------- 
diff --git a/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py b/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py index bacda46..9f2852b 100644 --- a/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py +++ b/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py @@ -238,6 +238,7 @@ class CustomServiceOrchestrator(): value_names.append(value_name) # Gather the value_name for deletion if len(credentials) > 0: configtype_credentials[config_type] = credentials + logger.info("Identifying config {0} for CS: ".format(config_type)) for value_name in value_names: # Remove the clear text password config.pop(value_name, None) @@ -255,8 +256,11 @@ class CustomServiceOrchestrator(): roleCommand = None if 'roleCommand' in commandJson: roleCommand = commandJson['roleCommand'] + task_id = None + if 'taskId' in commandJson: + task_id = commandJson['taskId'] - logger.info('generateJceks: roleCommand={0}'.format(roleCommand)) + logger.info('Generating the JCEKS file: roleCommand={0} and taskId = {1}'.format(roleCommand, task_id)) # Set up the variables for the external command to generate a JCEKS file java_home = commandJson['hostLevelParams']['java_home'] 
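Review bot: The message added in the first hunk, `logger.info("Identifying config {0} for CS: ".format(config_type))`, ends with a dangling `CS: ` after the value, so the log line reads as if something was cut off. `logger.info("Identified config type {0} for the credential store".format(config_type))` says the same thing plainly. In the second hunk, the three-line `task_id` lookup can be `task_id = commandJson.get('taskId')` if `commandJson` is a plain dict. Both messages log only the config type, role command and task id, and credential values should continue to stay out of them. The enclosing methods start and end outside both hunks.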
@@ -267,6 +271,12 @@ class CustomServiceOrchestrator(): # Gather the password values and remove them from the configuration configtype_credentials = self.getConfigTypeCredentials(commandJson) + + # CS is enabled but no config property is available for this command + if len(configtype_credentials) == 0: + logger.info("Credential store is enabled but no property are found that can be encrypted.") + commandJson['credentialStoreEnabled'] = "false" + for config_type, credentials in configtype_credentials.items(): config = commandJson['configurations'][config_type] file_path = os.path.join(self.getProviderDirectory(serviceName), "{0}.jceks".format(config_type)) http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-common/src/main/python/ambari_commons/credential_store_helper.py ---------------------------------------------------------------------- diff --git a/ambari-common/src/main/python/ambari_commons/credential_store_helper.py b/ambari-common/src/main/python/ambari_commons/credential_store_helper.py new file mode 100644 index 0000000..914c1c7 --- /dev/null +++ b/ambari-common/src/main/python/ambari_commons/credential_store_helper.py 
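Review bot: The fallback writes the string `"false"` into `commandJson['credentialStoreEnabled']`, while the OOZIE params_linux.py hunk in this same commit reads that key and tests it with a bare `if credential_store_enabled:`. A non-empty string is truthy in Python, so unless the script-side `config` object converts "true"/"false" strings to booleans (not visible on this page), the downgrade would still take the credential-store branch and can end in its `raise Exception(...)`. Confirm that conversion, or compare the value explicitly on the script side. The log text also reads better as `"Credential store is enabled but no properties were found that can be encrypted."`. The enclosing method continues outside the hunk.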
@@ -0,0 +1,45 @@ +#!/usr/bin/env python +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" + +import os + +from resource_management.core.resources.system import File +from resource_management.core.shell import checked_call +from resource_management.core.source import DownloadSource + +credential_util_cmd = 'org.apache.ambari.server.credentialapi.CredentialUtil' +credential_util_jar = 'CredentialUtil.jar' + +def get_password_from_credential_store(alias, provider_path, cs_lib_path, java_home, jdk_location): + # Try to download CredentialUtil.jar from ambari-server resources + credential_util_dir = cs_lib_path.split('*')[0] # Remove the trailing '*' + credential_util_path = os.path.join(credential_util_dir, credential_util_jar) + credential_util_url = jdk_location + credential_util_jar + File(credential_util_path, + content = DownloadSource(credential_util_url), + mode = 0755, + ) + + # Execute a get command on the CredentialUtil CLI to get the password for the specified alias + java_bin = '{java_home}/bin/java'.format(java_home=java_home) + cmd = (java_bin, '-cp', cs_lib_path, credential_util_cmd, 'get', alias, '-provider', provider_path) + cmd_result, std_out_msg = checked_call(cmd) + std_out_lines = std_out_msg.split('\n') + return std_out_lines[-1] # 
Get the last line of the output, to skip warnings if any. \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java b/ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java index 4091ee8..5e19a6c 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java @@ -286,11 +286,9 @@ public class ClusterBlueprintRenderer extends BaseRenderer implements Renderer { //service_settings population property = new HashMap<>(); - if (ServiceInfoMap.get("credential_store_supported").equals("true")) { - if (ServiceInfoMap.get("credential_store_enabled").equals("true")) { - property.put("name", ServiceInfoMap.get("service_name").toString()); - property.put("credential_store_enabled", "true"); - } + if (ServiceInfoMap.get("credential_store_enabled").equals("true")) { + property.put("name", ServiceInfoMap.get("service_name").toString()); + property.put("credential_store_enabled", "true"); } //Fetch the service Components to obtain ServiceComponentInfo http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java index 0d5c174..99a81c1 100644 
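Review bot: `mode = 0755` in the `File(...)` call makes the downloaded CredentialUtil.jar executable, but the jar is only used through `java -cp`, and the Hive code this helper replaces wrote it with 0644; `mode = 0644,` keeps the tighter permission. The jar is fetched from `jdk_location + credential_util_jar` and then run to read a password, with no integrity check visible here, so confirm that location is served over a trusted channel. The password comes back as the last line of stdout: confirm `checked_call` does not log that output (passing `logoutput=False` would make this explicit), and note that `split('\n')[-1]` yields an empty string if the output ends with a newline that `checked_call` has not stripped. The function also needs a docstring describing the five arguments and stating that the return value is the clear-text password, which callers should wrap in `PasswordString`.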
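Review bot: `ServiceInfoMap.get("credential_store_enabled").equals("true")` throws a NullPointerException if the map has no `credential_store_enabled` entry, and with the outer `credential_store_supported` check removed this call is now the only guard. Putting the constant first, `if ("true".equals(ServiceInfoMap.get("credential_store_enabled"))) {`, gives the same result for present values and treats a missing key as disabled. The enclosing method starts and ends outside the hunk.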
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java @@ -368,7 +368,6 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider AmbariMetaInfo ambariMetaInfo = getManagementController().getAmbariMetaInfo(); ServiceInfo serviceInfo = ambariMetaInfo.getService(stackId.getStackName(), stackId.getStackVersion(), request.getServiceName()); - s.setCredentialStoreSupported(serviceInfo.isCredentialStoreSupported()); LOG.info("Service: {}, credential_store_supported from stack definition:{}", request.getServiceName(), serviceInfo.isCredentialStoreSupported()); http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java index e4401a1..885f995 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java @@ -67,9 +67,6 @@ public class ServiceDesiredStateEntity { @Enumerated(value = EnumType.STRING) private SecurityState securityState = SecurityState.UNSECURED; - @Column(name = "credential_store_supported", nullable = false, insertable = true, updatable = true) - private short credentialStoreSupported = 0; - @Column(name = "credential_store_enabled", nullable = false, insertable = true, updatable = true) private short credentialStoreEnabled = 0; 
@@ -138,24 +135,6 @@ public class ServiceDesiredStateEntity { } /** - * Gets a value indicating if credential store is supported or not. - * - * @return true or false - */ - public boolean isCredentialStoreSupported() { - return credentialStoreSupported != 0; - } - - /** - * Sets a value indicating if credential store is supported or not. - * - * @param credentialStoreSupported - */ - public void setCredentialStoreSupported(boolean credentialStoreSupported) { - this.credentialStoreSupported = (short)((credentialStoreSupported == false) ? 0 : 1); - } - - /** * Gets a value indicating if credential store use is enabled or not. * * @return true or false http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/state/Service.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/Service.java b/ambari-server/src/main/java/org/apache/ambari/server/state/Service.java index cf36a8b..0f425a4 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/state/Service.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/state/Service.java @@ -110,14 +110,6 @@ public interface Service { boolean isCredentialStoreSupported(); /** - * Set a true or false value specifying if this - * service supports credential store. - * - * @param credentialStoreSupported - true or false - */ - void setCredentialStoreSupported(boolean credentialStoreSupported); - - /** * Get a true or false value specifying whether * credential store use is enabled for this service. * http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java index e223eed..713c189 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java @@ -70,6 +70,7 @@ public class ServiceImpl implements Service { private final Cluster cluster; private final ConcurrentMap<String, ServiceComponent> components = new ConcurrentHashMap<>(); private final boolean isClientOnlyService; + private final boolean isCredentialStoreSupported; @Inject private ServiceConfigDAO serviceConfigDAO; @@ -130,6 +131,8 @@ public class ServiceImpl implements Service { isClientOnlyService = sInfo.isClientOnlyService(); + isCredentialStoreSupported = sInfo.isCredentialStoreSupported(); + persist(serviceEntity); } @@ -174,6 +177,7 @@ public class ServiceImpl implements Service { ServiceInfo sInfo = ambariMetaInfo.getService(stackId.getStackName(), stackId.getStackVersion(), getName()); isClientOnlyService = sInfo.isClientOnlyService(); + isCredentialStoreSupported = sInfo.isCredentialStoreSupported(); } @Override 
@@ -327,45 +331,11 @@ public class ServiceImpl implements Service { */ @Override public boolean isCredentialStoreSupported() { - ServiceDesiredStateEntity desiredStateEntity = getServiceDesiredStateEntity(); - - if (desiredStateEntity != null) { - return desiredStateEntity.isCredentialStoreSupported(); - } else { - LOG.warn("Trying to fetch a member from an entity object that may " + - "have been previously deleted, serviceName = " + getName()); - } - return false; + return isCredentialStoreSupported; } - /** - * Set a true or false value specifying whether this - * service supports credential store. - * - * @param credentialStoreSupported - true or false - */ - @Override - public void setCredentialStoreSupported(boolean credentialStoreSupported) { - if (LOG.isDebugEnabled()) { - LOG.debug("Setting CredentialStoreEnabled of Service" + ", clusterName=" - + cluster.getClusterName() + ", clusterId=" - + cluster.getClusterId() + ", serviceName=" + getName() - + ", oldCredentialStoreSupported=" + isCredentialStoreSupported() - + ", newCredentialStoreSupported=" + credentialStoreSupported); - } - - ServiceDesiredStateEntity desiredStateEntity = getServiceDesiredStateEntity(); - - if (desiredStateEntity != null) { - desiredStateEntity.setCredentialStoreSupported(credentialStoreSupported); - desiredStateEntity = serviceDesiredStateDAO.merge(desiredStateEntity); - } else { - LOG.warn("Setting a member on an entity object that may have been " - + "previously deleted, serviceName = " + getName()); - } - } /** * Get a true or false value specifying whether http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java index 2082048..1f93f1f 100644 
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java @@ -83,7 +83,6 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog { public static final String COMPONENT_VERSION_FK_REPO_VERSION = "FK_scv_repo_version_id"; protected static final String SERVICE_DESIRED_STATE_TABLE = "servicedesiredstate"; - protected static final String CREDENTIAL_STORE_SUPPORTED_COL = "credential_store_supported"; protected static final String CREDENTIAL_STORE_ENABLED_COL = "credential_store_enabled"; protected static final String HOST_COMPONENT_DESIREDSTATE_TABLE = "hostcomponentdesiredstate"; @@ -547,12 +546,8 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog { */ private void updateServiceDesiredStateTable() throws SQLException { // ALTER TABLE servicedesiredstate ADD COLUMN - // credential_store_supported SMALLINT DEFAULT 0 NOT NULL // credential_store_enabled SMALLINT DEFAULT 0 NOT NULL dbAccessor.addColumn(SERVICE_DESIRED_STATE_TABLE, - new DBColumnInfo(CREDENTIAL_STORE_SUPPORTED_COL, Short.class, null, 0, false)); - - dbAccessor.addColumn(SERVICE_DESIRED_STATE_TABLE, new DBColumnInfo(CREDENTIAL_STORE_ENABLED_COL, Short.class, null, 0, false)); } http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql index b79c945..c7d7990 100644 --- a/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql +++ b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql 
@@ -262,7 +262,6 @@ CREATE TABLE servicedesiredstate ( service_name VARCHAR(255) NOT NULL, maintenance_state VARCHAR(32) NOT NULL, security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED', - credential_store_supported SMALLINT NOT NULL DEFAULT 0, credential_store_enabled SMALLINT NOT NULL DEFAULT 0, CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name), CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id), http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql index 1c502bc..de79328 100644 --- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql +++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql @@ -272,7 +272,6 @@ CREATE TABLE servicedesiredstate ( service_name VARCHAR(255) NOT NULL, maintenance_state VARCHAR(32) NOT NULL DEFAULT 'ACTIVE', security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED', - credential_store_supported SMALLINT NOT NULL DEFAULT 0, credential_store_enabled SMALLINT NOT NULL DEFAULT 0, CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name), CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id), http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql index c6d4ad0..16c5864 100644 --- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql +++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 
@@ -252,7 +252,6 @@ CREATE TABLE servicedesiredstate ( service_name VARCHAR2(255) NOT NULL, maintenance_state VARCHAR2(32) NOT NULL, security_state VARCHAR2(32) DEFAULT 'UNSECURED' NOT NULL, - credential_store_supported SMALLINT DEFAULT 0 NOT NULL, credential_store_enabled SMALLINT DEFAULT 0 NOT NULL, CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name), CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id), http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql index 1be87bb..91610bb 100644 --- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql +++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql @@ -261,7 +261,6 @@ CREATE TABLE servicedesiredstate ( service_name VARCHAR(255) NOT NULL, maintenance_state VARCHAR(32) NOT NULL, security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED', - credential_store_supported SMALLINT NOT NULL DEFAULT 0, credential_store_enabled SMALLINT NOT NULL DEFAULT 0, CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name), CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id), http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql index abe48e8..aebbcb0 100644 --- a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql +++ b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql 
@@ -250,7 +250,6 @@ CREATE TABLE servicedesiredstate ( service_name VARCHAR(255) NOT NULL, maintenance_state VARCHAR(32) NOT NULL DEFAULT 'ACTIVE', security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED', - credential_store_supported SMALLINT NOT NULL DEFAULT 0, credential_store_enabled SMALLINT NOT NULL DEFAULT 0, CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name), CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id), http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql index 169a464..d3eaa6c 100644 --- a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql +++ b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql @@ -265,7 +265,6 @@ CREATE TABLE servicedesiredstate ( service_name VARCHAR(255) NOT NULL, maintenance_state VARCHAR(32) NOT NULL, security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED', - credential_store_supported SMALLINT NOT NULL DEFAULT 0, credential_store_enabled SMALLINT NOT NULL DEFAULT 0, CONSTRAINT PK_servicedesiredstate PRIMARY KEY CLUSTERED (cluster_id,service_name), CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id), http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py index a32fbfb..ba610a0 100644 
--- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py +++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py @@ -48,9 +48,7 @@ from resource_management.libraries.functions.get_architecture import get_archite from resource_management.core.utils import PasswordString from resource_management.core.shell import checked_call -from resource_management.core.logger import Logger -from resource_management.core.resources.system import File -from resource_management.core.source import DownloadSource +from ambari_commons.credential_store_helper import get_password_from_credential_store # Default log4j version; put config files under /etc/hive/conf log4j_version = '1' 
@@ -230,36 +228,15 @@ hive_jdbc_connection_url = config['configurations']['hive-site']['javax.jdo.opti jdk_location = config['hostLevelParams']['jdk_location'] -credential_util_cmd = 'org.apache.ambari.server.credentialapi.CredentialUtil' -credential_util_jar = 'CredentialUtil.jar' - -# Gets the hive metastore password from its JCEKS provider, if available. -def getHiveMetastorePassword(): - passwd = '' +if credential_store_enabled: if 'hadoop.security.credential.provider.path' in config['configurations']['hive-site']: - # Try to download CredentialUtil.jar from ambari-server resources cs_lib_path = config['configurations']['hive-site']['credentialStoreClassPath'] - credential_util_dir = cs_lib_path.split('*')[0] # Remove the trailing '*' - credential_util_path = os.path.join(credential_util_dir, credential_util_jar) - credential_util_url = jdk_location + credential_util_jar - File(credential_util_path, - content = DownloadSource(credential_util_url), - mode = 0644, - ) - - # Execute a get command on the CredentialUtil CLI to get the password for the specified alias java_home = config['hostLevelParams']['java_home'] - java_bin = '{java_home}/bin/java'.format(java_home=java_home) alias = 'javax.jdo.option.ConnectionPassword' provider_path = config['configurations']['hive-site']['hadoop.security.credential.provider.path'] - cmd = (java_bin, '-cp', cs_lib_path, credential_util_cmd, 'get', alias, '-provider', provider_path) - cmd_result, std_out_msg = checked_call(cmd) - std_out_lines = std_out_msg.split('\n') - passwd = std_out_lines[-1] # Get the last line of the output, to skip warnings if any. 
- return passwd - -if credential_store_enabled: - hive_metastore_user_passwd = PasswordString(getHiveMetastorePassword()) + hive_metastore_user_passwd = PasswordString(get_password_from_credential_store(alias, provider_path, cs_lib_path, java_home, jdk_location)) + else: + raise Exception("hadoop.security.credential.provider.path property should be set") else: hive_metastore_user_passwd = config['configurations']['hive-site']['javax.jdo.option.ConnectionPassword'] hive_metastore_user_passwd = unicode(hive_metastore_user_passwd) if not is_empty(hive_metastore_user_passwd) else hive_metastore_user_passwd @@ -843,4 +820,4 @@ if enable_ranger_hive: if has_ranger_admin and stack_supports_ranger_audit_db and xa_audit_db_flavor.lower() == 'sqla': xa_audit_db_is_enabled = False -# ranger hive plugin section end \ No newline at end of file +# ranger hive plugin section end http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py index eb438e7..d30a465 100644 --- a/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py +++ b/ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py 
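Review bot: The credential-store branch now stores a `PasswordString`, but the unchanged line that follows, `hive_metastore_user_passwd = unicode(hive_metastore_user_passwd) if not is_empty(hive_metastore_user_passwd) else hive_metastore_user_passwd`, would turn it back into a plain `unicode` if it sits at module level after the if/else. The page has lost indentation, so this needs checking in the file. If the line does run on both branches, the log masking that `PasswordString` is meant to provide is lost, and the conversion should move into the `else` branch. `cs_lib_path = config['configurations']['hive-site']['credentialStoreClassPath']` is also indexed without the presence check that the provider path gets, so a missing key surfaces as a KeyError rather than the explicit message.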
@@ -34,6 +34,8 @@ from resource_management.libraries.resources.hdfs_resource import HdfsResource from resource_management.libraries.functions.get_architecture import get_architecture from resource_management.libraries.functions.stack_features import get_stack_feature_version +from resource_management.core.utils import PasswordString +from ambari_commons.credential_store_helper import get_password_from_credential_store from urlparse import urlparse import status_params @@ -166,6 +168,10 @@ zk_connection_string = default('/configurations/oozie-site/oozie.zookeeper.conne jaas_file = os.path.join(conf_dir, 'zkmigrator_jaas.conf') stack_supports_zk_security = check_stack_feature(StackFeature.SECURE_ZOOKEEPER, version_for_stack_feature_checks) +credential_store_enabled = False +if 'credentialStoreEnabled' in config: + credential_store_enabled = config['credentialStoreEnabled'] + if security_enabled: oozie_site = dict(config['configurations']['oozie-site']) oozie_principal_with_host = oozie_principal.replace('_HOST', hostname) 
@@ -195,7 +201,19 @@ oozie_env_sh_template = config['configurations']['oozie-env']['content'] oracle_driver_jar_name = "ojdbc6.jar" oozie_metastore_user_name = config['configurations']['oozie-site']['oozie.service.JPAService.jdbc.username'] -oozie_metastore_user_passwd = default("/configurations/oozie-site/oozie.service.JPAService.jdbc.password","") + +if credential_store_enabled: + if 'hadoop.security.credential.provider.path' in config['configurations']['oozie-site']: + cs_lib_path = config['configurations']['oozie-site']['credentialStoreClassPath'] + java_home = config['hostLevelParams']['java_home'] + alias = 'oozie.service.JPAService.jdbc.password' + provider_path = config['configurations']['oozie-site']['hadoop.security.credential.provider.path'] + oozie_metastore_user_passwd = PasswordString(get_password_from_credential_store(alias, provider_path, cs_lib_path, java_home, jdk_location)) + else: + raise Exception("hadoop.security.credential.provider.path property should be set") +else: + oozie_metastore_user_passwd = default("/configurations/oozie-site/oozie.service.JPAService.jdbc.password","") + oozie_jdbc_connection_url = default("/configurations/oozie-site/oozie.service.JPAService.jdbc.url", "") oozie_log_dir = config['configurations']['oozie-env']['oozie_log_dir'] oozie_data_dir = config['configurations']['oozie-env']['oozie_data_dir'] http://git-wip-us.apache.org/repos/asf/ambari/blob/d252665c/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java index 1c742ef..cee490b 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java 
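Review bot: The new branch passes `jdk_location` to `get_password_from_credential_store`, but nothing in the visible Oozie hunks assigns it, whereas the Hive file shows `jdk_location = config['hostLevelParams']['jdk_location']` as context. Confirm it is defined earlier in this params_linux.py, otherwise the credential-store path fails with a NameError. `config['configurations']['oozie-site']['credentialStoreClassPath']` is indexed without a presence check, unlike the provider path. The block is a copy of the Hive one with only the config type and alias changed, so a small shared wrapper taking those two values would keep the two from drifting. The raised error would be easier to act on if it named the config type, e.g. `raise Exception("oozie-site: hadoop.security.credential.provider.path property should be set")`.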
@@ -189,9 +189,7 @@ public class UpgradeCatalog250Test { eq("repo_version"), eq("repo_version_id"), eq(false)); // servicedesiredstate table - Capture<DBAccessor.DBColumnInfo> capturedCredentialStoreSupportedCol = newCapture(); Capture<DBAccessor.DBColumnInfo> capturedCredentialStoreEnabledCol = newCapture(); - dbAccessor.addColumn(eq(UpgradeCatalog250.SERVICE_DESIRED_STATE_TABLE), capture(capturedCredentialStoreSupportedCol)); dbAccessor.addColumn(eq(UpgradeCatalog250.SERVICE_DESIRED_STATE_TABLE), capture(capturedCredentialStoreEnabledCol)); expect(dbAccessor.getConnection()).andReturn(connection).anyTimes(); @@ -253,16 +251,8 @@ public class UpgradeCatalog250Test { // did we get them all? Assert.assertEquals(0, expected.size()); - // Verify if credential_store_supported & credential_store_enabled columns + // Verify if credential_store_enabled columns // were added to servicedesiredstate table - DBAccessor.DBColumnInfo capturedCredentialStoreSupportedColValues = capturedCredentialStoreSupportedCol.getValue(); - Assert.assertNotNull(capturedCredentialStoreSupportedColValues); - - Assert.assertEquals(UpgradeCatalog250.CREDENTIAL_STORE_SUPPORTED_COL, capturedCredentialStoreSupportedColValues.getName()); - Assert.assertEquals(null, capturedCredentialStoreSupportedColValues.getLength()); - Assert.assertEquals(Short.class, capturedCredentialStoreSupportedColValues.getType()); - Assert.assertEquals(0, capturedCredentialStoreSupportedColValues.getDefaultValue()); - Assert.assertEquals(false, capturedCredentialStoreSupportedColValues.isNullable()); DBAccessor.DBColumnInfo capturedCredentialStoreEnabledColValues = capturedCredentialStoreEnabledCol.getValue(); Assert.assertNotNull(capturedCredentialStoreEnabledColValues);
