Repository: ambari Updated Branches: refs/heads/trunk 399b70835 -> 31944e382
AMBARI-19897 : Provide user-warning while upgrading clusters to move certificates/keystores/truststores out of conf folder (Vishal Suvagia via mugdha) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/31944e38 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/31944e38 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/31944e38 Branch: refs/heads/trunk Commit: 31944e382019482ee40e8ec4c691b6aea7fce230 Parents: 399b708 Author: Vishal Suvagia <[email protected]> Authored: Fri Feb 10 16:37:38 2017 +0530 Committer: Mugdha Varadkar <[email protected]> Committed: Tue Feb 14 10:31:39 2017 +0530 ---------------------------------------------------------------------- .../ambari/server/checks/CheckDescription.java | 7 + .../server/checks/RangerSSLConfigCheck.java | 81 ++++++++++ .../HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml | 1 + .../stacks/HDP/2.3/upgrades/upgrade-2.6.xml | 1 + .../HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml | 1 + .../stacks/HDP/2.4/upgrades/upgrade-2.6.xml | 1 + .../HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml | 1 + .../stacks/HDP/2.5/upgrades/upgrade-2.6.xml | 1 + .../server/checks/RangerSSLConfigCheckTest.java | 150 +++++++++++++++++++ 9 files changed, 244 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/java/org/apache/ambari/server/checks/CheckDescription.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/checks/CheckDescription.java b/ambari-server/src/main/java/org/apache/ambari/server/checks/CheckDescription.java index 8d8f540..2d1468f 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/checks/CheckDescription.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/checks/CheckDescription.java 
@@ -320,6 +320,13 @@ public class CheckDescription { .put(AbstractCheckDescriptor.DEFAULT, "Auto-Start must be disabled before performing an Upgrade").build()); + public static CheckDescription RANGER_SSL_CONFIG_CHECK = new CheckDescription("RANGER_SSL_CONFIG_CHECK", + PrereqCheckType.SERVICE, + "Change Ranger SSL configuration path for Keystore and Truststore.", + new ImmutableMap.Builder<String, String>() + .put(AbstractCheckDescriptor.DEFAULT, + "As Ranger is SSL enabled, Ranger SSL configurations will need to be changed from default value of /etc/ranger/*/conf folder to /etc/ranger/security. " + + "Since the certificates/keystores/truststores in this path may affect the upgrade/downgrade process, it is recommended to manually move the certificates/keystores/truststores out of the conf folders and change the appropriate config values before proceeding.").build()); private String m_name; private PrereqCheckType m_type; http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/java/org/apache/ambari/server/checks/RangerSSLConfigCheck.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/checks/RangerSSLConfigCheck.java b/ambari-server/src/main/java/org/apache/ambari/server/checks/RangerSSLConfigCheck.java new file mode 100644 index 0000000..02f6559 --- /dev/null +++ b/ambari-server/src/main/java/org/apache/ambari/server/checks/RangerSSLConfigCheck.java 
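Review bot: The `RANGER_SSL_CONFIG_CHECK` message covers more than the check that raises it: the text speaks of `/etc/ranger/*/conf` and of certificates, keystores and truststores, while `RangerSSLConfigCheck.perform` in this same commit only tests `ranger.https.attrib.keystore.file` for the substring `/etc/ranger/admin/conf`. A cluster whose truststore, or another Ranger component's key material, sits in a conf folder therefore passes silently, although the message itself says files left in those folders may affect the upgrade/downgrade. Either widen the check to the paths the message names or narrow the message to the admin keystore. The field is also declared `public static` without `final`, so it can be reassigned at runtime; `public static final CheckDescription RANGER_SSL_CONFIG_CHECK = ...` would prevent that, provided the sibling constants outside this hunk allow the same.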
@@ -0,0 +1,81 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.ambari.server.checks; + + +import java.util.Arrays; + +import org.apache.ambari.server.AmbariException; +import org.apache.ambari.server.controller.PrereqCheckRequest; +import org.apache.ambari.server.state.stack.PrereqCheckStatus; +import org.apache.ambari.server.state.stack.PrerequisiteCheck; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.inject.Singleton; + + +/** + * This service check will mainly be for 2.6 stacks so as to encourage user + * to move the certificate, keystore and truststore from the default conf dir to + * an external directory untoched while RU/EU during upgrades/downgrades. 
+ */ +@Singleton +@UpgradeCheck(group = UpgradeCheckGroup.INFORMATIONAL_WARNING) +public class RangerSSLConfigCheck extends AbstractCheckDescriptor { + + private static final Logger LOG = LoggerFactory.getLogger(RangerSSLConfigCheck.class); + private static final String serviceName = "RANGER"; + + + /** + * Constructor + */ + public RangerSSLConfigCheck() { + super(CheckDescription.RANGER_SSL_CONFIG_CHECK); + } + + /** + * {@inheritDoc} + */ + @Override + public boolean isApplicable(PrereqCheckRequest request) throws AmbariException { + return super.isApplicable(request, Arrays.asList(serviceName), true); + } + + /** + * {@inheritDoc} + */ + @Override + public void perform(PrerequisiteCheck prerequisiteCheck, PrereqCheckRequest request) throws AmbariException { + String isRangerHTTPEnabled = getProperty(request, "ranger-admin-site", "ranger.service.http.enabled"); + String isRangerSSLEnabled = getProperty(request, "ranger-admin-site", "ranger.service.https.attrib.ssl.enabled"); + String rangerSSLKeystoreFile = getProperty(request, "ranger-admin-site", "ranger.https.attrib.keystore.file"); + + if (("false").equalsIgnoreCase(isRangerHTTPEnabled) && ("true").equalsIgnoreCase(isRangerSSLEnabled) && rangerSSLKeystoreFile.contains("/etc/ranger/admin/conf") ) { + LOG.info("Ranger is SSL enabled, need to show Configuration changes warning before upragade proceeds."); + prerequisiteCheck.getFailedOn().add(serviceName); + prerequisiteCheck.setStatus(PrereqCheckStatus.WARNING); + prerequisiteCheck.setFailReason(getFailReason(prerequisiteCheck, request)); + } else { + LOG.info("Ranger is not SSL enabled, no need to show Configuration changes warning before upragade proceeds."); + } + + } +} http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml ---------------------------------------------------------------------- 
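Review bot: `rangerSSLKeystoreFile.contains("/etc/ranger/admin/conf")` in `perform` dereferences the looked-up value unguarded, while the two flags next to it are compared constant-first and so tolerate a missing property. If `getProperty` (defined outside this diff) returns null for an unset `ranger.https.attrib.keystore.file`, a cluster with HTTP disabled and SSL enabled makes this informational check throw a NullPointerException instead of reporting; `rangerSSLKeystoreFile != null && rangerSSLKeystoreFile.contains("/etc/ranger/admin/conf")` as the last operand avoids that. The `else` branch logs "Ranger is not SSL enabled" for every non-matching case, including SSL enabled with the keystore elsewhere, which misstates the TLS state to anyone reading the upgrade log; something like `LOG.info("No Ranger SSL keystore under the conf folder, no configuration warning needed.");` would be accurate. Both log messages also misspell "upgrade" as "upragade".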
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml index 0d4e3b8..d5ddeeb 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml @@ -23,6 +23,7 @@ <prerequisite-checks> <check>org.apache.ambari.server.checks.RangerAuditDbCheck</check> <check>org.apache.ambari.server.checks.ServicePresenceCheck</check> + <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check> <configuration> <!-- Configuration properties for all pre-reqs including required pre-reqs --> <check-properties name="org.apache.ambari.server.checks.HiveDynamicServiceDiscoveryCheck"> http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml index 58db4a9..88486e6 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml 
@@ -35,6 +35,7 @@ <check>org.apache.ambari.server.checks.YarnTimelineServerStatePreservingCheck</check> <check>org.apache.ambari.server.checks.ServicePresenceCheck</check> <check>org.apache.ambari.server.checks.RangerAuditDbCheck</check> + <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check> <!-- Specific to HDP 2.5, Storm is not rolling --> <check>org.apache.ambari.server.checks.StormShutdownWarning</check> http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml index eedf98c..94b19c6 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml @@ -23,6 +23,7 @@ <prerequisite-checks> <check>org.apache.ambari.server.checks.RangerAuditDbCheck</check> <check>org.apache.ambari.server.checks.ServicePresenceCheck</check> + <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check> <configuration> <!-- Configuration properties for all pre-reqs including required pre-reqs --> http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml index 392e0fa..626bc63 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml 
@@ -36,6 +36,7 @@ <check>org.apache.ambari.server.checks.YarnTimelineServerStatePreservingCheck</check> <check>org.apache.ambari.server.checks.ServicePresenceCheck</check> <check>org.apache.ambari.server.checks.RangerAuditDbCheck</check> + <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check> <!-- Specific to HDP 2.5, Storm is not rolling --> <check>org.apache.ambari.server.checks.StormShutdownWarning</check> http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml index 8c7a9b1..e92b115 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml @@ -21,6 +21,7 @@ <target-stack>HDP-2.6</target-stack> <type>NON_ROLLING</type> <prerequisite-checks> + <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check> <configuration> <!-- Configuration properties for all pre-reqs including required pre-reqs --> <check-properties name="org.apache.ambari.server.checks.HiveDynamicServiceDiscoveryCheck"> http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml index b83525a..818a6c0 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
@@ -33,6 +33,7 @@ <check>org.apache.ambari.server.checks.ServicesYarnWorkPreservingCheck</check> <check>org.apache.ambari.server.checks.YarnRMHighAvailabilityCheck</check> <check>org.apache.ambari.server.checks.YarnTimelineServerStatePreservingCheck</check> + <check>org.apache.ambari.server.checks.RangerSSLConfigCheck</check> <configuration> <!-- Configuration properties for all pre-reqs including required pre-reqs --> http://git-wip-us.apache.org/repos/asf/ambari/blob/31944e38/ambari-server/src/test/java/org/apache/ambari/server/checks/RangerSSLConfigCheckTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/checks/RangerSSLConfigCheckTest.java b/ambari-server/src/test/java/org/apache/ambari/server/checks/RangerSSLConfigCheckTest.java new file mode 100644 index 0000000..2af5502 --- /dev/null +++ b/ambari-server/src/test/java/org/apache/ambari/server/checks/RangerSSLConfigCheckTest.java 
@@ -0,0 +1,150 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.ambari.server.checks; + +import java.util.HashMap; +import java.util.Map; + +import org.apache.ambari.server.configuration.Configuration; +import org.apache.ambari.server.controller.PrereqCheckRequest; +import org.apache.ambari.server.state.Cluster; +import org.apache.ambari.server.state.Clusters; +import org.apache.ambari.server.state.Config; +import org.apache.ambari.server.state.DesiredConfig; +import org.apache.ambari.server.state.Service; +import org.apache.ambari.server.state.stack.PrereqCheckStatus; +import org.apache.ambari.server.state.stack.PrerequisiteCheck; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mockito; + +import com.google.inject.Provider; + + +/* Test for RangerSSLConfigCheck */ +public class RangerSSLConfigCheckTest { + + private final Clusters clusters = Mockito.mock(Clusters.class); + private final RangerSSLConfigCheck rangerSSLConfigCheck = new RangerSSLConfigCheck(); + + @Before + public void setup() { + rangerSSLConfigCheck.clustersProvider = new Provider<Clusters>() { + @Override + public Clusters get() { + return clusters; + } + }; + Configuration 
config = Mockito.mock(Configuration.class); + rangerSSLConfigCheck.config = config; + } + + @Test + public void testIsApplicable() throws Exception { + final Cluster cluster = Mockito.mock(Cluster.class); + final Map<String, Service> services = new HashMap<>(); + final Service service = Mockito.mock(Service.class); + + services.put("RANGER", service); + + Mockito.when(cluster.getServices()).thenReturn(services); + Mockito.when(cluster.getClusterId()).thenReturn(1L); + Mockito.when(clusters.getCluster("cluster")).thenReturn(cluster); + + Assert.assertTrue(rangerSSLConfigCheck.isApplicable(new PrereqCheckRequest("cluster"))); + + services.remove("RANGER"); + Assert.assertFalse(rangerSSLConfigCheck.isApplicable(new PrereqCheckRequest("cluster"))); + + } + + @Test + public void testPerform() throws Exception { + final Cluster cluster = Mockito.mock(Cluster.class); + final Map<String, Service> services = new HashMap<>(); + final Service service = Mockito.mock(Service.class); + + services.put("RANGER", service); + + Mockito.when(cluster.getServices()).thenReturn(services); + Mockito.when(cluster.getClusterId()).thenReturn(1L); + Mockito.when(clusters.getCluster("cluster")).thenReturn(cluster); + + final DesiredConfig desiredConfig = Mockito.mock(DesiredConfig.class); + Mockito.when(desiredConfig.getTag()).thenReturn("tag"); + Map<String, DesiredConfig> configMap = new HashMap<String, DesiredConfig>(); + configMap.put("ranger-admin-site", desiredConfig); + + Mockito.when(cluster.getDesiredConfigs()).thenReturn(configMap); + final Config config = Mockito.mock(Config.class); + Mockito.when(cluster.getConfig(Mockito.anyString(), Mockito.anyString())).thenReturn(config); + final Map<String, String> properties = new HashMap<String, String>(); + Mockito.when(config.getProperties()).thenReturn(properties); + + properties.put("ranger.service.http.enabled","true"); + properties.put("ranger.service.https.attrib.ssl.enabled","true"); + 
properties.put("ranger.https.attrib.keystore.file","/etc/ranger/security/ranger-admin-keystore.jks"); + PrerequisiteCheck check = new PrerequisiteCheck(null, null); + rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster")); + Assert.assertEquals(PrereqCheckStatus.PASS, check.getStatus()); + + properties.put("ranger.service.http.enabled","true"); + properties.put("ranger.service.https.attrib.ssl.enabled","true"); + properties.put("ranger.https.attrib.keystore.file","/etc/ranger/security/ranger-admin-keystore.jks"); + check = new PrerequisiteCheck(null, null); + rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster")); + Assert.assertEquals(PrereqCheckStatus.PASS, check.getStatus()); + + + properties.put("ranger.service.http.enabled","true"); + properties.put("ranger.service.https.attrib.ssl.enabled","fasle"); + properties.put("ranger.https.attrib.keystore.file","/etc/ranger/security/ranger-admin-keystore.jks"); + check = new PrerequisiteCheck(null, null); + rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster")); + Assert.assertEquals(PrereqCheckStatus.PASS, check.getStatus()); + + + properties.put("ranger.service.http.enabled","false"); + properties.put("ranger.service.https.attrib.ssl.enabled","true"); + properties.put("ranger.https.attrib.keystore.file","/etc/ranger/admin/conf/ranger-admin-keystore.jks"); + check = new PrerequisiteCheck(null, null); + rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster")); + Assert.assertEquals(PrereqCheckStatus.WARNING, check.getStatus()); + + properties.put("ranger.service.http.enabled","false"); + properties.put("ranger.service.https.attrib.ssl.enabled","true"); + properties.put("ranger.https.attrib.keystore.file","/etc/ranger/security/ranger-admin-keystore.jks"); + check = new PrerequisiteCheck(null, null); + rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster")); + Assert.assertEquals(PrereqCheckStatus.PASS, check.getStatus()); + + + 
properties.put("ranger.service.http.enabled","false"); + properties.put("ranger.service.https.attrib.ssl.enabled","false"); + properties.put("ranger.https.attrib.keystore.file","/etc/ranger/security/ranger-admin-keystore.jks"); + check = new PrerequisiteCheck(null, null); + rangerSSLConfigCheck.perform(check, new PrereqCheckRequest("cluster")); + Assert.assertEquals(PrereqCheckStatus.PASS, check.getStatus()); + + + + } +} + +
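Review bot: `testPerform` never exercises a missing `ranger.https.attrib.keystore.file`, which is the one input on which `perform` calls `contains` on the looked-up value; a case with HTTP `false`, SSL `true` and `properties.remove("ranger.https.attrib.keystore.file");` would pin down whether the check survives an unset keystore path. The first two blocks set identical properties (HTTP `true`, SSL `true`, keystore under `/etc/ranger/security`), so the second adds no coverage and could become that case, or HTTP `true` with the keystore under `/etc/ranger/admin/conf`. The third block passes only because the misspelt `"fasle"` is not `"true"`; write `"false"` if disabled is what is meant, or add a comment if an invalid value is being tested on purpose.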
