AMBARI-20063. Removing secure ACLs from Kafka znodes during dekerberization (Attila Magyar via adoroszlai)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/1ef83d76 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/1ef83d76 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/1ef83d76 Branch: refs/heads/branch-2.5 Commit: 1ef83d76c48a473c85f37d650689e56f03cd3b3e Parents: c0d94ef Author: Attila Magyar <[email protected]> Authored: Thu Feb 23 11:14:03 2017 +0100 Committer: Attila Doroszlai <[email protected]> Committed: Thu Feb 23 11:15:45 2017 +0100 ---------------------------------------------------------------------- .../0.1.0.2.3/package/scripts/metadata_server.py | 5 ++--- .../ATLAS/0.1.0.2.3/package/scripts/params.py | 1 + .../KAFKA/0.8.1/package/scripts/kafka_broker.py | 15 ++++++++++++++- .../KAFKA/0.8.1/package/scripts/params.py | 2 ++ 4 files changed, 19 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/1ef83d76/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py index 2cfb25b..d79ba3d 100644 --- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py +++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py @@ -152,14 +152,13 @@ class MetadataServer(Script): def disable_security(self, env): import params - if not params.stack_supports_zk_security: - Logger.info("Stack doesn't support zookeeper security") - return if not params.zookeeper_quorum: Logger.info("No zookeeper connection string. Skipping reverting ACL") return zkmigrator = ZkMigrator(params.zookeeper_quorum, params.java_exec, params.java64_home, params.atlas_jaas_file, params.metadata_user) zkmigrator.set_acls(params.zk_root if params.zk_root.startswith('/') else '/' + params.zk_root, 'world:anyone:crdwa') + if params.atlas_kafka_group_id: + zkmigrator.set_acls(format('/consumers/{params.atlas_kafka_group_id}'), 'world:anyone:crdwa') def status(self, env): import status_params http://git-wip-us.apache.org/repos/asf/ambari/blob/1ef83d76/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py index 5e41eac..2066b2a 100644 --- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py @@ -81,6 +81,7 @@ java_version = expect("/hostLevelParams/java_version", int) zk_root = default('/configurations/application-properties/atlas.server.ha.zookeeper.zkroot', '/apache_atlas') stack_supports_zk_security = check_stack_feature(StackFeature.SECURE_ZOOKEEPER, version_for_stack_feature_checks) +atlas_kafka_group_id = default('/configurations/application-properties/atlas.kafka.hook.group.id', None) if security_enabled: _hostname_lowercase = config['hostname'].lower() http://git-wip-us.apache.org/repos/asf/ambari/blob/1ef83d76/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/kafka_broker.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/kafka_broker.py b/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/kafka_broker.py index 024da4a..015e150 100644 --- a/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/kafka_broker.py +++ b/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/kafka_broker.py @@ -28,7 +28,6 @@ from resource_management.libraries.functions.check_process_status import check_p from resource_management.libraries.functions import StackFeature from resource_management.libraries.functions.stack_features import check_stack_feature from resource_management.libraries.functions.show_logs import show_logs -from resource_management.libraries.functions.default import default from kafka import ensure_base_directories import upgrade @@ -111,6 +110,20 @@ class KafkaBroker(Script): action = "delete" ) + def disable_security(self, env): + import params + if not params.zookeeper_connect: + Logger.info("No zookeeper connection string. Skipping reverting ACL") + return + if not params.secure_acls: + Logger.info("The zookeeper.set.acl is false. Skipping reverting ACL") + return + Execute( + "{0} --zookeeper.connect {1} --zookeeper.acl=unsecure".format(params.kafka_security_migrator, params.zookeeper_connect), \ + user=params.kafka_user, \ + environment={ 'JAVA_HOME': params.java64_home }, \ + logoutput=True, \ + tries=3) def status(self, env): import status_params http://git-wip-us.apache.org/repos/asf/ambari/blob/1ef83d76/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/params.py b/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/params.py index 6c7ff69..69d801a 100644 --- a/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/params.py @@ -102,6 +102,8 @@ kafka_hosts.sort() zookeeper_hosts = config['clusterHostInfo']['zookeeper_hosts'] zookeeper_hosts.sort() +secure_acls = default("/configurations/kafka-broker/zookeeper.set.acl", False) +kafka_security_migrator = os.path.join(kafka_home, "bin", "zookeeper-security-migration.sh") #Kafka log4j kafka_log_maxfilesize = default('/configurations/kafka-log4j/kafka_log_maxfilesize',256)
