Repository: ambari Updated Branches: refs/heads/branch-2.5 c9f9215e5 -> f7068818a
AMBARI-20152. Use storm user instead of nimbus user for ranger audit (oleewere) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/f7068818 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/f7068818 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/f7068818 Branch: refs/heads/branch-2.5 Commit: f7068818a1d8576b1c91d6b487699adb825b6608 Parents: c9f9215 Author: oleewere <[email protected]> Authored: Thu Feb 23 21:42:13 2017 +0100 Committer: oleewere <[email protected]> Committed: Sat Feb 25 20:03:16 2017 +0100 ---------------------------------------------------------------------- .../server/upgrade/UpgradeCatalog250.java | 91 ++++++++ .../ATLAS/0.1.0.2.3/kerberos.json | 5 +- .../ATLAS/0.7.0.2.5/kerberos.json | 5 +- .../LOGSEARCH/0.5.0/kerberos.json | 5 +- .../common-services/RANGER/0.6.0/kerberos.json | 5 +- .../common-services/STORM/1.0.1/kerberos.json | 2 +- .../server/upgrade/UpgradeCatalog250Test.java | 125 +++++++++-- ...test_kerberos_descriptor_2_5_infra_solr.json | 217 +++++++++++++++++++ 8 files changed, 427 insertions(+), 28 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/f7068818/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java index c488cb6..39a129d 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java @@ -24,19 +24,30 @@ import com.google.inject.Injector; import org.apache.ambari.server.AmbariException; import org.apache.ambari.server.actionmanager.CommandExecutionType; +import org.apache.ambari.server.collections.Predicate; +import org.apache.ambari.server.collections.functors.ContainsPredicate; import org.apache.ambari.server.configuration.Configuration; import org.apache.ambari.server.controller.AmbariManagementController; import org.apache.ambari.server.orm.DBAccessor; import org.apache.ambari.server.orm.DBAccessor.DBColumnInfo; import org.apache.ambari.server.orm.dao.AlertDefinitionDAO; import org.apache.ambari.server.orm.dao.AlertsDAO; +import org.apache.ambari.server.orm.dao.ArtifactDAO; import org.apache.ambari.server.orm.dao.DaoUtils; import org.apache.ambari.server.orm.entities.AlertCurrentEntity; import org.apache.ambari.server.orm.entities.AlertDefinitionEntity; import org.apache.ambari.server.orm.entities.AlertHistoryEntity; +import org.apache.ambari.server.orm.entities.ArtifactEntity; import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; import org.apache.ambari.server.state.Config; +import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory; +import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosKeytabDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor; import org.apache.commons.lang.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -179,6 +190,7 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog { updateRangerUrlConfigs(); addManageServiceAutoStartPermissions(); addManageAlertNotificationsPermissions(); + updateKerberosDescriptorArtifacts(); } /** @@ -380,6 +392,82 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog { } } + /** + * {@inheritDoc} + */ + @Override + protected void updateKerberosDescriptorArtifact(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity) throws AmbariException { + if (artifactEntity != null) { + Map<String, Object> data = artifactEntity.getArtifactData(); + + if (data != null) { + final KerberosDescriptor kerberosDescriptor = new KerberosDescriptorFactory().createInstance(data); + + if (kerberosDescriptor != null) { + KerberosServiceDescriptor logSearchKerberosDescriptor = kerberosDescriptor.getService("LOGSEARCH"); + KerberosServiceDescriptor atlasKerberosDescriptor = kerberosDescriptor.getService("ATLAS"); + KerberosServiceDescriptor rangerKerberosDescriptor = kerberosDescriptor.getService("RANGER"); + addInfrSolrDescriptor(artifactDAO, artifactEntity, kerberosDescriptor, atlasKerberosDescriptor, "ATLAS_SERVER"); + addInfrSolrDescriptor(artifactDAO, artifactEntity, kerberosDescriptor, logSearchKerberosDescriptor, "LOGSEARCH_SERVER"); + addInfrSolrDescriptor(artifactDAO, artifactEntity, kerberosDescriptor, rangerKerberosDescriptor, "RANGER_ADMIN"); + KerberosServiceDescriptor stormKerberosDescriptor = kerberosDescriptor.getService("STORM"); + if (stormKerberosDescriptor != null) { + KerberosComponentDescriptor componentDescriptor = stormKerberosDescriptor.getComponent("NIMBUS"); + if (componentDescriptor != null) { + KerberosIdentityDescriptor origIdentityDescriptor = componentDescriptor.getIdentity("/STORM/NIMBUS/nimbus_server"); + if (origIdentityDescriptor != null) { + KerberosPrincipalDescriptor origPrincipalDescriptor = origIdentityDescriptor.getPrincipalDescriptor(); + KerberosPrincipalDescriptor newPrincipalDescriptor = new KerberosPrincipalDescriptor( + null, + null, + (origPrincipalDescriptor == null) ? + "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal" : origPrincipalDescriptor.getConfiguration(), + null + ); + KerberosKeytabDescriptor origKeytabDescriptor = origIdentityDescriptor.getKeytabDescriptor(); + KerberosKeytabDescriptor newKeytabDescriptor = new KerberosKeytabDescriptor( + null, + null, + null, + null, + null, + (origKeytabDescriptor == null) ? + "ranger-storm-audit/xasecure.audit.jaas.Client.option.keyTab" : origKeytabDescriptor.getConfiguration(), + false); + componentDescriptor.removeIdentity("/STORM/NIMBUS/nimbus_server"); + componentDescriptor.putIdentity(new KerberosIdentityDescriptor("/STORM/storm_components", null, newPrincipalDescriptor, newKeytabDescriptor, null)); + + artifactEntity.setArtifactData(kerberosDescriptor.toMap()); + artifactDAO.merge(artifactEntity); + } + } + } + } + } + } + } + + /** + * Add /AMBARI-INFRA/INFRA_SOLR/infra-solr reference to specific service component + */ + private void addInfrSolrDescriptor(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity, KerberosDescriptor kerberosDescriptor, + KerberosServiceDescriptor serviceDescriptor, String componentName) { + if (serviceDescriptor != null) { + KerberosComponentDescriptor componentDescriptor = serviceDescriptor.getComponent(componentName); + if (componentDescriptor != null) { + KerberosIdentityDescriptor origIdentityDescriptor = componentDescriptor.getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr"); + if (origIdentityDescriptor != null) { + LOG.info("/AMBARI_INFRA/INFRA_SOLR/infra-solr identity already exists in {} component", componentName); + } else { + Predicate predicate = ContainsPredicate.fromMap(Collections.<String, Object>singletonMap(ContainsPredicate.NAME, Arrays.asList("services", "AMBARI_INFRA"))); + componentDescriptor.putIdentity(new KerberosIdentityDescriptor("/AMBARI_INFRA/INFRA_SOLR/infra-solr",null, null, null, predicate)); + artifactEntity.setArtifactData(kerberosDescriptor.toMap()); + artifactDAO.merge(artifactEntity); + } + } + } + } + protected void updateTablesForZeppelinViewRemoval() throws SQLException { dbAccessor.executeQuery("DELETE from viewinstance WHERE view_name='ZEPPELIN{1.0.0}'", true); dbAccessor.executeQuery("DELETE from viewmain WHERE view_name='ZEPPELIN{1.0.0}'", true); @@ -1062,4 +1150,7 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog { updateConfigurationPropertiesForCluster(cluster, configType, updateProperty, true, false); } } + + + } http://git-wip-us.apache.org/repos/asf/ambari/blob/f7068818/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json index 0c25c95..4fe4d32 100644 --- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json +++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json @@ -50,7 +50,10 @@ } }, { - "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr" + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", + "when" : { + "contains" : ["services", "AMBARI_INFRA"] + } } ] } http://git-wip-us.apache.org/repos/asf/ambari/blob/f7068818/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json b/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json index d024146..e136bcf 100644 --- a/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json +++ b/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json @@ -89,7 +89,10 @@ "name": "/KAFKA/KAFKA_BROKER/kafka_broker" }, { - "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr" + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", + "when" : { + "contains" : ["services", "AMBARI_INFRA"] + } } ] } http://git-wip-us.apache.org/repos/asf/ambari/blob/f7068818/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json index 60c8afb..9e0f12d 100644 --- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json +++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json @@ -32,7 +32,10 @@ } }, { - "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr" + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", + "when" : { + "contains" : ["services", "AMBARI_INFRA"] + } } ] }, http://git-wip-us.apache.org/repos/asf/ambari/blob/f7068818/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json index c5b3201..1fc8acf 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json +++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json @@ -74,7 +74,10 @@ } }, { - "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr" + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", + "when" : { + "contains" : ["services", "AMBARI_INFRA"] + } } ] }, http://git-wip-us.apache.org/repos/asf/ambari/blob/f7068818/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json b/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json index fecef7c..fa2f6db 100644 --- a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json +++ b/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json @@ -106,7 +106,7 @@ } }, { - "name": "/STORM/NIMBUS/nimbus_server", + "name": "/STORM/storm_components", "principal": { "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal" }, http://git-wip-us.apache.org/repos/asf/ambari/blob/f7068818/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java index 3f934d7..64536cb 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java @@ -39,10 +39,12 @@ import org.apache.ambari.server.controller.KerberosHelper; import org.apache.ambari.server.controller.MaintenanceStateHelper; import org.apache.ambari.server.orm.DBAccessor; import org.apache.ambari.server.orm.dao.AlertDefinitionDAO; +import org.apache.ambari.server.orm.dao.ArtifactDAO; import org.apache.ambari.server.orm.dao.PermissionDAO; import org.apache.ambari.server.orm.dao.ResourceTypeDAO; import org.apache.ambari.server.orm.dao.RoleAuthorizationDAO; import org.apache.ambari.server.orm.entities.AlertDefinitionEntity; +import org.apache.ambari.server.orm.entities.ArtifactEntity; import org.apache.ambari.server.orm.entities.PermissionEntity; import org.apache.ambari.server.orm.entities.ResourceTypeEntity; import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity; @@ -50,6 +52,9 @@ import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; import org.apache.ambari.server.state.Config; import org.apache.ambari.server.state.Service; +import org.apache.ambari.server.state.kerberos.KerberosDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory; +import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor; import org.apache.ambari.server.state.stack.OsFamily; import org.easymock.Capture; import org.easymock.CaptureType; @@ -64,7 +69,9 @@ import org.junit.Test; import org.junit.runner.RunWith; import javax.persistence.EntityManager; +import java.io.File; import java.lang.reflect.Method; +import java.net.URL; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; @@ -280,6 +287,7 @@ public class UpgradeCatalog250Test { Method updateYarnSite = UpgradeCatalog250.class.getDeclaredMethod("updateYarnSite"); Method updateAlerts = UpgradeCatalog250.class.getDeclaredMethod("updateStormAlerts"); Method removeAlertDuplicates = UpgradeCatalog250.class.getDeclaredMethod("removeAlertDuplicates"); + Method updateKerberosDescriptorArtifacts = AbstractUpgradeCatalog.class.getDeclaredMethod("updateKerberosDescriptorArtifacts"); UpgradeCatalog250 upgradeCatalog250 = createMockBuilder(UpgradeCatalog250.class) .addMockedMethod(updateAmsConfigs) @@ -299,6 +307,7 @@ public class UpgradeCatalog250Test { .addMockedMethod(updateYarnSite) .addMockedMethod(updateAlerts) .addMockedMethod(removeAlertDuplicates) + .addMockedMethod(updateKerberosDescriptorArtifacts) .createMock(); @@ -353,6 +362,9 @@ public class UpgradeCatalog250Test { upgradeCatalog250.removeAlertDuplicates(); expectLastCall().once(); + upgradeCatalog250.updateKerberosDescriptorArtifacts(); + expectLastCall().once(); + replay(upgradeCatalog250); upgradeCatalog250.executeDMLUpdates(); @@ -1097,9 +1109,9 @@ public class UpgradeCatalog250Test { public void testLogSearchUpdateConfigs() throws Exception { reset(clusters, cluster); expect(clusters.getClusters()).andReturn(ImmutableMap.of("normal", cluster)).once(); - + EasyMockSupport easyMockSupport = new EasyMockSupport(); - + Injector injector2 = easyMockSupport.createNiceMock(Injector.class); AmbariManagementControllerImpl controller = createMockBuilder(AmbariManagementControllerImpl.class) .addMockedMethod("createConfiguration") @@ -1110,17 +1122,17 @@ public class UpgradeCatalog250Test { expect(injector2.getInstance(AmbariManagementController.class)).andReturn(controller).anyTimes(); expect(controller.getClusters()).andReturn(clusters).anyTimes(); - + Map<String, String> oldLogSearchProperties = ImmutableMap.of( "logsearch.external.auth.enabled", "true", "logsearch.external.auth.host_url", "host_url", "logsearch.external.auth.login_url", "login_url"); - + Map<String, String> expectedLogSearchProperties = ImmutableMap.of( "logsearch.auth.external_auth.enabled", "true", "logsearch.auth.external_auth.host_url", "host_url", "logsearch.auth.external_auth.login_url", "login_url"); - + Config mockLogSearchProperties = easyMockSupport.createNiceMock(Config.class); expect(cluster.getDesiredConfigByType("logsearch-properties")).andReturn(mockLogSearchProperties).atLeastOnce(); expect(mockLogSearchProperties.getProperties()).andReturn(oldLogSearchProperties).anyTimes(); @@ -1130,10 +1142,10 @@ public class UpgradeCatalog250Test { Map<String, String> oldLogFeederEnv = ImmutableMap.of( "content", "infra_solr_ssl_enabled"); - + Map<String, String> expectedLogFeederEnv = ImmutableMap.of( "content", "logfeeder_use_ssl"); - + Config mockLogFeederEnv = easyMockSupport.createNiceMock(Config.class); expect(cluster.getDesiredConfigByType("logfeeder-env")).andReturn(mockLogFeederEnv).atLeastOnce(); expect(mockLogFeederEnv.getProperties()).andReturn(oldLogFeederEnv).anyTimes(); @@ -1146,10 +1158,10 @@ public class UpgradeCatalog250Test { "logsearch_solr_audit_logs_zk_node", "zk_node", "logsearch_solr_audit_logs_zk_quorum", "zk_quorum", "content", "infra_solr_ssl_enabled or logsearch_ui_protocol == 'https'"); - + Map<String, String> expectedLogSearchEnv = ImmutableMap.of( "content", "logsearch_use_ssl"); - + Config mockLogSearchEnv = easyMockSupport.createNiceMock(Config.class); expect(cluster.getDesiredConfigByType("logsearch-env")).andReturn(mockLogSearchEnv).atLeastOnce(); expect(mockLogSearchEnv.getProperties()).andReturn(oldLogSearchEnv).anyTimes(); @@ -1177,7 +1189,7 @@ public class UpgradeCatalog250Test { " <param name=\"maxBackupIndex\" value=\"14\" />\n" + " <layout class=\"org.apache.ambari.logsearch.appender.LogsearchConversion\" />\n" + " </appender>"); - + Map<String, String> expectedLogFeederLog4j = ImmutableMap.of( "content", " <appender name=\"rolling_file\" class=\"org.apache.log4j.RollingFileAppender\">\n" + @@ -1202,7 +1214,7 @@ public class UpgradeCatalog250Test { "logfeeder_log_maxbackupindex", "12", "logfeeder_json_log_maxfilesize", "13", "logfeeder_json_log_maxbackupindex", "14"); - + Config mockLogFeederLog4j = easyMockSupport.createNiceMock(Config.class); expect(cluster.getDesiredConfigByType("logfeeder-log4j")).andReturn(mockLogFeederLog4j).atLeastOnce(); expect(mockLogFeederLog4j.getProperties()).andReturn(oldLogFeederLog4j).anyTimes(); @@ -1260,7 +1272,7 @@ public class UpgradeCatalog250Test { " <priority value=\"warn\"/>\n" + " <appender-ref ref=\"rolling_file_json\"/>\n" + " </category>"); - + Map<String, String> expectedLogSearchLog4j = new HashMap<>(); expectedLogSearchLog4j.put("content", " <appender name=\"rolling_file\" class=\"org.apache.log4j.RollingFileAppender\">\n" + @@ -1320,7 +1332,7 @@ public class UpgradeCatalog250Test { expectedLogSearchLog4j.put("logsearch_audit_log_maxbackupindex", "16"); expectedLogSearchLog4j.put("logsearch_perf_log_maxfilesize", "17"); expectedLogSearchLog4j.put("logsearch_perf_log_maxbackupindex", "18"); - + Config mockLogSearchLog4j = easyMockSupport.createNiceMock(Config.class); expect(cluster.getDesiredConfigByType("logsearch-log4j")).andReturn(mockLogSearchLog4j).atLeastOnce(); expect(mockLogSearchLog4j.getProperties()).andReturn(oldLogSearchLog4j).anyTimes(); @@ -1349,14 +1361,14 @@ public class UpgradeCatalog250Test { Map<String, String> updatedLogSearchLog4j = logSearchLog4jCapture.getValue(); assertTrue(Maps.difference(expectedLogSearchLog4j, updatedLogSearchLog4j).areEqual()); } - + @Test public void testAmbariInfraUpdateConfigs() throws Exception { reset(clusters, cluster); expect(clusters.getClusters()).andReturn(ImmutableMap.of("normal", cluster)).once(); - + EasyMockSupport easyMockSupport = new EasyMockSupport(); - + Injector injector2 = easyMockSupport.createNiceMock(Injector.class); AmbariManagementControllerImpl controller = createMockBuilder(AmbariManagementControllerImpl.class) .addMockedMethod("createConfiguration") @@ -1373,13 +1385,13 @@ public class UpgradeCatalog250Test { "SOLR_SSL_TRUST_STORE_PASSWORD={{infra_solr_keystore_password}}\n" + "SOLR_KERB_NAME_RULES={{infra_solr_kerberos_name_rules}}\n" + "SOLR_AUTHENTICATION_OPTS=\" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST} -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}\""); - + Map<String, String> expectedInfraSolrEnv = ImmutableMap.of( "content", "SOLR_SSL_TRUST_STORE={{infra_solr_truststore_location}}\n" + "SOLR_SSL_TRUST_STORE_PASSWORD={{infra_solr_truststore_password}}\n" + "SOLR_KERB_NAME_RULES=\"{{infra_solr_kerberos_name_rules}}\"\n" + "SOLR_AUTHENTICATION_OPTS=\" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST}\""); - + Config mockInfraSolrEnv = easyMockSupport.createNiceMock(Config.class); expect(cluster.getDesiredConfigByType("infra-solr-env")).andReturn(mockInfraSolrEnv).atLeastOnce(); expect(mockInfraSolrEnv.getProperties()).andReturn(oldInfraSolrEnv).anyTimes(); @@ -1390,13 +1402,13 @@ public class UpgradeCatalog250Test { Map<String, String> oldInfraSolrLog4j = ImmutableMap.of( "content", "log4j.appender.file.MaxFileSize=15MB\n" + "log4j.appender.file.MaxBackupIndex=5\n"); - + Map<String, String> expectedInfraSolrLog4j = ImmutableMap.of( "content", "log4j.appender.file.MaxFileSize={{infra_log_maxfilesize}}MB\n" + "log4j.appender.file.MaxBackupIndex={{infra_log_maxbackupindex}}\n", "infra_log_maxfilesize", "15", "infra_log_maxbackupindex", "5"); - + Config mockInfraSolrLog4j = easyMockSupport.createNiceMock(Config.class); expect(cluster.getDesiredConfigByType("infra-solr-log4j")).andReturn(mockInfraSolrLog4j).atLeastOnce(); expect(mockInfraSolrLog4j.getProperties()).andReturn(oldInfraSolrLog4j).anyTimes(); @@ -1408,14 +1420,14 @@ public class UpgradeCatalog250Test { "content", "log4j.appender.file.File\u003d{{infra_client_log|default(\u0027/var/log/ambari-infra-solr-client/solr-client.log\u0027)}}\n" + "log4j.appender.file.MaxFileSize=55MB\n" + "log4j.appender.file.MaxBackupIndex=10\n"); - + Map<String, String> expectedInfraSolrClientLog4j = ImmutableMap.of( "content", "log4j.appender.file.File\u003d{{solr_client_log|default(\u0027/var/log/ambari-infra-solr-client/solr-client.log\u0027)}}\n" + "log4j.appender.file.MaxFileSize={{solr_client_log_maxfilesize}}MB\n" + "log4j.appender.file.MaxBackupIndex={{solr_client_log_maxbackupindex}}\n", "infra_client_log_maxfilesize", "55", "infra_client_log_maxbackupindex", "10"); - + Config mockInfraSolrClientLog4j = easyMockSupport.createNiceMock(Config.class); expect(cluster.getDesiredConfigByType("infra-solr-client-log4j")).andReturn(mockInfraSolrClientLog4j).atLeastOnce(); expect(mockInfraSolrClientLog4j.getProperties()).andReturn(oldInfraSolrClientLog4j).anyTimes(); @@ -1438,7 +1450,7 @@ public class UpgradeCatalog250Test { Map<String, String> updatedInfraSolrClientLog4j = infraSolrClientLog4jCapture.getValue(); assertTrue(Maps.difference(expectedInfraSolrClientLog4j, updatedInfraSolrClientLog4j).areEqual()); } - + @Test public void testUpdateHiveConfigs() throws Exception { reset(clusters, cluster); @@ -1588,6 +1600,73 @@ public class UpgradeCatalog250Test { } @Test + public void testUpdateKerberosDescriptorArtifact() throws Exception { + final KerberosDescriptorFactory kerberosDescriptorFactory = new KerberosDescriptorFactory(); + + KerberosServiceDescriptor serviceDescriptor; + + URL systemResourceURL = ClassLoader.getSystemResource("kerberos/test_kerberos_descriptor_2_5_infra_solr.json"); + Assert.assertNotNull(systemResourceURL); + + final KerberosDescriptor kerberosDescriptorOrig = kerberosDescriptorFactory.createInstance(new File(systemResourceURL.getFile())); + + serviceDescriptor = kerberosDescriptorOrig.getService("LOGSEARCH"); + Assert.assertNotNull(serviceDescriptor); + Assert.assertNotNull(serviceDescriptor.getComponent("LOGSEARCH_SERVER")); + Assert.assertNotNull(serviceDescriptor.getComponent("LOGSEARCH_SERVER").getIdentity("logsearch")); + Assert.assertNotNull(serviceDescriptor.getComponent("LOGSEARCH_SERVER").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr")); + + serviceDescriptor = kerberosDescriptorOrig.getService("ATLAS"); + Assert.assertNotNull(serviceDescriptor); + Assert.assertNotNull(serviceDescriptor.getComponent("ATLAS_SERVER")); + + serviceDescriptor = kerberosDescriptorOrig.getService("RANGER"); + Assert.assertNotNull(serviceDescriptor); + Assert.assertNotNull(serviceDescriptor.getComponent("RANGER_ADMIN")); + + serviceDescriptor = kerberosDescriptorOrig.getService("STORM"); + Assert.assertNotNull(serviceDescriptor); + Assert.assertNotNull(serviceDescriptor.getComponent("NIMBUS")); + + UpgradeCatalog250 upgradeMock = createMockBuilder(UpgradeCatalog250.class).createMock(); + + + ArtifactEntity artifactEntity = createNiceMock(ArtifactEntity.class); + expect(artifactEntity.getArtifactData()) + .andReturn(kerberosDescriptorOrig.toMap()) + .once(); + + Capture<Map<String, Object>> updateData = Capture.newInstance(CaptureType.ALL); + artifactEntity.setArtifactData(capture(updateData)); + expectLastCall().times(3); + + ArtifactDAO artifactDAO = createNiceMock(ArtifactDAO.class); + expect(artifactDAO.merge(anyObject(ArtifactEntity.class))).andReturn(artifactEntity).times(3); + + replay(artifactEntity, artifactDAO, upgradeMock); + upgradeMock.updateKerberosDescriptorArtifact(artifactDAO, artifactEntity); + verify(artifactEntity, artifactDAO, upgradeMock); + + KerberosDescriptor atlasKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(0)); + KerberosDescriptor rangerKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(1)); + KerberosDescriptor stormKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(2)); + + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getIdentity("spnego")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("LOGSEARCH")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("LOGSEARCH").getComponent("LOGSEARCH_SERVER")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("LOGSEARCH").getComponent("LOGSEARCH_SERVER").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("ATLAS")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("ATLAS").getComponent("ATLAS_SERVER")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("ATLAS").getComponent("ATLAS_SERVER").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr")); + Assert.assertNotNull(rangerKerberosDescriptorUpdated.getService("RANGER")); + Assert.assertNotNull(rangerKerberosDescriptorUpdated.getService("RANGER").getComponent("RANGER_ADMIN")); + Assert.assertNotNull(rangerKerberosDescriptorUpdated.getService("RANGER").getComponent("RANGER_ADMIN").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr")); + Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM")); + Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM").getComponent("NIMBUS")); + Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM").getComponent("NIMBUS").getIdentity("/STORM/storm_components")); + } + + @Test public void testCreateRoleAuthorizations() throws AmbariException, SQLException { EasyMockSupport easyMockSupport = new EasyMockSupport(); http://git-wip-us.apache.org/repos/asf/ambari/blob/f7068818/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json new file mode 100644 index 0000000..172ad05 --- /dev/null +++ b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json @@ -0,0 +1,217 @@ +{ + "properties": { + "realm": "${kerberos-env/realm}", + "keytab_dir": "/etc/security/keytabs" + }, + "identities": [ + { + "name": "spnego", + "principal": { + "value": "HTTP/_HOST@${realm}", + "type": "service" + }, + "keytab": { + "file": "${keytab_dir}/spnego.service.keytab", + "owner": { + "name": "root", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "r" + } + } + } + ], + "services": [ + { + "name": "ATLAS", + "identities": [ + { + "name": "/spnego" + } + ], + "components": [ + { + "name": "ATLAS_SERVER", + "identities": [ + { + "name": "atlas", + "principal": { + "value": "atlas/_HOST@${realm}", + "type" : "service", + "configuration": "application-properties/atlas.jaas.KafkaClient.option.principal", + "local_username" : "${atlas-env/metadata_user}" + }, + "keytab": { + "file": "${keytab_dir}/atlas.service.keytab", + "owner": { + "name": "${atlas-env/metadata_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "application-properties/atlas.jaas.KafkaClient.option.keyTab" + } + }, + { + "name": "ranger_atlas_audit", + "reference": "/ATLAS/ATLAS_SERVER/atlas", + "principal": { + "configuration": "ranger-atlas-audit/xasecure.audit.jaas.Client.option.principal" + }, + "keytab": { + "configuration": "ranger-atlas-audit/xasecure.audit.jaas.Client.option.keyTab" + } + } + ] + } + ] + }, + { + "name": "LOGSEARCH", + "identities": [ + { + "name": "/spnego" + } + ], + "components": [ + { + "name": "LOGSEARCH_SERVER", + "identities": [ + { + "name": "logsearch", + "principal": { + "value": "logsearch/_HOST@${realm}", + "type": "service", + "configuration": "logsearch-env/logsearch_kerberos_principal" + }, + "keytab": { + "file": "${keytab_dir}/logsearch.service.keytab", + "owner": { + "name": "${logsearch-env/logsearch_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "logsearch-env/logsearch_kerberos_keytab" + } + }, + { + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", + "when" : { + "contains" : ["services", "AMBARI_INFRA"] + } + } + ] + } + ] + }, + { + "name": "RANGER", + "identities": [ + { + "name": "/spnego" + } + ], + "components": [ + { + "name": "RANGER_ADMIN", + "identities": [ + { + "name": "rangeradmin", + "principal": { + "value": "rangeradmin/_HOST@${realm}", + "type" : "service", + "configuration": "ranger-admin-site/ranger.admin.kerberos.principal", + "local_username" : "${ranger-env/ranger_user}" + }, + "keytab": { + "file": "${keytab_dir}/rangeradmin.service.keytab", + "owner": { + "name": "${ranger-env/ranger_user}", + "access": "r" + }, + "configuration": "ranger-admin-site/ranger.admin.kerberos.keytab" + } + }, + { + "name": "/spnego", + "keytab": { + "configuration": "ranger-admin-site/ranger.spnego.kerberos.keytab" + } + } + ] + } + ] + }, + { + "name": "STORM", + "identities": [ + { + "name": "/spnego" + }, + { + "name": "storm_components", + "principal": { + "value": "${storm-env/storm_user}${principal_suffix}@${realm}", + "type": "user", + "configuration": "storm-env/storm_principal_name" + }, + "keytab": { + "file": "${keytab_dir}/storm.headless.keytab", + "owner": { + "name": "${storm-env/storm_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "storm-env/storm_keytab" + } + } + ], + "components": [ + { + "name": "NIMBUS", + "identities": [ + { + "name": "nimbus_server", + "principal": { + "value": "nimbus/_HOST@${realm}", + "type": "service", + "configuration": "storm-env/nimbus_principal_name" + }, + "keytab": { + "file": "${keytab_dir}/nimbus.service.keytab", + "owner": { + "name": "${storm-env/storm_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "storm-env/nimbus_keytab" + } + }, + { + "name": "/STORM/NIMBUS/nimbus_server", + "principal": { + "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal" + }, + "keytab": { + "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.keyTab" + } + } + ] + } + ] + } + ] +} \ No newline at end of file
