Repository: ambari Updated Branches: refs/heads/trunk 236ae87a1 -> 9112148e5
AMBARI-20196. Ambari should install the unlimited key JCE policy based on service requirements even if cluster is not Kerberized (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/9112148e Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/9112148e Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/9112148e Branch: refs/heads/trunk Commit: 9112148e597baedaab1dea15c8da299dee6f63c7 Parents: 236ae87 Author: Robert Levas <[email protected]> Authored: Mon Feb 27 14:51:46 2017 -0500 Committer: Robert Levas <[email protected]> Committed: Mon Feb 27 14:51:54 2017 -0500 ---------------------------------------------------------------------- ambari-agent/pom.xml | 16 ++ .../apache/ambari/tools/jce/JcePolicyInfo.java | 145 +++++++++++++++++++ .../core/resources/jcepolicyinfo.py | 47 ++++++ .../ambari/server/agent/ExecutionCommand.java | 1 + .../AmbariManagementControllerImpl.java | 22 +++ .../ambari/server/stack/ComponentModule.java | 4 + .../ambari/server/state/ComponentInfo.java | 16 +- .../state/UnlimitedKeyJCERequirement.java | 42 ++++++ .../package/scripts/kerberos_client.py | 6 - .../package/scripts/kerberos_common.py | 35 +---- .../HDP/2.0.6/configuration/cluster-env.xml | 11 ++ .../2.0.6/hooks/before-START/scripts/hook.py | 3 +- .../2.0.6/hooks/before-START/scripts/params.py | 27 +++- .../scripts/shared_initialization.py | 64 ++++++++ .../HDP/3.0/configuration/cluster-env.xml | 11 ++ .../HDP/3.0/hooks/before-START/scripts/hook.py | 3 +- .../3.0/hooks/before-START/scripts/params.py | 27 +++- .../scripts/shared_initialization.py | 64 ++++++++ .../KERBEROS/package/scripts/kerberos_client.py | 3 - .../server/stack/ComponentModuleTest.java | 35 +++++ .../2.0.6/configs/secured_no_jce_name.json | 16 +- .../hooks/before-START/test_before_start.py | 26 ++-- .../stacks/2.2/KERBEROS/test_kerberos_client.py | 21 --- 23 files changed, 554 insertions(+), 91 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-agent/pom.xml ---------------------------------------------------------------------- diff --git a/ambari-agent/pom.xml b/ambari-agent/pom.xml index 074e051..7633b95 100644 --- a/ambari-agent/pom.xml +++ b/ambari-agent/pom.xml @@ -157,6 +157,7 @@ <version>2.3</version> <executions> <execution> + <id>shade-zkmigrator</id> <phase>package</phase> <goals> <goal>shade</goal> @@ -170,6 +171,21 @@ <outputFile>${project.build.directory}${dirsep}${project.artifactId}-${project.version}/var/lib/ambari-agent/tools/zkmigrator.jar</outputFile> </configuration> </execution> + <execution> + <id>shade-jce</id> + <phase>package</phase> + <goals> + <goal>shade</goal> + </goals> + <configuration> + <transformers> + <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer"> + <mainClass>org.apache.ambari.tools.jce.JcePolicyInfo</mainClass> + </transformer> + </transformers> + <outputFile>${project.build.directory}${dirsep}${project.artifactId}-${project.version}/var/lib/ambari-agent/tools/jcepolicyinfo.jar</outputFile> + </configuration> + </execution> </executions> </plugin> <plugin> http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-agent/src/main/java/org/apache/ambari/tools/jce/JcePolicyInfo.java ---------------------------------------------------------------------- diff --git a/ambari-agent/src/main/java/org/apache/ambari/tools/jce/JcePolicyInfo.java b/ambari-agent/src/main/java/org/apache/ambari/tools/jce/JcePolicyInfo.java new file mode 100644 index 0000000..15936e8 --- /dev/null +++ b/ambari-agent/src/main/java/org/apache/ambari/tools/jce/JcePolicyInfo.java @@ -0,0 +1,145 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ambari.tools.jce; + +import java.security.NoSuchAlgorithmException; +import java.security.Provider; +import java.security.Security; + +import javax.crypto.Cipher; + +import org.apache.commons.cli.CommandLine; +import org.apache.commons.cli.DefaultParser; +import org.apache.commons.cli.HelpFormatter; +import org.apache.commons.cli.Option; +import org.apache.commons.cli.Options; +import org.apache.commons.cli.UnrecognizedOptionException; + +/** + * JcePolicyInfo provides information about the JVM's installed JCE (Java Cryptology Enhancements) + * policy. + */ +public class JcePolicyInfo { + + public static void main(String[] args) throws Exception { + try { + boolean showHelp = true; + CommandLine cli = new DefaultParser().parse(options(), args); + if (cli.hasOption("lc")) { + listCiphers(); + showHelp = false; + } + + if (cli.hasOption("tu")) { + testUnlimitedKeyJCEPolicy(); + showHelp = false; + } + + if (showHelp) { + printHelp(null); + } + } catch (UnrecognizedOptionException e) { + printHelp(e); + } + + } + + private static void printHelp(UnrecognizedOptionException exception) { + HelpFormatter helpFormatter = new HelpFormatter(); + + if (exception == null) { + helpFormatter.printHelp("jcepolicyinfo [options]", options()); + } else { + helpFormatter.printHelp("jcepolicyinfo [options]", exception.getLocalizedMessage(), options(), null); + } + + System.exit(1); + } + + private static Options options() { + return new Options() + .addOption(Option.builder("h") + .longOpt("help") + .desc("print help") + .build()) + .addOption(Option.builder("tu") + .longOpt("test_unlimited") + .desc("Test's the policy for unlimited key encryption") + .hasArg(false) + .argName("tu") + .build()) + .addOption(Option.builder("lc") + .longOpt("list_ciphers") + .desc("List the ciphers allowed by the policy") + .hasArg(false) + .argName("lc") + .build()); + } + + /** + * Test if the JCE policy supports unlimited keys + */ + private static void testUnlimitedKeyJCEPolicy() { + System.out.print("Unlimited Key JCE Policy: "); + + try { + boolean unlimited = Cipher.getMaxAllowedKeyLength("RC5") >= 256; + System.out.println(unlimited); + + // If the unlimited key JCE policy is installed exit with a 0 since that indicates a non-error; + // If the unlimited key JCE policy is not installed exit with a 1 + System.exit(unlimited ? 0 : 1); + } catch (NoSuchAlgorithmException e) { + System.out.println("unknown [error]"); + System.exit(-1); + } + } + + /** + * Display the list of available ciphers and their maximum suported key lengths. + */ + private static void listCiphers() { + System.out.println("Available ciphers:"); + + for (Provider provider : Security.getProviders()) { + String providerName = provider.getName(); + + for (Provider.Service service : provider.getServices()) { + String algorithmName = service.getAlgorithm(); + + if ("Cipher".equalsIgnoreCase(service.getType())) { + try { + long keylength = Cipher.getMaxAllowedKeyLength(algorithmName); + + System.out.print('\t'); + System.out.print(providerName.toLowerCase()); + System.out.print('.'); + System.out.print(algorithmName.toLowerCase()); + System.out.print(": "); + System.out.println(keylength); + } catch (NoSuchAlgorithmException e) { + // This is unlikely since we are getting the algorithm names from the service providers. + // In any case, if a bad algorithm is listed it can be skipped since this is only for + // informational purposes. + } + } + } + } + } +} http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-common/src/main/python/resource_management/core/resources/jcepolicyinfo.py ---------------------------------------------------------------------- diff --git a/ambari-common/src/main/python/resource_management/core/resources/jcepolicyinfo.py b/ambari-common/src/main/python/resource_management/core/resources/jcepolicyinfo.py new file mode 100644 index 0000000..a4e4f6e --- /dev/null +++ b/ambari-common/src/main/python/resource_management/core/resources/jcepolicyinfo.py @@ -0,0 +1,47 @@ +#!/usr/bin/env python +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +Ambari Agent + +""" + +from resource_management.core.resources.system import Execute +from resource_management.core.logger import Logger + + +class JcePolicyInfo: + def __init__(self, java_exec, java_home): + self.java_exec = java_exec + self.java_home = java_home + self.jar = "/var/lib/ambari-agent/tools/jcepolicyinfo.jar" + + def is_unlimited_key_jce_policy(self): + Logger.info("Testing the JVM's JCE policy to see it if supports an unlimited key length.") + + try: + Execute(self._command("-tu"), + environment={'JAVA_HOME': self.java_home}, + logoutput=True + ) + return True + except Exception: + return False + + + def _command(self, options): + return "{0} -jar {1} {2}".format(self.java_exec, self.jar, options) http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/java/org/apache/ambari/server/agent/ExecutionCommand.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/agent/ExecutionCommand.java b/ambari-server/src/main/java/org/apache/ambari/server/agent/ExecutionCommand.java index c80ebe6..edf1251 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/agent/ExecutionCommand.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/agent/ExecutionCommand.java @@ -415,6 +415,7 @@ public class ExecutionCommand extends AgentCommand { String JAVA_VERSION = "java_version"; String JDK_NAME = "jdk_name"; String JCE_NAME = "jce_name"; + String UNLIMITED_KEY_JCE_REQUIRED = "unlimited_key_jce_required"; String MYSQL_JDBC_URL = "mysql_jdbc_url"; String ORACLE_JDBC_URL = "oracle_jdbc_url"; String DB_DRIVER_FILENAME = "db_driver_filename"; http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java index 7cb7fce..f921fc4 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java @@ -38,6 +38,7 @@ import static org.apache.ambari.server.agent.ExecutionCommand.KeyNames.SCRIPT; import static org.apache.ambari.server.agent.ExecutionCommand.KeyNames.SCRIPT_TYPE; import static org.apache.ambari.server.agent.ExecutionCommand.KeyNames.SERVICE_PACKAGE_FOLDER; import static org.apache.ambari.server.agent.ExecutionCommand.KeyNames.SERVICE_REPO_INFO; +import static org.apache.ambari.server.agent.ExecutionCommand.KeyNames.UNLIMITED_KEY_JCE_REQUIRED; import static org.apache.ambari.server.agent.ExecutionCommand.KeyNames.USER_GROUPS; import static org.apache.ambari.server.agent.ExecutionCommand.KeyNames.USER_LIST; import static org.apache.ambari.server.agent.ExecutionCommand.KeyNames.VERSION; @@ -183,6 +184,7 @@ import org.apache.ambari.server.state.ServiceOsSpecific; import org.apache.ambari.server.state.StackId; import org.apache.ambari.server.state.StackInfo; import org.apache.ambari.server.state.State; +import org.apache.ambari.server.state.UnlimitedKeyJCERequirement; import org.apache.ambari.server.state.configgroup.ConfigGroupFactory; import org.apache.ambari.server.state.quicklinksprofile.QuickLinkVisibilityController; import org.apache.ambari.server.state.quicklinksprofile.QuickLinkVisibilityControllerFactory; @@ -2434,6 +2436,26 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle String clientsToUpdateConfigs = gson.toJson(clientsToUpdateConfigsList); hostParams.put(CLIENTS_TO_UPDATE_CONFIGS, clientsToUpdateConfigs); + + // If we are starting a component, calculate whether the unlimited key JCE policy is + // required for the relevant host. One of the following indicates that the unlimited + // key JCE policy is required: + // + // * The component explicitly requires it whether Kerberos is enabled or not (example, SMARTSENSE/HST_SERVER) + // * The component explicitly requires it only when Kerberos is enabled AND Kerberos is enabled (example, most components) + // + UnlimitedKeyJCERequirement unlimitedKeyJCERequirement = componentInfo.getUnlimitedKeyJCERequired(); + // Ensure that the unlimited key requirement is set. If null, the default value should be used. + if(unlimitedKeyJCERequirement == null) { + unlimitedKeyJCERequirement = UnlimitedKeyJCERequirement.DEFAULT; + } + + boolean unlimitedKeyJCEPolicyRequired = (UnlimitedKeyJCERequirement.ALWAYS == unlimitedKeyJCERequirement) || + ((UnlimitedKeyJCERequirement.KERBEROS_ENABLED == unlimitedKeyJCERequirement) && (cluster.getSecurityType() == SecurityType.KERBEROS)); + + // Set/update the unlimited_key_jce_required value as needed + hostParams.put(UNLIMITED_KEY_JCE_REQUIRED, (unlimitedKeyJCEPolicyRequired) ? "true" : "false"); + execCmd.setHostLevelParams(hostParams); Map<String, String> roleParams = new TreeMap<>(); http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/java/org/apache/ambari/server/stack/ComponentModule.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/stack/ComponentModule.java b/ambari-server/src/main/java/org/apache/ambari/server/stack/ComponentModule.java index 51d9847..41b06e1 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/stack/ComponentModule.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/stack/ComponentModule.java @@ -101,6 +101,10 @@ public class ComponentModule extends BaseModule<ComponentModule, ComponentInfo> componentInfo.setDecommissionAllowed(parentInfo.getDecommissionAllowed()); } + if (componentInfo.getUnlimitedKeyJCERequired() == null) { + componentInfo.setUnlimitedKeyJCERequired(parentInfo.getUnlimitedKeyJCERequired()); + } + if (componentInfo.getAutoDeploy() == null) { componentInfo.setAutoDeploy(parentInfo.getAutoDeploy()); } http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/java/org/apache/ambari/server/state/ComponentInfo.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/ComponentInfo.java b/ambari-server/src/main/java/org/apache/ambari/server/state/ComponentInfo.java index 409bcae..e038caa 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/state/ComponentInfo.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/state/ComponentInfo.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -61,6 +61,9 @@ public class ComponentInfo { @XmlElements(@XmlElement(name = "decommissionAllowed")) private String decommissionAllowed; + @XmlElement(name="unlimitedKeyJCERequired") + private UnlimitedKeyJCERequirement unlimitedKeyJCERequired; + /** * Added at schema ver 2 */ @@ -150,6 +153,7 @@ public class ComponentInfo { versionAdvertisedField = prototype.versionAdvertisedField; versionAdvertisedInternal = prototype.versionAdvertisedInternal; decommissionAllowed = prototype.decommissionAllowed; + unlimitedKeyJCERequired = prototype.unlimitedKeyJCERequired; clientsToUpdateConfigs = prototype.clientsToUpdateConfigs; commandScript = prototype.commandScript; logs = prototype.logs; @@ -368,6 +372,14 @@ public class ComponentInfo { this.decommissionAllowed = decommissionAllowed; } + public UnlimitedKeyJCERequirement getUnlimitedKeyJCERequired() { + return unlimitedKeyJCERequired; + } + + public void setUnlimitedKeyJCERequired(UnlimitedKeyJCERequirement unlimitedKeyJCERequired) { + this.unlimitedKeyJCERequired = unlimitedKeyJCERequired; + } + public void setRecoveryEnabled(boolean recoveryEnabled) { this.recoveryEnabled = recoveryEnabled; } @@ -421,6 +433,7 @@ public class ComponentInfo { if (versionAdvertisedField != null ? !versionAdvertisedField.equals(that.versionAdvertisedField) : that.versionAdvertisedField != null) return false; if (versionAdvertisedInternal != that.versionAdvertisedInternal) return false; if (decommissionAllowed != null ? !decommissionAllowed.equals(that.decommissionAllowed) : that.decommissionAllowed != null) return false; + if (unlimitedKeyJCERequired != null ? !unlimitedKeyJCERequired.equals(that.unlimitedKeyJCERequired) : that.unlimitedKeyJCERequired != null) return false; if (reassignAllowed != null ? !reassignAllowed.equals(that.reassignAllowed) : that.reassignAllowed != null) return false; if (category != null ? !category.equals(that.category) : that.category != null) return false; if (clientConfigFiles != null ? !clientConfigFiles.equals(that.clientConfigFiles) : that.clientConfigFiles != null) @@ -451,6 +464,7 @@ public class ComponentInfo { result = 31 * result + (deleted ? 1 : 0); result = 31 * result + (cardinality != null ? cardinality.hashCode() : 0); result = 31 * result + (decommissionAllowed != null ? decommissionAllowed.hashCode() : 0); + result = 31 * result + (unlimitedKeyJCERequired != null ? unlimitedKeyJCERequired.hashCode() : 0); result = 31 * result + (reassignAllowed != null ? reassignAllowed.hashCode() : 0); result = 31 * result + (commandScript != null ? commandScript.hashCode() : 0); result = 31 * result + (logs != null ? logs.hashCode() : 0); http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/java/org/apache/ambari/server/state/UnlimitedKeyJCERequirement.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/UnlimitedKeyJCERequirement.java b/ambari-server/src/main/java/org/apache/ambari/server/state/UnlimitedKeyJCERequirement.java new file mode 100644 index 0000000..371712e --- /dev/null +++ b/ambari-server/src/main/java/org/apache/ambari/server/state/UnlimitedKeyJCERequirement.java @@ -0,0 +1,42 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ambari.server.state; + +public enum UnlimitedKeyJCERequirement { + + /** + * The unlimited key JCE policy is required, unconditionally (even if Kerberos is not enabled) + */ + ALWAYS, + + /** + * The unlimited key JCE policy is required if Kerberos is enabled + */ + KERBEROS_ENABLED, + + /** + * The unlimited key JCE policy is not required, unconditionally (even if Kerberos is enabled) + */ + NEVER; + + /** + * The default value to use if the unlimited key JCE policy requirement is not set. + */ + public static final UnlimitedKeyJCERequirement DEFAULT = KERBEROS_ENABLED; +} http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py index ddc8063..c50c67b 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py @@ -40,8 +40,6 @@ class KerberosClient(KerberosScript): #delete krb cache to prevent using old krb tickets on fresh kerberos setup self.clear_tmp_cache() - self.setup_jce() - def status(self, env): raise ClientComponentHasNoStatus() @@ -72,9 +70,5 @@ class KerberosClient(KerberosScript): def remove_keytab(self, env): self.delete_keytab_file() - def download_install_jce(self, env): - self.setup_jce() - - if __name__ == "__main__": KerberosClient().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py index 5db62c5..8cb1f0c 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py @@ -446,37 +446,4 @@ class KerberosScript(Script): curr_content['keytabs'][principal.replace("_HOST", params.hostname)] = '_REMOVED_' - self.put_structured_out(curr_content) - - def setup_jce(self): - import params - - if not params.jdk_name: - return - jce_curl_target = None - if params.jce_policy_zip is not None: - jce_curl_target = format("{artifact_dir}/{jce_policy_zip}") - Directory(params.artifact_dir, - create_parents = True, - ) - File(jce_curl_target, - content = DownloadSource(format("{jce_location}/{jce_policy_zip}")), - ) - elif params.security_enabled: - # Something weird is happening - raise Fail("Security is enabled, but JCE policy zip is not specified.") - - # The extraction will occur only after the security flag is set - if params.security_enabled: - security_dir = format("{java_home}/jre/lib/security") - - File([format("{security_dir}/US_export_policy.jar"), format("{security_dir}/local_policy.jar")], - action = "delete", - ) - - extract_cmd = ("unzip", "-o", "-j", "-q", jce_curl_target, "-d", security_dir) - Execute(extract_cmd, - only_if = format("test -e {security_dir} && test -f {jce_curl_target}"), - path = ['/bin/','/usr/bin'], - sudo = True - ) + self.put_structured_out(curr_content) \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/stacks/HDP/2.0.6/configuration/cluster-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/configuration/cluster-env.xml b/ambari-server/src/main/resources/stacks/HDP/2.0.6/configuration/cluster-env.xml index 3f74aa7..733b10d 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/configuration/cluster-env.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/configuration/cluster-env.xml @@ -126,6 +126,17 @@ <on-ambari-upgrade add="true"/> </property> <property> + <name>sysprep_skip_setup_jce</name> + <display-name>Whether to skip setting up the unlimited key JCE policy on sysprepped cluster</display-name> + <value>false</value> + <description>Whether to skip setting up the unlimited key JCE policy on sysprepped cluster, during both fresh install and upgrades</description> + <value-attributes> + <overridable>true</overridable> + <type>boolean</type> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> <name>smokeuser</name> <display-name>Smoke User</display-name> <value>ambari-qa</value> http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/hook.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/hook.py b/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/hook.py index f21e4b1..f7705c4 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/hook.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/hook.py @@ -20,7 +20,7 @@ limitations under the License. import sys from resource_management import * from rack_awareness import create_topology_script_and_mapping -from shared_initialization import setup_hadoop, setup_configs, create_javahome_symlink +from shared_initialization import setup_hadoop, setup_configs, create_javahome_symlink, setup_unlimited_key_jce_policy class BeforeStartHook(Hook): @@ -34,6 +34,7 @@ class BeforeStartHook(Hook): setup_configs() create_javahome_symlink() create_topology_script_and_mapping() + setup_unlimited_key_jce_policy() if __name__ == "__main__": BeforeStartHook().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/params.py b/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/params.py index 29c88b4..70ebfeb 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/params.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/params.py @@ -32,10 +32,18 @@ from resource_management.libraries.functions.get_not_managed_resources import ge from resource_management.libraries.resources.hdfs_resource import HdfsResource config = Script.get_config() +tmp_dir = Script.get_tmp_dir() +artifact_dir = tmp_dir + "/AMBARI-artifacts" + +# Global flag enabling or disabling the sysprep feature +host_sys_prepped = default("/hostLevelParams/host_sys_prepped", False) # Whether to skip copying fast-hdfs-resource.jar to /var/lib/ambari-agent/lib/ # This is required if tarballs are going to be copied to HDFS, so set to False -sysprep_skip_copy_fast_jar_hdfs = default("/configurations/cluster-env/sysprep_skip_copy_fast_jar_hdfs", False) +sysprep_skip_copy_fast_jar_hdfs = host_sys_prepped and default("/configurations/cluster-env/sysprep_skip_copy_fast_jar_hdfs", False) + +# Whether to skip setting up the unlimited key JCE policy +sysprep_skip_setup_jce = host_sys_prepped and default("/configurations/cluster-env/sysprep_skip_setup_jce", False) stack_version_unformatted = config['hostLevelParams']['stack_version'] stack_version_formatted = format_stack_version(stack_version_unformatted) @@ -70,6 +78,17 @@ current_service = config['serviceName'] #security params security_enabled = config['configurations']['cluster-env']['security_enabled'] +ambari_server_resources_url = default("/hostLevelParams/jdk_location", None) +if ambari_server_resources_url is not None and ambari_server_resources_url.endswith('/'): + ambari_server_resources_url = ambari_server_resources_url[:-1] + +# Unlimited key JCE policy params +jce_policy_zip = default("/hostLevelParams/jce_name", None) # None when jdk is already installed by user +unlimited_key_jce_required = default("/hostLevelParams/unlimited_key_jce_required", False) +jdk_name = default("/hostLevelParams/jdk_name", None) +java_home = default("/hostLevelParams/java_home", None) +java_exec = "{0}/bin/java".format(java_home) if java_home is not None else "/bin/java" + #users and groups has_hadoop_env = 'hadoop-env' in config['configurations'] mapred_user = config['configurations']['mapred-env']['mapred_user'] @@ -164,9 +183,8 @@ server_db_name = config['hostLevelParams']['db_name'] db_driver_filename = config['hostLevelParams']['db_driver_filename'] oracle_driver_url = config['hostLevelParams']['oracle_jdbc_url'] mysql_driver_url = config['hostLevelParams']['mysql_jdbc_url'] -ambari_server_resources = config['hostLevelParams']['jdk_location'] -oracle_driver_symlink_url = format("{ambari_server_resources}oracle-jdbc-driver.jar") -mysql_driver_symlink_url = format("{ambari_server_resources}mysql-jdbc-driver.jar") +oracle_driver_symlink_url = format("{ambari_server_resources_url}/oracle-jdbc-driver.jar") +mysql_driver_symlink_url = format("{ambari_server_resources_url}/mysql-jdbc-driver.jar") ambari_db_rca_url = config['hostLevelParams']['ambari_db_rca_url'][0] ambari_db_rca_driver = config['hostLevelParams']['ambari_db_rca_driver'][0] @@ -184,7 +202,6 @@ else: rca_prefix = rca_disabled_prefix #hadoop-env.sh -java_home = config['hostLevelParams']['java_home'] jsvc_path = "/usr/lib/bigtop-utils" http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/shared_initialization.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/shared_initialization.py b/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/shared_initialization.py index 9783aa4..3c36962 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/shared_initialization.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/shared_initialization.py @@ -19,6 +19,7 @@ limitations under the License. import os from resource_management.libraries.providers.hdfs_resource import WebHDFSUtil +from resource_management.core.resources.jcepolicyinfo import JcePolicyInfo from resource_management import * @@ -196,3 +197,66 @@ def create_microsoft_r_dir(): except Exception as exception: Logger.warning("Could not check the existence of {0} on DFS while starting {1}, exception: {2}".format(directory, params.current_service, str(exception))) + +def setup_unlimited_key_jce_policy(): + """ + Sets up the unlimited key JCE policy if needed. + + The following criteria must be met: + + * The cluster has not been previously prepared (sys preped) - cluster-env/sysprep_skip_setup_jce = False + * Ambari is managing the host's JVM - /hostLevelParams/jdk_name is set + * Either security is enabled OR a service requires it - /hostLevelParams/unlimited_key_jce_required = True + * The unlimited key JCE policy has not already been installed + + If the conditions are met, the following steps are taken to install the unlimited key JCE policy JARs + + 1. The unlimited key JCE policy ZIP file is downloaded from the Ambari server and stored in the + Ambari agent's temporary directory + 2. The existing JCE policy JAR files are deleted + 3. The downloaded ZIP file is unzipped into the proper JCE policy directory + + :return: None + """ + import params + + if params.sysprep_skip_setup_jce: + Logger.info("Skipping unlimited key JCE policy check and setup since the host is sys prepped") + + elif not params.jdk_name: + Logger.debug("Skipping unlimited key JCE policy check and setup since the Java VM is not managed by Ambari") + + elif not params.unlimited_key_jce_required: + Logger.debug("Skipping unlimited key JCE policy check and setup since it is not required") + + else: + jcePolicyInfo = JcePolicyInfo(java_exec=params.java_exec, java_home=params.java_home) + + if jcePolicyInfo.is_unlimited_key_jce_policy(): + Logger.info("The unlimited key JCE policy is required, and appears to have been installed.") + + elif params.jce_policy_zip is None: + raise Fail("The unlimited key JCE policy needs to be installed; however the JCE policy zip is not specified.") + + else: + Logger.info("The unlimited key JCE policy is required, and needs to be installed.") + + jce_zip_target = format("{artifact_dir}/{jce_policy_zip}") + jce_zip_source = format("{ambari_server_resources_url}/{jce_policy_zip}") + java_security_dir = format("{java_home}/jre/lib/security") + + Logger.debug("Downloading the unlimited key JCE policy files from {0} to {1}.".format(jce_zip_source, jce_zip_target)) + Directory(params.artifact_dir, create_parents=True) + File(jce_zip_target, content=DownloadSource(jce_zip_source)) + + Logger.debug("Removing existing JCE policy JAR files: {0}.".format(java_security_dir)) + File(format("{java_security_dir}/US_export_policy.jar"), action="delete") + File(format("{java_security_dir}/local_policy.jar"), action="delete") + + Logger.debug("Unzipping the unlimited key JCE policy files from {0} into {1}.".format(jce_zip_target, java_security_dir)) + extract_cmd = ("unzip", "-o", "-j", "-q", jce_zip_target, "-d", java_security_dir) + Execute(extract_cmd, + only_if=format("test -e {java_security_dir} && test -f {jce_zip_target}"), + path=['/bin/', '/usr/bin'], + sudo=True + ) \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/stacks/HDP/3.0/configuration/cluster-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/3.0/configuration/cluster-env.xml b/ambari-server/src/main/resources/stacks/HDP/3.0/configuration/cluster-env.xml index 3af8f08..a79e904 100644 --- a/ambari-server/src/main/resources/stacks/HDP/3.0/configuration/cluster-env.xml +++ b/ambari-server/src/main/resources/stacks/HDP/3.0/configuration/cluster-env.xml @@ -126,6 +126,17 @@ <on-ambari-upgrade add="true"/> </property> <property> + <name>sysprep_skip_setup_jce</name> + <display-name>Whether to skip setting up the unlimited key JCE policy on sysprepped cluster</display-name> + <value>false</value> + <description>Whether to skip setting up the unlimited key JCE policy on sysprepped cluster, during both fresh install and upgrades</description> + <value-attributes> + <overridable>true</overridable> + <type>boolean</type> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> <name>smokeuser</name> <display-name>Smoke User</display-name> <value>ambari-qa</value> http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/hook.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/hook.py b/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/hook.py index f21e4b1..f7705c4 100644 --- a/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/hook.py +++ b/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/hook.py @@ -20,7 +20,7 @@ limitations under the License. import sys from resource_management import * from rack_awareness import create_topology_script_and_mapping -from shared_initialization import setup_hadoop, setup_configs, create_javahome_symlink +from shared_initialization import setup_hadoop, setup_configs, create_javahome_symlink, setup_unlimited_key_jce_policy class BeforeStartHook(Hook): @@ -34,6 +34,7 @@ class BeforeStartHook(Hook): setup_configs() create_javahome_symlink() create_topology_script_and_mapping() + setup_unlimited_key_jce_policy() if __name__ == "__main__": BeforeStartHook().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/params.py b/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/params.py index 455710b..5a5361c 100644 --- a/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/params.py +++ b/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/params.py @@ -32,10 +32,18 @@ from resource_management.libraries.functions.get_not_managed_resources import ge from resource_management.libraries.resources.hdfs_resource import HdfsResource config = Script.get_config() +tmp_dir = Script.get_tmp_dir() +artifact_dir = tmp_dir + "/AMBARI-artifacts" + +# Global flag enabling or disabling the sysprep feature +host_sys_prepped = default("/hostLevelParams/host_sys_prepped", False) # Whether to skip copying fast-hdfs-resource.jar to /var/lib/ambari-agent/lib/ # This is required if tarballs are going to be copied to HDFS, so set to False -sysprep_skip_copy_fast_jar_hdfs = default("/configurations/cluster-env/sysprep_skip_copy_fast_jar_hdfs", False) +sysprep_skip_copy_fast_jar_hdfs = host_sys_prepped and default("/configurations/cluster-env/sysprep_skip_copy_fast_jar_hdfs", False) + +# Whether to skip setting up the unlimited key JCE policy +sysprep_skip_setup_jce = host_sys_prepped and default("/configurations/cluster-env/sysprep_skip_setup_jce", False) stack_version_unformatted = config['hostLevelParams']['stack_version'] stack_version_formatted = format_stack_version(stack_version_unformatted) @@ -64,6 +72,17 @@ current_service = config['serviceName'] #security params security_enabled = config['configurations']['cluster-env']['security_enabled'] +ambari_server_resources_url = default("/hostLevelParams/jdk_location", None) +if ambari_server_resources_url is not None and ambari_server_resources_url.endswith('/'): + ambari_server_resources_url = ambari_server_resources_url[:-1] + +# Unlimited key JCE policy params +jce_policy_zip = default("/hostLevelParams/jce_name", None) # None when jdk is already installed by user +unlimited_key_jce_required = default("/hostLevelParams/unlimited_key_jce_required", False) +jdk_name = default("/hostLevelParams/jdk_name", None) +java_home = default("/hostLevelParams/java_home", None) +java_exec = "{0}/bin/java".format(java_home) if java_home is not None else "/bin/java" + #users and groups has_hadoop_env = 'hadoop-env' in config['configurations'] mapred_user = config['configurations']['mapred-env']['mapred_user'] @@ -158,9 +177,8 @@ server_db_name = config['hostLevelParams']['db_name'] db_driver_filename = config['hostLevelParams']['db_driver_filename'] oracle_driver_url = config['hostLevelParams']['oracle_jdbc_url'] mysql_driver_url = config['hostLevelParams']['mysql_jdbc_url'] -ambari_server_resources = config['hostLevelParams']['jdk_location'] -oracle_driver_symlink_url = format("{ambari_server_resources}oracle-jdbc-driver.jar") -mysql_driver_symlink_url = format("{ambari_server_resources}mysql-jdbc-driver.jar") +oracle_driver_symlink_url = format("{ambari_server_resources_url}/oracle-jdbc-driver.jar") +mysql_driver_symlink_url = format("{ambari_server_resources_url}/mysql-jdbc-driver.jar") ambari_db_rca_url = config['hostLevelParams']['ambari_db_rca_url'][0] ambari_db_rca_driver = config['hostLevelParams']['ambari_db_rca_driver'][0] @@ -178,7 +196,6 @@ else: rca_prefix = rca_disabled_prefix #hadoop-env.sh -java_home = config['hostLevelParams']['java_home'] jsvc_path = "/usr/lib/bigtop-utils" http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/shared_initialization.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/shared_initialization.py b/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/shared_initialization.py index 5dce8e0..71161e0 100644 --- a/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/shared_initialization.py +++ b/ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-START/scripts/shared_initialization.py @@ -19,6 +19,7 @@ limitations under the License. import os from resource_management.libraries.providers.hdfs_resource import WebHDFSUtil +from resource_management.core.resources.jcepolicyinfo import JcePolicyInfo from resource_management import * @@ -189,3 +190,66 @@ def create_microsoft_r_dir(): except Exception as exception: Logger.warning("Could not check the existence of {0} on DFS while starting {1}, exception: {2}".format(directory, params.current_service, str(exception))) + +def setup_unlimited_key_jce_policy(): + """ + Sets up the unlimited key JCE policy if needed. + + The following criteria must be met: + + * The cluster has not been previously prepared (sys preped) - cluster-env/sysprep_skip_setup_jce = False + * Ambari is managing the host's JVM - /hostLevelParams/jdk_name is set + * Either security is enabled OR a service requires it - /hostLevelParams/unlimited_key_jce_required = True + * The unlimited key JCE policy has not already been installed + + If the conditions are met, the following steps are taken to install the unlimited key JCE policy JARs + + 1. The unlimited key JCE policy ZIP file is downloaded from the Ambari server and stored in the + Ambari agent's temporary directory + 2. The existing JCE policy JAR files are deleted + 3. The downloaded ZIP file is unzipped into the proper JCE policy directory + + :return: None + """ + import params + + if params.sysprep_skip_setup_jce: + Logger.info("Skipping unlimited key JCE policy check and setup since the host is sys prepped") + + elif not params.jdk_name: + Logger.debug("Skipping unlimited key JCE policy check and setup since the Java VM is not managed by Ambari") + + elif not params.unlimited_key_jce_required: + Logger.debug("Skipping unlimited key JCE policy check and setup since it is not required") + + else: + jcePolicyInfo = JcePolicyInfo(java_exec=params.java_exec, java_home=params.java_home) + + if jcePolicyInfo.is_unlimited_key_jce_policy(): + Logger.info("The unlimited key JCE policy is required, and appears to have been installed.") + + elif params.jce_policy_zip is None: + raise Fail("The unlimited key JCE policy needs to be installed; however the JCE policy zip is not specified.") + + else: + Logger.info("The unlimited key JCE policy is required, and needs to be installed.") + + jce_zip_target = format("{artifact_dir}/{jce_policy_zip}") + jce_zip_source = format("{ambari_server_resources_url}/{jce_policy_zip}") + java_security_dir = format("{java_home}/jre/lib/security") + + Logger.debug("Downloading the unlimited key JCE policy files from {0} to {1}.".format(jce_zip_source, jce_zip_target)) + Directory(params.artifact_dir, create_parents=True) + File(jce_zip_target, content=DownloadSource(jce_zip_source)) + + Logger.debug("Removing existing JCE policy JAR files: {0}.".format(java_security_dir)) + File(format("{java_security_dir}/US_export_policy.jar"), action="delete") + File(format("{java_security_dir}/local_policy.jar"), action="delete") + + Logger.debug("Unzipping the unlimited key JCE policy files from {0} into {1}.".format(jce_zip_target, java_security_dir)) + extract_cmd = ("unzip", "-o", "-j", "-q", jce_zip_target, "-d", java_security_dir) + Execute(extract_cmd, + only_if=format("test -e {java_security_dir} && test -f {jce_zip_target}"), + path=['/bin/', '/usr/bin'], + sudo=True + ) \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py index 2ab700d..1298f1e 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py @@ -70,9 +70,6 @@ class KerberosClient(KerberosScript): def remove_keytab(self, env): self.delete_keytab_file() - def download_install_jce(self, env): - pass - if __name__ == "__main__": KerberosClient().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/test/java/org/apache/ambari/server/stack/ComponentModuleTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/stack/ComponentModuleTest.java b/ambari-server/src/test/java/org/apache/ambari/server/stack/ComponentModuleTest.java index 6e37ded..746b974 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/stack/ComponentModuleTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/stack/ComponentModuleTest.java @@ -36,6 +36,7 @@ import org.apache.ambari.server.state.CommandScriptDefinition; import org.apache.ambari.server.state.ComponentInfo; import org.apache.ambari.server.state.CustomCommandDefinition; import org.apache.ambari.server.state.DependencyInfo; +import org.apache.ambari.server.state.UnlimitedKeyJCERequirement; import org.junit.Test; /** @@ -448,6 +449,40 @@ public class ComponentModuleTest { } @Test + public void testResolve_UnlimitedKeyJCERequiredInheritance(){ + List<ComponentInfo> components = createComponentInfo(2); + ComponentInfo info = components.get(0); + ComponentInfo parentInfo = components.get(1); + + //parent has it, child doesn't + parentInfo.setUnlimitedKeyJCERequired(UnlimitedKeyJCERequirement.ALWAYS); + assertSame(UnlimitedKeyJCERequirement.ALWAYS, resolveComponent(info, parentInfo).getModuleInfo().getUnlimitedKeyJCERequired()); + } + + @Test + public void testResolve_UnlimitedKeyJCERequired(){ + List<ComponentInfo> components = createComponentInfo(2); + ComponentInfo info = components.get(0); + ComponentInfo parentInfo = components.get(1); + + //parent doesn't have it, child has it + info.setUnlimitedKeyJCERequired(UnlimitedKeyJCERequirement.NEVER); + assertSame(UnlimitedKeyJCERequirement.NEVER, resolveComponent(info, parentInfo).getModuleInfo().getUnlimitedKeyJCERequired()); + } + + @Test + public void testResolve_UnlimitedKeyJCERequiredOverwrite(){ + List<ComponentInfo> components = createComponentInfo(2); + ComponentInfo info = components.get(0); + ComponentInfo parentInfo = components.get(1); + + //parent has it, child overwrites it + parentInfo.setUnlimitedKeyJCERequired(UnlimitedKeyJCERequirement.KERBEROS_ENABLED); + info.setUnlimitedKeyJCERequired(UnlimitedKeyJCERequirement.ALWAYS); + assertSame(UnlimitedKeyJCERequirement.ALWAYS, resolveComponent(info, parentInfo).getModuleInfo().getUnlimitedKeyJCERequired()); + } + + @Test public void testResolve_Reassignable(){ List<ComponentInfo> components = createComponentInfo(2); ComponentInfo info = components.get(0); http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/test/python/stacks/2.0.6/configs/secured_no_jce_name.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.0.6/configs/secured_no_jce_name.json b/ambari-server/src/test/python/stacks/2.0.6/configs/secured_no_jce_name.json index fa4cc9d..a0dd539 100644 --- a/ambari-server/src/test/python/stacks/2.0.6/configs/secured_no_jce_name.json +++ b/ambari-server/src/test/python/stacks/2.0.6/configs/secured_no_jce_name.json @@ -6,7 +6,8 @@ "not_managed_hdfs_path_list": "[\"/apps/hive/warehouse\",\"/apps/falcon\",\"/mr-history/done\",\"/app-logs\",\"/tmp\"]", "jdk_location": "http://c6401.ambari.apache.org:8080/resources/";, "ambari_db_rca_password": "mapred", - "ambari_db_rca_url": "jdbc:postgresql://c6401.ambari.apache.org/ambarirca", + "ambari_db_rca_url": "jdbc:postgresql://c6401.ambari.apache.org/ambarirca", + "unlimited_key_jce_required" : "true", "oracle_jdbc_url": "http://c6401.ambari.apache.org:8080/resources//ojdbc6.jar";, "repo_info": "[{\"baseUrl\":\"http://public-repo-1.hortonworks.com/HDP/centos6/2.x/updates/2.0.6.0\",\"osType\":\"centos6\",\"repoId\":\"HDP-2.0.8\",\"repoName\":\"HDP\",\"defaultBaseUrl\":\"http://public-repo-1.hortonworks.com/HDP/centos6/2.x/updates/2.0.6.0\"}]";, "package_list": "[{\"type\":\"rpm\",\"name\":\"hadoop-yarn\"},{\"type\":\"rpm\",\"name\":\"hadoop-yarn-nodemanager\"},{\"type\":\"rpm\",\"name\":\"hadoop-mapreduce\"},{\"type\":\"rpm\",\"name\":\"hadoop-yarn-proxyserver\"},{\"type\":\"rpm\",\"name\":\"hadoop-yarn-resourcemanager\"}]", @@ -35,6 +36,19 @@ "taskId": 186, "public_hostname": "c6401.ambari.apache.org", "configurations": { + "cluster-env": { + "managed_hdfs_resource_property_names": "", + "security_enabled": "true", + "ignore_groupsusers_create": "false", + "smokeuser": "ambari-qa", + "smokeuser_principal_name": "[email protected]", + "kerberos_domain": "EXAMPLE.COM", + "user_group": "hadoop", + "smokeuser_keytab": "/etc/security/keytabs/smokeuser.headless.keytab", + "kinit_path_local": "/usr/bin", + "manage_dirs_on_root": "true", + "ignore_bad_mounts": "false" + }, "mapred-site": { "mapreduce.jobhistory.address": "c6402.ambari.apache.org:10020", "mapreduce.jobhistory.webapp.spnego-keytab-file": "/etc/security/keytabs/spnego.service.keytab", http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/test/python/stacks/2.0.6/hooks/before-START/test_before_start.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.0.6/hooks/before-START/test_before_start.py b/ambari-server/src/test/python/stacks/2.0.6/hooks/before-START/test_before_start.py index 30561ac..4f62ace 100644 --- a/ambari-server/src/test/python/stacks/2.0.6/hooks/before-START/test_before_start.py +++ b/ambari-server/src/test/python/stacks/2.0.6/hooks/before-START/test_before_start.py @@ -21,6 +21,7 @@ limitations under the License. from stacks.utils.RMFTestCase import * from mock.mock import MagicMock, call, patch from resource_management import Hook +from resource_management.core.exceptions import Fail import json @patch("platform.linux_distribution", new = MagicMock(return_value="Linux")) @@ -258,10 +259,10 @@ class TestHookBeforeStart(RMFTestCase): config_file = "stacks/2.0.6/configs/default.json" with open(config_file, "r") as f: default_json = json.load(f) - + default_json['serviceName'] = 'HDFS' default_json['configurations']['core-site']['net.topology.script.file.name'] = '/home/myhadoop/hadoop/conf.hadoop/topology_script.py' - + self.executeScript("2.0.6/hooks/before-START/scripts/hook.py", classname="BeforeStartHook", command="hook", @@ -335,14 +336,13 @@ class TestHookBeforeStart(RMFTestCase): ) self.assertNoMoreResources() - -def test_that_jce_is_required_in_secured_cluster(self): - try: - self.executeScript("2.0.6/hooks/before-START/scripts/hook.py", - classname="BeforeStartHook", - command="hook", - config_file="secured_no_jce_name.json" - ) - self.fail("Should throw an exception") - except Fail: - pass # Expected + def test_that_jce_is_required_in_secured_cluster(self): + try: + self.executeScript("2.0.6/hooks/before-START/scripts/hook.py", + classname="BeforeStartHook", + command="hook", + config_file="secured_no_jce_name.json" + ) + self.fail("Should throw an exception") + except Fail: + pass # Expected http://git-wip-us.apache.org/repos/asf/ambari/blob/9112148e/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py b/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py index 444fae6..6727b2f 100644 --- a/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py +++ b/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py @@ -83,27 +83,6 @@ class TestKerberosClient(RMFTestCase): group='root', mode=0644) - def test_configure_unmanaged_kdc_and_krb5conf(self): - json_data = use_cases.get_unmanged_krb5conf_use_case() - - - self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/kerberos_client.py", - classname="KerberosClient", - command="configure", - config_dict=json_data, - stack_version = self.STACK_VERSION, - target = RMFTestCase.TARGET_COMMON_SERVICES - ) - self.assertResourceCalled('Directory', '/var/lib/ambari-agent/tmp/curl_krb_cache', action=["delete"], - ) - self.assertResourceCalled('Directory', '/tmp/AMBARI-artifacts/', - create_parents = True, - ) - self.assertResourceCalled('File', '/tmp/AMBARI-artifacts//UnlimitedJCEPolicyJDK7.zip', - content = DownloadSource('http://c6401.ambari.apache.org:8080/resources//UnlimitedJCEPolicyJDK7.zip'), - ) - self.assertNoMoreResources() - def test_configure_unmanaged_ad(self): json_data = use_cases.get_unmanged_ad_use_case()
