Repository: ambari Updated Branches: refs/heads/branch-2.5 6da1c530e -> 098e4fc09
AMBARI-20237. After regenerate keytabs post Ambari upgrade yarn.nodemanager.linux-container-executor.cgroups.mount-path property got added with blank value (echekanskiy) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/098e4fc0 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/098e4fc0 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/098e4fc0 Branch: refs/heads/branch-2.5 Commit: 098e4fc091f02922727ed4f0954f4d2ee4ecd08e Parents: 6da1c53 Author: Eugene Chekanskiy <echekans...@hortonworks.com> Authored: Thu Mar 2 19:38:04 2017 +0200 Committer: Eugene Chekanskiy <echekans...@hortonworks.com> Committed: Thu Mar 2 19:38:04 2017 +0200 ---------------------------------------------------------------------- .../server/upgrade/UpgradeCatalog250.java | 14 ++ .../server/upgrade/UpgradeCatalog250Test.java | 10 +- ...test_kerberos_descriptor_2_5_infra_solr.json | 212 ++++++++++++++++++- 3 files changed, 226 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/098e4fc0/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java index 39a129d..a597a63 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java @@ -42,6 +42,7 @@ import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; import org.apache.ambari.server.state.Config; import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosConfigurationDescriptor; import org.apache.ambari.server.state.kerberos.KerberosDescriptor; import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory; import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor; @@ -442,6 +443,19 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog { } } } + KerberosServiceDescriptor yarnKerberosDescriptor = kerberosDescriptor.getService("YARN"); + if (yarnKerberosDescriptor != null) { + Map<String, KerberosConfigurationDescriptor> configs = yarnKerberosDescriptor.getConfigurations(); + KerberosConfigurationDescriptor yarnSiteConfigDescriptor = configs.get("yarn-site"); + if (yarnSiteConfigDescriptor != null) { + Map<String, String> properties = yarnSiteConfigDescriptor.getProperties(); + if (properties != null && properties.containsKey(YARN_LCE_CGROUPS_MOUNT_PATH)) { + properties.remove(YARN_LCE_CGROUPS_MOUNT_PATH); + artifactEntity.setArtifactData(kerberosDescriptor.toMap()); + artifactDAO.merge(artifactEntity); + } + } + } } } } http://git-wip-us.apache.org/repos/asf/ambari/blob/098e4fc0/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java index 64536cb..529ac5c 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java @@ -1601,6 +1601,7 @@ public class UpgradeCatalog250Test { @Test public void testUpdateKerberosDescriptorArtifact() throws Exception { + final String propertyToRemove = "yarn.nodemanager.linux-container-executor.cgroups.mount-path"; final KerberosDescriptorFactory kerberosDescriptorFactory = new KerberosDescriptorFactory(); KerberosServiceDescriptor serviceDescriptor; @@ -1628,8 +1629,7 @@ public class UpgradeCatalog250Test { Assert.assertNotNull(serviceDescriptor); Assert.assertNotNull(serviceDescriptor.getComponent("NIMBUS")); - UpgradeCatalog250 upgradeMock = createMockBuilder(UpgradeCatalog250.class).createMock(); - + UpgradeCatalog250 upgradeMock = createMockBuilder(UpgradeCatalog250.class).withConstructor(injector).createMock(); ArtifactEntity artifactEntity = createNiceMock(ArtifactEntity.class); expect(artifactEntity.getArtifactData()) @@ -1638,10 +1638,10 @@ public class UpgradeCatalog250Test { Capture<Map<String, Object>> updateData = Capture.newInstance(CaptureType.ALL); artifactEntity.setArtifactData(capture(updateData)); - expectLastCall().times(3); + expectLastCall().times(4); ArtifactDAO artifactDAO = createNiceMock(ArtifactDAO.class); - expect(artifactDAO.merge(anyObject(ArtifactEntity.class))).andReturn(artifactEntity).times(3); + expect(artifactDAO.merge(anyObject(ArtifactEntity.class))).andReturn(artifactEntity).times(4); replay(artifactEntity, artifactDAO, upgradeMock); upgradeMock.updateKerberosDescriptorArtifact(artifactDAO, artifactEntity); @@ -1650,6 +1650,7 @@ public class UpgradeCatalog250Test { KerberosDescriptor atlasKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(0)); KerberosDescriptor rangerKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(1)); KerberosDescriptor stormKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(2)); + KerberosDescriptor yarnKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(3)); Assert.assertNotNull(atlasKerberosDescriptorUpdated.getIdentity("spnego")); Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("LOGSEARCH")); @@ -1664,6 +1665,7 @@ public class UpgradeCatalog250Test { Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM")); Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM").getComponent("NIMBUS")); Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM").getComponent("NIMBUS").getIdentity("/STORM/storm_components")); + Assert.assertFalse(yarnKerberosDescriptorUpdated.getService("YARN").getConfigurations().get("yarn-site").getProperties().containsKey(propertyToRemove)); } @Test http://git-wip-us.apache.org/repos/asf/ambari/blob/098e4fc0/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json index 172ad05..0c2723e 100644 --- a/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json +++ b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json @@ -39,9 +39,9 @@ "name": "atlas", "principal": { "value": "atlas/_HOST@${realm}", - "type" : "service", + "type": "service", "configuration": "application-properties/atlas.jaas.KafkaClient.option.principal", - "local_username" : "${atlas-env/metadata_user}" + "local_username": "${atlas-env/metadata_user}" }, "keytab": { "file": "${keytab_dir}/atlas.service.keytab", @@ -103,14 +103,214 @@ }, { "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", - "when" : { - "contains" : ["services", "AMBARI_INFRA"] + "when": { + "contains": [ + "services", + "AMBARI_INFRA" + ] } } ] } ] }, + , + { + "components": [ + { + "identities": [ + { + "name": "/HDFS/NAMENODE/hdfs" + }, + { + "keytab": { + "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.keytab", + "file": "${keytab_dir}/spnego.service.keytab" + }, + "name": "/spnego", + "principal": { + "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal", + "value": "HTTP/_HOST@${realm}" + } + }, + { + "keytab": { + "configuration": "yarn-site/yarn.timeline-service.keytab", + "file": "${keytab_dir}/yarn.service.keytab", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + }, + "owner": { + "access": "r", + "name": "${yarn-env/yarn_user}" + } + }, + "name": "app_timeline_server_yarn", + "principal": { + "configuration": "yarn-site/yarn.timeline-service.principal", + "local_username": "${yarn-env/yarn_user}", + "type": "service", + "value": "yarn/_HOST@${realm}" + } + } + ], + "name": "APP_TIMELINE_SERVER" + }, + { + "configurations": [ + { + "yarn-site": { + "yarn.nodemanager.container-executor.class": "org.apache.hadoop.yarn.server.nodemanager.DefaultContainerExecutor" + } + } + ], + "identities": [ + { + "keytab": { + "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-keytab-file", + "file": "${keytab_dir}/spnego.service.keytab" + }, + "name": "/spnego", + "principal": { + "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal", + "value": "HTTP/_HOST@${realm}" + } + }, + { + "keytab": { + "configuration": "yarn-site/yarn.nodemanager.keytab", + "file": "${keytab_dir}/nm.service.keytab", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + }, + "owner": { + "access": "r", + "name": "${yarn-env/yarn_user}" + } + }, + "name": "nodemanager_nm", + "principal": { + "configuration": "yarn-site/yarn.nodemanager.principal", + "local_username": "${yarn-env/yarn_user}", + "type": "service", + "value": "nm/_HOST@${realm}" + } + } + ], + "name": "NODEMANAGER" + }, + { + "identities": [ + { + "keytab": { + "configuration": "ranger-yarn-audit/xasecure.audit.jaas.Client.option.keyTab", + "file": "${keytab_dir}/rm.service.keytab" + }, + "name": "/YARN/RESOURCEMANAGER/resource_manager_rm", + "principal": { + "configuration": "ranger-yarn-audit/xasecure.audit.jaas.Client.option.principal", + "value": "rm/_HOST@${realm}" + } + }, + { + "keytab": { + "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-keytab-file", + "file": "${keytab_dir}/spnego.service.keytab" + }, + "name": "/spnego", + "principal": { + "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal", + "value": "HTTP/_HOST@${realm}" + } + }, + { + "keytab": { + "configuration": "yarn-site/yarn.resourcemanager.keytab", + "file": "${keytab_dir}/rm.service.keytab", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + }, + "owner": { + "access": "r", + "name": "${yarn-env/yarn_user}" + } + }, + "name": "resource_manager_rm", + "principal": { + "configuration": "yarn-site/yarn.resourcemanager.principal", + "local_username": "${yarn-env/yarn_user}", + "type": "service", + "value": "rm/_HOST@${realm}" + } + } + ], + "name": "RESOURCEMANAGER" + } + ], + "configurations": [ + { + "capacity-scheduler": { + "yarn.scheduler.capacity.root.acl_administer_jobs": "${yarn-env/yarn_user}", + "yarn.scheduler.capacity.root.acl_administer_queue": "${yarn-env/yarn_user}", + "yarn.scheduler.capacity.root.default.acl_administer_jobs": "${yarn-env/yarn_user}", + "yarn.scheduler.capacity.root.default.acl_administer_queue": "${yarn-env/yarn_user}", + "yarn.scheduler.capacity.root.default.acl_submit_applications": "${yarn-env/yarn_user}" + } + }, + { + "core-site": { + "hadoop.proxyuser.${yarn-env/yarn_user}.groups": "*", + "hadoop.proxyuser.${yarn-env/yarn_user}.hosts": "${clusterHostInfo/rm_host}" + } + }, + { + "ranger-yarn-audit": { + "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true", + "xasecure.audit.jaas.Client.loginModuleControlFlag": "required", + "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule", + "xasecure.audit.jaas.Client.option.serviceName": "solr", + "xasecure.audit.jaas.Client.option.storeKey": "false", + "xasecure.audit.jaas.Client.option.useKeyTab": "true" + } + }, + { + "yarn-site": { + "yarn.acl.enable": "true", + "yarn.admin.acl": "${yarn-env/yarn_user},dr.who", + "yarn.nodemanager.linux-container-executor.cgroups.mount-path": "", + "yarn.resourcemanager.proxy-user-privileges.enabled": "false", + "yarn.resourcemanager.proxyusers.*.groups": "", + "yarn.resourcemanager.proxyusers.*.hosts": "", + "yarn.resourcemanager.proxyusers.*.users": "", + "yarn.timeline-service.enabled": "true", + "yarn.timeline-service.http-authentication.cookie.domain": "", + "yarn.timeline-service.http-authentication.cookie.path": "", + "yarn.timeline-service.http-authentication.kerberos.name.rules": "", + "yarn.timeline-service.http-authentication.proxyusers.*.groups": "", + "yarn.timeline-service.http-authentication.proxyusers.*.hosts": "", + "yarn.timeline-service.http-authentication.proxyusers.*.users": "", + "yarn.timeline-service.http-authentication.signature.secret": "", + "yarn.timeline-service.http-authentication.signature.secret.file": "", + "yarn.timeline-service.http-authentication.signer.secret.provider": "", + "yarn.timeline-service.http-authentication.signer.secret.provider.object": "", + "yarn.timeline-service.http-authentication.token.validity": "", + "yarn.timeline-service.http-authentication.type": "kerberos" + } + } + ], + "identities": [ + { + "name": "/smokeuser" + }, + { + "name": "/spnego" + } + ], + "name": "YARN" + }, { "name": "RANGER", "identities": [ @@ -126,9 +326,9 @@ "name": "rangeradmin", "principal": { "value": "rangeradmin/_HOST@${realm}", - "type" : "service", + "type": "service", "configuration": "ranger-admin-site/ranger.admin.kerberos.principal", - "local_username" : "${ranger-env/ranger_user}" + "local_username": "${ranger-env/ranger_user}" }, "keytab": { "file": "${keytab_dir}/rangeradmin.service.keytab",