http://git-wip-us.apache.org/repos/asf/ambari/blob/67fc4a37/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java index ab85aa1..c7b69f0 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java @@ -60,11 +60,14 @@ import org.apache.ambari.server.controller.internal.RequestStageContainer; import org.apache.ambari.server.controller.utilities.KerberosChecker; import org.apache.ambari.server.metadata.RoleCommandOrder; import org.apache.ambari.server.orm.dao.ArtifactDAO; +import org.apache.ambari.server.orm.dao.HostDAO; import org.apache.ambari.server.orm.dao.KerberosKeytabDAO; +import org.apache.ambari.server.orm.dao.KerberosKeytabPrincipalDAO; import org.apache.ambari.server.orm.dao.KerberosPrincipalDAO; -import org.apache.ambari.server.orm.dao.KerberosPrincipalHostDAO; import org.apache.ambari.server.orm.entities.ArtifactEntity; +import org.apache.ambari.server.orm.entities.HostEntity; import org.apache.ambari.server.orm.entities.KerberosKeytabEntity; +import org.apache.ambari.server.orm.entities.KerberosKeytabPrincipalEntity; import org.apache.ambari.server.security.credential.Credential; import org.apache.ambari.server.security.credential.PrincipalKeyCredential; import org.apache.ambari.server.security.encryption.CredentialStoreService; @@ -79,7 +82,6 @@ import org.apache.ambari.server.serveraction.kerberos.FinalizeKerberosServerActi import org.apache.ambari.server.serveraction.kerberos.KDCType; import org.apache.ambari.server.serveraction.kerberos.KerberosAdminAuthenticationException; import org.apache.ambari.server.serveraction.kerberos.KerberosIdentityDataFileWriter; -import org.apache.ambari.server.serveraction.kerberos.KerberosIdentityDataFileWriterFactory; import org.apache.ambari.server.serveraction.kerberos.KerberosInvalidConfigurationException; import org.apache.ambari.server.serveraction.kerberos.KerberosKDCConnectionException; import org.apache.ambari.server.serveraction.kerberos.KerberosKDCSSLConnectionException; @@ -95,6 +97,7 @@ import org.apache.ambari.server.serveraction.kerberos.PrepareEnableKerberosServe import org.apache.ambari.server.serveraction.kerberos.PrepareKerberosIdentitiesServerAction; import org.apache.ambari.server.serveraction.kerberos.UpdateKerberosConfigsServerAction; import org.apache.ambari.server.serveraction.kerberos.stageutils.ResolvedKerberosKeytab; +import org.apache.ambari.server.serveraction.kerberos.stageutils.ResolvedKerberosPrincipal; import org.apache.ambari.server.stageplanner.RoleGraph; import org.apache.ambari.server.stageplanner.RoleGraphFactory; import org.apache.ambari.server.state.Cluster; @@ -129,14 +132,17 @@ import org.apache.ambari.server.utils.StageUtils; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.io.FileUtils; import org.apache.commons.lang.StringUtils; -import org.apache.commons.lang3.tuple.Pair; import org.apache.directory.server.kerberos.shared.keytab.Keytab; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Lists; import com.google.common.collect.Sets; +import com.google.gson.JsonArray; +import com.google.gson.JsonObject; +import com.google.gson.JsonPrimitive; import com.google.inject.Inject; import com.google.inject.Injector; import com.google.inject.Singleton; @@ -200,19 +206,19 @@ public class KerberosHelperImpl implements KerberosHelper { private KerberosDescriptorFactory kerberosDescriptorFactory; @Inject - private KerberosIdentityDataFileWriterFactory kerberosIdentityDataFileWriterFactory; + private ArtifactDAO artifactDAO; @Inject private KerberosPrincipalDAO kerberosPrincipalDAO; @Inject - private ArtifactDAO artifactDAO; + private KerberosKeytabDAO kerberosKeytabDAO; @Inject - private KerberosKeytabDAO kerberosKeytabDAO; + private KerberosKeytabPrincipalDAO kerberosKeytabPrincipalDAO; @Inject - KerberosPrincipalHostDAO kerberosPrincipalHostDAO; + private HostDAO hostDAO; /** * The injector used to create new instances of helper classes like CreatePrincipalsServerAction @@ -234,7 +240,7 @@ public class KerberosHelperImpl implements KerberosHelper { public RequestStageContainer toggleKerberos(Cluster cluster, SecurityType securityType, RequestStageContainer requestStageContainer, Boolean manageIdentities) - throws AmbariException, KerberosOperationException { + throws AmbariException, KerberosOperationException { KerberosDetails kerberosDetails = getKerberosDetails(cluster, manageIdentities); @@ -258,7 +264,7 @@ public class KerberosHelperImpl implements KerberosHelper { public RequestStageContainer executeCustomOperations(Cluster cluster, Map<String, String> requestProperties, RequestStageContainer requestStageContainer, Boolean manageIdentities) - throws AmbariException, KerberosOperationException { + throws AmbariException, KerberosOperationException { if (requestProperties != null) { @@ -279,7 +285,7 @@ public class KerberosHelperImpl implements KerberosHelper { Map<String, Set<String>> serviceComponentFilter = parseComponentFilter(requestProperties); boolean updateConfigurations = !requestProperties.containsKey(DIRECTIVE_IGNORE_CONFIGS) - || !"true".equalsIgnoreCase(requestProperties.get(DIRECTIVE_IGNORE_CONFIGS)); + || !"true".equalsIgnoreCase(requestProperties.get(DIRECTIVE_IGNORE_CONFIGS)); boolean forceAllHosts = (hostFilter == null) || (hostFilter.contains("*")); @@ -291,7 +297,7 @@ public class KerberosHelperImpl implements KerberosHelper { if (handler != null) { requestStageContainer = handle(cluster, getKerberosDetails(cluster, manageIdentities), - serviceComponentFilter, hostFilter, null, null, requestStageContainer, handler); + serviceComponentFilter, hostFilter, null, null, requestStageContainer, handler); } else { throw new AmbariException(String.format("Unexpected directive value: %s", value)); } @@ -353,19 +359,19 @@ public class KerberosHelperImpl implements KerberosHelper { public RequestStageContainer ensureIdentities(Cluster cluster, Map<String, ? extends Collection<String>> serviceComponentFilter, Set<String> hostFilter, Collection<String> identityFilter, Set<String> hostsToForceKerberosOperations, RequestStageContainer requestStageContainer, Boolean manageIdentities) - throws AmbariException, KerberosOperationException { + throws AmbariException, KerberosOperationException { return handle(cluster, getKerberosDetails(cluster, manageIdentities), serviceComponentFilter, hostFilter, identityFilter, - hostsToForceKerberosOperations, requestStageContainer, new CreatePrincipalsAndKeytabsHandler(KerberosServerAction.OperationType.DEFAULT, false, false, - false)); + hostsToForceKerberosOperations, requestStageContainer, new CreatePrincipalsAndKeytabsHandler(KerberosServerAction.OperationType.DEFAULT, false, false, + false)); } @Override public RequestStageContainer deleteIdentities(Cluster cluster, Map<String, ? extends Collection<String>> serviceComponentFilter, Set<String> hostFilter, Collection<String> identityFilter, RequestStageContainer requestStageContainer, Boolean manageIdentities) - throws AmbariException, KerberosOperationException { + throws AmbariException, KerberosOperationException { return handle(cluster, getKerberosDetails(cluster, manageIdentities), serviceComponentFilter, hostFilter, identityFilter, null, - requestStageContainer, new DeletePrincipalsAndKeytabsHandler()); + requestStageContainer, new DeletePrincipalsAndKeytabsHandler()); } /** @@ -383,23 +389,23 @@ public class KerberosHelperImpl implements KerberosHelper { RoleCommandOrder roleCommandOrder = ambariManagementController.getRoleCommandOrder(cluster); DeleteIdentityHandler handler = new DeleteIdentityHandler(customCommandExecutionHelper, configuration.getDefaultServerTaskTimeout(), stageFactory, ambariManagementController); DeleteIdentityHandler.CommandParams commandParameters = new DeleteIdentityHandler.CommandParams( - components, - identities, - ambariManagementController.getAuthName(), - dataDirectory, - kerberosDetails.getDefaultRealm(), - kerberosDetails.getKdcType()); + components, + identities, + ambariManagementController.getAuthName(), + dataDirectory, + kerberosDetails.getDefaultRealm(), + kerberosDetails.getKdcType()); OrderedRequestStageContainer stageContainer = new OrderedRequestStageContainer( - roleGraphFactory, - roleCommandOrder, - new RequestStageContainer(actionManager.getNextRequestId(), null, requestFactory, actionManager)); + roleGraphFactory, + roleCommandOrder, + new RequestStageContainer(actionManager.getNextRequestId(), null, requestFactory, actionManager)); handler.addDeleteIdentityStages(cluster, stageContainer, commandParameters, kerberosDetails.manageIdentities()); stageContainer.getRequestStageContainer().persist(); } @Override public void configureServices(Cluster cluster, Map<String, Collection<String>> serviceFilter) - throws AmbariException, KerberosInvalidConfigurationException { + throws AmbariException, KerberosInvalidConfigurationException { final Map<String, Set<String>> installedServices = new HashMap<>(); final Set<String> previouslyExistingServices = new HashSet<>(); @@ -407,40 +413,40 @@ public class KerberosHelperImpl implements KerberosHelper { // We can create the map in the "shouldIncludeCommand" Command to avoid having to iterate // over the returned ServiceComponentHost List. getServiceComponentHosts(cluster, - new Command<Boolean, ServiceComponentHost>() { - @Override - public Boolean invoke(ServiceComponentHost sch) throws AmbariException { - if (sch != null) { - String serviceName = sch.getServiceName(); - - Set<String> installedComponents = installedServices.get(serviceName); - if (installedComponents == null) { - installedComponents = new HashSet<>(); - installedServices.put(serviceName, installedComponents); - } - installedComponents.add(sch.getServiceComponentName()); + new Command<Boolean, ServiceComponentHost>() { + @Override + public Boolean invoke(ServiceComponentHost sch) throws AmbariException { + if (sch != null) { + String serviceName = sch.getServiceName(); - // Determine if this component was PREVIOUSLY installed, which implies that its containing service was PREVIOUSLY installed - if (!previouslyExistingServices.contains(serviceName) && PREVIOUSLY_INSTALLED_STATES.contains(sch.getState())) { - previouslyExistingServices.add(serviceName); - } + Set<String> installedComponents = installedServices.get(serviceName); + if (installedComponents == null) { + installedComponents = new HashSet<>(); + installedServices.put(serviceName, installedComponents); + } + installedComponents.add(sch.getServiceComponentName()); - return true; + // Determine if this component was PREVIOUSLY installed, which implies that its containing service was PREVIOUSLY installed + if (!previouslyExistingServices.contains(serviceName) && PREVIOUSLY_INSTALLED_STATES.contains(sch.getState())) { + previouslyExistingServices.add(serviceName); } - return false; + return true; } - }); + + return false; + } + }); Map<String, Map<String, String>> existingConfigurations = calculateExistingConfigurations(cluster, null); Map<String, Map<String, String>> updates = getServiceConfigurationUpdates(cluster, - existingConfigurations, installedServices, serviceFilter, previouslyExistingServices, true, true); + existingConfigurations, installedServices, serviceFilter, previouslyExistingServices, true, true); // Store the updates... for (Map.Entry<String, Map<String, String>> entry : updates.entrySet()) { configHelper.updateConfigType(cluster, cluster.getDesiredStackVersion(), - ambariManagementController, entry.getKey(), entry.getValue(), null, - ambariManagementController.getAuthName(), "Enabling Kerberos for added components"); + ambariManagementController, entry.getKey(), entry.getValue(), null, + ambariManagementController.getAuthName(), "Enabling Kerberos for added components"); } } @@ -452,7 +458,7 @@ public class KerberosHelperImpl implements KerberosHelper { Set<String> previouslyExistingServices, boolean kerberosEnabled, boolean applyStackAdvisorUpdates) - throws KerberosInvalidConfigurationException, AmbariException { + throws KerberosInvalidConfigurationException, AmbariException { Map<String, Map<String, String>> kerberosConfigurations = new HashMap<>(); KerberosDetails kerberosDetails = getKerberosDetails(cluster, null); @@ -460,14 +466,14 @@ public class KerberosHelperImpl implements KerberosHelper { Map<String, String> kerberosDescriptorProperties = kerberosDescriptor.getProperties(); Map<String, Map<String, String>> configurations = addAdditionalConfigurations(cluster, - deepCopy(existingConfigurations), null, kerberosDescriptorProperties); + deepCopy(existingConfigurations), null, kerberosDescriptorProperties); Map<String, Set<String>> propertiesToIgnore = new HashMap<>(); // If Ambari is managing it own identities then add AMBARI to the set of installed service so // that its Kerberos descriptor entries will be included. if (createAmbariIdentities(existingConfigurations.get(KERBEROS_ENV))) { - installedServices = new HashMap<>(installedServices); + installedServices = new HashMap<String, Set<String>>(installedServices); installedServices.put(RootService.AMBARI.name(), Collections.singleton(RootComponent.AMBARI_SERVER.name())); } @@ -504,7 +510,7 @@ public class KerberosHelperImpl implements KerberosHelper { processIdentityConfigurations(identityConfigurations, kerberosConfigurations, configurations, propertiesToIgnore); mergeConfigurations(kerberosConfigurations, - componentDescriptor.getConfigurations(!servicePreviouslyExisted), configurations, null); + componentDescriptor.getConfigurations(!servicePreviouslyExisted), configurations, null); } } } @@ -516,9 +522,9 @@ public class KerberosHelperImpl implements KerberosHelper { setAuthToLocalRules(cluster, kerberosDescriptor, kerberosDetails.getDefaultRealm(), installedServices, configurations, kerberosConfigurations, false); return (applyStackAdvisorUpdates) - ? applyStackAdvisorUpdates(cluster, installedServices.keySet(), configurations, kerberosConfigurations, propertiesToIgnore, - new HashMap<>(), kerberosEnabled) - : kerberosConfigurations; + ? applyStackAdvisorUpdates(cluster, installedServices.keySet(), configurations, kerberosConfigurations, propertiesToIgnore, + new HashMap<>(), kerberosEnabled) + : kerberosConfigurations; } /** @@ -536,7 +542,7 @@ public class KerberosHelperImpl implements KerberosHelper { Set<String> services, Set<String> componentFilter, Map<String, Map<String, String>> configurations) - throws AmbariException { + throws AmbariException { StackId stackVersion = cluster.getCurrentStackVersion(); List<String> hostNames = new ArrayList<>(); @@ -548,12 +554,12 @@ public class KerberosHelperImpl implements KerberosHelper { } StackAdvisorRequest request = StackAdvisorRequest.StackAdvisorRequestBuilder - .forStack(stackVersion.getStackName(), stackVersion.getStackVersion()) - .forServices(services) - .forHosts(hostNames) - .withComponentHostsMap(cluster.getServiceComponentHostMap(null, services)) - .ofType(StackAdvisorRequest.StackAdvisorRequestType.HOST_GROUPS) - .build(); + .forStack(stackVersion.getStackName(), stackVersion.getStackVersion()) + .forServices(services) + .forHosts(hostNames) + .withComponentHostsMap(cluster.getServiceComponentHostMap(null, services)) + .ofType(StackAdvisorRequest.StackAdvisorRequestType.HOST_GROUPS) + .build(); try { RecommendationResponse response = stackAdvisorHelper.recommend(request); @@ -727,13 +733,13 @@ public class KerberosHelperImpl implements KerberosHelper { } StackAdvisorRequest request = StackAdvisorRequest.StackAdvisorRequestBuilder - .forStack(stackId.getStackName(), stackId.getStackVersion()) - .forServices(services) - .forHosts(hostNames) - .withComponentHostsMap(cluster.getServiceComponentHostMap(null, services)) - .withConfigurations(requestConfigurations) - .ofType(StackAdvisorRequest.StackAdvisorRequestType.CONFIGURATIONS) - .build(); + .forStack(stackId.getStackName(), stackId.getStackVersion()) + .forServices(services) + .forHosts(hostNames) + .withComponentHostsMap(cluster.getServiceComponentHostMap(null, services)) + .withConfigurations(requestConfigurations) + .ofType(StackAdvisorRequest.StackAdvisorRequestType.CONFIGURATIONS) + .build(); try { RecommendationResponse response = stackAdvisorHelper.recommend(request); @@ -752,11 +758,11 @@ public class KerberosHelperImpl implements KerberosHelper { Set<String> ignoreProperties = (propertiesToIgnore == null) ? null : propertiesToIgnore.get(configType); addRecommendedPropertiesForConfigType(kerberosConfigurations, configType, recommendedConfigProperties, - existingConfigProperties, kerberosConfigProperties, ignoreProperties); + existingConfigProperties, kerberosConfigProperties, ignoreProperties); if (recommendedConfigPropertyAttributes != null) { removeRecommendedPropertiesForConfigType(configType, recommendedConfigPropertyAttributes, - existingConfigProperties, kerberosConfigurations, ignoreProperties, propertiesToRemove); + existingConfigProperties, kerberosConfigurations, ignoreProperties, propertiesToRemove); } } } @@ -793,8 +799,8 @@ public class KerberosHelperImpl implements KerberosHelper { // add the config and property if it also does not exist in the existing configurations if ((existingConfigProperties == null) || !existingConfigProperties.containsKey(propertyName)) { LOG.debug("Adding Kerberos configuration based on StackAdvisor recommendation:" + - "\n\tConfigType: {}\n\tProperty: {}\n\tValue: {}", - configType, propertyName, recommendedValue); + "\n\tConfigType: {}\n\tProperty: {}\n\tValue: {}", + configType, propertyName, recommendedValue); if (kerberosConfigProperties == null) { kerberosConfigProperties = new HashMap<>(); @@ -808,8 +814,8 @@ public class KerberosHelperImpl implements KerberosHelper { if ((value == null) ? (recommendedValue != null) : !value.equals(recommendedValue)) { // If the recommended value is a change, automatically change it. LOG.debug("Updating Kerberos configuration based on StackAdvisor recommendation:" + - "\n\tConfigType: {}\n\tProperty: {}\n\tOld Value: {}\n\tNew Value: {}", - configType, propertyName, (value == null) ? "" : value, (recommendedValue == null) ? "" : recommendedValue); + "\n\tConfigType: {}\n\tProperty: {}\n\tOld Value: {}\n\tNew Value: {}", + configType, propertyName, (value == null) ? "" : value, (recommendedValue == null) ? "" : recommendedValue); kerberosConfigProperties.put(propertyName, recommendedValue); } @@ -837,12 +843,12 @@ public class KerberosHelperImpl implements KerberosHelper { // add to propertiesToBeRemoved map Map<String, String> kerberosConfigProperties = kerberosConfigurations.get(configType); if (((ignoreProperties == null) || !ignoreProperties.contains(propertyName)) && - ((kerberosConfigProperties == null) || kerberosConfigProperties.get(propertyName) == null) && - (existingConfigProperties != null && existingConfigProperties.containsKey(propertyName))) { + ((kerberosConfigProperties == null) || kerberosConfigProperties.get(propertyName) == null) && + (existingConfigProperties != null && existingConfigProperties.containsKey(propertyName))) { LOG.debug("Property to remove from configuration based on StackAdvisor recommendation:" + - "\n\tConfigType: {}\n\tProperty: {}", - configType, propertyName); + "\n\tConfigType: {}\n\tProperty: {}", + configType, propertyName); // kerberosEnabled add property to propertiesToRemove, otherwise to kerberosConfigurations map if (propertiesToRemove != null) { @@ -866,7 +872,7 @@ public class KerberosHelperImpl implements KerberosHelper { @Override public boolean ensureHeadlessIdentities(Cluster cluster, Map<String, Map<String, String>> existingConfigurations, Set<String> services) - throws KerberosInvalidConfigurationException, AmbariException { + throws KerberosInvalidConfigurationException, AmbariException { KerberosDetails kerberosDetails = getKerberosDetails(cluster, null); @@ -876,7 +882,7 @@ public class KerberosHelperImpl implements KerberosHelper { Map<String, String> kerberosDescriptorProperties = kerberosDescriptor.getProperties(); Map<String, Map<String, String>> configurations = addAdditionalConfigurations(cluster, - deepCopy(existingConfigurations), null, kerberosDescriptorProperties); + deepCopy(existingConfigurations), null, kerberosDescriptorProperties); Map<String, String> kerberosConfiguration = kerberosDetails.getKerberosEnvProperties(); KerberosOperationHandler kerberosOperationHandler = kerberosOperationHandlerFactory.getKerberosOperationHandler(kerberosDetails.getKdcType()); @@ -886,7 +892,7 @@ public class KerberosHelperImpl implements KerberosHelper { kerberosOperationHandler.open(administratorCredential, kerberosDetails.getDefaultRealm(), kerberosConfiguration); } catch (KerberosOperationException e) { String message = String.format("Failed to process the identities, could not properly open the KDC operation handler: %s", - e.getMessage()); + e.getMessage()); LOG.error(message); throw new AmbariException(message, e); } @@ -1040,15 +1046,27 @@ public class KerberosHelperImpl implements KerberosHelper { if ((operationHandler != null) && operationHandler.createKeytabFile(keytab, tmpKeytabFile)) { String ownerName = variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerName(), configurations); String ownerAccess = keytabDescriptor.getOwnerAccess(); - boolean ownerWritable = "w".equalsIgnoreCase(ownerAccess) || "rw".equalsIgnoreCase(ownerAccess); - boolean ownerReadable = "r".equalsIgnoreCase(ownerAccess) || "rw".equalsIgnoreCase(ownerAccess); String groupName = variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupName(), configurations); String groupAccess = keytabDescriptor.getGroupAccess(); - boolean groupWritable = "w".equalsIgnoreCase(groupAccess) || "rw".equalsIgnoreCase(groupAccess); - boolean groupReadable = "r".equalsIgnoreCase(groupAccess) || "rw".equalsIgnoreCase(groupAccess); - configureAmbariIdentitiesServerAction.installAmbariServerIdentity(principal, tmpKeytabFile.getAbsolutePath(), destKeytabFilePath, - ownerName, ownerReadable, ownerWritable, groupName, groupReadable, groupWritable, null); + // TODO check if this reliable + String componentName = principal.contains(KerberosHelper.AMBARI_SERVER_KERBEROS_IDENTITY_NAME) + ? "AMBARI_SERVER_SELF" + : RootComponent.AMBARI_SERVER.name(); + + ResolvedKerberosPrincipal resolvedKerberosPrincipal = new ResolvedKerberosPrincipal( + null, + hostname, + principal, + false, + null, + RootService.AMBARI.name(), + componentName, + destKeytabFilePath + ); + + configureAmbariIdentitiesServerAction.installAmbariServerIdentity(resolvedKerberosPrincipal, tmpKeytabFile.getAbsolutePath(), destKeytabFilePath, + ownerName, ownerAccess, groupName, groupAccess, null); LOG.debug("Successfully created keytab file for {} at {}", principal, destKeytabFile.getAbsolutePath()); } else { LOG.error("Failed to create keytab file for {} at {}", principal, destKeytabFile.getAbsolutePath()); @@ -1058,7 +1076,7 @@ public class KerberosHelperImpl implements KerberosHelper { } } catch (KerberosOperationException e) { throw new AmbariException(String.format("Failed to create keytab file for %s at %s: %s:", - principal, destKeytabFile.getAbsolutePath(), e.getLocalizedMessage()), e); + principal, destKeytabFile.getAbsolutePath(), e.getLocalizedMessage()), e); } } else { LOG.error("No keytab data is available to create the keytab file for {} at {}", principal, destKeytabFile.getAbsolutePath()); @@ -1074,24 +1092,24 @@ public class KerberosHelperImpl implements KerberosHelper { @Override public RequestStageContainer createTestIdentity(Cluster cluster, Map<String, String> commandParamsStage, RequestStageContainer requestStageContainer) - throws KerberosOperationException, AmbariException { + throws KerberosOperationException, AmbariException { return handleTestIdentity(cluster, getKerberosDetails(cluster, null), commandParamsStage, requestStageContainer, - new CreatePrincipalsAndKeytabsHandler(KerberosServerAction.OperationType.DEFAULT, false, false, false)); + new CreatePrincipalsAndKeytabsHandler(KerberosServerAction.OperationType.DEFAULT, false, false, false)); } @Override public RequestStageContainer deleteTestIdentity(Cluster cluster, Map<String, String> commandParamsStage, RequestStageContainer requestStageContainer) - throws KerberosOperationException, AmbariException { + throws KerberosOperationException, AmbariException { requestStageContainer = handleTestIdentity(cluster, getKerberosDetails(cluster, null), commandParamsStage, requestStageContainer, new DeletePrincipalsAndKeytabsHandler()); return requestStageContainer; } @Override public void validateKDCCredentials(Cluster cluster) throws KerberosMissingAdminCredentialsException, - KerberosAdminAuthenticationException, - KerberosInvalidConfigurationException, - AmbariException { + KerberosAdminAuthenticationException, + KerberosInvalidConfigurationException, + AmbariException { validateKDCCredentials(null, cluster); } @@ -1102,7 +1120,7 @@ public class KerberosHelperImpl implements KerberosHelper { Map<String, Map<String, String>> existingConfigurations, Map<String, Map<String, String>> kerberosConfigurations, boolean includePreconfigureData) - throws AmbariException { + throws AmbariException { boolean processAuthToLocalRules = true; Map<String, String> kerberosEnvProperties = existingConfigurations.get(KERBEROS_ENV); @@ -1132,8 +1150,8 @@ public class KerberosHelperImpl implements KerberosHelper { // Add in the default configurations for the services that need to be preconfigured. These // configurations may be needed while calculating the auth-to-local rules. Map<String, Map<String, String>> replacements = (includePreconfigureData) - ? addConfigurationsForPreProcessedServices(deepCopy(existingConfigurations), cluster, kerberosDescriptor, false) - : existingConfigurations; + ? addConfigurationsForPreProcessedServices(deepCopy(existingConfigurations), cluster, kerberosDescriptor, false) + : existingConfigurations; // Process top-level identities addIdentities(authToLocalBuilder, kerberosDescriptor.getIdentities(true, filterContext), null, replacements); @@ -1157,8 +1175,8 @@ public class KerberosHelperImpl implements KerberosHelper { // service has been explicitly added to the cluster if (preconfigure || explicitlyAdded) { LOG.info("Adding identities for service {} to auth to local mapping [{}]", - serviceName, - (explicitlyAdded) ? "explicit" : "preconfigured"); + serviceName, + (explicitlyAdded) ? "explicit" : "preconfigured"); // Process the service-level Kerberos descriptor addIdentities(authToLocalBuilder, serviceDescriptor.getIdentities(true, filterContext), null, replacements); @@ -1233,20 +1251,19 @@ public class KerberosHelperImpl implements KerberosHelper { } kerberosConfiguration.put(propertyName, - builder.generate(AuthToLocalBuilder.ConcatenationType.translate(m.group(3)))); + builder.generate(AuthToLocalBuilder.ConcatenationType.translate(m.group(3)))); } } } } } - @Override public List<ServiceComponentHost> getServiceComponentHostsToProcess(final Cluster cluster, final KerberosDescriptor kerberosDescriptor, final Map<String, ? extends Collection<String>> serviceComponentFilter, final Collection<String> hostFilter) - throws AmbariException { + throws AmbariException { return getServiceComponentHosts(cluster, new Command<Boolean, ServiceComponentHost>() { @Override public Boolean invoke(ServiceComponentHost sch) throws AmbariException { @@ -1288,7 +1305,7 @@ public class KerberosHelperImpl implements KerberosHelper { */ private List<ServiceComponentHost> getServiceComponentHosts(Cluster cluster, Command<Boolean, ServiceComponentHost> shouldIncludeCommand) - throws AmbariException { + throws AmbariException { List<ServiceComponentHost> serviceComponentHostsToProcess = new ArrayList<>(); // Get the hosts in the cluster Collection<Host> hosts = cluster.getHosts(); @@ -1318,7 +1335,7 @@ public class KerberosHelperImpl implements KerberosHelper { @Override public Set<String> getHostsWithValidKerberosClient(Cluster cluster) - throws AmbariException { + throws AmbariException { Set<String> hostsWithValidKerberosClient = new HashSet<>(); List<ServiceComponentHost> schKerberosClients = cluster.getServiceComponentHosts(Service.Type.KERBEROS.name(), Role.KERBEROS_CLIENT.name()); @@ -1342,7 +1359,7 @@ public class KerberosHelperImpl implements KerberosHelper { public KerberosDescriptor getKerberosDescriptor(KerberosDescriptorType kerberosDescriptorType, Cluster cluster, boolean evaluateWhenClauses, Collection<String> additionalServices, boolean includePreconfigureData) - throws AmbariException { + throws AmbariException { // !!! FIXME in a per-service view, what does this become? Set<StackId> stackIds = new HashSet<>(); @@ -1409,12 +1426,12 @@ public class KerberosHelperImpl implements KerberosHelper { public KerberosDescriptor getKerberosDescriptor(KerberosDescriptorType kerberosDescriptorType, Cluster cluster, StackId stackId, boolean includePreconfigureData) throws AmbariException { KerberosDescriptor stackDescriptor = (kerberosDescriptorType == KerberosDescriptorType.STACK || kerberosDescriptorType == KerberosDescriptorType.COMPOSITE) - ? getKerberosDescriptorFromStack(stackId, includePreconfigureData) - : null; + ? getKerberosDescriptorFromStack(stackId, includePreconfigureData) + : null; KerberosDescriptor userDescriptor = (kerberosDescriptorType == KerberosDescriptorType.USER || kerberosDescriptorType == KerberosDescriptorType.COMPOSITE) - ? getKerberosDescriptorUpdates(cluster) - : null; + ? getKerberosDescriptorUpdates(cluster) + : null; return combineKerberosDescriptors(stackDescriptor, userDescriptor); } @@ -1424,7 +1441,7 @@ public class KerberosHelperImpl implements KerberosHelper { Map<String, KerberosConfigurationDescriptor> updates, Map<String, Map<String, String>> replacements, Set<String> configurationTypeFilter) - throws AmbariException { + throws AmbariException { if ((updates != null) && !updates.isEmpty()) { if (configurations == null) { @@ -1453,7 +1470,7 @@ public class KerberosHelperImpl implements KerberosHelper { Map<String, Map<String, String>> replacements, Cluster cluster, KerberosDescriptor kerberosDescriptor) - throws AmbariException { + throws AmbariException { // Ensure the Kerberos descriptor exists.... if (kerberosDescriptor == null) { @@ -1500,7 +1517,7 @@ public class KerberosHelperImpl implements KerberosHelper { String componentName, Map<String, Map<String, String>> kerberosConfigurations, Map<String, Map<String, String>> configurations, Map<String, ResolvedKerberosKeytab> resolvedKeytabs, String realm) - throws IOException { + throws IOException { int identitiesAdded = 0; if (identities != null) { @@ -1541,14 +1558,24 @@ public class KerberosHelperImpl implements KerberosHelper { String evaluatedPrincipal = principal.replace("_HOST", hostname).replace("_REALM", realm); ResolvedKerberosKeytab resolvedKeytab = new ResolvedKerberosKeytab( - keytabFilePath, - keytabFileOwnerName, - keytabFileOwnerAccess, - keytabFileGroupName, - keytabFileGroupAccess, - Sets.newHashSet(Pair.of(hostId, Pair.of(evaluatedPrincipal, principalType))), - serviceName.equalsIgnoreCase(RootService.AMBARI.name()), - componentName.equalsIgnoreCase("AMBARI_SERVER_SELF") + keytabFilePath, + keytabFileOwnerName, + keytabFileOwnerAccess, + keytabFileGroupName, + keytabFileGroupAccess, + Sets.newHashSet(new ResolvedKerberosPrincipal( + hostId, + hostname, + evaluatedPrincipal, + "service".equalsIgnoreCase(principalType), + null, + serviceName, + componentName, + keytabFilePath + ) + ), + serviceName.equalsIgnoreCase(RootService.AMBARI.name()), + componentName.equalsIgnoreCase("AMBARI_SERVER_SELF") ); if (resolvedKeytabs.containsKey(keytabFilePath)) { ResolvedKerberosKeytab sameKeytab = resolvedKeytabs.get(keytabFilePath); @@ -1557,58 +1584,58 @@ public class KerberosHelperImpl implements KerberosHelper { String warnTemplate = "Keytab '{}' on host '{}' has different {}, originally set to '{}' and '{}:{}' has '{}', using '{}'"; if (!resolvedKeytab.getOwnerName().equals(sameKeytab.getOwnerName())) { LOG.warn(warnTemplate, - keytabFilePath, hostname, "owners", sameKeytab.getOwnerName(), - serviceName, componentName, resolvedKeytab.getOwnerName(), - sameKeytab.getOwnerName()); + keytabFilePath, hostname, "owners", sameKeytab.getOwnerName(), + serviceName, componentName, resolvedKeytab.getOwnerName(), + sameKeytab.getOwnerName()); differentOwners = true; } if (!resolvedKeytab.getOwnerAccess().equals(sameKeytab.getOwnerAccess())) { LOG.warn(warnTemplate, - keytabFilePath, hostname, "owner access", sameKeytab.getOwnerAccess(), - serviceName, componentName, resolvedKeytab.getOwnerAccess(), - sameKeytab.getOwnerAccess()); + keytabFilePath, hostname, "owner access", sameKeytab.getOwnerAccess(), + serviceName, componentName, resolvedKeytab.getOwnerAccess(), + sameKeytab.getOwnerAccess()); } // TODO probably fail on group difference. Some services can inject its principals to same keytab, but // TODO with different owners, so make sure that keytabs are accessible through group acls // TODO this includes same group name and group 'r' mode if (!resolvedKeytab.getGroupName().equals(sameKeytab.getGroupName())) { - if(differentOwners) { + if (differentOwners) { LOG.error(warnTemplate, - keytabFilePath, hostname, "groups", sameKeytab.getGroupName(), - serviceName, componentName, resolvedKeytab.getGroupName(), - sameKeytab.getGroupName()); + keytabFilePath, hostname, "groups", sameKeytab.getGroupName(), + serviceName, componentName, resolvedKeytab.getGroupName(), + sameKeytab.getGroupName()); } else { LOG.warn(warnTemplate, - keytabFilePath, hostname, "groups", sameKeytab.getGroupName(), - serviceName, componentName, resolvedKeytab.getGroupName(), - sameKeytab.getGroupName()); + keytabFilePath, hostname, "groups", sameKeytab.getGroupName(), + serviceName, componentName, resolvedKeytab.getGroupName(), + sameKeytab.getGroupName()); } } if (!resolvedKeytab.getGroupAccess().equals(sameKeytab.getGroupAccess())) { - if(differentOwners) { + if (differentOwners) { if (!sameKeytab.getGroupAccess().contains("r")) { LOG.error("Keytab '{}' on host '{}' referenced by multiple identities which have different owners," + "but 'r' attribute missing for group. Make sure all users (that need this keytab) are in '{}' +" + "group and keytab can be read by this group", - keytabFilePath, - hostname, - sameKeytab.getGroupName() + keytabFilePath, + hostname, + sameKeytab.getGroupName() ); } LOG.error(warnTemplate, - keytabFilePath, hostname, "group access", sameKeytab.getGroupAccess(), - serviceName, componentName, resolvedKeytab.getGroupAccess(), - sameKeytab.getGroupAccess()); + keytabFilePath, hostname, "group access", sameKeytab.getGroupAccess(), + serviceName, componentName, resolvedKeytab.getGroupAccess(), + sameKeytab.getGroupAccess()); } else { LOG.warn(warnTemplate, - keytabFilePath, hostname, "group access", sameKeytab.getGroupAccess(), - serviceName, componentName, resolvedKeytab.getGroupAccess(), - sameKeytab.getGroupAccess()); + keytabFilePath, hostname, "group access", sameKeytab.getGroupAccess(), + serviceName, componentName, resolvedKeytab.getGroupAccess(), + sameKeytab.getGroupAccess()); } } // end validating // merge principal to keytab - sameKeytab.getMappedPrincipals().addAll(resolvedKeytab.getMappedPrincipals()); + sameKeytab.mergePrincipals(resolvedKeytab); // ensure that keytab file on ambari-server host creating jass file if (sameKeytab.isMustWriteAmbariJaasFile() || resolvedKeytab.isMustWriteAmbariJaasFile()) { sameKeytab.setMustWriteAmbariJaasFile(true); @@ -1620,24 +1647,24 @@ public class KerberosHelperImpl implements KerberosHelper { } else { resolvedKeytabs.put(keytabFilePath, resolvedKeytab); LOG.info("Keytab {} owner:'{}:{}', group:'{}:{}' is defined", keytabFilePath, - keytabFileOwnerName, keytabFileOwnerAccess, keytabFileGroupName, keytabFileGroupAccess); + keytabFileOwnerName, keytabFileOwnerAccess, keytabFileGroupName, keytabFileGroupAccess); } // Append an entry to the action data file builder... // TODO obsolete, move to ResolvedKerberosKeytab - if(kerberosIdentityDataFileWriter != null) { + if (kerberosIdentityDataFileWriter != null) { kerberosIdentityDataFileWriter.writeRecord( - hostname, - serviceName, - componentName, - evaluatedPrincipal, - principalType, - keytabFilePath, - keytabFileOwnerName, - keytabFileOwnerAccess, - keytabFileGroupName, - keytabFileGroupAccess, - "true"); + hostname, + serviceName, + componentName, + evaluatedPrincipal, + principalType, + keytabFilePath, + keytabFileOwnerName, + keytabFileOwnerAccess, + keytabFileGroupName, + keytabFileGroupAccess, + "true"); } // Add the principal-related configuration to the map of configurations @@ -1660,14 +1687,14 @@ public class KerberosHelperImpl implements KerberosHelper { KerberosDescriptor kerberosDescriptor, boolean includePreconfigureData, boolean calculateClusterHostInfo) - throws AmbariException { + throws AmbariException { Map<String, Map<String, String>> calculatedConfigurations = addAdditionalConfigurations( - cluster, - calculateExistingConfigurations(cluster, hostname), - hostname, - (kerberosDescriptor == null) ? null : kerberosDescriptor.getProperties()); + cluster, + calculateExistingConfigurations(cluster, hostname), + hostname, + (kerberosDescriptor == null) ? null : kerberosDescriptor.getProperties()); if (includePreconfigureData) { calculatedConfigurations = addConfigurationsForPreProcessedServices(calculatedConfigurations, cluster, kerberosDescriptor, calculateClusterHostInfo); @@ -1689,7 +1716,7 @@ public class KerberosHelperImpl implements KerberosHelper { String serviceName, String componentName, boolean replaceHostNames) - throws AmbariException { + throws AmbariException { if ((clusterName == null) || clusterName.isEmpty()) { throw new IllegalArgumentException("Invalid argument, cluster name is required"); @@ -1708,7 +1735,7 @@ public class KerberosHelperImpl implements KerberosHelper { Config kerberosEnvConfig = cluster.getDesiredConfigByType(KERBEROS_ENV); if (kerberosEnvConfig == null) { LOG.debug("Calculating the active identities for {} is being skipped since the kerberos-env configuration is not available", - clusterName, cluster.getSecurityType().name(), SecurityType.KERBEROS.name()); + clusterName, cluster.getSecurityType().name(), SecurityType.KERBEROS.name()); } else { Collection<String> hosts; String ambariServerHostname = StageUtils.getHostName(); @@ -1741,10 +1768,10 @@ public class KerberosHelperImpl implements KerberosHelper { // Calculate the current host-specific configurations. These will be used to replace // variables within the Kerberos descriptor data Map<String, Map<String, String>> configurations = calculateConfigurations(cluster, - hostname, - kerberosDescriptor, - false, - false); + hostname, + kerberosDescriptor, + false, + false); // Create the context to use for filtering Kerberos Identities based on the state of the cluster Map<String, Object> filterContext = new HashMap<>(); @@ -1754,7 +1781,7 @@ public class KerberosHelperImpl implements KerberosHelper { Map<String, KerberosIdentityDescriptor> hostActiveIdentities = new HashMap<>(); List<KerberosIdentityDescriptor> identities = getActiveIdentities(cluster, hostname, - serviceName, componentName, kerberosDescriptor, filterContext); + serviceName, componentName, kerberosDescriptor, filterContext); if (hostname.equals(ambariServerHostname)) { // Determine if we should _calculate_ the Ambari service identities. @@ -1799,10 +1826,10 @@ public class KerberosHelperImpl implements KerberosHelper { } KerberosPrincipalDescriptor resolvedPrincipalDescriptor = - new KerberosPrincipalDescriptor(principal, - principalType, - variableReplacementHelper.replaceVariables(principalDescriptor.getConfiguration(), configurations), - variableReplacementHelper.replaceVariables(principalDescriptor.getLocalUsername(), configurations)); + new KerberosPrincipalDescriptor(principal, + principalType, + variableReplacementHelper.replaceVariables(principalDescriptor.getConfiguration(), configurations), + variableReplacementHelper.replaceVariables(principalDescriptor.getLocalUsername(), configurations)); KerberosKeytabDescriptor resolvedKeytabDescriptor; @@ -1810,22 +1837,22 @@ public class KerberosHelperImpl implements KerberosHelper { resolvedKeytabDescriptor = null; } else { resolvedKeytabDescriptor = - new KerberosKeytabDescriptor( - keytabFile, - variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerName(), configurations), - variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerAccess(), configurations), - variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupName(), configurations), - variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupAccess(), configurations), - variableReplacementHelper.replaceVariables(keytabDescriptor.getConfiguration(), configurations), - keytabDescriptor.isCachable()); + new KerberosKeytabDescriptor( + keytabFile, + variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerName(), configurations), + variableReplacementHelper.replaceVariables(keytabDescriptor.getOwnerAccess(), configurations), + variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupName(), configurations), + variableReplacementHelper.replaceVariables(keytabDescriptor.getGroupAccess(), configurations), + variableReplacementHelper.replaceVariables(keytabDescriptor.getConfiguration(), configurations), + keytabDescriptor.isCachable()); } hostActiveIdentities.put(uniqueKey, new KerberosIdentityDescriptor( - identity.getName(), - identity.getReference(), - resolvedPrincipalDescriptor, - resolvedKeytabDescriptor, - identity.getWhen())); + identity.getName(), + identity.getReference(), + resolvedPrincipalDescriptor, + resolvedKeytabDescriptor, + identity.getWhen())); } } } @@ -1844,10 +1871,10 @@ public class KerberosHelperImpl implements KerberosHelper { public List<KerberosIdentityDescriptor> getAmbariServerIdentities(KerberosDescriptor kerberosDescriptor) throws AmbariException { List<KerberosIdentityDescriptor> ambariIdentities = new ArrayList<>(); - KerberosServiceDescriptor ambariKerberosDescriptor = kerberosDescriptor.getService("AMBARI"); + KerberosServiceDescriptor ambariKerberosDescriptor = kerberosDescriptor.getService(RootService.AMBARI.name()); if (ambariKerberosDescriptor != null) { List<KerberosIdentityDescriptor> serviceIdentities = ambariKerberosDescriptor.getIdentities(true, null); - KerberosComponentDescriptor ambariServerKerberosComponentDescriptor = ambariKerberosDescriptor.getComponent("AMBARI_SERVER"); + KerberosComponentDescriptor ambariServerKerberosComponentDescriptor = ambariKerberosDescriptor.getComponent(RootComponent.AMBARI_SERVER.name()); if (serviceIdentities != null) { ambariIdentities.addAll(serviceIdentities); @@ -1892,44 +1919,42 @@ public class KerberosHelperImpl implements KerberosHelper { /** * Creates and saves underlying {@link org.apache.ambari.server.orm.entities.KerberosPrincipalEntity}, - * {@link org.apache.ambari.server.orm.entities.KerberosKeytabEntity} and - * {@link org.apache.ambari.server.orm.entities.KerberosPrincipalHostEntity} entities in JPA storage. + * {@link org.apache.ambari.server.orm.entities.KerberosKeytabEntity} entities in JPA storage. * * @param resolvedKerberosKeytab kerberos keytab to be persisted */ @Override - public void processResolvedKeytab(ResolvedKerberosKeytab resolvedKerberosKeytab) { + public void createResolvedKeytab(ResolvedKerberosKeytab resolvedKerberosKeytab) { if (kerberosKeytabDAO.find(resolvedKerberosKeytab.getFile()) == null) { - kerberosKeytabDAO.create(resolvedKerberosKeytab.getFile()); + KerberosKeytabEntity kke = new KerberosKeytabEntity(resolvedKerberosKeytab.getFile()); + kke.setAmbariServerKeytab(resolvedKerberosKeytab.isAmbariServerKeytab()); + kke.setWriteAmbariJaasFile(resolvedKerberosKeytab.isMustWriteAmbariJaasFile()); + kke.setOwnerName(resolvedKerberosKeytab.getOwnerName()); + kke.setOwnerAccess(resolvedKerberosKeytab.getOwnerAccess()); + kke.setGroupName(resolvedKerberosKeytab.getGroupName()); + kke.setGroupAccess(resolvedKerberosKeytab.getGroupAccess()); + kerberosKeytabDAO.create(kke); } - for (Pair<Long, Pair<String, String>> principalPair : resolvedKerberosKeytab.getMappedPrincipals()) { - Pair<String, String> principal = principalPair.getRight(); - String principalName = principal.getLeft(); - String principalType = principal.getRight(); - Long hostId = principalPair.getLeft(); - if (!kerberosPrincipalDAO.exists(principalName)) { - kerberosPrincipalDAO.create(principalName, "service".equalsIgnoreCase(principalType)); + for (ResolvedKerberosPrincipal principal : resolvedKerberosKeytab.getPrincipals()) { + if (!kerberosPrincipalDAO.exists(principal.getPrincipal())) { + kerberosPrincipalDAO.create(principal.getPrincipal(), principal.isService()); } - if (hostId != null) { - if(!kerberosPrincipalHostDAO.exists(principalName, hostId, resolvedKerberosKeytab.getFile())) { - kerberosPrincipalHostDAO.create(principalName, hostId, resolvedKerberosKeytab.getFile()); + for (Map.Entry<String, String> mappingEntry : principal.getServiceMapping().entries()) { + String serviceName = mappingEntry.getKey(); + HostEntity hostEntity = principal.getHostId() != null ? hostDAO.findById(principal.getHostId()) : null; + KerberosKeytabEntity kke = kerberosKeytabDAO.find(resolvedKerberosKeytab.getFile()); + + KerberosKeytabPrincipalEntity kkp = kerberosKeytabPrincipalDAO.findOrCreate(kke, hostEntity, kerberosPrincipalDAO.find(principal.getPrincipal())); + if(kkp.putServiceMapping(serviceName, mappingEntry.getValue())) { + kerberosKeytabPrincipalDAO.merge(kkp); } + kerberosKeytabDAO.merge(kke); } } } @Override public void removeStaleKeytabs(Collection<ResolvedKerberosKeytab> expectedKeytabs) { - List<KerberosKeytabEntity> allKeytabs = kerberosKeytabDAO.findAll(); - Set<KerberosKeytabEntity> staleKeytabs; - staleKeytabs = allKeytabs != null ? new HashSet<>(allKeytabs) : Collections.emptySet(); - for (ResolvedKerberosKeytab keytab : expectedKeytabs) { - staleKeytabs.remove(new KerberosKeytabEntity(keytab.getFile())); - } - for (KerberosKeytabEntity staleKeytab: staleKeytabs) { - kerberosPrincipalHostDAO.removeByKeytabPath(staleKeytab.getKeytabPath()); - kerberosKeytabDAO.remove(staleKeytab); - } } @Override @@ -1951,7 +1976,7 @@ public class KerberosHelperImpl implements KerberosHelper { } Set<String> propertyNames = translation.get(configType); - if(propertyNames == null) { + if (propertyNames == null) { propertyNames = new HashSet<>(); translation.put(configType, propertyNames); } @@ -1982,7 +2007,7 @@ public class KerberosHelperImpl implements KerberosHelper { KerberosPrincipalType expectedType, Map<String, String> kerberosEnvProperties, KerberosOperationHandler kerberosOperationHandler, Map<String, Map<String, String>> configurations, String hostname) - throws AmbariException { + throws AmbariException { Keytab keytab = null; @@ -2005,12 +2030,12 @@ public class KerberosHelperImpl implements KerberosHelper { CreatePrincipalsServerAction.CreatePrincipalResult result; result = injector.getInstance(CreatePrincipalsServerAction.class).createPrincipal( - principal, - KerberosPrincipalType.SERVICE.equals(expectedType), - kerberosEnvProperties, - kerberosOperationHandler, - false, - null); + principal, + KerberosPrincipalType.SERVICE.equals(expectedType), + kerberosEnvProperties, + kerberosOperationHandler, + false, + null); if (result == null) { throw new AmbariException("Failed to create the account for " + principal); @@ -2019,13 +2044,13 @@ public class KerberosHelperImpl implements KerberosHelper { if (keytabDescriptor != null) { keytab = injector.getInstance(CreateKeytabFilesServerAction.class).createKeytab( - principal, - result.getPassword(), - result.getKeyNumber(), - kerberosOperationHandler, - true, - true, - null); + principal, + result.getPassword(), + result.getKeyNumber(), + kerberosOperationHandler, + true, + true, + null); if (keytab == null) { throw new AmbariException("Failed to create the keytab for " + principal); @@ -2050,9 +2075,9 @@ public class KerberosHelperImpl implements KerberosHelper { * @throws AmbariException if any other error occurs while trying to validate the credentials */ private void validateKDCCredentials(KerberosDetails kerberosDetails, Cluster cluster) throws KerberosMissingAdminCredentialsException, - KerberosAdminAuthenticationException, - KerberosInvalidConfigurationException, - AmbariException { + KerberosAdminAuthenticationException, + KerberosInvalidConfigurationException, + AmbariException { if (kerberosDetails == null) { kerberosDetails = getKerberosDetails(cluster, null); @@ -2075,34 +2100,34 @@ public class KerberosHelperImpl implements KerberosHelper { missingCredentials = !operationHandler.testAdministratorCredentials(); } catch (KerberosAdminAuthenticationException e) { throw new KerberosAdminAuthenticationException( - "Invalid KDC administrator credentials.\n" + - "The KDC administrator credentials must be set as a persisted or temporary credential resource." + - "This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:\n" + - "{\n" + - " \"Credential\" : {\n" + - " \"principal\" : \"(PRINCIPAL)\", \"key\" : \"(PASSWORD)\", \"type\" : \"(persisted|temporary)\"}\n" + - " }\n" + - "}", e); + "Invalid KDC administrator credentials.\n" + + "The KDC administrator credentials must be set as a persisted or temporary credential resource." + + "This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:\n" + + "{\n" + + " \"Credential\" : {\n" + + " \"principal\" : \"(PRINCIPAL)\", \"key\" : \"(PASSWORD)\", \"type\" : \"(persisted|temporary)\"}\n" + + " }\n" + + "}", e); } catch (KerberosKDCConnectionException e) { throw new KerberosInvalidConfigurationException( - "Failed to connect to KDC - " + e.getMessage() + "\n" + - "Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue.", - e); + "Failed to connect to KDC - " + e.getMessage() + "\n" + + "Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue.", + e); } catch (KerberosKDCSSLConnectionException e) { throw new KerberosInvalidConfigurationException( - "Failed to connect to KDC - " + e.getMessage() + "\n" + - "Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore.", - e); + "Failed to connect to KDC - " + e.getMessage() + "\n" + + "Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore.", + e); } catch (KerberosRealmException e) { throw new KerberosInvalidConfigurationException( - "Failed to find a KDC for the specified realm - " + e.getMessage() + "\n" + - "Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue.", - e); + "Failed to find a KDC for the specified realm - " + e.getMessage() + "\n" + + "Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue.", + e); } catch (KerberosLDAPContainerException e) { throw new KerberosInvalidConfigurationException( - "The principal container was not specified\n" + - "Set the 'container_dn' value in the kerberos-env configuration to correct this issue.", - e); + "The principal container was not specified\n" + + "Set the 'container_dn' value in the kerberos-env configuration to correct this issue.", + e); } catch (KerberosOperationException e) { throw new AmbariException(e.getMessage(), e); } finally { @@ -2163,15 +2188,15 @@ public class KerberosHelperImpl implements KerberosHelper { Set<String> hostsToForceKerberosOperations, RequestStageContainer requestStageContainer, final Handler handler) - throws AmbariException, KerberosOperationException { + throws AmbariException, KerberosOperationException { final KerberosDescriptor kerberosDescriptor = getKerberosDescriptor(cluster, false); List<ServiceComponentHost> schToProcess = getServiceComponentHostsToProcess( - cluster, - kerberosDescriptor, - serviceComponentFilter, - hostFilter); + cluster, + kerberosDescriptor, + serviceComponentFilter, + hostFilter); // While iterating over all the ServiceComponentHosts find hosts that have KERBEROS_CLIENT // components in the INSTALLED state and add them to the hostsWithValidKerberosClient Set. @@ -2215,29 +2240,29 @@ public class KerberosHelperImpl implements KerberosHelper { String hostParamsJson = StageUtils.getGson().toJson(hostParams); String ambariServerHostname = StageUtils.getHostName(); ServiceComponentHostServerActionEvent event = new ServiceComponentHostServerActionEvent( - "AMBARI_SERVER", - ambariServerHostname, // TODO: Choose a random hostname from the cluster. All tasks for the AMBARI_SERVER service will be executed on this Ambari server - System.currentTimeMillis()); + RootComponent.AMBARI_SERVER.name(), + ambariServerHostname, // TODO: Choose a random hostname from the cluster. All tasks for the AMBARI_SERVER service will be executed on this Ambari server + System.currentTimeMillis()); RoleCommandOrder roleCommandOrder = ambariManagementController.getRoleCommandOrder(cluster); // If a RequestStageContainer does not already exist, create a new one... if (requestStageContainer == null) { requestStageContainer = new RequestStageContainer( - actionManager.getNextRequestId(), - null, - requestFactory, - actionManager); + actionManager.getNextRequestId(), + null, + requestFactory, + actionManager); } // Use the handler implementation to setup the relevant stages. handler.createStages(cluster, clusterHostInfoJson, - hostParamsJson, event, roleCommandOrder, kerberosDetails, dataDirectory, - requestStageContainer, schToProcess, serviceComponentFilter, hostFilter, identityFilter, - hostsWithValidKerberosClient); + hostParamsJson, event, roleCommandOrder, kerberosDetails, dataDirectory, + requestStageContainer, schToProcess, serviceComponentFilter, hostFilter, identityFilter, + hostsWithValidKerberosClient); // Add the finalize stage... handler.addFinalizeOperationStage(cluster, clusterHostInfoJson, hostParamsJson, event, - dataDirectory, roleCommandOrder, requestStageContainer, kerberosDetails); + dataDirectory, roleCommandOrder, requestStageContainer, kerberosDetails); return requestStageContainer; } @@ -2275,7 +2300,6 @@ public class KerberosHelperImpl implements KerberosHelper { List<ServiceComponentHost> serviceComponentHostsToProcess = new ArrayList<>(); KerberosDescriptor kerberosDescriptor = getKerberosDescriptor(cluster, false); - KerberosIdentityDataFileWriter kerberosIdentityDataFileWriter = null; // This is needed to help determine which hosts to perform actions for and create tasks for. Set<String> hostsWithValidKerberosClient = getHostsWithValidKerberosClient(cluster); @@ -2286,15 +2310,11 @@ public class KerberosHelperImpl implements KerberosHelper { // this directory until they are distributed to their appropriate hosts. File dataDirectory = createTemporaryDirectory(); - // Create the file used to store details about principals and keytabs to create - File identityDataFile = new File(dataDirectory, KerberosIdentityDataFileWriter.DATA_FILE_NAME); - // Calculate the current non-host-specific configurations. These will be used to replace // variables within the Kerberos descriptor data Map<String, Map<String, String>> configurations = calculateConfigurations(cluster, null, kerberosDescriptor, false, false); String principal = variableReplacementHelper.replaceVariables("${kerberos-env/service_check_principal_name}@${realm}", configurations); - String principalType = "user"; String keytabFilePath = variableReplacementHelper.replaceVariables("${keytab_dir}/kerberos.service_check.${short_date}.keytab", configurations); String keytabFileOwnerName = variableReplacementHelper.replaceVariables("${cluster-env/smokeuser}", configurations); @@ -2311,7 +2331,6 @@ public class KerberosHelperImpl implements KerberosHelper { List<ServiceComponentHost> serviceComponentHosts = cluster.getServiceComponentHosts(Service.Type.KERBEROS.name(), Role.KERBEROS_CLIENT.name()); if ((serviceComponentHosts != null) && !serviceComponentHosts.isEmpty()) { - kerberosIdentityDataFileWriter = kerberosIdentityDataFileWriterFactory.createKerberosIdentityDataFileWriter(identityDataFile); // Iterate over the KERBEROS_CLIENT service component hosts to get the service and // component-level Kerberos descriptors in order to determine which principals, @@ -2319,54 +2338,36 @@ public class KerberosHelperImpl implements KerberosHelper { for (ServiceComponentHost sch : serviceComponentHosts) { if (sch.getState() == State.INSTALLED) { String hostname = sch.getHostName(); - - if(kerberosKeytabDAO.find(keytabFilePath) == null) { - kerberosKeytabDAO.create(keytabFilePath); + KerberosKeytabEntity kke = kerberosKeytabDAO.find(keytabFilePath); + + if (kke == null) { + kke = new KerberosKeytabEntity(); + kke.setKeytabPath(keytabFilePath); + kke.setOwnerName(keytabFileOwnerName); + kke.setOwnerAccess(keytabFileOwnerAccess); + kke.setGroupName(keytabFileGroupName); + kke.setGroupAccess(keytabFileGroupAccess); + kerberosKeytabDAO.create(kke); } // create principals if (!kerberosPrincipalDAO.exists(principal)) { kerberosPrincipalDAO.create(principal, false); } - if (!kerberosPrincipalHostDAO.exists(principal, sch.getHost().getHostId(), keytabFilePath)) { - kerberosPrincipalHostDAO.create(principal, sch.getHost().getHostId(), keytabFilePath); + KerberosKeytabPrincipalEntity kkp = kerberosKeytabPrincipalDAO.findOrCreate(kke, hostDAO.findById(sch.getHost().getHostId()), kerberosPrincipalDAO.find(principal)); + if(kkp.putServiceMapping(sch.getServiceName(), sch.getServiceComponentName())) { + kerberosKeytabPrincipalDAO.merge(kkp); } - - kerberosIdentityDataFileWriter.writeRecord( - hostname, - Service.Type.KERBEROS.name(), - Role.KERBEROS_CLIENT.name(), - principal, - principalType, - keytabFilePath, - keytabFileOwnerName, - keytabFileOwnerAccess, - keytabFileGroupName, - keytabFileGroupAccess, - "false"); - + kerberosKeytabDAO.merge(kke); hostsWithValidKerberosClient.add(hostname); serviceComponentHostsToProcess.add(sch); } } } - } catch (IOException e) { - String message = String.format("Failed to write index file - %s", identityDataFile.getAbsolutePath()); - LOG.error(message); - throw new AmbariException(message, e); } catch (Exception e) { // make sure to log what is going wrong LOG.error("Failed " + e); throw e; - } finally { - if (kerberosIdentityDataFileWriter != null) { - // Make sure the data file is closed - try { - kerberosIdentityDataFileWriter.close(); - } catch (IOException e) { - LOG.warn("Failed to close the index file writer", e); - } - } } // If there are ServiceComponentHosts to process, make sure the administrator credential @@ -2380,7 +2381,7 @@ public class KerberosHelperImpl implements KerberosHelper { FileUtils.deleteDirectory(dataDirectory); } catch (Throwable t) { LOG.warn(String.format("The data directory (%s) was not deleted due to an error condition - {%s}", - dataDirectory.getAbsolutePath(), t.getMessage()), t); + dataDirectory.getAbsolutePath(), t.getMessage()), t); } throw e; @@ -2398,31 +2399,31 @@ public class KerberosHelperImpl implements KerberosHelper { String hostParamsJson = StageUtils.getGson().toJson(hostParams); String ambariServerHostname = StageUtils.getHostName(); ServiceComponentHostServerActionEvent event = new ServiceComponentHostServerActionEvent( - "AMBARI_SERVER", - ambariServerHostname, // TODO: Choose a random hostname from the cluster. All tasks for the AMBARI_SERVER service will be executed on this Ambari server - System.currentTimeMillis()); + RootComponent.AMBARI_SERVER.name(), + ambariServerHostname, // TODO: Choose a random hostname from the cluster. All tasks for the AMBARI_SERVER service will be executed on this Ambari server + System.currentTimeMillis()); RoleCommandOrder roleCommandOrder = ambariManagementController.getRoleCommandOrder(cluster); - // If a RequestStageContainer does not already exist, create a new one... if (requestStageContainer == null) { requestStageContainer = new RequestStageContainer( - actionManager.getNextRequestId(), - null, - requestFactory, - actionManager); + actionManager.getNextRequestId(), + null, + requestFactory, + actionManager); } // Use the handler implementation to setup the relevant stages. // Set the service/component filter to an empty map since the service/component processing // was done above. handler.createStages(cluster, - clusterHostInfoJson, hostParamsJson, event, roleCommandOrder, kerberosDetails, - dataDirectory, requestStageContainer, serviceComponentHostsToProcess, - Collections.emptyMap(), null, null, hostsWithValidKerberosClient); + clusterHostInfoJson, hostParamsJson, event, roleCommandOrder, kerberosDetails, + dataDirectory, requestStageContainer, serviceComponentHostsToProcess, + Collections.singletonMap("KERBEROS", Lists.newArrayList("KERBEROS_CLIENT")), + null, Sets.newHashSet(principal), hostsWithValidKerberosClient); handler.addFinalizeOperationStage(cluster, clusterHostInfoJson, hostParamsJson, event, - dataDirectory, roleCommandOrder, requestStageContainer, kerberosDetails); + dataDirectory, roleCommandOrder, requestStageContainer, kerberosDetails); } return requestStageContainer; @@ -2441,7 +2442,7 @@ public class KerberosHelperImpl implements KerberosHelper { * @throws AmbariException */ private KerberosDetails getKerberosDetails(Cluster cluster, Boolean manageIdentities) - throws KerberosInvalidConfigurationException, AmbariException { + throws KerberosInvalidConfigurationException, AmbariException { KerberosDetails kerberosDetails = new KerberosDetails(); @@ -2527,7 +2528,7 @@ public class KerberosHelperImpl implements KerberosHelper { do { directory = new File(temporaryDirectory, String.format("%s%d-%d.d", - KerberosServerAction.DATA_DIRECTORY_PREFIX, now, tries)); + KerberosServerAction.DATA_DIRECTORY_PREFIX, now, tries)); if ((directory.exists()) || !directory.mkdirs()) { directory = null; // Rest and try again... @@ -2603,8 +2604,8 @@ public class KerberosHelperImpl implements KerberosHelper { for (Map.Entry<String, String> property : updates.entrySet()) { existingProperties.put( - variableReplacementHelper.replaceVariables(property.getKey(), replacements), - variableReplacementHelper.replaceVariables(property.getValue(), replacements) + variableReplacementHelper.replaceVariables(property.getKey(), replacements), + variableReplacementHelper.replaceVariables(property.getValue(), replacements) ); } } @@ -2632,8 +2633,8 @@ public class KerberosHelperImpl implements KerberosHelper { KerberosPrincipalDescriptor principalDescriptor = identity.getPrincipalDescriptor(); if (principalDescriptor != null) { authToLocalBuilder.addRule( - variableReplacementHelper.replaceVariables(principalDescriptor.getValue(), configurations), - variableReplacementHelper.replaceVariables(principalDescriptor.getLocalUsername(), configurations)); + variableReplacementHelper.replaceVariables(principalDescriptor.getValue(), configurations), + variableReplacementHelper.replaceVariables(principalDescriptor.getLocalUsername(), configurations)); } } } @@ -2693,12 +2694,12 @@ public class KerberosHelperImpl implements KerberosHelper { String requestContext, String commandParams, String hostParams) { Stage stage = stageFactory.createNew(requestId, - BASE_LOG_DIR + File.pathSeparator + requestId, - cluster.getClusterName(), - cluster.getClusterId(), - requestContext, - commandParams, - hostParams); + BASE_LOG_DIR + File.pathSeparator + requestId, + cluster.getClusterName(), + cluster.getClusterId(), + requestContext, + commandParams, + hostParams); stage.setStageId(id); return stage; @@ -2732,9 +2733,9 @@ public class KerberosHelperImpl implements KerberosHelper { Stage stage = createNewStage(id, cluster, requestId, requestContext, commandParams, hostParams); stage.addServerActionCommand(actionClass.getName(), null, Role.AMBARI_SERVER_ACTION, - RoleCommand.EXECUTE, cluster.getClusterName(), event, commandParameters, commandDetail, - ambariManagementController.findConfigurationTagsWithOverrides(cluster, null), timeout, - false, false); + RoleCommand.EXECUTE, cluster.getClusterName(), event, commandParameters, commandDetail, + ambariManagementController.findConfigurationTagsWithOverrides(cluster, null), timeout, + false, false); return stage; } @@ -2748,7 +2749,7 @@ public class KerberosHelperImpl implements KerberosHelper { * @throws org.apache.ambari.server.AmbariException */ private List<String> createUniqueHostList(Collection<ServiceComponentHost> serviceComponentHosts, Set<HostState> allowedStates) - throws AmbariException { + throws AmbariException { Set<String> hostNames = new HashSet<>(); Set<String> visitedHostNames = new HashSet<>(); @@ -2785,7 +2786,7 @@ public class KerberosHelperImpl implements KerberosHelper { public boolean shouldExecuteCustomOperations(SecurityType requestSecurityType, Map<String, String> requestProperties) { if (((requestSecurityType == SecurityType.KERBEROS) || (requestSecurityType == SecurityType.NONE)) && - (requestProperties != null) && !requestProperties.isEmpty()) { + (requestProperties != null) && !requestProperties.isEmpty()) { for (SupportedCustomOperation type : SupportedCustomOperation.values()) { if (requestProperties.containsKey(type.name().toLowerCase())) { return true; @@ -2800,8 +2801,8 @@ public class KerberosHelperImpl implements KerberosHelper { String value = (requestProperties == null) ? null : requestProperties.get(DIRECTIVE_MANAGE_KERBEROS_IDENTITIES); return (value == null) - ? null - : !"false".equalsIgnoreCase(value); + ? null + : !"false".equalsIgnoreCase(value); } @Override @@ -2878,7 +2879,7 @@ public class KerberosHelperImpl implements KerberosHelper { String componentName, KerberosDescriptor kerberosDescriptor, Map<String, Object> filterContext) - throws AmbariException { + throws AmbariException { List<KerberosIdentityDescriptor> identities = new ArrayList<>(); @@ -2890,7 +2891,7 @@ public class KerberosHelperImpl implements KerberosHelper { String schComponentName = serviceComponentHost.getServiceComponentName(); if (((serviceName == null) || serviceName.equals(schServiceName)) && - ((componentName == null) || componentName.equals(schComponentName))) { + ((componentName == null) || componentName.equals(schComponentName))) { KerberosServiceDescriptor serviceDescriptor = kerberosDescriptor.getService(schServiceName); @@ -2968,7 +2969,7 @@ public class KerberosHelperImpl implements KerberosHelper { */ private Map<String, Map<String, String>> addAdditionalConfigurations(Cluster cluster, Map<String, Map<String, String>> configurations, String hostname, Map<String, String> kerberosDescriptorProperties) - throws AmbariException { + throws AmbariException { // A map to hold un-categorized properties. This may come from the KerberosDescriptor // and will also contain a value for the current host @@ -3140,7 +3141,7 @@ public class KerberosHelperImpl implements KerberosHelper { Map<String, Map<String, String>> kerberosConfigurations, Map<String, Map<String, String>> configurations, Map<String, Set<String>> propertiesToIgnore) - throws AmbariException { + throws AmbariException { if (identityConfigurations != null) { for (Map.Entry<String, Map<String, String>> identitiyEntry : identityConfigurations.entrySet()) { String configType = identitiyEntry.getKey(); @@ -3185,7 +3186,7 @@ public class KerberosHelperImpl implements KerberosHelper { Cluster cluster, KerberosDescriptor kerberosDescriptor, boolean calculateClusterHostInfo) - throws AmbariException { + throws AmbariException { Map<String, KerberosServiceDescriptor> serviceDescriptorMap = kerberosDescriptor.getServices(); @@ -3355,25 +3356,25 @@ public class KerberosHelperImpl implements KerberosHelper { Map<String, ? extends Collection<String>> serviceComponentFilter, Set<String> hostFilter, Collection<String> identityFilter, Set<String> hostsWithValidKerberosClient) - throws AmbariException; + throws AmbariException; public void addPrepareEnableKerberosOperationsStage(Cluster cluster, String clusterHostInfoJson, String hostParamsJson, ServiceComponentHostServerActionEvent event, Map<String, String> commandParameters, RoleCommandOrder roleCommandOrder, RequestStageContainer requestStageContainer) - throws AmbariException { + throws AmbariException { Stage stage = createServerActionStage(requestStageContainer.getLastStageId(), - cluster, - requestStageContainer.getId(), - "Preparing Operations", - "{}", - hostParamsJson, - PrepareEnableKerberosServerAction.class, - event, - commandParameters, - "Preparing Operations", - configuration.getDefaultServerTaskTimeout()); + cluster, + requestStageContainer.getId(), + "Preparing Operations", + "{}", + hostParamsJson, + PrepareEnableKerberosServerAction.class, + event, + commandParameters, + "Preparing Operations", + configuration.getDefaultServerTaskTimeout()); RoleGraph roleGraph = roleGraphFactory.createNew(roleCommandOrder); roleGraph.build(stage); @@ -3386,18 +3387,18 @@ public class KerberosHelperImpl implements KerberosHelper { String hostParamsJson, ServiceComponentHostServerActionEvent event, Map<String, String> commandParameters, RoleCommandOrder roleCommandOrder, RequestStageContainer requestStageContainer) - throws AmbariException { + throws AmbariException { Stage stage = createServerActionStage(requestStageContainer.getLastStageId(), - cluster, - requestStageContainer.getId(), - "Preparing Operations", - "{}", - hostParamsJson, - PrepareKerberosIdentitiesServerAction.class, - event, - commandParameters, - "Preparing Operations", - configuration.getDefaultServerTaskTimeout()); + cluster, + requestStageContainer.getId(), + "Preparing Operations", + "{}", + hostParamsJson, + PrepareKerberosIdentitiesServerAction.class, + event, + commandParameters, + "Preparing Operations", + configuration.getDefaultServerTaskTimeout()); RoleGraph roleGraph = roleGraphFactory.createNew(roleCommandOrder); roleGraph.build(stage); @@ -3410,18 +3411,18 @@ public class KerberosHelperImpl implements KerberosHelper { String hostParamsJson, ServiceComponentHostServerActionEvent event, Map<String, String> commandParameters, RoleCommandOrder roleCommandOrder, RequestStageContainer requestStageContainer) - throws AmbariException { + throws AmbariException { Stage stage = createServerActionStage(requestStageContainer.getLastStageId(), - cluster, - requestStageContainer.getId(), - "Preparing Operations", - "{}", - hostParamsJson, - PrepareDisableKerberosServerAction.class, - event, - commandParameters, - "Preparing Operations", - configuration.getDefaultServerTaskTimeout()); + cluster, + requestStageContainer.getId(), + "Preparing Operations", + "{}", + hostParamsJson, + PrepareDisableKerberosServerAction.class, + event, + commandParameters, + "Preparing Operations", + configuration.getDefaultServerTaskTimeout()); RoleGraph roleGraph = roleGraphFactory.createNew(roleCommandOrder); roleGraph.build(stage); @@ -3434,18 +3435,18 @@ public class KerberosHelperImpl implements KerberosHelper { String hostParamsJson, ServiceComponentHostServerActionEvent event, Map<String, String> commandParameters, RoleCommandOrder roleCommandOrder, RequestStageContainer requestStageContainer) - throws AmbariException { + throws AmbariException { Stage stage = createServerActionStage(requestStageContainer.getLastStageId(), - cluster, - requestStageContainer.getId(), - "Create Principals", - "{}", - hostParamsJson, - CreatePrincipalsServerAction.class, - event, - commandParameters, - "Create Principals", - Math.max(ServerAction.DEFAULT_LONG_RUNNING_TASK_TIMEOUT_SECONDS, configuration.getDefaultServerTaskTimeout())); + cluster, + requestStageContainer.getId(), + "Create Principals", + "{}", + hostParamsJson, + CreatePrincipalsServerAction.class, + event, + commandParameters, + "Create Principals", + Math.max(ServerAction.DEFAULT_LONG_RUNNING_TASK_TIMEOUT_SECONDS, configuration.getDefaultServerTaskTimeout())); RoleGraph roleGraph = roleGraphFactory.createNew(roleCommandOrder); roleGraph.build(stage); @@ -3458,18 +3459,18 @@ public class KerberosHelperImpl implements KerberosHelper {
<TRUNCATED>
