AMBARI-22530. Refactor internal code of handling info between kerberos wizard actions (echekanskiy)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/67fc4a37 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/67fc4a37 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/67fc4a37 Branch: refs/heads/branch-feature-AMBARI-21674 Commit: 67fc4a3785da0a7c39dcb27f220c8573a59ab63d Parents: 81c0454 Author: root <[email protected]> Authored: Thu Dec 21 10:58:23 2017 -0500 Committer: Eugene Chekanskiy <[email protected]> Committed: Thu Dec 21 11:00:37 2017 -0500 ---------------------------------------------------------------------- .../ambari/server/agent/HeartBeatHandler.java | 122 +- .../ambari/server/agent/HeartbeatProcessor.java | 33 +- .../controller/DeleteIdentityHandler.java | 5 +- .../server/controller/KerberosHelper.java | 2 +- .../server/controller/KerberosHelperImpl.java | 1129 +++++++++--------- .../HostKerberosIdentityResourceProvider.java | 15 +- .../server/orm/dao/KerberosKeytabDAO.java | 154 ++- .../orm/dao/KerberosKeytabPrincipalDAO.java | 309 +++++ .../server/orm/dao/KerberosPrincipalDAO.java | 9 - .../orm/dao/KerberosPrincipalHostDAO.java | 252 ---- .../entities/HostGroupComponentEntityPK.java | 4 +- .../orm/entities/KerberosKeytabEntity.java | 152 ++- .../entities/KerberosKeytabPrincipalEntity.java | 236 ++++ .../KerberosKeytabServiceMappingEntity.java | 88 ++ .../orm/entities/KerberosPrincipalEntity.java | 25 - .../entities/KerberosPrincipalHostEntity.java | 213 ---- .../entities/KerberosPrincipalHostEntityPK.java | 115 -- .../AbstractPrepareKerberosServerAction.java | 31 +- .../kerberos/CleanupServerAction.java | 6 +- .../ConfigureAmbariIdentitiesServerAction.java | 141 ++- .../kerberos/CreateKeytabFilesServerAction.java | 112 +- .../kerberos/CreatePrincipalsServerAction.java | 47 +- .../kerberos/DestroyPrincipalsServerAction.java | 62 +- .../kerberos/FinalizeKerberosServerAction.java | 24 +- .../kerberos/KerberosServerAction.java | 291 ++--- 
.../PrepareEnableKerberosServerAction.java | 16 +- .../PrepareKerberosIdentitiesServerAction.java | 9 - .../stageutils/KerberosKeytabController.java | 213 ++++ .../stageutils/ResolvedKerberosKeytab.java | 117 +- .../stageutils/ResolvedKerberosPrincipal.java | 169 +++ .../upgrades/PreconfigureKerberosAction.java | 12 +- .../server/state/cluster/ClustersImpl.java | 8 +- .../main/resources/Ambari-DDL-Derby-CREATE.sql | 34 +- .../main/resources/Ambari-DDL-MySQL-CREATE.sql | 33 +- .../main/resources/Ambari-DDL-Oracle-CREATE.sql | 35 +- .../resources/Ambari-DDL-Postgres-CREATE.sql | 35 +- .../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 33 +- .../resources/Ambari-DDL-SQLServer-CREATE.sql | 33 +- .../src/main/resources/META-INF/persistence.xml | 3 +- .../server/agent/TestHeartbeatHandler.java | 79 +- .../server/controller/KerberosHelperTest.java | 47 +- ...ostKerberosIdentityResourceProviderTest.java | 15 +- .../apache/ambari/server/orm/db/DDLTests.java | 2 +- ...nfigureAmbariIdentitiesServerActionTest.java | 36 +- .../FinalizeKerberosServerActionTest.java | 5 +- .../kerberos/KerberosServerActionTest.java | 26 +- .../PreconfigureKerberosActionTest.java | 16 +- 47 files changed, 2618 insertions(+), 1935 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/67fc4a37/ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java index 53cceb0..2b82fe3 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java 
@@ -26,6 +26,7 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.util.ArrayList; +import java.util.Collection; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -39,8 +40,10 @@ import org.apache.ambari.server.actionmanager.ActionManager; import org.apache.ambari.server.api.services.AmbariMetaInfo; import org.apache.ambari.server.configuration.Configuration; import org.apache.ambari.server.serveraction.kerberos.KerberosIdentityDataFileReader; -import org.apache.ambari.server.serveraction.kerberos.KerberosIdentityDataFileReaderFactory; import org.apache.ambari.server.serveraction.kerberos.KerberosServerAction; +import org.apache.ambari.server.serveraction.kerberos.stageutils.KerberosKeytabController; +import org.apache.ambari.server.serveraction.kerberos.stageutils.ResolvedKerberosKeytab; +import org.apache.ambari.server.serveraction.kerberos.stageutils.ResolvedKerberosPrincipal; import org.apache.ambari.server.state.AgentVersion; import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; @@ -104,11 +107,8 @@ public class HeartBeatHandler { @Inject private RecoveryConfigHelper recoveryConfigHelper; - /** - * KerberosIdentityDataFileReaderFactory used to create KerberosIdentityDataFileReader instances - */ @Inject - private KerberosIdentityDataFileReaderFactory kerberosIdentityDataFileReaderFactory; + private KerberosKeytabController kerberosKeytabController; private Map<String, Long> hostResponseIds = new ConcurrentHashMap<>(); @@ -241,7 +241,6 @@ public class HeartBeatHandler { * TODO: Handle the case when a host is a part of multiple clusters. */ Set<Cluster> clusters = clusterFsm.getClustersForHost(hostname); - if (clusters.size() > 0) { String clusterName = clusters.iterator().next().getClusterName(); 
@@ -584,80 +583,75 @@ public class HeartBeatHandler { */ void injectKeytab(ExecutionCommand ec, String command, String targetHost) throws AmbariException { String dataDir = ec.getCommandParams().get(KerberosServerAction.DATA_DIRECTORY); - + KerberosServerAction.KerberosCommandParameters kerberosCommandParameters = new KerberosServerAction.KerberosCommandParameters(ec); if(dataDir != null) { - KerberosIdentityDataFileReader reader = null; List<Map<String, String>> kcp = ec.getKerberosCommandParams(); try { - reader = kerberosIdentityDataFileReaderFactory.createKerberosIdentityDataFileReader(new File(dataDir, KerberosIdentityDataFileReader.DATA_FILE_NAME)); - - for (Map<String, String> record : reader) { - String hostName = record.get(KerberosIdentityDataFileReader.HOSTNAME); - - if (targetHost.equalsIgnoreCase(hostName)) { - - if (SET_KEYTAB.equalsIgnoreCase(command)) { - String keytabFilePath = record.get(KerberosIdentityDataFileReader.KEYTAB_FILE_PATH); - - if (keytabFilePath != null) { - - String sha1Keytab = DigestUtils.sha1Hex(keytabFilePath); - File keytabFile = new File(dataDir + File.separator + hostName + File.separator + sha1Keytab); - - if (keytabFile.canRead()) { - Map<String, String> keytabMap = new HashMap<>(); - String principal = record.get(KerberosIdentityDataFileReader.PRINCIPAL); - String isService = record.get(KerberosIdentityDataFileReader.SERVICE); - + Set<ResolvedKerberosKeytab> keytabsToInject = kerberosKeytabController.getFilteredKeytabs((Map<String, Collection<String>>)kerberosCommandParameters.getServiceComponentFilter(), kerberosCommandParameters.getHostFilter(), kerberosCommandParameters.getIdentityFilter()); + for (ResolvedKerberosKeytab resolvedKeytab : keytabsToInject) { + for(ResolvedKerberosPrincipal resolvedPrincipal: resolvedKeytab.getPrincipals()) { + String hostName = resolvedPrincipal.getHostName(); + + if (targetHost.equalsIgnoreCase(hostName)) { + + if (SET_KEYTAB.equalsIgnoreCase(command)) { + String keytabFilePath = 
resolvedKeytab.getFile(); + + if (keytabFilePath != null) { + + String sha1Keytab = DigestUtils.sha256Hex(keytabFilePath); + File keytabFile = new File(dataDir + File.separator + hostName + File.separator + sha1Keytab); + + if (keytabFile.canRead()) { + Map<String, String> keytabMap = new HashMap<>(); + String principal = resolvedPrincipal.getPrincipal(); + + keytabMap.put(KerberosIdentityDataFileReader.HOSTNAME, hostName); + keytabMap.put(KerberosIdentityDataFileReader.PRINCIPAL, principal); + keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_PATH, keytabFilePath); + keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_OWNER_NAME, resolvedKeytab.getOwnerName()); + keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_OWNER_ACCESS, resolvedKeytab.getOwnerAccess()); + keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_GROUP_NAME, resolvedKeytab.getGroupName()); + keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_GROUP_ACCESS, resolvedKeytab.getGroupAccess()); + + BufferedInputStream bufferedIn = new BufferedInputStream(new FileInputStream(keytabFile)); + byte[] keytabContent = null; + try { + keytabContent = IOUtils.toByteArray(bufferedIn); + } finally { + bufferedIn.close(); + } + String keytabContentBase64 = Base64.encodeBase64String(keytabContent); + keytabMap.put(KerberosServerAction.KEYTAB_CONTENT_BASE64, keytabContentBase64); + + kcp.add(keytabMap); + } + } + } else if (REMOVE_KEYTAB.equalsIgnoreCase(command) || CHECK_KEYTABS.equalsIgnoreCase(command)) { + Map<String, String> keytabMap = new HashMap<>(); + String keytabFilePath = resolvedKeytab.getFile(); + + String principal = resolvedPrincipal.getPrincipal(); + for (Map.Entry<String, String> mappingEntry: resolvedPrincipal.getServiceMapping().entries()) { + String serviceName = mappingEntry.getKey(); + String componentName = mappingEntry.getValue(); keytabMap.put(KerberosIdentityDataFileReader.HOSTNAME, hostName); - keytabMap.put(KerberosIdentityDataFileReader.SERVICE, isService); 
- keytabMap.put(KerberosIdentityDataFileReader.COMPONENT, record.get(KerberosIdentityDataFileReader.COMPONENT)); + keytabMap.put(KerberosIdentityDataFileReader.SERVICE, serviceName); + keytabMap.put(KerberosIdentityDataFileReader.COMPONENT, componentName); keytabMap.put(KerberosIdentityDataFileReader.PRINCIPAL, principal); keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_PATH, keytabFilePath); - keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_OWNER_NAME, record.get(KerberosIdentityDataFileReader.KEYTAB_FILE_OWNER_NAME)); - keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_OWNER_ACCESS, record.get(KerberosIdentityDataFileReader.KEYTAB_FILE_OWNER_ACCESS)); - keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_GROUP_NAME, record.get(KerberosIdentityDataFileReader.KEYTAB_FILE_GROUP_NAME)); - keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_GROUP_ACCESS, record.get(KerberosIdentityDataFileReader.KEYTAB_FILE_GROUP_ACCESS)); - - BufferedInputStream bufferedIn = new BufferedInputStream(new FileInputStream(keytabFile)); - byte[] keytabContent = null; - try { - keytabContent = IOUtils.toByteArray(bufferedIn); - } finally { - bufferedIn.close(); - } - String keytabContentBase64 = Base64.encodeBase64String(keytabContent); - keytabMap.put(KerberosServerAction.KEYTAB_CONTENT_BASE64, keytabContentBase64); - kcp.add(keytabMap); } - } - } else if (REMOVE_KEYTAB.equalsIgnoreCase(command) || CHECK_KEYTABS.equalsIgnoreCase(command)) { - Map<String, String> keytabMap = new HashMap<>(); - keytabMap.put(KerberosIdentityDataFileReader.HOSTNAME, hostName); - keytabMap.put(KerberosIdentityDataFileReader.SERVICE, record.get(KerberosIdentityDataFileReader.SERVICE)); - keytabMap.put(KerberosIdentityDataFileReader.COMPONENT, record.get(KerberosIdentityDataFileReader.COMPONENT)); - keytabMap.put(KerberosIdentityDataFileReader.PRINCIPAL, record.get(KerberosIdentityDataFileReader.PRINCIPAL)); - keytabMap.put(KerberosIdentityDataFileReader.KEYTAB_FILE_PATH, 
record.get(KerberosIdentityDataFileReader.KEYTAB_FILE_PATH)); - - kcp.add(keytabMap); + kcp.add(keytabMap); + } } } } } catch (IOException e) { throw new AmbariException("Could not inject keytabs to enable kerberos"); - } finally { - if (reader != null) { - try { - reader.close(); - } catch (Throwable t) { - // ignored - } - } } - ec.setKerberosCommandParams(kcp); } } http://git-wip-us.apache.org/repos/asf/ambari/blob/67fc4a37/ambari-server/src/main/java/org/apache/ambari/server/agent/HeartbeatProcessor.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/agent/HeartbeatProcessor.java b/ambari-server/src/main/java/org/apache/ambari/server/agent/HeartbeatProcessor.java index 83d2c98..1374a3d 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/agent/HeartbeatProcessor.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/agent/HeartbeatProcessor.java @@ -53,8 +53,8 @@ import org.apache.ambari.server.events.publishers.AmbariEventPublisher; import org.apache.ambari.server.events.publishers.VersionEventPublisher; import org.apache.ambari.server.metadata.ActionMetadata; import org.apache.ambari.server.orm.dao.KerberosKeytabDAO; -import org.apache.ambari.server.orm.dao.KerberosPrincipalHostDAO; -import org.apache.ambari.server.orm.entities.KerberosPrincipalHostEntity; +import org.apache.ambari.server.orm.dao.KerberosKeytabPrincipalDAO; +import org.apache.ambari.server.orm.entities.KerberosKeytabPrincipalEntity; import org.apache.ambari.server.state.Alert; import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; 
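Review bot: In the REMOVE_KEYTAB/CHECK_KEYTABS branch of `injectKeytab`, `keytabMap` is created once before the loop over `resolvedPrincipal.getServiceMapping().entries()` and added to `kcp` once after it, so each iteration overwrites SERVICE and COMPONENT and only the last mapping is sent; an empty mapping adds an empty map. If one record per service/component is intended, move `Map<String, String> keytabMap = new HashMap<>();` and `kcp.add(keytabMap);` inside the loop (brace placement is read from the +/- markers, since the layout is collapsed). In the SET_KEYTAB branch the cache-file lookup now uses `DigestUtils.sha256Hex(keytabFilePath)` but the local is still named `sha1Keytab`; rename it, for example `String keytabFileDigest = DigestUtils.sha256Hex(keytabFilePath);`. Because a file that fails `keytabFile.canRead()` is skipped with no log line, a digest mismatch with the code that writes the cached keytabs (not visible in this hunk) would silently distribute nothing, so a warning in an `else` branch is worth adding.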
@@ -133,10 +133,10 @@ public class HeartbeatProcessor extends AbstractService{ AmbariMetaInfo ambariMetaInfo; @Inject - KerberosPrincipalHostDAO kerberosPrincipalHostDAO; + KerberosKeytabPrincipalDAO kerberosKeytabPrincipalDAO; @Inject - KerberosKeytabDAO kerberosKeytabDao; + KerberosKeytabDAO kerberosKeytabDAO; @Inject Gson gson; 
@@ -439,35 +439,32 @@ public class HeartbeatProcessor extends AbstractService{ } if (writeKeytabsStructuredOut != null) { + // TODO rework this. Make sure that keytab check and write commands returns principal list for each keytab if (SET_KEYTAB.equalsIgnoreCase(customCommand)) { Map<String, String> keytabs = writeKeytabsStructuredOut.getKeytabs(); if (keytabs != null) { for (Map.Entry<String, String> entry : keytabs.entrySet()) { String principal = entry.getKey(); String keytabPath = entry.getValue(); - KerberosPrincipalHostEntity kphe = kerberosPrincipalHostDAO.find(principal, host.getHostId(), keytabPath); - kphe.setDistributed(true); - kerberosPrincipalHostDAO.merge(kphe); + for (KerberosKeytabPrincipalEntity kkpe: kerberosKeytabPrincipalDAO.findByHostAndKeytab(host.getHostId(), keytabPath)) { + kkpe.setDistributed(true); + kerberosKeytabPrincipalDAO.merge(kkpe); + } } } } else if (REMOVE_KEYTAB.equalsIgnoreCase(customCommand)) { - Map<String, String> deletedKeytabs = writeKeytabsStructuredOut.getRemovedKeytabs(); - if (deletedKeytabs != null) { - for (Map.Entry<String, String> entry : deletedKeytabs.entrySet()) { - String keytabPath = entry.getValue(); - kerberosPrincipalHostDAO.removeByKeytabPath(keytabPath); - kerberosKeytabDao.remove(keytabPath); - } - } + // TODO check if additional processing of removed records(besides existent in DestroyPrincipalsServerAction) + // TODO is required } } } else if (CHECK_KEYTABS.equalsIgnoreCase(customCommand)) { ListKeytabsStructuredOut structuredOut = gson.fromJson(report.getStructuredOut(), ListKeytabsStructuredOut.class); for (MissingKeytab each : structuredOut.missingKeytabs) { LOG.info("Missing principal: {} for keytab: {} on host: {}", each.principal, each.keytabFilePath, hostname); - KerberosPrincipalHostEntity kphe = kerberosPrincipalHostDAO.find(each.principal, host.getHostId(), each.keytabFilePath); - kphe.setDistributed(false); - kerberosPrincipalHostDAO.merge(kphe); + for (KerberosKeytabPrincipalEntity kkpe: 
kerberosKeytabPrincipalDAO.findByHostAndKeytab(host.getHostId(), each.keytabFilePath)) { + kkpe.setDistributed(false); + kerberosKeytabPrincipalDAO.merge(kkpe); + } } } } http://git-wip-us.apache.org/repos/asf/ambari/blob/67fc4a37/ambari-server/src/main/java/org/apache/ambari/server/controller/DeleteIdentityHandler.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/DeleteIdentityHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/DeleteIdentityHandler.java index a7b9d80..9837d70 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/DeleteIdentityHandler.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/DeleteIdentityHandler.java @@ -45,6 +45,7 @@ import org.apache.ambari.server.serveraction.kerberos.DestroyPrincipalsServerAct import org.apache.ambari.server.serveraction.kerberos.KDCType; import org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler; import org.apache.ambari.server.serveraction.kerberos.KerberosServerAction; +import org.apache.ambari.server.serveraction.kerberos.stageutils.ResolvedKerberosPrincipal; import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Config; import org.apache.ambari.server.state.StackId; 
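Review bot: Both new loops over `kerberosKeytabPrincipalDAO.findByHostAndKeytab(host.getHostId(), ...)` update every principal row for that host and keytab path, so the principal named in the agent report no longer selects the row: in the SET_KEYTAB branch `principal` is assigned and never used, and in CHECK_KEYTABS `each.principal` is only logged. One missing principal reported by an agent therefore clears `distributed` for every principal sharing that keytab, and one written keytab marks all of them as distributed. Until the TODO is resolved, either filter inside the loop on the reported principal (the entity accessor is not visible in this hunk) or add a comment stating that keytab-level granularity is intended. The REMOVE_KEYTAB branch is now empty apart from two TODO lines, so the agent's removed-keytab report is ignored here; if that is deliberate, a comment such as `// removal is persisted by DestroyPrincipalsServerAction; agent report intentionally ignored` would make it explicit. The enclosing method starts and ends outside the hunk.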
@@ -78,7 +79,7 @@ class DeleteIdentityHandler { public void addDeleteIdentityStages(Cluster cluster, OrderedRequestStageContainer stageContainer, CommandParams commandParameters, boolean manageIdentities) throws AmbariException { - ServiceComponentHostServerActionEvent event = new ServiceComponentHostServerActionEvent("AMBARI_SERVER", StageUtils.getHostName(), System.currentTimeMillis()); + ServiceComponentHostServerActionEvent event = new ServiceComponentHostServerActionEvent(RootComponent.AMBARI_SERVER.name(), StageUtils.getHostName(), System.currentTimeMillis()); String hostParamsJson = StageUtils.getGson().toJson(customCommandExecutionHelper.createDefaultHostParams(cluster, cluster.getDesiredStackVersion())); stageContainer.setClusterHostInfo(StageUtils.getGson().toJson(StageUtils.getClusterHostInfo(cluster))); if (manageIdentities) { @@ -321,7 +322,7 @@ class DeleteIdentityHandler { } @Override - protected CommandReport processIdentity(Map<String, String> identityRecord, String evaluatedPrincipal, KerberosOperationHandler operationHandler, Map<String, String> kerberosConfiguration, Map<String, Object> requestSharedDataContext) throws AmbariException { + protected CommandReport processIdentity(ResolvedKerberosPrincipal resolvedPrincipal, KerberosOperationHandler operationHandler, Map<String, String> kerberosConfiguration, Map<String, Object> requestSharedDataContext) throws AmbariException { return null; } } http://git-wip-us.apache.org/repos/asf/ambari/blob/67fc4a37/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java index 749943d..0aef548 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
@@ -740,7 +740,7 @@ public interface KerberosHelper {
 *
 * @param resolvedKerberosKeytab kerberos keytab to be persisted
 */
- void processResolvedKeytab(ResolvedKerberosKeytab resolvedKerberosKeytab);
+ void createResolvedKeytab(ResolvedKerberosKeytab resolvedKerberosKeytab);
 /**
 * Removes existent persisted keytabs if they are not in {@code expectedKeytabs} collection.
