AMBARI-22719. Regenerate Keytabs resets security.inter.broker.protocol to PLAINTEXTSASL
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e2be62d5 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e2be62d5 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e2be62d5 Branch: refs/heads/branch-feature-AMBARI-21674 Commit: e2be62d598054c822ecc0c7039ed8a433e1212d9 Parents: 13056cf Author: Doroszlai, Attila <[email protected]> Authored: Wed Jan 3 11:13:16 2018 +0100 Committer: Doroszlai, Attila <[email protected]> Committed: Thu Jan 4 12:53:12 2018 +0100 ---------------------------------------------------------------------- .../stacks/HDP/2.3/services/stack_advisor.py | 9 ++++++++- .../python/stacks/2.3/common/test_stack_advisor.py | 17 +++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/e2be62d5/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
index 201efff..c4c493d 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
@@ -339,7 +339,14 @@ class HDP23StackAdvisor(HDP22StackAdvisor): putKafkaBrokerProperty("super.users", kafka_super_users) putKafkaBrokerProperty("principal.to.local.class", "kafka.security.auth.KerberosPrincipalToLocal") - putKafkaBrokerProperty("security.inter.broker.protocol", "PLAINTEXTSASL") + + recommended_inter_broker_protocol = 'PLAINTEXTSASL' + if 'security.inter.broker.protocol' in kafka_broker: + current_inter_broker_protocol = kafka_broker['security.inter.broker.protocol'] + if current_inter_broker_protocol in ('PLAINTEXTSASL', 'SASL_PLAINTEXT', 'SASL_SSL'): + recommended_inter_broker_protocol = current_inter_broker_protocol + putKafkaBrokerProperty("security.inter.broker.protocol", recommended_inter_broker_protocol) + putKafkaBrokerProperty("zookeeper.set.acl", "true") else: # not security_enabled http://git-wip-us.apache.org/repos/asf/ambari/blob/e2be62d5/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py index 2112fa0..1a58522 100644 --- a/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py +++ b/ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py 
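Review bot: The allow-list in `if current_inter_broker_protocol in ('PLAINTEXTSASL', 'SASL_PLAINTEXT', 'SASL_SSL'):` leaves out `SSL`, so a broker whose inter-broker traffic was set to TLS would still be reset to `PLAINTEXTSASL`, i.e. from an encrypted transport to SASL over plaintext. If only SASL-based protocols are acceptable on a Kerberized cluster, say so next to the check, for example `# keep only SASL-based protocols; any other value is replaced by the default`. An existing value is also overridden silently, so a log line at that point would make the change visible to the operator. The enclosing method starts and ends outside the hunk.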
@@ -364,6 +364,22 @@ class TestHDP23StackAdvisor(TestCase): self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None) self.assertEquals(configurations['kafka-broker']['properties']['authorizer.class.name'], 'kafka.security.auth.SimpleAclAuthorizer' , "Test authorizer.class.name with Ranger Kafka plugin disabled in kerberos environment") + # Advise 'PLAINTEXTSASL' for secure cluster by default + services['configurations']['cluster-env']['properties']['security_enabled'] = "true" + configurations['kafka-broker']['properties'] = {} + configurations['kafka-broker']['property_attributes'] = {} + self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None) + self.assertEqual(configurations['kafka-broker']['properties']['security.inter.broker.protocol'], 'PLAINTEXTSASL') + + # Secure security.inter.broker.protocol values should be retained by stack advisor + services['configurations']['cluster-env']['properties']['security_enabled'] = "true" + configurations['kafka-broker']['properties'] = {} + configurations['kafka-broker']['property_attributes'] = {} + for proto in ('PLAINTEXTSASL', 'SASL_PLAINTEXT', 'SASL_SSL'): + services['configurations']['kafka-broker']['properties']['security.inter.broker.protocol'] = proto + self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None) + self.assertEqual(configurations['kafka-broker']['properties']['security.inter.broker.protocol'], proto) + # Test authorizer.class.name with Ranger Kafka plugin enabled in non-kerberos environment services['configurations']['cluster-env']['properties']['security_enabled'] = "false" configurations['kafka-broker']['properties'] = {} 
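Review bot: The new cases only cover values that are kept; nothing checks that a non-SASL value already present in `services` (for instance `PLAINTEXT`) is replaced by the default on a secure cluster, which is the branch that keeps an unauthenticated setting from surviving. A third block that sets the property to such a value and ends with `self.assertEqual(configurations['kafka-broker']['properties']['security.inter.broker.protocol'], 'PLAINTEXTSASL')` would pin it. In the retention loop, `configurations['kafka-broker']['properties']` is cleared once before the loop rather than per iteration, and the value written into `services` stays set to the last `proto` for the cases that follow. Resetting both inside the loop and removing the key afterwards would keep the cases independent. The test method starts and ends outside the hunk.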
@@ -383,6 +399,7 @@ class TestHDP23StackAdvisor(TestCase): self.stackAdvisor.recommendKAFKAConfigurations(configurations, clusterData, services, None) self.assertEquals(configurations['kafka-broker']['properties']['authorizer.class.name'], 'org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer', "Test authorizer.class.name with Ranger Kafka plugin enabled in kerberos environment") self.assertEquals(configurations['ranger-kafka-plugin-properties']['properties']['zookeeper.connect'], 'host1:2181') + self.assertTrue('security.inter.broker.protocol' not in configurations['kafka-broker']['properties']) # Test kafka-log4j content when Ranger plugin for Kafka is enabled
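Review bot: The added `assertTrue(... not in ...)` has no failure message, although the first `assertEquals` above it names the scenario. The case is labelled "kerberos environment", where the advisor change in this commit appears to always set `security.inter.broker.protocol`. The setup for this case is outside the hunk, so the reason the property is expected to be absent cannot be seen here. A short comment or a message argument stating it, for example `"security.inter.broker.protocol must not be recommended when <reason>"`, would make a failure readable.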
