This is an automated email from the ASF dual-hosted git repository.
rlevas pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push:
new ee68d7c AMBARI-24319. Regenerating keytabs for the given service(s)
only
ee68d7c is described below
commit ee68d7cf49a50942cfc7685a5d3219a046da1157
Author: Sandor Molnar <[email protected]>
AuthorDate: Wed Jul 25 08:11:18 2018 +0200
AMBARI-24319. Regenerating keytabs for the given service(s) only
---
.../server/controller/KerberosHelperImpl.java | 6 +--
.../kerberos/KerberosServerAction.java | 50 ++++++++++++++++------
2 files changed, 40 insertions(+), 16 deletions(-)
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
index 13cb8fa..a15f424 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
@@ -138,7 +138,6 @@ import org.slf4j.LoggerFactory;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
@@ -1867,7 +1866,7 @@ public class KerberosHelperImpl implements KerberosHelper
{
String uniqueKey = String.format("%s|%s", principal,
(keytabFile == null) ? "" : keytabFile);
- if (!hostActiveIdentities.containsKey(uniqueKey)) {
+ if (!hostActiveIdentities.containsKey(uniqueKey) ||
(StringUtils.isNotBlank(hostActiveIdentities.get(uniqueKey).getReference()) &&
StringUtils.isBlank(identity.getReference()))) {
KerberosPrincipalType principalType =
principalDescriptor.getType();
// Assume the principal is a service principal if not
specified
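Review bot: The widened condition on the `if` that follows the `uniqueKey` assignment has no comment explaining why an entry already present in `hostActiveIdentities` may now be replaced. As written, an existing entry whose `getReference()` is non-blank is superseded when the incoming `identity` has a blank reference, which presumably means the identity that defines the principal should win over one that only references it. A comment above the condition, such as `// An identity that defines the principal replaces one that only references it`, would record that intent. Moving the test into a named local boolean would also make the line readable. The enclosing loop and the body of the `if` continue outside this hunk.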
@@ -2468,8 +2467,7 @@ public class KerberosHelperImpl implements KerberosHelper
{
handler.createStages(cluster,
clusterHostInfoJson, hostParamsJson, event, roleCommandOrder,
kerberosDetails,
dataDirectory, requestStageContainer, serviceComponentHostsToProcess,
- Collections.singletonMap("KERBEROS",
Lists.newArrayList("KERBEROS_CLIENT")),
- null, Sets.newHashSet(principal), hostsWithValidKerberosClient);
+ null, null, Sets.newHashSet(principal), hostsWithValidKerberosClient);
handler.addFinalizeOperationStage(cluster, clusterHostInfoJson,
hostParamsJson, event,
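Review bot: The two adjacent bare `null` arguments in the `createStages` call do not show which filter each one stands for, and the first replaces a map that limited the operation to `KERBEROS`/`KERBEROS_CLIENT`. With that map gone, the only narrowing visible in this call is the identity filter `Sets.newHashSet(principal)`, so it is worth stating that this is intended. A comment on the argument line, for example `// service/component filter intentionally null; the identity filter selects the principal`, would do it. The `createStages` signature is not in this hunk, so the parameter order should be confirmed against it.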
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
index 904fd01..0c11e34 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
@@ -21,6 +21,7 @@ package org.apache.ambari.server.serveraction.kerberos;
import java.io.File;
import java.io.IOException;
import java.lang.reflect.Type;
+import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
@@ -41,6 +42,7 @@ import
org.apache.ambari.server.serveraction.kerberos.stageutils.ResolvedKerbero
import
org.apache.ambari.server.serveraction.kerberos.stageutils.ResolvedKerberosPrincipal;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
+import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor;
import org.apache.ambari.server.utils.StageUtils;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
@@ -178,12 +180,6 @@ public abstract class KerberosServerAction extends
AbstractServerAction {
private KerberosOperationHandlerFactory kerberosOperationHandlerFactory;
/**
- * The KerberosIdentityDataFileReaderFactory to use to obtain
KerberosIdentityDataFileReader instances
- */
- @Inject
- private KerberosIdentityDataFileReaderFactory
kerberosIdentityDataFileReaderFactory;
-
- /**
* KerberosHelper
*/
@Inject
@@ -455,13 +451,17 @@ public abstract class KerberosServerAction extends
AbstractServerAction {
}
try {
- for (ResolvedKerberosKeytab rkk :
kerberosKeytabController.getFilteredKeytabs((Map<String, Collection<String>>)
getServiceComponentFilter(), getHostFilter(), getIdentityFilter())) {
+ final Map<String, Collection<String>> serviceComponentFilter =
(Map<String, Collection<String>>) getServiceComponentFilter();
+ final Collection<KerberosIdentityDescriptor> serviceIdentities =
serviceComponentFilter == null ? null :
calculateServiceIdentities(getClusterName(), serviceComponentFilter);
+ for (ResolvedKerberosKeytab rkk :
kerberosKeytabController.getFilteredKeytabs(serviceComponentFilter,
getHostFilter(), getIdentityFilter())) {
for (ResolvedKerberosPrincipal principal : rkk.getPrincipals()) {
- commandReport = processIdentity(principal, handler,
kerberosConfiguration, requestSharedDataContext);
- // If the principal processor returns a CommandReport, than it is
time to stop since
- // an error condition has probably occurred, else all is assumed
to be well.
- if (commandReport != null) {
- break;
+ if (isRelevantIdentity(serviceIdentities, principal)) {
+ commandReport = processIdentity(principal, handler,
kerberosConfiguration, requestSharedDataContext);
+ // If the principal processor returns a CommandReport, than it
is time to stop
+ // since an error condition has probably occurred, else all is
assumed to be well.
+ if (commandReport != null) {
+ break;
+ }
}
}
}
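Review bot: The `break` inside the new `isRelevantIdentity` block leaves only the inner loop over `rkk.getPrincipals()`, so the outer loop over the filtered keytabs continues after a non-null `commandReport`. A later `processIdentity` call can then overwrite that report, possibly with `null`, and a failed principal operation would be reported as success. The comment says processing should stop, so the outer loop needs an exit too, for example `if (commandReport != null) { break; }` directly after the inner loop's closing brace. The removed lines had the same shape, so this predates the commit. The enclosing method begins and ends outside this hunk.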
@@ -487,6 +487,32 @@ public abstract class KerberosServerAction extends
AbstractServerAction {
: commandReport;
}
+ private boolean isRelevantIdentity(Collection<KerberosIdentityDescriptor>
serviceIdentities, ResolvedKerberosPrincipal principal) {
+ if (serviceIdentities != null) {
+ boolean hasValidIdentity = false;
+ for (KerberosIdentityDescriptor serviceIdentity : serviceIdentities) {
+ if
(principal.getPrincipal().equals(serviceIdentity.getPrincipalDescriptor().getName())
&& StringUtils.isBlank(serviceIdentity.getReference())) {
+ hasValidIdentity = true;
+ break;
+ }
+ }
+ return hasValidIdentity;
+ }
+
+ return true;
+ }
+
+ private Collection<KerberosIdentityDescriptor>
calculateServiceIdentities(String clusterName, Map<String, Collection<String>>
serviceComponentFilter)
+ throws AmbariException {
+ final Collection<KerberosIdentityDescriptor> serviceIdentities = new
ArrayList<>();
+ for (String service : serviceComponentFilter.keySet()) {
+ for (Collection<KerberosIdentityDescriptor> activeIdentities :
kerberosHelper.getActiveIdentities(clusterName, null, service, null,
true).values()) {
+ serviceIdentities.addAll(activeIdentities);
+ }
+ }
+ return serviceIdentities;
+ }
+
/**
* Processes an identity as necessary.
* <p/>
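Review bot: `isRelevantIdentity` calls `serviceIdentity.getPrincipalDescriptor().getName()` without a null check, so an identity descriptor that carries no principal descriptor would throw a NullPointerException in the middle of keytab processing. Whether `getActiveIdentities` can return such descriptors is not visible here, so a guard is the safe choice: `KerberosPrincipalDescriptor pd = serviceIdentity.getPrincipalDescriptor();` followed by `if (pd != null && principal.getPrincipal().equals(pd.getName()) && StringUtils.isBlank(serviceIdentity.getReference()))`. `calculateServiceIdentities` reads only `serviceComponentFilter.keySet()`, so the component names in the filter play no part in this check. Both new methods should get a Javadoc comment that says so and that a `null` identity collection means no filtering.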