This is an automated email from the ASF dual-hosted git repository.

amagyar pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 8b6d900  AMBARI-24680. Remove out-dated and insecure encryption 
algorithms use… (#2369)
8b6d900 is described below

commit 8b6d9001784dcaef282ebc159c37e78eece15c2e
Author: Attila Magyar <m.magy...@gmail.com>
AuthorDate: Tue Sep 25 15:18:45 2018 +0200

    AMBARI-24680. Remove out-dated and insecure encryption algorithms use… 
(#2369)
    
    * AMBARI-24680. Remove out-dated and insecure encryption algorithms used by 
default by Kerberos (amagyar)
    
    * AMBARI-24680. Remove out-dated and insecure encryption algorithms used by 
default by Kerberos (amagyar)
---
 .../test/python/ambari_agent/TestKerberosCommon.py | 48 ++++++++++++++++++++++
 .../ambari_commons/kerberos/kerberos_common.py     | 19 +++++++++
 2 files changed, 67 insertions(+)

diff --git a/ambari-agent/src/test/python/ambari_agent/TestKerberosCommon.py 
b/ambari-agent/src/test/python/ambari_agent/TestKerberosCommon.py
new file mode 100644
index 0000000..95cd034
--- /dev/null
+++ b/ambari-agent/src/test/python/ambari_agent/TestKerberosCommon.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+
+'''
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+'''
+
+from unittest import TestCase
+from ambari_commons.kerberos.kerberos_common import 
resolve_encryption_family_list, resolve_encryption_families
+
+class TestEncryptionTypes(TestCase):
+
+  def test_resolves_family(self):
+    expected = set([
+      'aes256-cts-hmac-sha1-96',
+      'aes128-cts-hmac-sha1-96',
+      'aes256-cts-hmac-sha384-192',
+      'aes128-cts-hmac-sha256-128',
+      'rc4-hmac'])
+    self.assertEquals(expected, resolve_encryption_family_list(['rc4', 'aes']))
+
+  def test_no_resolve_if_no_family_is_given(self):
+    expected = set(['aes256-cts-hmac-sha1-96', 'rc4-hmac'])
+    self.assertEquals(expected, resolve_encryption_family_list(['rc4-hmac', 
'aes256-cts-hmac-sha1-96']))
+
+  def test_eliminates_duplications(self):
+    expected = set([
+      'aes256-cts-hmac-sha1-96',
+      'aes128-cts-hmac-sha1-96',
+      'aes256-cts-hmac-sha384-192',
+      'aes128-cts-hmac-sha256-128'])
+    self.assertEquals(expected, resolve_encryption_family_list(['aes', 
'aes128-cts-hmac-sha1-96']))
+
+  def test_translate_str(self):
+    self.assertEquals('rc4-hmac', resolve_encryption_families('rc4'))
\ No newline at end of file
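Review bot: The `None` branch of `resolve_encryption_families` is not exercised; `test_translate_str` at the end of the hunk only checks a single family, so the `None` guard and the multi-token join path have no coverage. Add `self.assertIsNone(resolve_encryption_families(None))`; a multi-token assertion such as `'aes256-cts-hmac-sha1-96 rc4-hmac'` would be worth adding too, but note that the current implementation joins a set, so the token order is not guaranteed and such an assertion would be flaky until the order is made deterministic. As a point of style, `assertEquals` is a deprecated alias of `assertEqual` on every assertion in the class, and the file ends without a trailing newline.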
diff --git 
a/ambari-common/src/main/python/ambari_commons/kerberos/kerberos_common.py 
b/ambari-common/src/main/python/ambari_commons/kerberos/kerberos_common.py
index 174bc10..4b2f3e9 100644
--- a/ambari-common/src/main/python/ambari_commons/kerberos/kerberos_common.py
+++ b/ambari-common/src/main/python/ambari_commons/kerberos/kerberos_common.py
@@ -169,3 +169,22 @@ def find_missing_keytabs(params, output_hook=lambda 
missing_keytabs: None):
   missing_keytabs = 
MissingKeytabs.from_kerberos_records(params.kerberos_command_params, 
params.hostname)
   Logger.info(str(missing_keytabs))
   output_hook(missing_keytabs.as_dict())
+
+# Encryption families from: 
http://web.mit.edu/KERBEROS/krb5-latest/doc/admin/conf_files/kdc_conf.html#encryption-types
+ENCRYPTION_FAMILY_MAP = {
+  'aes'       : ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96', 
'aes256-cts-hmac-sha384-192', 'aes128-cts-hmac-sha256-128'],
+  'rc4'       : ['rc4-hmac'],
+  'camellia'  : ['camellia256-cts-cmac', 'camellia128-cts-cmac'],
+  'des3'      : ['des3-cbc-sha1'],
+  'des'       : ['des-cbc-crc', 'des-cbc-md5', 'des-cbc-md4']
+}
+
+def resolve_encryption_family_list(enc_types_list):
+  result = []
+  for each in enc_types_list:
+    result.extend(ENCRYPTION_FAMILY_MAP[each] if each in ENCRYPTION_FAMILY_MAP 
else [each])
+  return set(result)
+
+def resolve_encryption_families(enc_types_str):
+  return None if enc_types_str is None \
+    else ' '.join(resolve_encryption_family_list(enc_types_str.split()))
\ No newline at end of file
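Review bot: `resolve_encryption_families` joins a `set`, so the enctype string it returns has no stable order — the family expansion order (strongest AES types first) and the administrator's configured order are both lost, and on Python 3 the order can change between processes under hash randomization. Kerberos enctype settings are generally read as ordered preference lists, so the join should deduplicate while preserving insertion order; `resolve_encryption_family_list` can keep returning a set for callers that only test membership. Separately, the comment above `ENCRYPTION_FAMILY_MAP` could explain why the weak families are still present, e.g. `# des, des3 and rc4 are weak; kept only so explicitly configured legacy types still resolve, not as defaults` (presumably the default configuration is changed elsewhere — confirm). The rewritten function below keeps the original interface and `None` handling.
```python
def resolve_encryption_families(enc_types_str):
  if enc_types_str is None:
    return None
  ordered = []
  for each in enc_types_str.split():
    for enc_type in ENCRYPTION_FAMILY_MAP.get(each, [each]):
      if enc_type not in ordered:
        ordered.append(enc_type)
  return ' '.join(ordered)
```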
