This is an automated email from the ASF dual-hosted git repository. amagyar pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push: new 8b6d900 AMBARI-24680. Remove out-dated and insecure encryption algorithms use… (#2369) 8b6d900 is described below commit 8b6d9001784dcaef282ebc159c37e78eece15c2e Author: Attila Magyar <m.magy...@gmail.com> AuthorDate: Tue Sep 25 15:18:45 2018 +0200 AMBARI-24680. Remove out-dated and insecure encryption algorithms use… (#2369) * AMBARI-24680. Remove out-dated and insecure encryption algorithms used by default by Kerberos (amagyar) * AMBARI-24680. Remove out-dated and insecure encryption algorithms used by default by Kerberos (amagyar) --- .../test/python/ambari_agent/TestKerberosCommon.py | 48 ++++++++++++++++++++++ .../ambari_commons/kerberos/kerberos_common.py | 19 +++++++++ 2 files changed, 67 insertions(+)
diff --git a/ambari-agent/src/test/python/ambari_agent/TestKerberosCommon.py b/ambari-agent/src/test/python/ambari_agent/TestKerberosCommon.py
new file mode 100644
index 0000000..95cd034
--- /dev/null
+++ b/ambari-agent/src/test/python/ambari_agent/TestKerberosCommon.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+
+'''
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+'''
+
+from unittest import TestCase
+from ambari_commons.kerberos.kerberos_common import resolve_encryption_family_list, resolve_encryption_families
+
+class TestEncryptionTypes(TestCase):
+
+ def test_resolves_family(self):
+ expected = set([
+ 'aes256-cts-hmac-sha1-96',
+ 'aes128-cts-hmac-sha1-96',
+ 'aes256-cts-hmac-sha384-192',
+ 'aes128-cts-hmac-sha256-128',
+ 'rc4-hmac'])
+ self.assertEquals(expected, resolve_encryption_family_list(['rc4', 'aes']))
+
+ def test_no_resolve_if_no_family_is_given(self):
+ expected = set(['aes256-cts-hmac-sha1-96', 'rc4-hmac'])
+ self.assertEquals(expected, resolve_encryption_family_list(['rc4-hmac', 'aes256-cts-hmac-sha1-96']))
+
+ def test_eliminates_duplications(self):
+ expected = set([
+ 'aes256-cts-hmac-sha1-96',
+ 'aes128-cts-hmac-sha1-96',
+ 'aes256-cts-hmac-sha384-192',
+ 'aes128-cts-hmac-sha256-128'])
+ self.assertEquals(expected, resolve_encryption_family_list(['aes', 'aes128-cts-hmac-sha1-96']))
+
+ def test_translate_str(self):
+ self.assertEquals('rc4-hmac', resolve_encryption_families('rc4'))
\ No newline at end of file
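Review bot: `assertEquals`, used in every test of `TestEncryptionTypes`, is the deprecated alias of `assertEqual`; e.g. `self.assertEqual(expected, resolve_encryption_family_list(['rc4', 'aes']))`. The `None` branch of `resolve_encryption_families` is not exercised, and `test_translate_str` only passes a single family, so the suite cannot tell whether a multi-family string such as `'aes rc4'` is emitted in a stable, input-ordered form; a case like `self.assertIsNone(resolve_encryption_families(None))` and one with two families would close that gap. Names absent from the map and the `des`/`des3` expansions are likewise uncovered.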
diff --git a/ambari-common/src/main/python/ambari_commons/kerberos/kerberos_common.py b/ambari-common/src/main/python/ambari_commons/kerberos/kerberos_common.py
index 174bc10..4b2f3e9 100644
--- a/ambari-common/src/main/python/ambari_commons/kerberos/kerberos_common.py
+++ b/ambari-common/src/main/python/ambari_commons/kerberos/kerberos_common.py
@@ -169,3 +169,22 @@ def find_missing_keytabs(params, output_hook=lambda missing_keytabs: None):
 missing_keytabs = MissingKeytabs.from_kerberos_records(params.kerberos_command_params, params.hostname)
 Logger.info(str(missing_keytabs))
 output_hook(missing_keytabs.as_dict())
+
+# Encryption families from: http://web.mit.edu/KERBEROS/krb5-latest/doc/admin/conf_files/kdc_conf.html#encryption-types
+ENCRYPTION_FAMILY_MAP = {
+ 'aes' : ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha384-192', 'aes128-cts-hmac-sha256-128'],
+ 'rc4' : ['rc4-hmac'],
+ 'camellia' : ['camellia256-cts-cmac', 'camellia128-cts-cmac'],
+ 'des3' : ['des3-cbc-sha1'],
+ 'des' : ['des-cbc-crc', 'des-cbc-md5', 'des-cbc-md4']
+}
+
+def resolve_encryption_family_list(enc_types_list):
+ result = []
+ for each in enc_types_list:
+ result.extend(ENCRYPTION_FAMILY_MAP[each] if each in ENCRYPTION_FAMILY_MAP else [each])
+ return set(result)
+
+def resolve_encryption_families(enc_types_str):
+ return None if enc_types_str is None \
+ else ' '.join(resolve_encryption_family_list(enc_types_str.split()))
\ No newline at end of file
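Review bot: `resolve_encryption_families` joins the `set` returned by `resolve_encryption_family_list`, so the order of enctypes in the output string is arbitrary (fixed but unspecified on Python 2, and varying per process under Python 3 hash randomization); krb5 settings such as `default_tgs_enctypes` and `permitted_enctypes` read that list as a preference order, so an input like `'aes rc4'` can come out with `rc4-hmac` in front of the AES types. Expanding each name in input order into a de-duplicated list keeps the caller's preference and makes the `_list` name accurate; the new tests in TestKerberosCommon.py would then compare against `set(result)` or against an ordered list. `ENCRYPTION_FAMILY_MAP.get(each, [each])` replaces the `in`/subscript pair, and both functions should carry a docstring saying that names not in the map pass through unchanged and that `None` is returned for a `None` input. `enc_types_str.split()` handles only whitespace; if callers can hand in comma-separated krb5 lists that would need handling too, but the hunk does not show the callers. The context lines are the tail of `find_missing_keytabs`, whose body begins outside the hunk.
```python
def resolve_encryption_family_list(enc_types_list):
  """Expand family names (e.g. 'aes') into their enctypes, preserving input order and dropping duplicates.

  Names that are not a known family are passed through unchanged.
  """
  result = []
  for each in enc_types_list:
    for enc_type in ENCRYPTION_FAMILY_MAP.get(each, [each]):
      if enc_type not in result:
        result.append(enc_type)
  return result
# … unchanged: resolve_encryption_families (joins the now-ordered list) …
```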