This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push:
new fac419b AMBARI-24879. kAdmin principal name is set on the GUI when
enabling Kerberos with MIT KDC using a new variable replacement function (#2788)
fac419b is described below
commit fac419b5cb4dbdc3eddb0c6e1c336143760786b0
Author: Sandor Molnar <[email protected]>
AuthorDate: Tue Jan 29 10:52:34 2019 +0100
AMBARI-24879. kAdmin principal name is set on the GUI when enabling
Kerberos with MIT KDC using a new variable replacement function (#2788)
---
.../kerberos/IPAKerberosOperationHandler.java | 2 +-
.../kerberos/KDCKerberosOperationHandler.java | 10 ++++---
.../kerberos/KerberosOperationHandler.java | 5 ++++
.../kerberos/MITKerberosOperationHandler.java | 35 ++++++++++++++++------
.../state/kerberos/VariableReplacementHelper.java | 16 ++++++++++
.../kerberos/MITKerberosOperationHandlerTest.java | 1 +
.../kerberos/VariableReplacementHelperTest.java | 5 ++++
7 files changed, 60 insertions(+), 14 deletions(-)
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java
index be7b96d..07ab77e 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java
@@ -254,7 +254,7 @@ public class IPAKerberosOperationHandler extends
KDCKerberosOperationHandler {
}
@Override
- protected String[] getKinitCommand(String executableKinit,
PrincipalKeyCredential credentials, String credentialsCache) {
+ protected String[] getKinitCommand(String executableKinit,
PrincipalKeyCredential credentials, String credentialsCache, Map<String,
String> kerberosConfiguration) {
return new String[]{
executableKinit,
"-c",
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KDCKerberosOperationHandler.java
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KDCKerberosOperationHandler.java
index 9936f43..a708d71 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KDCKerberosOperationHandler.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KDCKerberosOperationHandler.java
@@ -111,7 +111,7 @@ abstract class KDCKerberosOperationHandler extends
KerberosOperationHandler {
// Pre-determine the paths to relevant Kerberos executables
executableKinit = getExecutable("kinit");
- setOpen(init());
+ setOpen(init(kerberosConfiguration));
}
@Override
@@ -269,9 +269,11 @@ abstract class KDCKerberosOperationHandler extends
KerberosOperationHandler {
* @param executableKinit the absolute path to the kinit executable
* @param credentials the KDC adminisrator's credentials
* @param credentialsCache the absolute path to the expected location of the
Kerberos ticket/credential cache file
+ * @param kerberosConfigurations a Map of key/value pairs containing data
from the kerberos-env configuration set
+ * @throws KerberosOperationException in case there was any error during
kinit command creation
* @return an array of Strings containing the command to execute
*/
- protected abstract String[] getKinitCommand(String executableKinit,
PrincipalKeyCredential credentials, String credentialsCache);
+ protected abstract String[] getKinitCommand(String executableKinit,
PrincipalKeyCredential credentials, String credentialsCache, Map<String,
String> kerberosConfigurations) throws KerberosOperationException;
/**
* Export the requested keytab entries for a given principal into the
specified file.
@@ -294,7 +296,7 @@ abstract class KDCKerberosOperationHandler extends
KerberosOperationHandler {
* @return
* @throws KerberosOperationException
*/
- protected boolean init() throws KerberosOperationException {
+ protected boolean init(Map<String, String> kerberosConfiguration) throws
KerberosOperationException {
if (credentialsCacheFile != null) {
if (!credentialsCacheFile.delete()) {
LOG.debug("Failed to remove the orphaned cache file, {}",
credentialsCacheFile.getAbsolutePath());
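Review bot: The Javadoc above `init` still carries an empty `@return` and an empty `@throws KerberosOperationException`, and the new `kerberosConfiguration` argument gets no `@param` entry. I would add `@param kerberosConfiguration a Map of key/value pairs containing data from the kerberos-env configuration set`, matching the wording the commit already uses on `getKinitCommand`. The tags should also say what the boolean means and when the exception is thrown; the body of `init` continues outside this hunk, so that wording has to come from the full method.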
@@ -317,7 +319,7 @@ abstract class KDCKerberosOperationHandler extends
KerberosOperationHandler {
PrincipalKeyCredential credentials = getAdministratorCredential();
- ShellCommandUtil.Result result =
executeCommand(getKinitCommand(executableKinit, credentials, credentialsCache),
+ ShellCommandUtil.Result result =
executeCommand(getKinitCommand(executableKinit, credentials, credentialsCache,
kerberosConfiguration),
environmentMap,
new InteractivePasswordHandler(String.valueOf(credentials.getKey()),
null));
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
index a159880..2646d2c 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
@@ -95,6 +95,11 @@ public abstract class KerberosOperationHandler {
public final static String KERBEROS_ENV_ADMIN_SERVER_HOST =
"admin_server_host";
/**
+ * Kerberos-env configuration property name: kadmin_principal_name
+ */
+ public final static String KERBEROS_ENV_KADMIN_PRINCIPAL_NAME =
"kadmin_principal_name";
+
+ /**
* Kerberos-env configuration property name: executable_search_paths
*/
public final static String KERBEROS_ENV_EXECUTABLE_SEARCH_PATHS =
"executable_search_paths";
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
index 254f705..142aace 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
@@ -19,12 +19,15 @@
package org.apache.ambari.server.serveraction.kerberos;
import java.util.ArrayList;
+import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.security.credential.PrincipalKeyCredential;
+import org.apache.ambari.server.state.kerberos.VariableReplacementHelper;
import org.apache.ambari.server.utils.ShellCommandUtil;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
@@ -48,6 +51,9 @@ public class MITKerberosOperationHandler extends
KDCKerberosOperationHandler {
@Inject
private Configuration configuration;
+ @Inject
+ private VariableReplacementHelper variableReplacementHelper;
+
/**
* A String containing user-specified attributes used when creating
principals
*/
@@ -333,16 +339,27 @@ public class MITKerberosOperationHandler extends
KDCKerberosOperationHandler {
}
@Override
- protected String[] getKinitCommand(String executableKinit,
PrincipalKeyCredential credentials, String credentialsCache) {
+ protected String[] getKinitCommand(String executableKinit,
PrincipalKeyCredential credentials, String credentialsCache, Map<String,
String> kerberosConfiguration) throws KerberosOperationException {
// kinit -c <path> -S kadmin/`hostname -f` <principal>
- return new String[]{
- executableKinit,
- "-c",
- credentialsCache,
- "-S",
- String.format("kadmin/%s", getAdminServerHost(false)),
- credentials.getPrincipal()
- };
+ try {
+ final String kadminPrincipalName =
variableReplacementHelper.replaceVariables(kerberosConfiguration.get(KERBEROS_ENV_KADMIN_PRINCIPAL_NAME),
buildReplacementsMap(kerberosConfiguration));
+ return new String[]{
+ executableKinit,
+ "-c",
+ credentialsCache,
+ "-S",
+ kadminPrincipalName,
+ credentials.getPrincipal()
+ };
+ } catch (AmbariException e) {
+ throw new KerberosOperationException("Error while getting 'kinit'
command", e);
+ }
+ }
+
+ private Map<String, Map<String, String>> buildReplacementsMap(Map<String,
String> kerberosConfiguration) {
+ final Map<String, Map<String, String>> replacementsMap = new HashMap<>();
+ replacementsMap.put("", kerberosConfiguration);
+ return replacementsMap;
}
@Override
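Review bot: The rewritten `getKinitCommand` has no fallback when `kadmin_principal_name` is missing or blank in `kerberosConfiguration`, so the argument after `-S` may end up null or empty. What `replaceVariables` returns for a null template is not visible in this hunk. A null `kerberosConfiguration` would also raise a NullPointerException that the `catch (AmbariException e)` does not cover. A kerberos-env that lacks the new property may then fail at kinit with an unclear error, where the removed code used `kadmin/<admin server host>`. Keeping that default for a blank value (or throwing a KerberosOperationException that names the property) keeps the failure diagnosable, and the `// kinit -c <path> -S kadmin/...` comment should be updated because the service principal is now configurable.

```java
protected String[] getKinitCommand(String executableKinit, PrincipalKeyCredential credentials, String credentialsCache, Map<String, String> kerberosConfiguration) throws KerberosOperationException {
  // kinit -c <path> -S <kadmin service principal> <principal>
  final String configuredName = (kerberosConfiguration == null)
      ? null
      : kerberosConfiguration.get(KERBEROS_ENV_KADMIN_PRINCIPAL_NAME);
  try {
    // Keep the previous default when the property is missing or blank
    final String kadminPrincipalName = StringUtils.isBlank(configuredName)
        ? String.format("kadmin/%s", getAdminServerHost(false))
        : variableReplacementHelper.replaceVariables(configuredName, buildReplacementsMap(kerberosConfiguration));
    // … unchanged: return new String[]{...} and catch (AmbariException e) …
```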
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java
b/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java
index a83f080..bf2539e 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java
@@ -60,6 +60,7 @@ public class VariableReplacementHelper {
put("replace", new ReplaceValue());
put("append", new AppendFunction());
put("principalPrimary", new PrincipalPrimary());
+ put("stripPort", new StripPort());
}
};
@@ -432,4 +433,19 @@ public class VariableReplacementHelper {
}
}
}
+
+ /**
+ * Strips out the port (if any) from a URL assuming the following input data
layout
+ * <code>host[:port]</code>
+ */
+ private static class StripPort implements Function {
+ @Override
+ public String perform(String[] args, String data, Map<String, Map<String,
String>> replacementsMap) {
+ if (data == null) {
+ return null;
+ }
+ final int semicolonIndex = data.indexOf(":");
+ return semicolonIndex == -1 ? data : data.substring(0, semicolonIndex);
+ }
+ }
}
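Review bot: `StripPort.perform` cuts at the first ':' in the value, so anything other than plain `host[:port]` is silently truncated: `http://host:8080` becomes `http`, and a bracketed IPv6 literal becomes `[`. The tests in this commit use the function to build the `kadmin/<host>` service principal, so a wrong result means kinit is asked for a ticket under the wrong service name. The Javadoc says "URL" while the supported layout is only `host[:port]`; I would state that limit explicitly (hostname or IPv4 address, no scheme, no IPv6 literal). The local is also misnamed, since ':' is a colon: `final int colonIndex = data.indexOf(':');`.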
diff --git
a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java
index dd3a3c3..0071c5b 100644
---
a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java
+++
b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java
@@ -265,6 +265,7 @@ public class MITKerberosOperationHandlerTest extends
KDCKerberosOperationHandler
Map<String,String> config = new HashMap<>();
config.put("encryption_types", "aes des3-cbc-sha1 rc4 des-cbc-md5");
+ config.put(MITKerberosOperationHandler.KERBEROS_ENV_KADMIN_PRINCIPAL_NAME,
"kadmin/kdc.example.com");
replayAll();
diff --git
a/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java
index 839af39..5152bee 100644
---
a/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java
+++
b/ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java
@@ -196,6 +196,8 @@ public class VariableReplacementHelperTest {
put("", new HashMap<String, String>() {{
put("delimited.data", "one,two,three,four");
put("realm", "UNIT.TEST");
+ put("admin_server_host", "c7401.ambari.apache.org");
+ put("admin_server_host_port", "c7401.ambari.apache.org:8080");
}});
put("kafka-broker", new HashMap<String, String>() {{
@@ -259,6 +261,9 @@ public class VariableReplacementHelperTest {
assertEquals("test=unit.test",
helper.replaceVariables("test=${realm|toLower()}", configurations));
assertEquals("PLAINTEXTSASL://localhost:6667",
helper.replaceVariables("${kafka-broker/listeners|replace(\\bPLAINTEXT\\b,PLAINTEXTSASL)}",
configurations));
+
+ assertEquals("kadmin/c7401.ambari.apache.org",
helper.replaceVariables("kadmin/${admin_server_host|stripPort()}",
configurations));
+ assertEquals("kadmin/c7401.ambari.apache.org",
helper.replaceVariables("kadmin/${admin_server_host_port|stripPort()}",
configurations));
}
@Test