Review Request 38865: Create a credentials resource used to securely set, update, and remove credentials used by Ambari

Tue, 29 Sep 2015 15:57:31 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38865/
-----------------------------------------------------------

Review request for Ambari, Jonathan Hurley, John Speidel, and Robert Nettleton.


Bugs: AMBARI-13214
    https://issues.apache.org/jira/browse/AMBARI-13214


Repository: ambari


Description
-------

Storage of the credentials is to be done using the existing _secure_ 
credentials provider API which already exits within Ambari.  

Credential may be stored in either Ambari's persistent or temporary secure 
storage facilities. 

# Testing capabilities

* Request 
```
GET api/v1/clusters/{CLUSTER_NAME}
```

* Responses
```
200 OK
{
  ...
  "credential_store_properties" : {
    "storage.persistent" : "true",
    "storage.temporary" : "true"
  },
  ...
}
```

# Creating credentials

* Request 
```
POST /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}
{
  "Credential" : {
    "principal" : "USERNAME",
    "key" : "SECRET",
    "persist" : true
  }
}

Where:
** principal:  the principal (or username) part of the credential to store
** key: the secret key part of the credential to store
** persist:  a boolean value indicating whether to store this credential in a 
persisted (true) or temporary (false) secure credential store
```

* Responses
```
200 OK
```
```
400 Bad Request
{
  "status": 400,
  "message": "Cannot persist credential in Ambari's secure credential store 
since secure storage has not yet be configured.  Use ambari-server 
setup-security to enable this feature."
}
```
```
403 Forbidden
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
```

# Updating credentials

* Request
```
PUT /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}
{
  "Credential" : {
    "principal" : "USERNAME",
    "key" : "SECRET1",
    "persist" : true
  }
}

Where:
** principal:  the principal (or username) part of the credential to store
** key: the secret key part of the credential to store
** persist:  a boolean value indicating whether to store this credential in a 
persisted (true) or temporary (false) secure credential store
```

* Responses
```
200 OK
```
```
400 Bad Request
{
  "status": 400,
  "message": "Cannot persist credential in Ambari's secure credential store 
since secure storage has not yet be configured.  Use ambari-server 
setup-security to enable this feature."
}
```
```
403 Forbidden
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
```

# Removing credentials

* Request
```
DELETE /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}
```

* Responses
```
200 OK
```
```
404 Not Found
{
  "status": 404,
  "message": "Not Found"
}
```
```403 Forbidden
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
```

# Listing credentials

* Request
```
GET /api/v1/clusters/{CLUSTER_NAME}/credentials
```

* Responses 
```
200 OK
{
  "href" : "http://host:8080/api/v1/clusters/c1/credentials";,
  "items" : [
    {
      "href" : 
"http://host:8080/api/v1/clusters/c1/credentials/kdc.admin.credentials";,
      "Credential" : {
        "alias" : "kdc.admin.credentials",
        "cluster_name" : "c1"
      }
    },
    {
      "href" : 
"http://host:8080/api/v1/clusters/c1/credentials/service.admin.credentials";,
      "Credential" : {
        "alias" : "service.admin.credentials",
        "cluster_name" : "c1"
      }
    }
  ]
}
```
```
404 Not Found
{
  "status": 404,
  "message": "Not Found"
}
```
```
403 Forbidden
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
```

# Retrieving credentials

* Request
```
GET /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS}
```

* Responses 
```
200 OK
{
  "href" : 
"http://host:8080/api/v1/clusters/c1/credentials/kdc.admin.credentials";,
  "Credential" : {
    "alias" : "kdc.admin.credentials",
    "cluster_name" : "c1",
    "persist" : true
  }
}
```
```
404 Not Found
{
  "status": 404,
  "message": "Not Found"
}
```
```
403 Forbidden
{
  "status": 403,
  "message": "You do not have permissions to access this resource."
}
```


Diffs
-----

  ambari-server/docs/api/v1/credential-create.md PRE-CREATION 
  ambari-server/docs/api/v1/credential-delete.md PRE-CREATION 
  ambari-server/docs/api/v1/credential-get.md PRE-CREATION 
  ambari-server/docs/api/v1/credential-list.md PRE-CREATION 
  ambari-server/docs/api/v1/credential-resources.md PRE-CREATION 
  ambari-server/docs/api/v1/credential-update.md PRE-CREATION 
  ambari-server/docs/api/v1/index.md c1e464c 
  
ambari-server/src/main/java/org/apache/ambari/server/api/resources/CredentialResourceDefinition.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/api/resources/ResourceInstanceFactoryImpl.java
 1e219ff 
  
ambari-server/src/main/java/org/apache/ambari/server/api/services/ClusterService.java
 7bb0a72 
  
ambari-server/src/main/java/org/apache/ambari/server/api/services/CredentialService.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
 e3686ac 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
 6ba6bac 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/ClusterResponse.java
 bb6d88e 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java
 a40fae6 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
 a1cd5b8 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/ResourceProviderFactory.java
 5d1143a 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
 9163656 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterResourceProvider.java
 7e75a75 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/CredentialResourceProvider.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/spi/Resource.java
 1b208fb 
  
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
 44c9613 
  
ambari-server/src/main/java/org/apache/ambari/server/security/credential/Credential.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/security/credential/CredentialFactory.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/security/credential/GenericKeyCredential.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/security/credential/InvalidCredentialValueException.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/security/credential/PrincipalKeyCredential.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/security/encryption/AbstractCredentialStore.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialProvider.java
 b812337 
  
ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStore.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStoreService.java
 4aa3b0a 
  
ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceImpl.java
 968e96a 
  
ambari-server/src/main/java/org/apache/ambari/server/security/encryption/FileBasedCredentialStore.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/security/encryption/FileBasedCredentialStoreService.java
 41ff71b 
  
ambari-server/src/main/java/org/apache/ambari/server/security/encryption/InMemoryCredentialStore.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/security/encryption/InMemoryCredentialStoreService.java
 08d84fc 
  
ambari-server/src/test/java/org/apache/ambari/server/api/resources/CredentialResourceDefinitionTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/api/services/CredentialServiceTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
 074fbb4 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java
 23ce914 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/CredentialResourceProviderTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserResourceProviderTest.java
 b0e1018 
  
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
 1824486 
  
ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialProviderTest.java
 ef1a9c8 
  
ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceImplTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceTest.java
 9725746 
  
ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialStoreTest.java
 PRE-CREATION 

Diff: https://reviews.apache.org/r/38865/diff/


Testing
-------

Units tests updated and passed
Manually testing in existing cluster (upgrade scenario) and new cluster

# Local test results:

[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 54:46.952s
[INFO] Finished at: Tue Sep 29 18:02:43 EDT 2015
[INFO] Final Memory: 66M/1534M
[INFO] ------------------------------------------------------------------------

# Jenkins test results: PENDING


Thanks,

Robert Levas

Reply via email to