Hello Ottomata,

I'd like you to do a code review.  Please visit

    https://gerrit.wikimedia.org/r/177714

to review the following change.

Change subject: Abort deployment, if Oozie's Hive config seems to contain 
passwords
......................................................................

Abort deployment, if Oozie's Hive config seems to contain passwords

Analytics1027 is used for many maintenance tasks around
refinery. However, it should not be used to deploy refinery, as the
hive-site.xml on analytics1027 contains passwords.
To guard against refinery deployments from analytics1027, we check if
Oozie's hive config seems to contain passwords. If it does, we abort
the deployment. If it doesn't, we deploy.

Bug: T76806
Change-Id: I01f7f8b0a2195cba4083fab84be32f8de82f93af
---
M bin/refinery-deploy-to-hdfs
1 file changed, 19 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/analytics/refinery 
refs/changes/14/177714/1

diff --git a/bin/refinery-deploy-to-hdfs b/bin/refinery-deploy-to-hdfs
index df40569..c0d1c75 100755
--- a/bin/refinery-deploy-to-hdfs
+++ b/bin/refinery-deploy-to-hdfs
@@ -5,6 +5,7 @@
 #
 #   _ABS      - absolute path
 #   _RELB     - path, relative to $REFINERY_BASE_HDFSDIR_ABS
+#   _RELR     - path, relative to root of the refinery repository
 #
 #   _FILE     - file in plain file system
 #   _DIR      - directory in plain file system
@@ -24,6 +25,8 @@
 VERBOSE=no
 CURRENT_TARGET_HDFSDIR_RELB="current"
 SKIP_UPDATING_CURRENT=no
+
+OOZIES_HIVE_CONFIG_FILE_RELR="oozie/util/hive/hive-site.xml"
 
 print_help() {
     cat <<EOF
@@ -157,6 +160,21 @@
     fi
 }
 
+guard_against_obviously_fishy_hive_config_for_oozie() {
+    if [ ! -e "$OOZIES_HIVE_CONFIG_FILE_RELR" ]
+    then
+        # If we cannot find Oozie's hive config, we bail out. This way, we de
+        # detect if the file gets moved around at some point.
+        error "Could not find oozie's hive config at 
'$OOZIES_HIVE_CONFIG_FILE_RELR'"
+    fi
+
+    if grep -q -i 'password' "$OOZIES_HIVE_CONFIG_FILE_RELR"
+    then
+        error "Oozie's hive config at '$OOZIES_HIVE_CONFIG_FILE_RELR' matches \
+password. Aborting to avoid accidentally deploying passwords."
+    fi
+}
+
 describe_deployment() {
     local TARGET_HDFSFILE_ABS="$1"
     shift
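Review bot: The new guard fails open when grep cannot scan the file: `if grep -q -i 'password' "$OOZIES_HIVE_CONFIG_FILE_RELR"` treats grep's error status (2, e.g. an unreadable file or a directory at that path) the same as "no match" (1), so the deployment would continue without the config having been checked. The preceding `[ ! -e ... ]` test only proves that something exists at the path, not that it is a readable regular file. I would capture grep's exit status and abort on anything other than 1, as sketched below; this assumes `error` exits, which its use elsewhere in the file suggests but this hunk does not show. It is also worth a comment that matching the literal word `password` is a heuristic for this one file: it will not notice credentials stored under other property names or in other files of the deployed tree.

```shell
    # … unchanged: existence check for $OOZIES_HIVE_CONFIG_FILE_RELR …

    local GREP_STATUS=0
    grep -q -i 'password' "$OOZIES_HIVE_CONFIG_FILE_RELR" || GREP_STATUS=$?
    case "$GREP_STATUS" in
        0)
            error "Oozie's hive config at '$OOZIES_HIVE_CONFIG_FILE_RELR' matches \
password. Aborting to avoid accidentally deploying passwords."
            ;;
        1)
            # No match: the file was scanned and looks clean.
            ;;
        *)
            # grep itself failed, so the file was not scanned; fail closed.
            error "Could not scan oozie's hive config at \
'$OOZIES_HIVE_CONFIG_FILE_RELR' (grep exited with $GREP_STATUS)"
            ;;
    esac
```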
@@ -212,6 +230,7 @@
 alert_dry_run
 
 guard_against_uninitialized_git_fat
+guard_against_obviously_fishy_hive_config_for_oozie
 
 GIT_DESCRIPTION="$(git describe $GIT_EXTRA_OPTION --always --dirty 2>/dev/null 
|| true)"
 [[ ! -z "$GIT_DESCRIPTION" ]] || error "Cannot describe current version"

-- 
To view, visit https://gerrit.wikimedia.org/r/177714
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I01f7f8b0a2195cba4083fab84be32f8de82f93af
Gerrit-PatchSet: 1
Gerrit-Project: analytics/refinery
Gerrit-Branch: master
Gerrit-Owner: QChris <[email protected]>
Gerrit-Reviewer: Ottomata <[email protected]>
