-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58006/
-----------------------------------------------------------

(Updated March 29, 2017, 5:06 p.m.)


Review request for Ambari, Dmytro Sen, Robert Levas, Sumit Mohanty, and Sid 
Wagle.


Changes
-------

Fixed review issue.


Bugs: AMBARI-20600
    https://issues.apache.org/jira/browse/AMBARI-20600


Repository: ambari


Description
-------

EXCEPTION TRACE

  File "/var/lib/ambari-agent/cache/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py", line 235, in create_grafana_admin_pwd
    response = perform_grafana_get_call(GRAFANA_USER_URL, serverCall1)
  File "/var/lib/ambari-agent/cache/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py", line 59, in perform_grafana_get_call
    grafana_https_enabled, ca_certs)
  File "/usr/lib/python2.6/site-packages/ambari_commons/network.py", line 49, in get_http_connection
    ssl_version = check_ssl_certificate_and_return_ssl_version(host, port, ca_certs)
  File "/usr/lib/python2.6/site-packages/ambari_commons/network.py", line 66, in check_ssl_certificate_and_return_ssl_version
    .format(host, port, ca_certs, str(ssl_error)))
resource_management.core.exceptions.Fail: Failed to verify the SSL certificate for https://<host>:3000 with CA certificate in /etc/security/ssl/test.cert. Error : [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


PROBLEM
The Grafana util script makes HTTPS calls with the server endpoint to create 
datasources, dashboards, etc. For this call, it validates the server's 
certificate with the CA certificate using the 
https://docs.python.org/2/library/ssl.html#ssl.get_server_certificate call. 
This call checks the certificate validity against a root certificate list.
The Grafana cert file (/configurations/ams-grafana-ini/cert_file) can be used 
both by the Grafana server to start up in HTTPS as well as in this validation 
step if the cert file is not a leaf certificate (for example, a self-signed 
certificate). If there is a CA which issued the certificate for Grafana HTTPS, 
then the CA bundle must be used to validate the server's certificate.

FIX
Added a new parameter that takes in the ca_cert, defaulting to the cert file. 
Grafana start should not fail if we are not able to validate the certificate, 
but are able to make HTTPS calls to the server. We will print out a warning 
statement instead.


Diffs (updated)
-----

  ambari-common/src/main/python/ambari_commons/network.py 6ab92b2 
  ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml b4570b7 
  ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py a6a9779 
  ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py 3276cc1 


Diff: https://reviews.apache.org/r/58006/diff/2/

Changes: https://reviews.apache.org/r/58006/diff/1-2/


Testing
-------

Manually tested.
Python unit tests passed.


Thanks,

Aravindan Vijayan
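
The behaviour described under PROBLEM and FIX, sketched as an added example that is not part of this review request or Ambari's own code. The `ca_cert` key name, the function names, the CA bundle path and the stubbed fetch are assumptions, constructed so the example runs without a live Grafana server.

```python
import logging
import ssl

log = logging.getLogger("grafana_cert_check_example")

def resolve_ca_certs(grafana_ini):
    """Use the explicit CA bundle if configured, else fall back to cert_file.
    The key name 'ca_cert' is an assumption; 'cert_file' is from the page."""
    return grafana_ini.get("ca_cert") or grafana_ini["cert_file"]

def verify_server_certificate(host, port, ca_certs,
                              fetch=ssl.get_server_certificate):
    """Return True if the server certificate validates against ca_certs.
    On a validation failure, log a warning and return False instead of
    raising, so the caller can continue and still record the outcome."""
    try:
        # With ca_certs set, get_server_certificate validates the chain.
        fetch((host, port), ca_certs=ca_certs)
        return True
    except ssl.SSLError as err:
        log.warning("Could not verify SSL certificate for https://%s:%s "
                    "with CA certificate in %s: %s", host, port, ca_certs, err)
        return False

# --- constructed sample input (not from the page, except CERT_FILE) ---
CERT_FILE = "/etc/security/ssl/test.cert"        # leaf cert, path from the trace
CA_BUNDLE = "/etc/security/ssl/ca-bundle.pem"    # hypothetical path

def fake_fetch(addr, ca_certs=None):
    """Stand-in for a server whose certificate was issued by a CA:
    validation only succeeds against the issuing CA bundle."""
    if ca_certs != CA_BUNDLE:
        raise ssl.SSLError(1, "certificate verify failed")
    return "constructed PEM placeholder"

def demo():
    """Run the check for a leaf-only config and a config with a CA bundle."""
    results = {}
    for name, ini in (("leaf_only", {"cert_file": CERT_FILE}),
                      ("with_ca", {"cert_file": CERT_FILE, "ca_cert": CA_BUNDLE})):
        ca = resolve_ca_certs(ini)
        results[name] = (ca, verify_server_certificate("grafana.example", 3000,
                                                       ca, fetch=fake_fetch))
    return results

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

Returning the verification result lets the caller report that the HTTPS calls went ahead against an unverified certificate rather than dropping that fact after the warning.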
