Repository: ambari Updated Branches: refs/heads/trunk c337b6ea5 -> 53dbf69f9
AMBARI-9171. Keytab generation should use kerberos-env/encryption_types when creating key entries (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/53dbf69f Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/53dbf69f Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/53dbf69f Branch: refs/heads/trunk Commit: 53dbf69f9d60891cf76179b10ff2019515022709 Parents: c337b6e Author: Robert Levas <rle...@hortonworks.com> Authored: Fri Feb 13 14:40:14 2015 -0500 Committer: Robert Levas <rle...@hortonworks.com> Committed: Fri Feb 13 14:40:14 2015 -0500 ---------------------------------------------------------------------- .../kerberos/ADKerberosOperationHandler.java | 14 +- .../kerberos/KerberosOperationHandler.java | 177 ++++++++++++++++++- .../kerberos/MITKerberosOperationHandler.java | 6 + .../1.10.3-10/configuration/kerberos-env.xml | 10 +- .../1.10.3-10/configuration/krb5-conf.xml | 25 ++- .../1.10.3-10/package/scripts/params.py | 12 +- .../1.10.3-10/package/templates/krb5_conf.j2 | 6 + .../KERBEROS/configuration/krb5-conf.xml | 24 ++- .../KERBEROS/package/templates/krb5_conf.j2 | 6 + .../ADKerberosOperationHandlerTest.java | 2 +- .../kerberos/KerberosOperationHandlerTest.java | 45 ++++- .../MITKerberosOperationHandlerTest.java | 33 ++-- .../journalnode-upgrade-hdfs-secure.json | 10 +- .../stacks/2.2/configs/journalnode-upgrade.json | 10 +- 14 files changed, 328 insertions(+), 52 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java index 4c1fdb5..2dbd50e 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java @@ -52,10 +52,6 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler { private static final String LDAP_CONTEXT_FACTORY_CLASS = "com.sun.jndi.ldap.LdapCtxFactory"; - public final static String KERBEROS_ENV_LDAP_URL = "ldap_url"; - public final static String KERBEROS_ENV_PRINCIPAL_CONTAINER_DN = "container_dn"; - public final static String KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE = "create_attributes_template"; - /** * A String containing the URL for the LDAP interface for the relevant Active Directory */ @@ -146,6 +142,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler { setAdministratorCredentials(administratorCredentials); setDefaultRealm(realm); + setKeyEncryptionTypes(translateEncryptionTypes(kerberosConfiguration.get(KERBEROS_ENV_ENCRYPTION_TYPES), "\\s+")); this.ldapContext = createLdapContext(); this.searchControls = createSearchControls(); @@ -203,7 +200,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler { throw new KerberosOperationException("principal is null"); } - DeconstructedPrincipal deconstructPrincipal = deconstructPrincipal(principal); + DeconstructedPrincipal deconstructPrincipal = createDeconstructPrincipal(principal); try { return (findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal()) != null); 
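Review bot: In the open() hunk (-146,6 +142,7), `kerberosConfiguration.get(KERBEROS_ENV_ENCRYPTION_TYPES)` dereferences the map directly, whereas the same call added to MITKerberosOperationHandler.open() is wrapped in `if (kerberosConfiguration != null)`. open() begins outside this hunk, so an earlier null check may already exist. If it does not, a null configuration fails here with a NullPointerException instead of a KerberosOperationException. Either guard the call the same way as the MIT handler or add a one-line comment stating where null is rejected.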
@@ -237,8 +234,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler { throw new KerberosOperationException("principal password is null"); } - // TODO: (rlevas) pass components and realm in separately (AMBARI-9122) - DeconstructedPrincipal deconstructedPrincipal = deconstructPrincipal(principal); + DeconstructedPrincipal deconstructedPrincipal = createDeconstructPrincipal(principal); String realm = deconstructedPrincipal.getRealm(); if (realm == null) { @@ -327,7 +323,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler { throw new KerberosOperationException("principal password is null"); } - DeconstructedPrincipal deconstructPrincipal = deconstructPrincipal(principal); + DeconstructedPrincipal deconstructPrincipal = createDeconstructPrincipal(principal); try { String dn = findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal()); @@ -368,7 +364,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler { throw new KerberosOperationException("principal is null"); } - DeconstructedPrincipal deconstructPrincipal = deconstructPrincipal(principal); + DeconstructedPrincipal deconstructPrincipal = createDeconstructPrincipal(principal); try { String dn = findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal()); http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java index a23aa81..c51475e 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java 
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
@@ -37,6 +37,8 @@ import java.io.OutputStream;
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.EnumSet;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -58,12 +60,111 @@ public abstract class KerberosOperationHandler { protected final static int SECURE_PASSWORD_LENGTH = 18; /** + * Kerberos-env configuration property name: ldap_url + */ + public final static String KERBEROS_ENV_LDAP_URL = "ldap_url"; + + /** + * Kerberos-env configuration property name: container_dn + */ + public final static String KERBEROS_ENV_PRINCIPAL_CONTAINER_DN = "container_dn"; + + /** + * Kerberos-env configuration property name: create_attributes_template + */ + public final static String KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE = "create_attributes_template"; + + /** + * Kerberos-env configuration property name: encryption_types + */ + public final static String KERBEROS_ENV_ENCRYPTION_TYPES = "encryption_types"; + + /** * The set of available characters to use when generating a secure password */ private final static char[] SECURE_PASSWORD_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890?.!$%^*()-_+=~".toCharArray(); /** + * A Map of MIT KDC Encryption types to EncryptionType values. 
+ * <p/> + * See http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/kdc_conf.html#encryption-types + */ + private static final Map<String, Set<EncryptionType>> ENCRYPTION_TYPE_TRANSLATION_MAP = Collections.unmodifiableMap( + new HashMap<String, Set<EncryptionType>>() { + { + // aes: The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 + put("aes", EnumSet.of(EncryptionType.AES256_CTS_HMAC_SHA1_96, EncryptionType.AES128_CTS_HMAC_SHA1_96)); + + // aes256-cts-hmac-sha1-96 aes256-cts: AES-256 CTS mode with 96-bit SHA-1 HMAC + put("aes256-cts-hmac-sha1-96", EnumSet.of(EncryptionType.AES256_CTS_HMAC_SHA1_96)); + put("aes256-cts", EnumSet.of(EncryptionType.AES256_CTS_HMAC_SHA1_96)); + put("aes-256", EnumSet.of(EncryptionType.AES256_CTS_HMAC_SHA1_96)); + + // aes128-cts-hmac-sha1-96 aes128-cts AES-128: CTS mode with 96-bit SHA-1 HMAC + put("aes128-cts-hmac-sha1-96", EnumSet.of(EncryptionType.AES128_CTS_HMAC_SHA1_96)); + put("aes128-cts", EnumSet.of(EncryptionType.AES128_CTS_HMAC_SHA1_96)); + put("aes-128", EnumSet.of(EncryptionType.AES128_CTS_HMAC_SHA1_96)); + + // rc4 The RC4 family: arcfour-hmac + put("rc4", EnumSet.of(EncryptionType.RC4_HMAC)); + + // arcfour-hmac rc4-hmac arcfour-hmac-md5: RC4 with HMAC/MD5 + put("arcfour-hmac", EnumSet.of(EncryptionType.RC4_HMAC)); + put("rc4-hmac", EnumSet.of(EncryptionType.RC4_HMAC)); + put("arcfour-hmac-md5", EnumSet.of(EncryptionType.UNKNOWN)); + + // arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp: Exportable RC4 with HMAC/MD5 (weak) + put("arcfour-hmac-exp", EnumSet.of(EncryptionType.RC4_HMAC_EXP)); + put("rc4-hmac-exp", EnumSet.of(EncryptionType.RC4_HMAC_EXP)); + put("arcfour-hmac-md5-exp", EnumSet.of(EncryptionType.UNKNOWN)); + + // camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac + put("camellia", EnumSet.of(EncryptionType.UNKNOWN)); + + // camellia256-cts-cmac camellia256-cts: Camellia-256 CTS mode with CMAC + put("camellia256-cts-cmac", 
EnumSet.of(EncryptionType.UNKNOWN)); + put("camellia256-cts", EnumSet.of(EncryptionType.UNKNOWN)); + + // camellia128-cts-cmac camellia128-cts: Camellia-128 CTS mode with CMAC + put("camellia128-cts-cmac", EnumSet.of(EncryptionType.UNKNOWN)); + put("camellia128-cts", EnumSet.of(EncryptionType.UNKNOWN)); + + //des: The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) + put("des", EnumSet.of(EncryptionType.DES_CBC_CRC, EncryptionType.DES_CBC_MD5, EncryptionType.DES_CBC_MD4)); + + // des-cbc-md4: DES cbc mode with RSA-MD4 (weak) + put("des-cbc-md4", EnumSet.of(EncryptionType.DES_CBC_MD4)); + + // des-cbc-md5: DES cbc mode with RSA-MD5 (weak) + put("des-cbc-md5", EnumSet.of(EncryptionType.DES_CBC_MD5)); + + // des-cbc-crc: DES cbc mode with CRC-32 (weak) + put("des-cbc-crc", EnumSet.of(EncryptionType.DES_CBC_CRC)); + + // des-cbc-raw: DES cbc mode raw (weak) + put("des-cbc-raw", EnumSet.of(EncryptionType.UNKNOWN)); + + // des-hmac-sha1: DES with HMAC/sha1 (weak) + put("des-hmac-sha1", EnumSet.of(EncryptionType.UNKNOWN)); + + // des3: The triple DES family: des3-cbc-sha1 + put("des3", EnumSet.of(EncryptionType.DES3_CBC_SHA1_KD)); // Using DES3_CBC_SHA1_KD since DES3_CBC_SHA1 invalid key issues with KDC + + // des3-cbc-raw: Triple DES cbc mode raw (weak) + put("des3-cbc-raw", EnumSet.of(EncryptionType.UNKNOWN)); + + // des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd: Triple DES cbc mode with HMAC/sha1 + put("des3-cbc-sha1", EnumSet.of(EncryptionType.DES3_CBC_SHA1_KD)); // Using DES3_CBC_SHA1_KD since DES3_CBC_SHA1 invalid key issues with KDC + put("des3-hmac-sha1", EnumSet.of(EncryptionType.UNKNOWN)); + put("des3-cbc-sha1-kd", EnumSet.of(EncryptionType.DES3_CBC_SHA1_KD)); + + + } + } + ); + + /** * The default set of ciphers to use for creating keytab entries */ private static final Set<EncryptionType> DEFAULT_CIPHERS = Collections.unmodifiableSet( 
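Review bot: In ENCRYPTION_TYPE_TRANSLATION_MAP, three names that the map's own comments list as aliases are mapped to `EncryptionType.UNKNOWN` while their siblings get a real type: `arcfour-hmac-md5` (siblings map to RC4_HMAC), `arcfour-hmac-md5-exp` (RC4_HMAC_EXP) and `des3-hmac-sha1` (DES3_CBC_SHA1_KD). Because translateEncryptionTypes() adds whatever the map returns, UNKNOWN ends up in the set that the keytab hunk (-235,7) copies into `ciphers`; the key-generation code is outside this diff, so whether it skips or fails on UNKNOWN needs confirming. I would map the aliases like their siblings, e.g. `put("arcfour-hmac-md5", EnumSet.of(EncryptionType.RC4_HMAC));`, and give the unsupported names (camellia, des-cbc-raw, des3-cbc-raw) an empty set so that no unusable type reaches keytab creation. testTranslateEncryptionTypes currently asserts UNKNOWN in its first expected set and would need updating.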
@@ -77,6 +178,7 @@ public abstract class KerberosOperationHandler { private KerberosCredential administratorCredentials = null; private String defaultRealm = null; + private Set<EncryptionType> keyEncryptionTypes = new HashSet<EncryptionType>(DEFAULT_CIPHERS); private boolean open = false; /** @@ -235,7 +337,7 @@ public abstract class KerberosOperationHandler { throw new KerberosOperationException(String.format("Failed to create keytab file for %s, missing file path", principal)); } else { Keytab keytab; - Set<EncryptionType> ciphers = new HashSet<EncryptionType>(DEFAULT_CIPHERS); + Set<EncryptionType> ciphers = new HashSet<EncryptionType>(keyEncryptionTypes); List<KeytabEntry> keytabEntries = new ArrayList<KeytabEntry>(); if (keytabFile.exists() && keytabFile.canRead() && (keytabFile.length() > 0)) { @@ -322,6 +424,31 @@ public abstract class KerberosOperationHandler { } /** + * Gets the encryption algorithms used to encrypt keys in keytab entries + * + * @return a Set of EncryptionKey values indicating which algorithms are to be used when + * encrypting keys for keytab entries. + */ + public Set<EncryptionType> getKeyEncryptionTypes() { + return keyEncryptionTypes; + } + + /** + * Sets the encryption algorithms to use to encrypt keys in keytab entries + * <p/> + * If set to <code>null</code> the default set of ciphers will be used. See {@link #DEFAULT_CIPHERS} + * + * @param keyEncryptionTypes a Set of EncryptionKey values or null to indicate the default set + */ + public void setKeyEncryptionTypes(Set<EncryptionType> keyEncryptionTypes) { + this.keyEncryptionTypes = new HashSet<EncryptionType>( + (keyEncryptionTypes == null) + ? DEFAULT_CIPHERS + : keyEncryptionTypes + ); + } + + /** * Test this KerberosOperationHandler to see whether is was previously open or not * * @return a boolean value indicating whether this KerberosOperationHandler was open (true) or not (false) 
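Review bot: setKeyEncryptionTypes() falls back to DEFAULT_CIPHERS only for null, but both open() call sites pass the result of translateEncryptionTypes(), which is an empty set (never null) when encryption_types is missing, blank or made up only of unrecognised names. The handler is then left with no key encryption types, and the keytab hunk above (-235,7) copies that empty set into `ciphers`. Treat empty like null with `(keyEncryptionTypes == null || keyEncryptionTypes.isEmpty())`, or reject it with a KerberosOperationException so the misconfiguration is visible. getKeyEncryptionTypes() also hands out the internal mutable HashSet; `return Collections.unmodifiableSet(keyEncryptionTypes);` keeps callers from altering the handler's cipher list.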
@@ -432,7 +559,14 @@ public abstract class KerberosOperationHandler { } } - protected DeconstructedPrincipal deconstructPrincipal(String principal) throws KerberosOperationException { + /** + * Given a principal, attempt to create a new DeconstructedPrincipal + * + * @param principal a String containing the principal to deconstruct + * @return a DeconstructedPrincipal + * @throws KerberosOperationException + */ + protected DeconstructedPrincipal createDeconstructPrincipal(String principal) throws KerberosOperationException { try { return DeconstructedPrincipal.valueOf(principal, getDefaultRealm()); } catch (IllegalArgumentException e) { 
@@ -440,4 +574,43 @@ public abstract class KerberosOperationHandler { } } + /** + * Given a cipher (or algorithm) name, attempts to translate it into an EncryptionType value. + * <p/> + * If a translation is not able to be made, {@link org.apache.directory.shared.kerberos.codec.types.EncryptionType#UNKNOWN} + * is returned. + * + * @param name a String containing the name of the cipher to translate + * @return an EncryptionType + */ + protected Set<EncryptionType> translateEncryptionType(String name) { + Set<EncryptionType> encryptionTypes = null; + + if ((name != null) && !name.isEmpty()) { + encryptionTypes = ENCRYPTION_TYPE_TRANSLATION_MAP.get(name.toLowerCase()); + } + + return (encryptionTypes == null) ? Collections.<EncryptionType>emptySet() : encryptionTypes; + } + + /** + * Given a delimited set of encryption type names, attempts to translate into a set of EncryptionType + * values. + * + * @param names a String containing a delimited list of encryption type names + * @param delimiter a String declaring the delimiter to use to split names, if null, " " is used. + * @return a Set of EncryptionType values + */ + protected Set<EncryptionType> translateEncryptionTypes(String names, String delimiter) { + Set<EncryptionType> encryptionTypes = new HashSet<EncryptionType>(); + + if ((names != null) && !names.isEmpty()) { + for (String name : names.split((delimiter == null) ? "\\s+" : delimiter)) { + encryptionTypes.addAll(translateEncryptionType(name.trim())); + } + } + + return encryptionTypes; + } + } http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java ---------------------------------------------------------------------- 
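Review bot: The Javadoc on translateEncryptionType() says UNKNOWN is returned when no translation exists and declares `@return an EncryptionType`, but the method returns a Set and yields `Collections.emptySet()` for a null, empty or unmapped name. A misspelled entry in encryption_types is therefore dropped without trace, and the keys written can differ from what the administrator configured. Correct the Javadoc to `@return the matching EncryptionType values, or an empty set if the name is not recognised`, and log each rejected name in translateEncryptionTypes(). `name.toLowerCase()` is locale-sensitive; `toLowerCase(Locale.ROOT)` avoids a failed lookup for upper-case names containing `I` (e.g. CAMELLIA) under a Turkish default locale. The `delimiter` doc also states `" "` as the null default while the code uses `"\\s+"`.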
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java index b81fa59..152d29c 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java @@ -70,8 +70,14 @@ public class MITKerberosOperationHandler extends KerberosOperationHandler { public void open(KerberosCredential administratorCredentials, String realm, Map<String, String> kerberosConfiguration) throws KerberosOperationException { + setAdministratorCredentials(administratorCredentials); setDefaultRealm(realm); + + if (kerberosConfiguration != null) { + setKeyEncryptionTypes(translateEncryptionTypes(kerberosConfiguration.get(KERBEROS_ENV_ENCRYPTION_TYPES), "\\s+")); + } + setOpen(true); } http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml index f2c5d6f..15a39d9 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml @@ -34,7 +34,7 @@ <description> The URL to the Active Directory LDAP Interface </description> - <value></value> + <value/> </property> <property require-input="true"> 
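Review bot: When `kerberosConfiguration` is null, the new guard in MITKerberosOperationHandler.open() skips setKeyEncryptionTypes() entirely, so a handler instance that is closed and opened again would keep the encryption types from its previous configuration. Adding `else { setKeyEncryptionTypes(null); }` resets the handler to the documented default set on every open(). Whether handler instances are reused this way is not visible in the diff.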
@@ -42,7 +42,7 @@ <description> The distinguished name (DN) of the container used store service principals </description> - <value></value> + <value/> </property> <property require-input="true"> @@ -50,9 +50,7 @@ <description> The supported list of session key encryption types that should be returned by the KDC. </description> - <value> - aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 - </value> + <value>aes des3-cbc-sha1 rc4 des-cbc-md5</value> </property> <property require-input="true"> @@ -60,7 +58,7 @@ <description> The default realm to use when creating service principals </description> - <value></value> + <value/> </property> http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml index 99f2601..02d78b8 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml 
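Review bot: The new default `aes des3-cbc-sha1 rc4 des-cbc-md5` (hunk -50,9 +50,7, presumably the encryption_types property, whose name line is outside the hunk) now determines which keys are written into generated keytabs. It includes des-cbc-md5, which the comments in ENCRYPTION_TYPE_TRANSLATION_MAP mark as weak, and RC4, which RFC 8429 deprecates for Kerberos. The description still reads "session key encryption types that should be returned by the KDC", which no longer describes what the value controls. Consider defaulting to `aes` and letting sites that need legacy types for an older KDC or Active Directory add them explicitly, and reword the description to say the list drives keytab key generation.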
@@ -78,7 +78,23 @@ </description> <value>true</value> </property> - <property require-input="true"> + <property require-input="false"> + <name>libdefaults_default_tgs_enctypes</name> + <description> + A space-delimited list of session key encryption types supported by the KDC or Active + Directory + </description> + <value/> + </property> + <property require-input="false"> + <name>libdefaults_default_tkt_enctypes</name> + <description> + A space-delimited list of session key encryption types supported by the KDC or Active + Directory. + </description> + <value/> + </property> + <property require-input="false"> <name>domains</name> <description> A comma-separated list of domain names used to map server host names to the Realm name (e.g. .example.com,example.com). This is optional @@ -108,7 +124,6 @@ <value>true</value> </property> - <property> <name>conf_dir</name> <description>The krb5.conf configuration directory</description> @@ -125,6 +140,12 @@ ticket_lifetime = {{libdefaults_ticket_lifetime}} dns_lookup_realm = {{libdefaults_dns_lookup_realm}} dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}} + {% if libdefaults_default_tgs_enctypes %} + default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}} + {% endif %} + {% if libdefaults_default_tkt_enctypes %} + default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}} + {% endif %} {% if domains %} [domain_realm] http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py index d23da8e..3705cfe 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py 
+++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py @@ -102,12 +102,8 @@ if config is not None: libdefaults_ticket_lifetime = '24h' libdefaults_renew_lifetime = '7d' libdefaults_forwardable = 'true' - libdefaults_default_tgs_enctypes = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 ' \ - 'arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac ' \ - 'des-cbc-crc des-cbc-md5 des-cbc-md4' - libdefaults_default_tkt_enctypes = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 ' \ - 'arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac ' \ - 'des-cbc-crc des-cbc-md5 des-cbc-md4' + libdefaults_default_tgs_enctypes = None + libdefaults_default_tkt_enctypes = None realm = 'EXAMPLE.COM' domains = '' @@ -150,10 +146,10 @@ if config is not None: libdefaults_forwardable) libdefaults_default_tgs_enctypes = get_property_value(krb5_conf_data, 'libdefaults_default_tgs_enctypes', - encryption_types) + libdefaults_default_tgs_enctypes) libdefaults_default_tkt_enctypes = get_property_value(krb5_conf_data, 'libdefaults_default_tkt_enctypes', - encryption_types) + libdefaults_default_tkt_enctypes) realm = get_property_value(krb5_conf_data, 'realm', realm) domains = get_property_value(krb5_conf_data, 'domains', domains) kdc_host = get_property_value(krb5_conf_data, 'kdc_host', kdc_host) http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2 b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2 index db1015a..0d915ba 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2 
+++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2 @@ -22,6 +22,12 @@ ticket_lifetime = {{libdefaults_ticket_lifetime}} dns_lookup_realm = {{libdefaults_dns_lookup_realm}} dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}} + {% if libdefaults_default_tgs_enctypes %} + default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}} + {% endif %} + {% if libdefaults_default_tkt_enctypes %} + default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}} + {% endif %} {% if domains %} [domain_realm] http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml index 9d229f7..43050bd 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml @@ -54,7 +54,23 @@ <name>libdefaults_forwardable</name> <value>true</value> </property> - <property require-input="true"> + <property require-input="false"> + <name>libdefaults_default_tgs_enctypes</name> + <description> + A space-delimited list of session key encryption types supported by the KDC or Active + Directory + </description> + <value/> + </property> + <property require-input="false"> + <name>libdefaults_default_tkt_enctypes</name> + <description> + A space-delimited list of session key encryption types supported by the KDC or Active + Directory + </description> + <value/> + </property> + <property require-input="false"> <name>domains</name> <description> A comma-delimited list of domain names that the realm serves (optional) 
@@ -128,6 +144,12 @@ ticket_lifetime = {{libdefaults_ticket_lifetime}} dns_lookup_realm = {{libdefaults_dns_lookup_realm}} dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}} + {% if libdefaults_default_tgs_enctypes %} + default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}} + {% endif %} + {% if libdefaults_default_tkt_enctypes %} + default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}} + {% endif %} {% if domains %} [domain_realm] http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2 b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2 index db1015a..0d915ba 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2 +++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2 @@ -22,6 +22,12 @@ ticket_lifetime = {{libdefaults_ticket_lifetime}} dns_lookup_realm = {{libdefaults_dns_lookup_realm}} dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}} + {% if libdefaults_default_tgs_enctypes %} + default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}} + {% endif %} + {% if libdefaults_default_tkt_enctypes %} + default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}} + {% endif %} {% if domains %} [domain_realm] http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java index 4e0d8b0..e5d7505 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java @@ -45,7 +45,7 @@ import java.util.Properties; import static org.easymock.EasyMock.*; -public class ADKerberosOperationHandlerTest extends EasyMockSupport { +public class ADKerberosOperationHandlerTest extends KerberosOperationHandlerTest { private static final String DEFAULT_ADMIN_PRINCIPAL = "cluser_admin@HDP01.LOCAL"; private static final String DEFAULT_ADMIN_PASSWORD = "Hadoop12345"; private static final String DEFAULT_LDAP_URL = "ldaps://10.0.100.4"; http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java index 2f205b2..8dab409 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java 
@@ -22,6 +22,8 @@ import junit.framework.Assert; import org.apache.commons.codec.binary.Base64; import org.apache.directory.server.kerberos.shared.keytab.Keytab; import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry; +import org.apache.directory.shared.kerberos.codec.types.EncryptionType; +import org.easymock.EasyMockSupport; import org.junit.Rule; import org.junit.Test; import org.junit.rules.TemporaryFolder; @@ -33,7 +35,7 @@ import java.util.List; import java.util.Map; import java.util.Set; -public abstract class KerberosOperationHandlerTest { +public abstract class KerberosOperationHandlerTest extends EasyMockSupport { @Rule public TemporaryFolder folder = new TemporaryFolder(); 
@@ -201,6 +203,47 @@ public abstract class KerberosOperationHandlerTest { } } + @Test + public void testTranslateEncryptionTypes() throws Exception { + KerberosOperationHandler handler = createHandler(); + + Assert.assertEquals( + new HashSet<EncryptionType>() {{ + add(EncryptionType.AES256_CTS_HMAC_SHA1_96); + add(EncryptionType.AES128_CTS_HMAC_SHA1_96); + add(EncryptionType.DES3_CBC_SHA1_KD); + add(EncryptionType.DES_CBC_MD5); + add(EncryptionType.DES_CBC_MD4); + add(EncryptionType.DES_CBC_CRC); + add(EncryptionType.UNKNOWN); + }}, + handler.translateEncryptionTypes("aes256-cts-hmac-sha1-96\n aes128-cts-hmac-sha1-96\tdes3-cbc-sha1 arcfour-hmac-md5 " + + "camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4", "\\s+") + ); + + Assert.assertEquals( + new HashSet<EncryptionType>() {{ + add(EncryptionType.AES256_CTS_HMAC_SHA1_96); + add(EncryptionType.AES128_CTS_HMAC_SHA1_96); + }}, + handler.translateEncryptionTypes("aes", " ") + ); + + Assert.assertEquals( + new HashSet<EncryptionType>() {{ + add(EncryptionType.AES256_CTS_HMAC_SHA1_96); + }}, + handler.translateEncryptionTypes("aes-256", " ") + ); + + Assert.assertEquals( + new HashSet<EncryptionType>() {{ + add(EncryptionType.DES3_CBC_SHA1_KD); + }}, + handler.translateEncryptionTypes("des3", " ") + ); + } + private KerberosOperationHandler createHandler() throws KerberosOperationException { KerberosOperationHandler handler = new KerberosOperationHandler() { http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java index 41d98b4..12b5f34 100644 
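Review bot: testTranslateEncryptionTypes() exercises only recognised names, so the behaviour for null, empty and misspelled input is unpinned, and that is the input that decides whether a handler ends up with no key encryption types. Add cases such as `Assert.assertTrue(handler.translateEncryptionTypes(null, "\\s+").isEmpty());` and one with an unrecognised name mixed into a valid list. A case passing a null delimiter would also pin the `"\\s+"` fallback.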
--- a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java @@ -25,21 +25,30 @@ import org.easymock.IAnswer; import org.junit.Ignore; import org.junit.Test; +import java.util.HashMap; +import java.util.Map; + import static org.easymock.EasyMock.anyObject; import static org.easymock.EasyMock.expect; import static org.easymock.EasyMock.replay; -public class MITKerberosOperationHandlerTest extends EasyMockSupport { +public class MITKerberosOperationHandlerTest extends KerberosOperationHandlerTest { private static final String DEFAULT_ADMIN_PRINCIPAL = "admin/admin"; private static final String DEFAULT_ADMIN_PASSWORD = "hadoop"; private static final String DEFAULT_REALM = "EXAMPLE.COM"; + private static final Map<String, String> KERBEROS_ENV_MAP = new HashMap<String, String>() { + { + put(MITKerberosOperationHandler.KERBEROS_ENV_ENCRYPTION_TYPES, null); + } + }; + @Test public void testSetPrincipalPasswordExceptions() throws Exception { MITKerberosOperationHandler handler = new MITKerberosOperationHandler(); - handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null); + handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP); try { handler.setPrincipalPassword(DEFAULT_ADMIN_PRINCIPAL, null); 
@@ -75,7 +84,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 @Test
 public void testCreateServicePrincipalExceptions() throws Exception {
 MITKerberosOperationHandler handler = new MITKerberosOperationHandler();
- handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+ handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 try {
 handler.createPrincipal(DEFAULT_ADMIN_PRINCIPAL, null, false);
@@ -134,7 +143,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 replayAll();
- handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+ handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 handler.testAdministratorCredentials();
 handler.close();
 }
@@ -167,7 +176,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 replayAll();
- handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+ handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 handler.testAdministratorCredentials();
 handler.close();
 }
@@ -200,7 +209,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 replayAll();
- handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+ handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 handler.testAdministratorCredentials();
 handler.close();
 }
@@ -233,7 +242,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 replayAll();
- handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+ handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 handler.testAdministratorCredentials();
 handler.close();
 }
@@ -266,7 +275,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 replayAll();
- handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+ handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 handler.testAdministratorCredentials();
 handler.close();
 }
@@ -299,7 +308,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 replayAll();
- handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+ handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 handler.testAdministratorCredentials();
 handler.close();
 }
@@ -332,7 +341,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 replayAll();
- handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+ handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 Assert.assertFalse(handler.testAdministratorCredentials());
 handler.close();
 }
@@ -385,7 +394,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 replayAll();
- handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+ handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 handler.testAdministratorCredentials();
 handler.close();
 }
@@ -412,7 +421,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 KerberosCredential credentials = new KerberosCredential(principal, password, null);
- handler.open(credentials, realm, null);
+ handler.open(credentials, realm, KERBEROS_ENV_MAP);
 handler.testAdministratorCredentials();
 handler.close();
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json b/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json
index 314f2b2..b4e3c59 100644
--- a/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json
+++ b/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json
@@ -1004,15 +1004,15 @@ "conf_dir": "/etc", "libdefaults_dns_lookup_kdc": "false", "logging_admin_server": "FILE:/var/log/kadmind.log", - "libdefaults_default_tgs_enctypes": "\n aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5\n camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4\n ", - "content": "\n[libdefaults]\n renew_lifetime = {{libdefaults_renew_lifetime}}\n forwardable = {{libdefaults_forwardable}}\n realm = {{realm|upper()}}\n ticket_lifetime = {{libdefaults_ticket_lifetime}}\n dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n default = {{logging_default}}\n{#\n# The following options are unused unless a managed KDC is installed\n admin_server = {{logging_admin_server}}\n kdc = {{logging_admin_kdc}}\n#}\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n ", + "libdefaults_default_tgs_enctypes": "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4", + "content": "\n[libdefaults]\n renew_lifetime = {{libdefaults_renew_lifetime}}\n forwardable = {{libdefaults_forwardable}}\n default_realm = {{realm|upper()}}\n ticket_lifetime = {{libdefaults_ticket_lifetime}}\n dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n default = {{logging_default}}\n{#\n# The following options are unused unless a managed KDC is installed\n admin_server = {{logging_admin_server}}\n kdc = 
{{logging_admin_kdc}}\n#}\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n ", "libdefaults_ticket_lifetime": "24h", "logging_kdc": "FILE:/var/log/krb5kdc.log", "domains": "", "logging_default": "FILE:/var/log/krb5libs.log", "libdefaults_dns_lookup_realm": "false", "libdefaults_renew_lifetime": "7d", - "libdefaults_default_tkt_enctypes": "\n aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5\n camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4\n " + "libdefaults_default_tkt_enctypes": "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4" }, "yarn-log4j": { "content": "\n#Relative to Yarn Log Dir Prefix\nyarn.log.dir=.\n#\n# Job Summary Appender\n#\n# Use following logger to send summary to separate file defined by\n# hadoop.mapreduce.jobsummary.log.file rolled daily:\n# hadoop.mapreduce.jobsummary.logger=INFO,JSA\n#\nhadoop.mapreduce.jobsummary.logger=${hadoop.root.logger}\nhadoop.mapreduce.jobsummary.log.file=hadoop-mapreduce.jobsummary.log\nlog4j.appender.JSA=org.apache.log4j.DailyRollingFileAppender\n# Set the ResourceManager summary log filename\nyarn.server.resourcemanager.appsummary.log.file=hadoop-mapreduce.jobsummary.log\n# Set the ResourceManager summary log level and appender\nyarn.server.resourcemanager.appsummary.logger=${hadoop.root.logger}\n#yarn.server.resourcemanager.appsummary.logger=INFO,RMSUMMARY\n\n# To enable AppSummaryLogging for the RM,\n# set yarn.server.resourcemanager.appsummary.logger to\n# LEVEL,RMSUMMARY in hadoop-env.sh\n\n# Appender for ResourceManager Application Summary Log\n# Requires the following properties to be set\n# - hadoop.log.dir (Hadoop Log directory)\n# - yarn.server.resourcemanager.appsummary.log.file (resource manager app summary log 
filename)\n# - yarn.server.resourcemanager.appsummary.logger (resource manager app summary log level and appender)\nlog4j.appender.RMSUMMARY=org.apache.log4j.RollingFileAppender\nlog4j.appender.RMSUMMARY.File=${yarn.log.dir}/${yarn.server.resourcemanager.appsummary.log.file}\nlog4j.appender.RMSUMMARY.MaxFileSize=256MB\nlog4j.appender.RMSUMMARY.MaxBackupIndex=20\nlog4j.appender.RMSUMMARY.layout=org.apache.log4j.PatternLayout\nlog4j.appender.RMSUMMARY.layout.ConversionPattern=%d{ISO8601} %p %c{2}: %m%n\nlog4j.appender.JSA.layout=org.apache.log4j.PatternLayout\nlog4j.appender.JSA.layout.ConversionPattern=%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n\nlog4j.appender.JSA.DatePattern=.yyyy-MM-dd\nlog4j.appender.JSA.layout=org.apache.log4j.PatternLayout\nlog4j.logger.org.apache.hadoop.yarn.server.resourcemanager.RMAppManager$Applic ationSummary=${yarn.server.resourcemanager.appsummary.logger}\nlog4j.additivity.org.apache.hadoop.yarn.server.resourcemanager.RMAppManager$ApplicationSummary=false" @@ -1246,7 +1246,7 @@ "slave_hosts": [ "c6406.ambari.apache.org" ], - "metrics_monitor_hosts": [ + "metric_monitor_hosts": [ "c6408.ambari.apache.org", "c6407.ambari.apache.org", "c6406.ambari.apache.org", @@ -1264,7 +1264,7 @@ "webhcat_server_host": [ "c6407.ambari.apache.org" ], - "metrics_collector_hosts": [ + "metric_collector_hosts": [ "c6408.ambari.apache.org" ], "ambari_server_host": [ http://git-wip-us.apache.org/repos/asf/ambari/blob/53dbf69f/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json b/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json index 6b3439a..96d31b0 100644 --- a/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json +++ b/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json 
@@ -1004,15 +1004,15 @@ "conf_dir": "/etc", "libdefaults_dns_lookup_kdc": "false", "logging_admin_server": "FILE:/var/log/kadmind.log", - "libdefaults_default_tgs_enctypes": "\n aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5\n camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4\n ", - "content": "\n[libdefaults]\n renew_lifetime = {{libdefaults_renew_lifetime}}\n forwardable = {{libdefaults_forwardable}}\n realm = {{realm|upper()}}\n ticket_lifetime = {{libdefaults_ticket_lifetime}}\n dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n default = {{logging_default}}\n{#\n# The following options are unused unless a managed KDC is installed\n admin_server = {{logging_admin_server}}\n kdc = {{logging_admin_kdc}}\n#}\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n ", + "libdefaults_default_tgs_enctypes": "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4", + "content": "\n[libdefaults]\n renew_lifetime = {{libdefaults_renew_lifetime}}\n forwardable = {{libdefaults_forwardable}}\n default_realm = {{realm|upper()}}\n ticket_lifetime = {{libdefaults_ticket_lifetime}}\n dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n default = {{logging_default}}\n{#\n# The following options are unused unless a managed KDC is installed\n admin_server = {{logging_admin_server}}\n kdc = 
{{logging_admin_kdc}}\n#}\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n ", "libdefaults_ticket_lifetime": "24h", "logging_kdc": "FILE:/var/log/krb5kdc.log", "domains": "", "logging_default": "FILE:/var/log/krb5libs.log", "libdefaults_dns_lookup_realm": "false", "libdefaults_renew_lifetime": "7d", - "libdefaults_default_tkt_enctypes": "\n aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5\n camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4\n " + "libdefaults_default_tkt_enctypes": "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4" }, "yarn-log4j": { "content": "\n#Relative to Yarn Log Dir Prefix\nyarn.log.dir=.\n#\n# Job Summary Appender\n#\n# Use following logger to send summary to separate file defined by\n# hadoop.mapreduce.jobsummary.log.file rolled daily:\n# hadoop.mapreduce.jobsummary.logger=INFO,JSA\n#\nhadoop.mapreduce.jobsummary.logger=${hadoop.root.logger}\nhadoop.mapreduce.jobsummary.log.file=hadoop-mapreduce.jobsummary.log\nlog4j.appender.JSA=org.apache.log4j.DailyRollingFileAppender\n# Set the ResourceManager summary log filename\nyarn.server.resourcemanager.appsummary.log.file=hadoop-mapreduce.jobsummary.log\n# Set the ResourceManager summary log level and appender\nyarn.server.resourcemanager.appsummary.logger=${hadoop.root.logger}\n#yarn.server.resourcemanager.appsummary.logger=INFO,RMSUMMARY\n\n# To enable AppSummaryLogging for the RM,\n# set yarn.server.resourcemanager.appsummary.logger to\n# LEVEL,RMSUMMARY in hadoop-env.sh\n\n# Appender for ResourceManager Application Summary Log\n# Requires the following properties to be set\n# - hadoop.log.dir (Hadoop Log directory)\n# - yarn.server.resourcemanager.appsummary.log.file (resource manager app summary log 
filename)\n# - yarn.server.resourcemanager.appsummary.logger (resource manager app summary log level and appender)\nlog4j.appender.RMSUMMARY=org.apache.log4j.RollingFileAppender\nlog4j.appender.RMSUMMARY.File=${yarn.log.dir}/${yarn.server.resourcemanager.appsummary.log.file}\nlog4j.appender.RMSUMMARY.MaxFileSize=256MB\nlog4j.appender.RMSUMMARY.MaxBackupIndex=20\nlog4j.appender.RMSUMMARY.layout=org.apache.log4j.PatternLayout\nlog4j.appender.RMSUMMARY.layout.ConversionPattern=%d{ISO8601} %p %c{2}: %m%n\nlog4j.appender.JSA.layout=org.apache.log4j.PatternLayout\nlog4j.appender.JSA.layout.ConversionPattern=%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n\nlog4j.appender.JSA.DatePattern=.yyyy-MM-dd\nlog4j.appender.JSA.layout=org.apache.log4j.PatternLayout\nlog4j.logger.org.apache.hadoop.yarn.server.resourcemanager.RMAppManager$Applic ationSummary=${yarn.server.resourcemanager.appsummary.logger}\nlog4j.additivity.org.apache.hadoop.yarn.server.resourcemanager.RMAppManager$ApplicationSummary=false" @@ -1246,7 +1246,7 @@ "slave_hosts": [ "c6406.ambari.apache.org" ], - "metrics_monitor_hosts": [ + "metric_monitor_hosts": [ "c6408.ambari.apache.org", "c6407.ambari.apache.org", "c6406.ambari.apache.org", @@ -1264,7 +1264,7 @@ "webhcat_server_host": [ "c6407.ambari.apache.org" ], - "metrics_collector_hosts": [ + "metric_collector_hosts": [ "c6408.ambari.apache.org" ], "ambari_server_host": [