Repository: ambari Updated Branches: refs/heads/trunk 87ddb4792 -> 94205c744
AMBARI-9578. Kerberos: provide option to not generate kerb client krb5.conf (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/94205c74 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/94205c74 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/94205c74 Branch: refs/heads/trunk Commit: 94205c744402e90e44eb8d4d67cb801ce1f7d7fc Parents: 87ddb47 Author: Robert Levas <rle...@hortonworks.com> Authored: Thu Feb 12 15:54:00 2015 -0500 Committer: Robert Levas <rle...@hortonworks.com> Committed: Thu Feb 12 15:54:11 2015 -0500 ---------------------------------------------------------------------- .../server/controller/KerberosHelper.java | 4 +-- .../1.10.3-10/configuration/kerberos-env.xml | 19 ++++++++++ .../1.10.3-10/configuration/krb5-conf.xml | 38 +++++--------------- .../package/scripts/kerberos_client.py | 3 +- .../1.10.3-10/package/scripts/params.py | 18 ++++++++-- .../1.10.3-10/package/templates/kdc_conf.j2 | 2 +- .../resources/stacks/HDP/2.0.6/kerberos.json | 2 +- .../KERBEROS/configuration/kadm5-acl.xml | 2 +- .../KERBEROS/configuration/kdc-conf.xml | 4 +-- .../KERBEROS/configuration/krb5-conf.xml | 37 ++++--------------- .../KERBEROS/package/scripts/kerberos_client.py | 3 +- .../services/KERBEROS/package/scripts/params.py | 17 +++++++-- .../KERBEROS/package/templates/kdc_conf.j2 | 2 +- .../server/controller/KerberosHelperTest.java | 19 +++++----- .../stacks/2.2/KERBEROS/test_kerberos_client.py | 14 ++++++++ .../python/stacks/2.2/KERBEROS/use_cases.py | 37 ++++++++++++------- .../journalnode-upgrade-hdfs-secure.json | 2 +- .../stacks/2.2/configs/journalnode-upgrade.json | 2 +- ambari-web/app/data/HDP2/site_properties.js | 10 +++++- 19 files changed, 138 insertions(+), 97 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java index ba6beba..2e68c7d 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java @@ -708,7 +708,7 @@ public class KerberosHelper { throw new AmbariException(message); } - KDCType kdcType = null; + KDCType kdcType; String kdcTypeProperty = kerberosEnvProperties.get("kdc_type"); if(kdcTypeProperty == null) { String message = "The 'kerberos-env/kdc_type' value must be set to a valid KDC type"; @@ -725,7 +725,7 @@ public class KerberosHelper { } kerberosDetails.setSecurityType(cluster.getSecurityType()); - kerberosDetails.setDefaultRealm(krb5ConfProperties.get("realm")); + kerberosDetails.setDefaultRealm(kerberosEnvProperties.get("realm")); // Set the KDCType to the the MIT_KDC as a fallback. kerberosDetails.setKdcType((kdcType == null) ? KDCType.MIT_KDC : kdcType); http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml index 74b6f71..f2c5d6f 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml 
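Review bot: In the second KerberosHelper.java hunk (`@@ -725,7 +725,7 @@`), the result of `kerberosEnvProperties.get("realm")` goes straight into `setDefaultRealm` with no null or empty check, whereas a missing `kdc_type` a few lines above is rejected with an AmbariException. A cluster whose realm was only ever stored under `krb5-conf` would, as far as this hunk shows, continue with a null default realm and fail later, away from the cause. I would mirror the kdc_type guard: `String realm = kerberosEnvProperties.get("realm");` followed by `if (realm == null || realm.trim().isEmpty()) { throw new AmbariException("The 'kerberos-env/realm' value must be set"); }`. The enclosing method starts and ends outside the hunk.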
@@ -46,6 +46,25 @@ </property> <property require-input="true"> + <name>encryption_types</name> + <description> + The supported list of session key encryption types that should be returned by the KDC. + </description> + <value> + aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 + </value> + </property> + + <property require-input="true"> + <name>realm</name> + <description> + The default realm to use when creating service principals + </description> + <value></value> + </property> + + + <property require-input="true"> <name>create_attributes_template</name> <description> A Velocity template to use to generate a JSON-formatted document containing the set of http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml index 3a2c81f..99f2601 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml 
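Review bot: The default `<value>` of the new `encryption_types` property in kerberos-env.xml still lists `des-cbc-crc`, `des-cbc-md5`, `des-cbc-md4` and `arcfour-hmac-md5`. After this commit that one value is rendered as `supported_enctypes` in kdc_conf.j2 and is the fallback for both `libdefaults_default_*_enctypes` in params.py. Single-DES and RC4 are deprecated for Kerberos (RFC 6649, RFC 8429), so this shared default is the natural place to drop them, for example `aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96` plus the camellia types if they are needed. The description still says "returned by the KDC" although the value now also drives what clients request; `The encryption types allowed for tickets and keys, applied to both the KDC and the client configuration` would match the new use.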
@@ -78,38 +78,10 @@ </description> <value>true</value> </property> - <property> - <name>libdefaults_default_tgs_enctypes</name> - <description> - The supported list of session key encryption types that should be returned by the KDC. - </description> - <value> - aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 - camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 - </value> - </property> - <property> - <name>libdefaults_default_tkt_enctypes</name> - <description> - The supported list of session key encryption types that should be requested by the client. - </description> - <value> - aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 - camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 - </value> - </property> - - <property require-input="true"> - <name>realm</name> - <description> - The realm to use when creating Service and Ambari principals from the realms section of your /etc/krb5.conf (e.g. EXAMPLE.COM). - </description> - <value/> - </property> <property require-input="true"> <name>domains</name> <description> - A comma-seperated list of domain names used to map server hostnames to the Realm name (e.g. .example.com,example.com). This is optional + A comma-separated list of domain names used to map server host names to the Realm name (e.g. .example.com,example.com). This is optional </description> <value/> </property> @@ -128,6 +100,14 @@ <value/> </property> + <property> + <name>manage_krb5_conf</name> + <description> + Indicates whether your krb5.conf file should be managed by the wizard or should you manage it yourself + </description> + <value>true</value> + </property> + <property> <name>conf_dir</name> http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py index 2c3505c..717b96d 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py @@ -29,7 +29,8 @@ class KerberosClient(KerberosScript): def configure(self, env): import params env.set_params(params) - self.write_krb5_conf() + if params.manage_krb5_conf: + self.write_krb5_conf() def status(self, env): raise ClientComponentHasNoStatus() http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py index 83dd016..d23da8e 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py @@ -108,6 +108,7 @@ if config is not None: libdefaults_default_tkt_enctypes = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 ' \ 'arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac ' \ 'des-cbc-crc des-cbc-md5 des-cbc-md4' + realm = 'EXAMPLE.COM' domains = '' kdc_host = 'localhost' 
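Review bot: `if params.manage_krb5_conf:` in kerberos_client.py is a plain truthiness test, but params.py defaults the value to the string `"true"` and the new fixture supplies the string `"false"`. A non-empty Python string is truthy, so the guard only works if the configuration accessor converts `"false"` to a boolean somewhere outside this diff. If that conversion is relied on, say so in a comment above the check; otherwise normalise explicitly, e.g. `if str(params.manage_krb5_conf).lower() == 'true':`. Nothing is logged when the write is skipped, so a log line stating that krb5.conf is administrator-managed would help when a host's krb5.conf disagrees with kerberos-env. The GlusterFS copy of kerberos_client.py carries the same check.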
@@ -119,11 +120,18 @@ if config is not None: test_password = None test_keytab = None test_keytab_file = None - + encryption_types = None + manage_krb5_conf = "true" krb5_conf_template = None krb5_conf_data = get_property_value(configurations, 'krb5-conf') + kerberos_env = get_property_value(configurations, "kerberos-env") + + if kerberos_env is not None: + encryption_types = get_property_value(kerberos_env, "encryption_types", None, True, None) + realm = get_property_value(kerberos_env, "realm", None, True, None) + if krb5_conf_data is not None: logging_default = get_property_value(krb5_conf_data, 'logging_default', logging_default) logging_kdc = get_property_value(krb5_conf_data, 'logging_kdc', logging_kdc) @@ -142,10 +150,10 @@ if config is not None: libdefaults_forwardable) libdefaults_default_tgs_enctypes = get_property_value(krb5_conf_data, 'libdefaults_default_tgs_enctypes', - libdefaults_default_tgs_enctypes) + encryption_types) libdefaults_default_tkt_enctypes = get_property_value(krb5_conf_data, 'libdefaults_default_tkt_enctypes', - libdefaults_default_tkt_enctypes) + encryption_types) realm = get_property_value(krb5_conf_data, 'realm', realm) domains = get_property_value(krb5_conf_data, 'domains', domains) kdc_host = get_property_value(krb5_conf_data, 'kdc_host', kdc_host) 
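Review bot: In the params.py hunk at `@@ -119,11 +120,18 @@`, `encryption_types` starts as `None` and is filled only when `kerberos-env` is present, and the following hunk passes it as the fallback for `libdefaults_default_tgs_enctypes` and `libdefaults_default_tkt_enctypes` in place of the hard-coded lists. Without `kerberos-env/encryption_types` the templates (including `supported_enctypes = {{encryption_types}}` in kdc_conf.j2) would presumably render an empty or `None` value. Initialising with `encryption_types = libdefaults_default_tgs_enctypes` instead of `None` keeps the previous fallback. Separately, the unchanged line `realm = get_property_value(krb5_conf_data, 'realm', realm)` still lets a leftover `krb5-conf/realm` override the `kerberos-env/realm` that KerberosHelper.java now reads, so the rendered client krb5.conf and the server could disagree on the realm. The GlusterFS params.py shows both patterns.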
@@ -169,6 +177,10 @@ if config is not None: krb5_conf_file = get_property_value(krb5_conf_data, 'conf_file', krb5_conf_file) krb5_conf_path = krb5_conf_dir + '/' + krb5_conf_file + manage_krb5_conf = get_property_value(krb5_conf_data, 'manage_krb5_conf', + "true") + + # ################################################################################################ # Get kdc.conf template data # ################################################################################################ http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/kdc_conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/kdc_conf.j2 b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/kdc_conf.j2 index c067bae..f78adc7 100644 --- a/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/kdc_conf.j2 +++ b/ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/kdc_conf.j2 @@ -24,7 +24,7 @@ acl_file = {{kadm5_acl_path}} dict_file = /usr/share/dict/words admin_keytab = {{kadm5_acl_dir}}/kadm5.keytab - supported_enctypes = {{libdefaults_default_tgs_enctypes}} + supported_enctypes = {{encryption_types}} } {# Append additional realm declarations should be placed below #} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json index 46aff38..271fffd 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json 
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json @@ -1,6 +1,6 @@ { "properties": { - "realm": "${krb5-conf/realm}", + "realm": "${kerberos-env/realm}", "keytab_dir": "/etc/security/keytabs" }, "identities": [ http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kadm5-acl.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kadm5-acl.xml b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kadm5-acl.xml index 293bcbf..31aa72c 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kadm5-acl.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kadm5-acl.xml @@ -33,4 +33,4 @@ {# Append additional realm declarations below #} </value> </property> -</configuration> \ No newline at end of file +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kdc-conf.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kdc-conf.xml b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kdc-conf.xml index ac41317..9b0199e 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kdc-conf.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kdc-conf.xml 
@@ -48,10 +48,10 @@ acl_file = {{kadm5_acl_path}} dict_file = /usr/share/dict/words admin_keytab = {{kadm5_acl_dir}}/kadm5.keytab - supported_enctypes = {{libdefaults_default_tgs_enctypes}} + supported_enctypes = {{encryption_types}} } {# Append additional realm declarations below #} </value> </property> -</configuration> \ No newline at end of file +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml index 44bb209..9d229f7 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml 
@@ -54,36 +54,6 @@ <name>libdefaults_forwardable</name> <value>true</value> </property> - <property> - <name>libdefaults_default_tgs_enctypes</name> - <description> - a space-delimited list of session key encryption types supported by the KDC or Active - Directory - </description> - <value> - aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 - camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 - </value> - </property> - <property> - <name>libdefaults_default_tkt_enctypes</name> - <description> - a space-delimited list of session key encryption types supported by the KDC or Active - Directory - </description> - <value> - aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 - camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 - </value> - </property> - - <property require-input="true"> - <name>realm</name> - <description> - The realm to use when creating service principals - </description> - <value/> - </property> <property require-input="true"> <name>domains</name> <description> @@ -134,6 +104,13 @@ </value> </property> + <property> + <name>manage_krb5_conf</name> + <description> + Indicates weather the Kerberos client krb5.conf file should be managed by Ambari or you will manage manually + </description> + <value>true</value> + </property> <property> <name>conf_dir</name> http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/kerberos_client.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/kerberos_client.py b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/kerberos_client.py index a341e8d..06d8eb6 100644 
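Review bot: The `manage_krb5_conf` description added to the GlusterFS krb5-conf.xml reads "Indicates weather ... or you will manage manually"; `weather` should be `whether`, and the common-services copy words the same property differently. I would use one text in both files, such as `Indicates whether the Kerberos client krb5.conf file is managed by Ambari (true) or by the administrator (false)`. It is also worth stating that with `false` the administrator must keep the realm, KDC host and encryption types in krb5.conf consistent with kerberos-env, since Ambari will no longer write them.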
--- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/kerberos_client.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/kerberos_client.py @@ -28,7 +28,8 @@ class KerberosClient(KerberosScript): def configure(self, env): import params env.set_params(params) - self.write_krb5_conf() + if params.manage_krb5_conf: + self.write_krb5_conf() def status(self, env): raise ClientComponentHasNoStatus() http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py index cff6250..31e4134 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py @@ -116,8 +116,18 @@ if config is not None: krb5_conf_template = None + encryption_types = None + manage_krb5_conf = "true" + krb5_conf_template = None + krb5_conf_data = get_property_value(configurations, 'krb5-conf') + kerberos_env = get_property_value(configurations, "kerberos-env") + + if kerberos_env is not None: + encryption_types = get_property_value(kerberos_env, "encryption_types", None) + realm = get_property_value(kerberos_env, "realm", None) + if krb5_conf_data is not None: logging_default = get_property_value(krb5_conf_data, 'logging_default', logging_default) logging_kdc = get_property_value(krb5_conf_data, 'logging_kdc', logging_kdc) 
@@ -136,10 +146,10 @@ if config is not None: libdefaults_forwardable) libdefaults_default_tgs_enctypes = get_property_value(krb5_conf_data, 'libdefaults_default_tgs_enctypes', - libdefaults_default_tgs_enctypes) + encryption_types) libdefaults_default_tkt_enctypes = get_property_value(krb5_conf_data, 'libdefaults_default_tkt_enctypes', - libdefaults_default_tkt_enctypes) + encryption_types) realm = get_property_value(krb5_conf_data, 'realm', realm) domains = get_property_value(krb5_conf_data, 'domains', domains) kdc_host = get_property_value(krb5_conf_data, 'kdc_host', kdc_host) @@ -173,6 +183,9 @@ if config is not None: krb5_conf_file = get_property_value(krb5_conf_data, 'conf_file', krb5_conf_file) krb5_conf_path = krb5_conf_dir + '/' + krb5_conf_file + manage_krb5_conf = get_property_value(krb5_conf_data, 'manage_krb5_conf', + "true") + # ################################################################################################ # Get kdc.conf template data # ################################################################################################ http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/kdc_conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/kdc_conf.j2 b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/kdc_conf.j2 index c067bae..f78adc7 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/kdc_conf.j2 +++ b/ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/kdc_conf.j2 
@@ -24,7 +24,7 @@ acl_file = {{kadm5_acl_path}} dict_file = /usr/share/dict/words admin_keytab = {{kadm5_acl_dir}}/kadm5.keytab - supported_enctypes = {{libdefaults_default_tgs_enctypes}} + supported_enctypes = {{encryption_types}} } {# Append additional realm declarations should be placed below #} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java index fd36d9d..136615e 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java @@ -216,10 +216,12 @@ public class KerberosHelperTest extends EasyMockSupport { public void testMissingKerberosEnvConf() throws Exception { KerberosHelper kerberosHelper = injector.getInstance(KerberosHelper.class); + final Map<String, String> kerberosEnvProperties = createNiceMock(Map.class); + expect(kerberosEnvProperties.get("realm")).andReturn("EXAMPLE.COM").once(); + final Map<String, String> krb5ConfProperties = createNiceMock(Map.class); expect(krb5ConfProperties.get("kdc_host")).andReturn("10.0.100.1").once(); expect(krb5ConfProperties.get("kadmin_host")).andReturn("10.0.100.1").once(); - expect(krb5ConfProperties.get("realm")).andReturn("EXAMPLE.COM").once(); final Config krb5ConfConfig = createNiceMock(Config.class); expect(krb5ConfConfig.getProperties()).andReturn(krb5ConfProperties).once(); 
@@ -384,19 +386,20 @@ public class KerberosHelperTest extends EasyMockSupport { service2.setSecurityState(SecurityState.SECURED_KERBEROS); expectLastCall().once(); - final Map<String, String> kerberosEnvProperties = createNiceMock(Map.class); + final Map<String, String> kerberosEnvProperties = createMock(Map.class); expect(kerberosEnvProperties.get("kdc_type")).andReturn("mit-kdc").once(); + expect(kerberosEnvProperties.get("realm")).andReturn("FOOBAR.COM").once(); final Config kerberosEnvConfig = createNiceMock(Config.class); expect(kerberosEnvConfig.getProperties()).andReturn(kerberosEnvProperties).once(); - final Map<String, String> krb5ConfProperties = createNiceMock(Map.class); - expect(krb5ConfProperties.get("realm")).andReturn("FOOBAR.COM").once(); + final Map<String, String> krb5ConfProperties = createMock(Map.class); final Config krb5ConfConfig = createNiceMock(Config.class); expect(krb5ConfConfig.getProperties()).andReturn(krb5ConfProperties).once(); - final Cluster cluster = createNiceMock(Cluster.class); + final Cluster cluster = createMock(Cluster.class); + expect(cluster.getClusterId()).andReturn(1L).anyTimes(); expect(cluster.getSecurityType()).andReturn(SecurityType.KERBEROS).once(); expect(cluster.getDesiredConfigByType("krb5-conf")).andReturn(krb5ConfConfig).once(); expect(cluster.getDesiredConfigByType("kerberos-env")).andReturn(kerberosEnvConfig).once(); 
@@ -634,12 +637,12 @@ public class KerberosHelperTest extends EasyMockSupport { final Map<String, String> kerberosEnvProperties = createNiceMock(Map.class); expect(kerberosEnvProperties.get("kdc_type")).andReturn("mit-kdc").once(); + expect(kerberosEnvProperties.get("realm")).andReturn("FOOBAR.COM").once(); final Config kerberosEnvConfig = createNiceMock(Config.class); expect(kerberosEnvConfig.getProperties()).andReturn(kerberosEnvProperties).once(); final Map<String, String> krb5ConfProperties = createNiceMock(Map.class); - expect(krb5ConfProperties.get("realm")).andReturn("FOOBAR.COM").once(); final Config krb5ConfConfig = createNiceMock(Config.class); expect(krb5ConfConfig.getProperties()).andReturn(krb5ConfProperties).once(); @@ -857,12 +860,12 @@ public class KerberosHelperTest extends EasyMockSupport { final Map<String, String> kerberosEnvProperties = createNiceMock(Map.class); expect(kerberosEnvProperties.get("kdc_type")).andReturn("mit-kdc").once(); + expect(kerberosEnvProperties.get("realm")).andReturn("FOOBAR.COM").once(); final Config kerberosEnvConfig = createNiceMock(Config.class); expect(kerberosEnvConfig.getProperties()).andReturn(kerberosEnvProperties).once(); final Map<String, String> krb5ConfProperties = createNiceMock(Map.class); - expect(krb5ConfProperties.get("realm")).andReturn("FOOBAR.COM").once(); final Config krb5ConfConfig = createNiceMock(Config.class); expect(krb5ConfConfig.getProperties()).andReturn(krb5ConfProperties).once(); 
@@ -1135,12 +1138,12 @@ public class KerberosHelperTest extends EasyMockSupport { final Map<String, String> kerberosEnvProperties = createNiceMock(Map.class); expect(kerberosEnvProperties.get("kdc_type")).andReturn("mit-kdc").once(); + expect(kerberosEnvProperties.get("realm")).andReturn("FOOBAR.COM").once(); final Config kerberosEnvConfig = createNiceMock(Config.class); expect(kerberosEnvConfig.getProperties()).andReturn(kerberosEnvProperties).once(); final Map<String, String> krb5ConfProperties = createNiceMock(Map.class); - expect(krb5ConfProperties.get("realm")).andReturn("FOOBAR.COM").once(); final Config krb5ConfConfig = createNiceMock(Config.class); expect(krb5ConfConfig.getProperties()).andReturn(krb5ConfProperties).once(); http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py b/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py index b87b7ca..2b69f1a 100644 --- a/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py +++ b/ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py 
@@ -81,6 +81,20 @@ class TestKerberosClient(RMFTestCase): group='root', mode=0644) + def test_configure_unmanaged_kdc_and_krb5conf(self): + json_data = use_cases.get_unmanged_krb5conf_use_case() + + + self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/kerberos_client.py", + classname="KerberosClient", + command="configure", + config_dict=json_data, + hdp_stack_version = self.STACK_VERSION, + target = RMFTestCase.TARGET_COMMON_SERVICES + ) + + self.assertNoMoreResources() + def test_configure_unmanaged_ad(self): json_data = use_cases.get_unmanged_ad_use_case() http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/test/python/stacks/2.2/KERBEROS/use_cases.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.2/KERBEROS/use_cases.py b/ambari-server/src/test/python/stacks/2.2/KERBEROS/use_cases.py index 8b896c1..ecf7853 100644 --- a/ambari-server/src/test/python/stacks/2.2/KERBEROS/use_cases.py +++ b/ambari-server/src/test/python/stacks/2.2/KERBEROS/use_cases.py @@ -23,7 +23,7 @@ krb5_conf_template = \ '[libdefaults]\n' \ ' renew_lifetime = {{libdefaults_renew_lifetime}}\n' \ ' forwardable = {{libdefaults_forwardable}}\n' \ - ' default_realm = {{realm|upper()}}\n' \ + ' realm = {{realm|upper()}}\n' \ ' ticket_lifetime = {{libdefaults_ticket_lifetime}}\n' \ ' dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n' \ ' dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n' \ @@ -60,7 +60,7 @@ kdc_conf_template = \ ' acl_file = {{kadm5_acl_path}}\n' \ ' dict_file = /usr/share/dict/words\n' \ ' admin_keytab = {{kadm5_acl_dir}}/kadm5.keytab\n' \ - ' supported_enctypes = {{libdefaults_default_tgs_enctypes}}\n' \ + ' supported_enctypes = {{encryption_types}}\n' \ '}\n' \ '\n' \ '{# Append additional realm declarations should be placed below #}\n' 
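Review bot: The krb5.conf test template in use_cases.py (`@@ -23,7 +23,7 @@`) now emits `realm = {{realm|upper()}}` under `[libdefaults]` where it used to emit `default_realm = ...`. `realm` is not a libdefaults setting in krb5.conf, so this looks like a side effect of renaming the configuration property rather than an intended template change. The same substitution appears in the `content` string of journalnode-upgrade-hdfs-secure.json. I would keep `default_realm = {{realm|upper()}}` in both fixtures so the tests keep rendering a krb5.conf that sets a default realm.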
@@ -78,13 +78,12 @@ def get_manged_kdc_use_case(): 'kdc_type': 'mit-kdc' } json_data['configurations']['krb5-conf'] = { - 'libdefaults_default_tgs_enctypes': 'aes256-cts-hmac-sha1-96', - 'libdefaults_default_tkt_enctypes': 'aes256-cts-hmac-sha1-96', 'realm': 'MANAGED_REALM.COM', 'kdc_host': 'c6401.ambari.apache.org', 'admin_principal': "admin/admin", 'admin_password': "hadoop" } + json_data['configurations']['kerberos-env'] = { 'encryption_types' : 'aes256-cts-hmac-sha1-96'} return json_data @@ -98,8 +97,6 @@ def get_unmanged_kdc_use_case(): 'kdc_type': 'mit-kdc' } json_data['configurations']['krb5-conf'] = { - 'libdefaults_default_tgs_enctypes': 'aes256-cts-hmac-sha1-96', - 'libdefaults_default_tkt_enctypes': 'aes256-cts-hmac-sha1-96', 'conf_dir': '/tmp', 'conf_file': 'krb5_unmanaged.conf', 'content': krb5_conf_template, @@ -114,6 +111,26 @@ def get_unmanged_kdc_use_case(): json_data['configurations']['kadm5-acl'] = { 'content': kadm5_acl_template } + json_data['configurations']['kerberos-env'] = { 'encryption_types' : 'aes256-cts-hmac-sha1-96'} + + + return json_data + +def get_unmanged_krb5conf_use_case(): + config_file = "stacks/2.2/configs/default.json" + with open(config_file, "r") as f: + json_data = json.load(f) + + json_data['clusterHostInfo']['kdc_server_hosts'] = ['c6401.ambari.apache.org'] + json_data['configurations']['krb5-conf'] = { + 'realm': 'MANAGED_REALM.COM', + 'kdc_type': 'mit-kdc', + 'kdc_host': 'c6401.ambari.apache.org', + 'admin_principal': "admin/admin", + 'admin_password': "hadoop", + 'manage_krb5_conf': "false" + } + json_data['configurations']['kerberos-env'] = { 'encryption_types' : 'aes256-cts-hmac-sha1-96'} return json_data 
@@ -126,8 +143,6 @@ def get_unmanged_ad_use_case(): 'kdc_type': 'active-directory', } json_data['configurations']['krb5-conf'] = { - 'libdefaults_default_tgs_enctypes': 'aes256-cts-hmac-sha1-96', - 'libdefaults_default_tkt_enctypes': 'aes256-cts-hmac-sha1-96', 'conf_dir': '/tmp', 'conf_file': 'krb5_ad.conf', 'content': krb5_conf_template, @@ -142,7 +157,7 @@ def get_unmanged_ad_use_case(): json_data['configurations']['kadm5-acl'] = { 'content': kadm5_acl_template } - + json_data['configurations']['kerberos-env'] = { 'encryption_types' : 'aes256-cts-hmac-sha1-96'} return json_data def get_cross_realm_use_case(): @@ -161,8 +176,6 @@ def get_cross_realm_use_case(): 'kdc_type': 'mit-kdc' } json_data['configurations']['krb5-conf'] = { - 'libdefaults_default_tgs_enctypes': 'aes256-cts-hmac-sha1-96', - 'libdefaults_default_tkt_enctypes': 'aes256-cts-hmac-sha1-96', 'content': _krb5_conf_template, 'realm': 'MANAGED_REALM.COM', 'kdc_host': 'c6401.ambari.apache.org', @@ -175,7 +188,7 @@ def get_cross_realm_use_case(): json_data['configurations']['kadm5-acl'] = { 'content': kadm5_acl_template } - + json_data['configurations']['kerberos-env'] = { 'encryption_types' : 'aes256-cts-hmac-sha1-96'} return json_data def get_value(dictionary, path, nullValue=None): http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json b/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json index 5b2ad89..314f2b2 100644 --- a/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json +++ b/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json 
@@ -1005,7 +1005,7 @@ "libdefaults_dns_lookup_kdc": "false", "logging_admin_server": "FILE:/var/log/kadmind.log", "libdefaults_default_tgs_enctypes": "\n aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5\n camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4\n ", - "content": "\n[libdefaults]\n renew_lifetime = {{libdefaults_renew_lifetime}}\n forwardable = {{libdefaults_forwardable}}\n default_realm = {{realm|upper()}}\n ticket_lifetime = {{libdefaults_ticket_lifetime}}\n dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n default = {{logging_default}}\n{#\n# The following options are unused unless a managed KDC is installed\n admin_server = {{logging_admin_server}}\n kdc = {{logging_admin_kdc}}\n#}\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n ", + "content": "\n[libdefaults]\n renew_lifetime = {{libdefaults_renew_lifetime}}\n forwardable = {{libdefaults_forwardable}}\n realm = {{realm|upper()}}\n ticket_lifetime = {{libdefaults_ticket_lifetime}}\n dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n default = {{logging_default}}\n{#\n# The following options are unused unless a managed KDC is installed\n admin_server = {{logging_admin_server}}\n kdc = {{logging_admin_kdc}}\n#}\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n ", "libdefaults_ticket_lifetime": "24h", 
"logging_kdc": "FILE:/var/log/krb5kdc.log",
 "domains": "",
http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json b/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json
index 676bff7..6b3439a 100644
--- a/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json
+++ b/ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json
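Review bot: In the new `content` value the `[libdefaults]` line reads `realm = {{realm|upper()}}` where it was `default_realm = {{realm|upper()}}`. krb5.conf takes the client's default realm from `default_realm` in `[libdefaults]`, and `realm` is not a libdefaults setting, so a file rendered from this template would carry no default realm. This looks like a side effect of a property rename, not an intended template change; the line should stay `default_realm = {{realm|upper()}}`. The hunk in journalnode-upgrade.json makes the same substitution, and the stack's krb5-conf.xml template, not shown here, is worth checking for it too.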
@@ -1005,7 +1005,7 @@ "libdefaults_dns_lookup_kdc": "false", "logging_admin_server": "FILE:/var/log/kadmind.log", "libdefaults_default_tgs_enctypes": "\n aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5\n camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4\n ", - "content": "\n[libdefaults]\n renew_lifetime = {{libdefaults_renew_lifetime}}\n forwardable = {{libdefaults_forwardable}}\n default_realm = {{realm|upper()}}\n ticket_lifetime = {{libdefaults_ticket_lifetime}}\n dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n default = {{logging_default}}\n{#\n# The following options are unused unless a managed KDC is installed\n admin_server = {{logging_admin_server}}\n kdc = {{logging_admin_kdc}}\n#}\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n ", + "content": "\n[libdefaults]\n renew_lifetime = {{libdefaults_renew_lifetime}}\n forwardable = {{libdefaults_forwardable}}\n realm = {{realm|upper()}}\n ticket_lifetime = {{libdefaults_ticket_lifetime}}\n dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n default = {{logging_default}}\n{#\n# The following options are unused unless a managed KDC is installed\n admin_server = {{logging_admin_server}}\n kdc = {{logging_admin_kdc}}\n#}\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n ", "libdefaults_ticket_lifetime": "24h", 
"logging_kdc": "FILE:/var/log/krb5kdc.log",
 "domains": "",
http://git-wip-us.apache.org/repos/asf/ambari/blob/94205c74/ambari-web/app/data/HDP2/site_properties.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/data/HDP2/site_properties.js b/ambari-web/app/data/HDP2/site_properties.js
index 0f25cb5..16886ba 100644
--- a/ambari-web/app/data/HDP2/site_properties.js
+++ b/ambari-web/app/data/HDP2/site_properties.js
@@ -1989,7 +1989,7 @@ var hdp2properties = [
 "isVisible": true,
 "isRequiredByAgent": true,
 "serviceName": "KERBEROS",
- "filename": "krb5-conf.xml",
+ "filename": "kerberos-env.xml",
 "category": "KDC",
 "index": 2
 },
@@ -2025,6 +2025,14 @@ var hdp2properties = [
 },
 {
 "id": "puppet var",
+ "name": "encryption_types",
+ "displayName": "Encryption Types",
+ "serviceName": "KERBEROS",
+ "filename": "kerberos-env.xml",
+ "category": "Advanced kerberos-env"
+ },
+ {
+ "id": "puppet var",
 "name": "domains",
 "displayName": "Domains",
 "isRequired": false,
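Review bot: The new `encryption_types` entry sets none of `isRequired`, `isVisible` or `isRequiredByAgent`, which neighbouring entries in `hdp2properties` state explicitly (the first hunk's context shows `"isVisible": true` and `"isRequiredByAgent": true`, and the `domains` entry sets `"isRequired": false`). Whether the defaults deliver the value to the agent cannot be seen from here, so spelling them out avoids the field being dropped or treated as mandatory by accident. The value presumably selects the Kerberos encryption types, so a `description` giving the expected format and advising against DES and RC4 types would help whoever fills in the field. The enclosing array starts and ends outside the hunk.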