This is an automated email from the ASF dual-hosted git repository. rlevas pushed a commit to branch branch-2.7 in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push: new ee68d7c AMBARI-24319. Regenerating keytabs for the given service(s) only ee68d7c is described below commit ee68d7cf49a50942cfc7685a5d3219a046da1157 Author: Sandor Molnar <smol...@apache.org> AuthorDate: Wed Jul 25 08:11:18 2018 +0200 AMBARI-24319. Regenerating keytabs for the given service(s) only --- .../server/controller/KerberosHelperImpl.java | 6 +-- .../kerberos/KerberosServerAction.java | 50 ++++++++++++++++------ 2 files changed, 40 insertions(+), 16 deletions(-) diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java index 13cb8fa..a15f424 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java @@ -138,7 +138,6 @@ import org.slf4j.LoggerFactory; import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Lists; import com.google.common.collect.Sets; import com.google.gson.JsonArray; import com.google.gson.JsonObject; @@ -1867,7 +1866,7 @@ public class KerberosHelperImpl implements KerberosHelper { String uniqueKey = String.format("%s|%s", principal, (keytabFile == null) ? "" : keytabFile); - if (!hostActiveIdentities.containsKey(uniqueKey)) { + if (!hostActiveIdentities.containsKey(uniqueKey) || (StringUtils.isNotBlank(hostActiveIdentities.get(uniqueKey).getReference()) && StringUtils.isBlank(identity.getReference()))) { KerberosPrincipalType principalType = principalDescriptor.getType(); // Assume the principal is a service principal if not specified 
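Review bot: The widened condition after `String uniqueKey = ...` now lets a later identity overwrite an entry already stored under the same principal/keytab key, but nothing on the line says why or which entry wins. As written, a stored entry whose `getReference()` is non-blank is replaced when the incoming `identity` has a blank reference, so the map ends up holding the owning definition rather than a reference to it; the `isRelevantIdentity` check added in KerberosServerAction filters on a blank reference too, so this line helps decide which principals get regenerated. I would look the entry up once and name the rule, e.g. `KerberosIdentityDescriptor existing = hostActiveIdentities.get(uniqueKey);` (value type presumed from the `getReference()` call) followed by `if (existing == null || (StringUtils.isNotBlank(existing.getReference()) && StringUtils.isBlank(identity.getReference()))) {`, with a comment such as `// a concrete identity replaces a reference to it`. The enclosing method starts and ends outside this hunk.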
@@ -2468,8 +2467,7 @@ public class KerberosHelperImpl implements KerberosHelper { handler.createStages(cluster, clusterHostInfoJson, hostParamsJson, event, roleCommandOrder, kerberosDetails, dataDirectory, requestStageContainer, serviceComponentHostsToProcess, - Collections.singletonMap("KERBEROS", Lists.newArrayList("KERBEROS_CLIENT")), - null, Sets.newHashSet(principal), hostsWithValidKerberosClient); + null, null, Sets.newHashSet(principal), hostsWithValidKerberosClient); handler.addFinalizeOperationStage(cluster, clusterHostInfoJson, hostParamsJson, event, diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java index 904fd01..0c11e34 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java @@ -21,6 +21,7 @@ package org.apache.ambari.server.serveraction.kerberos; import java.io.File; import java.io.IOException; import java.lang.reflect.Type; +import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; import java.util.Map; @@ -41,6 +42,7 @@ import org.apache.ambari.server.serveraction.kerberos.stageutils.ResolvedKerbero import org.apache.ambari.server.serveraction.kerberos.stageutils.ResolvedKerberosPrincipal; import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; +import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor; import org.apache.ambari.server.utils.StageUtils; import org.apache.commons.io.FileUtils; import org.apache.commons.lang.StringUtils; 
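Review bot: The `createStages` call now passes two bare `null`s in a row before `Sets.newHashSet(principal)`, and a reader cannot tell from this line which filter each one switches off. Judging by the argument it replaces, the first is the service/component filter (previously `KERBEROS` mapped to `KERBEROS_CLIENT`), so this stage is now scoped only by the identity filter and `hostsWithValidKerberosClient`. With a service filter still set, the relevance check added in KerberosServerAction would presumably have limited processing to identities owned by the KERBEROS service. A short comment above the call, e.g. `// no service or host filter: the identity filter alone selects the principal`, would record that the wider scope is deliberate; the `createStages` signature is outside this hunk, so the parameter roles are inferred.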
@@ -178,12 +180,6 @@ public abstract class KerberosServerAction extends AbstractServerAction { private KerberosOperationHandlerFactory kerberosOperationHandlerFactory; /** - * The KerberosIdentityDataFileReaderFactory to use to obtain KerberosIdentityDataFileReader instances - */ - @Inject - private KerberosIdentityDataFileReaderFactory kerberosIdentityDataFileReaderFactory; - - /** * KerberosHelper */ @Inject @@ -455,13 +451,17 @@ public abstract class KerberosServerAction extends AbstractServerAction { } try { - for (ResolvedKerberosKeytab rkk : kerberosKeytabController.getFilteredKeytabs((Map<String, Collection<String>>) getServiceComponentFilter(), getHostFilter(), getIdentityFilter())) { + final Map<String, Collection<String>> serviceComponentFilter = (Map<String, Collection<String>>) getServiceComponentFilter(); + final Collection<KerberosIdentityDescriptor> serviceIdentities = serviceComponentFilter == null ? null : calculateServiceIdentities(getClusterName(), serviceComponentFilter); + for (ResolvedKerberosKeytab rkk : kerberosKeytabController.getFilteredKeytabs(serviceComponentFilter, getHostFilter(), getIdentityFilter())) { for (ResolvedKerberosPrincipal principal : rkk.getPrincipals()) { - commandReport = processIdentity(principal, handler, kerberosConfiguration, requestSharedDataContext); - // If the principal processor returns a CommandReport, than it is time to stop since - // an error condition has probably occurred, else all is assumed to be well. - if (commandReport != null) { - break; + if (isRelevantIdentity(serviceIdentities, principal)) { + commandReport = processIdentity(principal, handler, kerberosConfiguration, requestSharedDataContext); + // If the principal processor returns a CommandReport, than it is time to stop + // since an error condition has probably occurred, else all is assumed to be well. + if (commandReport != null) { + break; + } } } } 
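Review bot: The `break` under `if (commandReport != null)` leaves only the inner loop over `rkk.getPrincipals()`; the outer loop over the filtered keytabs keeps running, and the next relevant principal reassigns `commandReport`, so an error report can be replaced by `null` from a later successful `processIdentity` call. This predates the commit, but the rewritten loop keeps it, which means a failed principal or keytab operation may still end up reported as a success. Adding `if (commandReport != null) { break; }` directly after the inner loop stops at the first error, as the comment above the check says it should. The cast `(Map<String, Collection<String>>) getServiceComponentFilter()` is also unchecked and would benefit from a narrowly scoped `@SuppressWarnings("unchecked")` with a reason; the enclosing method begins and ends outside the hunk.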
@@ -487,6 +487,32 @@ public abstract class KerberosServerAction extends AbstractServerAction { : commandReport; } + private boolean isRelevantIdentity(Collection<KerberosIdentityDescriptor> serviceIdentities, ResolvedKerberosPrincipal principal) { + if (serviceIdentities != null) { + boolean hasValidIdentity = false; + for (KerberosIdentityDescriptor serviceIdentity : serviceIdentities) { + if (principal.getPrincipal().equals(serviceIdentity.getPrincipalDescriptor().getName()) && StringUtils.isBlank(serviceIdentity.getReference())) { + hasValidIdentity = true; + break; + } + } + return hasValidIdentity; + } + + return true; + } + + private Collection<KerberosIdentityDescriptor> calculateServiceIdentities(String clusterName, Map<String, Collection<String>> serviceComponentFilter) + throws AmbariException { + final Collection<KerberosIdentityDescriptor> serviceIdentities = new ArrayList<>(); + for (String service : serviceComponentFilter.keySet()) { + for (Collection<KerberosIdentityDescriptor> activeIdentities : kerberosHelper.getActiveIdentities(clusterName, null, service, null, true).values()) { + serviceIdentities.addAll(activeIdentities); + } + } + return serviceIdentities; + } + /** * Processes an identity as necessary. * <p/>
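Review bot: `calculateServiceIdentities` reads only `serviceComponentFilter.keySet()` and passes `null` for the component to `getActiveIdentities`, so the component names carried in the filter's values never narrow the identity set; a filter that names specific components still makes every non-reference identity of the whole service relevant in `isRelevantIdentity`. If that is intended (the commit title speaks of services only), both new methods should say so in a Javadoc, which they lack although the method that follows them has one. That comment should also state why identities with a non-blank `getReference()` are excluded and that a `null` collection means "no service filter, process every principal". A non-null but empty filter produces an empty collection and therefore skips every principal silently, which deserves at least a debug log line.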