This is an automated email from the ASF dual-hosted git repository. smolnar pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push: new 153d5f9 AMBARI-24913. New LDAP related properties to indicate if Ambari should manage LDAP configuration for certain services (#2629) 153d5f9 is described below commit 153d5f96cf1c1c68084d308bb98314b3d5231153 Author: Sandor Molnar <smol...@apache.org> AuthorDate: Mon Nov 19 15:54:41 2018 +0100 AMBARI-24913. New LDAP related properties to indicate if Ambari should manage LDAP configuration for certain services (#2629)
---
 .../AmbariServerConfigurationKey.java | 3 +
 .../AmbariServerLDAPConfigurationHandler.java | 2 +-
 .../ldap/domain/AmbariLdapConfiguration.java | 8 ++
 .../ambari/server/upgrade/UpgradeCatalog270.java | 8 ++
 .../main/resources/stacks/ambari_configuration.py | 59 ++++++++++++
 .../server/upgrade/UpgradeCatalog270Test.java | 3 +
 .../src/test/python/TestAmbariConfiguration.py | 104 +++++++++++++++++++++
 7 files changed, 186 insertions(+), 1 deletion(-)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
index 8599a0d0..05caa75 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
@@ -25,6 +25,9 @@ public enum AmbariServerConfigurationKey {
 /* ********************************************************
 * LDAP Configuration Keys
 * ******************************************************** */
+ AMBARI_MANAGES_LDAP_CONFIGURATION(AmbariServerConfigurationCategory.LDAP_CONFIGURATION, "ambari.ldap.manage_services", PLAINTEXT, "false", "A Boolean value indicating whether Ambari is to manage the LDAP configuration for services or not."),
+ LDAP_ENABLED_SERVICES(AmbariServerConfigurationCategory.LDAP_CONFIGURATION, "ambari.ldap.enabled_services", PLAINTEXT, null, "A comma-delimited list of services that are expected to be configured for LDAP. A \"*\" indicates all services."),
+
 LDAP_ENABLED(AmbariServerConfigurationCategory.LDAP_CONFIGURATION, "ambari.ldap.authentication.enabled", PLAINTEXT, "false", "An internal property used for unit testing and development purposes."),
 SERVER_HOST(AmbariServerConfigurationCategory.LDAP_CONFIGURATION, "ambari.ldap.connectivity.server.host", PLAINTEXT, "localhost", "The LDAP URL host used for connecting to an LDAP server when authenticating users."),
 SERVER_PORT(AmbariServerConfigurationCategory.LDAP_CONFIGURATION, "ambari.ldap.connectivity.server.port", PLAINTEXT, "33389", "The LDAP URL port used for connecting to an LDAP server when authenticating users."),
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariServerLDAPConfigurationHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariServerLDAPConfigurationHandler.java
index f08c1de..2cc79b2 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariServerLDAPConfigurationHandler.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariServerLDAPConfigurationHandler.java
@@ -66,7 +66,7 @@ public class AmbariServerLDAPConfigurationHandler extends AmbariServerStackAdvis
 public void updateComponentCategory(String categoryName, Map<String, String> properties, boolean removePropertiesIfNotSpecified) throws AmbariException {
 super.updateComponentCategory(categoryName, properties, removePropertiesIfNotSpecified);
 final AmbariLdapConfiguration ldapConfiguration = new AmbariLdapConfiguration(getConfigurationProperties(AmbariServerConfigurationCategory.LDAP_CONFIGURATION.getCategoryName()));
- if (ldapConfiguration.ldapEnabled()) {
+ if (ldapConfiguration.isAmbariManagesLdapConfiguration()) {
 processClusters(LDAP_CONFIGURATIONS);
 }
 }
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java b/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
index c55f337..0647138 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
@@ -71,6 +71,14 @@ public class AmbariLdapConfiguration {
 this.configurationMap = configuration;
 }
+ public boolean isAmbariManagesLdapConfiguration() {
+ return Boolean.valueOf(configValue(AmbariServerConfigurationKey.AMBARI_MANAGES_LDAP_CONFIGURATION));
+ }
+
+ public String getLdapEnabledServices() {
+ return configValue(AmbariServerConfigurationKey.LDAP_ENABLED_SERVICES);
+ }
+
 public boolean ldapEnabled() {
 return Boolean.valueOf(configValue(AmbariServerConfigurationKey.LDAP_ENABLED));
 }
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java
index 43a3d5f..6ba4ce2 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java
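Review bot: In AmbariServerLDAPConfigurationHandler.updateComponentCategory the new guard no longer consults `ldapEnabled()`, so `processClusters(LDAP_CONFIGURATIONS)` now runs whenever `ambari.ldap.manage_services` is true, including when `ambari.ldap.authentication.enabled` is false. If that is intended, say so in a comment above the `if`, e.g. `// Service LDAP settings are reconciled whenever Ambari manages them, independent of Ambari's own LDAP authentication flag.`; if it is not, the condition probably wants both checks. Nothing runs on the transition from managed to unmanaged either, so whatever was last pushed to the services presumably stays in place; that is worth stating in the same comment.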
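Review bot: `getLdapEnabledServices()` in AmbariLdapConfiguration hands back the raw comma-delimited string, and because the key is declared with a `null` default it may return null when the property is unset (this depends on `configValue`, which is outside the hunk). Both new accessors lack Javadoc; a short one naming the property key, the `*` wildcard and the null or empty case would save callers from guessing how to parse and compare the list. `Boolean.parseBoolean(...)` would avoid the box-then-unbox of `Boolean.valueOf(...)`, although the existing `ldapEnabled()` uses the same form.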
@@ -1683,6 +1683,14 @@ public class UpgradeCatalog270 extends AbstractUpgradeCatalog {
 populateConfigurationToBeMoved(propertiesToBeMoved, null, AmbariServerConfigurationKey.SSO_MANAGE_SERVICES, "true");
 populateConfigurationToBeMoved(propertiesToBeMoved, null, AmbariServerConfigurationKey.SSO_ENABLED_SERVICES, "AMBARI");
 }
+ } else if (AmbariServerConfigurationKey.LDAP_ENABLED == key) {
+ populateConfigurationToBeMoved(propertiesToBeMoved, oldPropertyName, key, propertyValue);
+
+ if ("true".equalsIgnoreCase(propertyValue)) {
+ // Add the new properties to tell Ambari that LDAP is enabled:
+ populateConfigurationToBeMoved(propertiesToBeMoved, null, AmbariServerConfigurationKey.AMBARI_MANAGES_LDAP_CONFIGURATION, "true");
+ populateConfigurationToBeMoved(propertiesToBeMoved, null, AmbariServerConfigurationKey.LDAP_ENABLED_SERVICES, "AMBARI");
+ }
 } else {
 populateConfigurationToBeMoved(propertiesToBeMoved, oldPropertyName, key, propertyValue);
 }
diff --git a/ambari-server/src/main/resources/stacks/ambari_configuration.py b/ambari-server/src/main/resources/stacks/ambari_configuration.py
index 9104c32..ece7387 100644
--- a/ambari-server/src/main/resources/stacks/ambari_configuration.py
+++ b/ambari-server/src/main/resources/stacks/ambari_configuration.py
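Review bot: The upgrade branch for `LDAP_ENABLED` turns `ambari.ldap.manage_services` on and sets `ambari.ldap.enabled_services` to `AMBARI` for every installation that had LDAP authentication enabled, which changes who owns the services' LDAP settings without the operator opting in. With that list, `should_disable_ldap()` in ambari_configuration.py (same commit) returns True for every service other than AMBARI, so a service whose LDAP integration was configured by hand could be recommended for disabling after the upgrade; whether any stack advisor acts on that is not visible here. The inline comment also misdescribes the values; `// LDAP auth was enabled before the upgrade: mark Ambari as managing LDAP configuration, for the AMBARI service only` is closer to what the two calls do. The enclosing method starts and ends outside the hunk.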
@@ -487,3 +487,62 @@ class AmbariLDAPConfiguration:
 :return: How to handle username collision while updating from LDAP or None if ldap-configuration/ambari.ldap.advanced.collision_behavior is not specified
 '''
 return _get_from_dictionary(self.ldap_properties, 'ambari.ldap.advanced.collision_behavior')
+
+ def is_managing_services(self):
+ """
+ Tests the configuration data to determine if Ambari should be configuring services to enable LDAP integration.
+
+ The relevant property is "ldap-configuration/ambari.ldap.manage_services", which is expected
+ to be a "true" or "false".
+
+ :return: True, if Ambari should manage services' LDAP configurations
+ """
+ return "true" == _get_from_dictionary(self.ldap_properties, "ambari.ldap.manage_services")
+
+ def get_services_to_enable(self):
+ """
+ Safely gets the list of services that Ambari should enabled for LDAP.
+
+ The returned value is a list of the relevant service names converted to lowercase.
+
+ :return: a list of service names converted to lowercase
+ """
+ ldap_enabled_services = _get_from_dictionary(self.ldap_properties, "ambari.ldap.enabled_services")
+
+ return [x.strip().lower() for x in ldap_enabled_services.strip().split(",")] \
+ if ldap_enabled_services \
+ else []
+
+ def should_enable_ldap(self, service_name):
+ """
+ Tests the configuration data to determine if the specified service should be configured by
+ Ambari to enable LDAP integration.
+
+ The relevant property is "ldap-configuration/ambari.ldap.enabled_services", which is expected
+ to be a comma-delimited list of services to be enabled or '*' indicating ALL installed services.
+
+ :param service_name: the name of the service to test
+ :return: True, if LDAP should be enabled; False, otherwise
+ """
+ if self.is_managing_services():
+ services_to_enable = self.get_services_to_enable()
+ return "*" in services_to_enable or service_name.lower() in services_to_enable
+ else:
+ return False
+
+ def should_disable_ldap(self, service_name):
+ """
+ Tests the configuration data to determine if the specified service should be configured by
+ Ambari to disable LDAP integration.
+
+ The relevant property is "ldap-configuration/ambari.ldap.enabled_services", which is expected
+ to be a comma-delimited list of services to be enabled or '*' indicating ALL installed services.
+
+ :param service_name: the name of the service to test
+ :return: True, if LDAP should be disabled; False, otherwise
+ """
+ if self.is_managing_services():
+ services_to_enable = self.get_services_to_enable()
+ return "*" not in services_to_enable and service_name.lower() not in services_to_enable
+ else:
+ return False
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog270Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog270Test.java
index 6fa317b..d83b99b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog270Test.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog270Test.java
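Review bot: `is_managing_services()` compares the property with the exact string `"true"`, while the Java side reads the same key with `Boolean.valueOf(...)`, which ignores case, and the upgrade code uses `equalsIgnoreCase`. A stored value such as `True` would make the server call `processClusters` while this class reports that nothing is managed, so `should_enable_ldap` and `should_disable_ldap` both return False. Normalising before comparing closes the gap: `value = _get_from_dictionary(self.ldap_properties, "ambari.ldap.manage_services")` followed by `return value is not None and str(value).strip().lower() == "true"`. `get_services_to_enable()` also keeps empty entries from input like `"AMBARI,"`; adding `if x.strip()` to the comprehension would drop them. The class body starts outside the hunk.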
@@ -1267,6 +1267,9 @@ public class UpgradeCatalog270Test {
 expect(entityManager.find(anyObject(), anyObject())).andReturn(null).anyTimes();
 final Map<String, String> properties = new HashMap<>();
 properties.put(AmbariServerConfigurationKey.LDAP_ENABLED.key(), "true");
+ properties.put(AmbariServerConfigurationKey.AMBARI_MANAGES_LDAP_CONFIGURATION.key(), "true");
+ properties.put(AmbariServerConfigurationKey.LDAP_ENABLED_SERVICES.key(), "AMBARI");
+
 expect(ambariConfigurationDao.reconcileCategory(AmbariServerConfigurationCategory.LDAP_CONFIGURATION.getCategoryName(), properties, false)).andReturn(true).once();
 replay(entityManager, ambariConfigurationDao);
diff --git a/ambari-server/src/test/python/TestAmbariConfiguration.py b/ambari-server/src/test/python/TestAmbariConfiguration.py
index 58062e1..fd2bc7b 100644
--- a/ambari-server/src/test/python/TestAmbariConfiguration.py
+++ b/ambari-server/src/test/python/TestAmbariConfiguration.py
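Review bot: The updated expectation only covers the path where the old LDAP flag is `"true"`; no case is visible where it is `"false"` or absent, which is exactly where the new upgrade branch must not add `ambari.ldap.manage_services` or `ambari.ldap.enabled_services`. A second run with `"false"` and an expected map holding only `LDAP_ENABLED` would pin down that the upgrade does not hand LDAP management to Ambari on installations that never enabled it. The test method starts and ends outside the hunk, so such a case may already exist elsewhere.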
@@ -404,3 +404,107 @@ class TestAmbariConfiguration(TestCase):
 self.assertTrue(ambari_ldap_details.is_ldap_alternate_user_search_enabled())
 self.assertEquals(ambari_ldap_details.get_alternate_user_search_filter(), "alternate_user_search_filter")
 self.assertEquals(ambari_ldap_details.get_sync_collision_handling_behavior(), "collision_behavior")
+
+ def testAmbariNotMangingLdapConfiguration(self):
+ ## Case 1: missing the boolean flag indicating that Ambari manages LDAP configuration
+ services_json = {
+ "ambari-server-configuration": {
+ "ldap-configuration": {
+ "ambari.ldap.enabled_services": "AMBARI"
+ }
+ }
+ }
+
+ ambari_configuration = self.ambari_configuration_class(services_json)
+ self.assertIsNotNone(ambari_configuration.get_ambari_ldap_configuration())
+
+ ambari_ldap_details = ambari_configuration.get_ambari_ldap_details()
+ self.assertIsNotNone(ambari_ldap_details)
+ self.assertFalse(ambari_ldap_details.is_managing_services())
+ self.assertFalse(ambari_ldap_details.should_enable_ldap("AMBARI"))
+ self.assertFalse(ambari_ldap_details.should_disable_ldap("AMBARI"))
+
+ ## Case 2: setting the boolean flag to false indicating that Ambari shall NOT manage LDAP configuration
+ services_json = {
+ "ambari-server-configuration": {
+ "ldap-configuration": {
+ "ambari.ldap.manage_services": "false",
+ "ambari.ldap.enabled_services": "AMBARI, RANGER"
+ }
+ }
+ }
+
+ ambari_configuration = self.ambari_configuration_class(services_json)
+ self.assertIsNotNone(ambari_configuration.get_ambari_ldap_configuration())
+
+ ambari_ldap_details = ambari_configuration.get_ambari_ldap_details()
+ self.assertIsNotNone(ambari_ldap_details)
+ self.assertFalse(ambari_ldap_details.is_managing_services())
+ self.assertFalse(ambari_ldap_details.should_enable_ldap("AMBARI"))
+ self.assertFalse(ambari_ldap_details.should_disable_ldap("AMBARI"))
+ self.assertFalse(ambari_ldap_details.should_enable_ldap("RANGER"))
+ self.assertFalse(ambari_ldap_details.should_disable_ldap("RANGER"))
+
+ ## Case 3: setting the boolean flag to false indicating that Ambari shall NOT manage LDAP configuration and indicating it should be done for ALL services
+ services_json = {
+ "ambari-server-configuration": {
+ "ldap-configuration": {
+ "ambari.ldap.manage_services": "false",
+ "ambari.ldap.enabled_services": "*"
+ }
+ }
+ }
+
+ ambari_configuration = self.ambari_configuration_class(services_json)
+ self.assertIsNotNone(ambari_configuration.get_ambari_ldap_configuration())
+
+ ambari_ldap_details = ambari_configuration.get_ambari_ldap_details()
+ self.assertIsNotNone(ambari_ldap_details)
+ self.assertFalse(ambari_ldap_details.is_managing_services())
+ self.assertFalse(ambari_ldap_details.should_enable_ldap("AMBARI"))
+ self.assertFalse(ambari_ldap_details.should_disable_ldap("AMBARI"))
+ self.assertFalse(ambari_ldap_details.should_enable_ldap("RANGER"))
+ self.assertFalse(ambari_ldap_details.should_disable_ldap("RANGER"))
+
+ def testAmbariMangingLdapConfiguration(self):
+ ## Case 1: setting the boolean flag to false indicating that Ambari shall manage LDAP configuration for AMBARI and RANGER
+ services_json = {
+ "ambari-server-configuration": {
+ "ldap-configuration": {
+ "ambari.ldap.manage_services": "true",
+ "ambari.ldap.enabled_services": "AMBARI, RANGER"
+ }
+ }
+ }
+
+ ambari_configuration = self.ambari_configuration_class(services_json)
+ self.assertIsNotNone(ambari_configuration.get_ambari_ldap_configuration())
+
+ ambari_ldap_details = ambari_configuration.get_ambari_ldap_details()
+ self.assertIsNotNone(ambari_ldap_details)
+ self.assertTrue(ambari_ldap_details.is_managing_services())
+ self.assertTrue(ambari_ldap_details.should_enable_ldap("AMBARI"))
+ self.assertFalse(ambari_ldap_details.should_disable_ldap("AMBARI"))
+ self.assertTrue(ambari_ldap_details.should_enable_ldap("RANGER"))
+ self.assertFalse(ambari_ldap_details.should_disable_ldap("RANGER"))
+
+ ## Case 2: setting the boolean flag to false indicating that Ambari shall manage LDAP configuration for ALL services
+ services_json = {
+ "ambari-server-configuration": {
+ "ldap-configuration": {
+ "ambari.ldap.manage_services": "true",
+ "ambari.ldap.enabled_services": "*"
+ }
+ }
+ }
+
+ ambari_configuration = self.ambari_configuration_class(services_json)
+ self.assertIsNotNone(ambari_configuration.get_ambari_ldap_configuration())
+
+ ambari_ldap_details = ambari_configuration.get_ambari_ldap_details()
+ self.assertIsNotNone(ambari_ldap_details)
+ self.assertTrue(ambari_ldap_details.is_managing_services())
+ self.assertTrue(ambari_ldap_details.should_enable_ldap("AMBARI"))
+ self.assertFalse(ambari_ldap_details.should_disable_ldap("AMBARI"))
+ self.assertTrue(ambari_ldap_details.should_enable_ldap("HDFS"))
+ self.assertFalse(ambari_ldap_details.should_disable_ldap("HDFS"))
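Review bot: None of the new tests ever sees `should_disable_ldap()` return True: every call is wrapped in `assertFalse`, so the branch that actually switches a service's LDAP integration off is untested. In Case 1 of `testAmbariMangingLdapConfiguration` (services `AMBARI, RANGER`) add `self.assertFalse(ambari_ldap_details.should_enable_ldap("HDFS"))` and `self.assertTrue(ambari_ldap_details.should_disable_ldap("HDFS"))`. The two `## Case` comments in that method say the flag is set to false although the fixture sets `"true"`, and both new method names spell `Manging`.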