
AMBARI-2225. Security fixes with HBase service check. (jaimin)

git-svn-id: https://svn.apache.org/repos/asf/incubator/ambari/trunk@1488012 13f79535-47bb-0310-9956-ffa450edef68
Jaimin Jetly 12 年之前
當前提交
1d2e972f9d

+ 2 - 0
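--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -907,6 +907,8 @@ Trunk (unreleased changes):
 
  BUG FIXES
 
+ AMBARI-2225. Security fixes with HBase service check. (jaimin)
+
  AMBARI-2233. Ensure version values are used appropriately throughout
  Ambari. (smohanty)
 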

+ 39 - 8
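--- a/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/hbase/service_check.pp
+++ b/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/hbase/service_check.pp
@@ -18,15 +18,18 @@
 # under the License.
 #
 #
-class hdp-hbase::hbase::service_check()
+class hdp-hbase::hbase::service_check() inherits hdp-hbase::params
 {
   $smoke_test_user = $hdp::params::smokeuser
-
+  $security_enabled = $hdp::params::security_enabled
   $output_file = "/apps/hbase/data/ambarismoketest"
   $conf_dir = $hdp::params::hbase_conf_dir
-
+  $smoke_user_keytab = "${hdp-hbase::params::keytab_path}/${smoke_test_user}.headless.keytab"
+  $hbase_user = $hdp-hbase::params::hbase_user
+  $hbase_keytab = "${hdp-hbase::params::keytab_path}/${hbase_user}.headless.keytab"
   $test_cmd = "fs -test -e ${output_file}"
   $serviceCheckData = hdp_unique_id_and_date()
+  $kinit_cmd = "${hdp::params::kinit_path_local} -kt ${smoke_user_keytab} ${smoke_test_user};"
 
   anchor { 'hdp-hbase::hbase::service_check::begin':}
 
@@ -42,9 +45,16 @@ class hdp-hbase::hbase::service_check()
     mode => '0755',
     content => template('hdp-hbase/hbase-smoke.sh.erb'),
   }
+  if ($security_enabled == true) {
+    $servicecheckcmd = "su - ${smoke_test_user} -c '$kinit_cmd hbase --config $conf_dir  shell $hbase_servicecheck_file'"
+    $smokeverifycmd = "su - ${smoke_test_user} -c '$kinit_cmd /tmp/hbaseSmokeVerify.sh $conf_dir ${serviceCheckData}'"
+  } else {
+    $servicecheckcmd = "su - ${smoke_test_user} -c 'hbase --config $conf_dir  shell $hbase_servicecheck_file'"
+    $smokeverifycmd = "su - ${smoke_test_user} -c '/tmp/hbaseSmokeVerify.sh $conf_dir ${serviceCheckData}'"
+  }
 
   exec { $hbase_servicecheck_file:
-    command   => "su - ${smoke_test_user} -c 'hbase --config $conf_dir  shell $hbase_servicecheck_file'",
+    command   => $servicecheckcmd,
     tries     => 3,
     try_sleep => 5,
     path      => '/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin',
@@ -52,7 +62,7 @@ class hdp-hbase::hbase::service_check()
   }
 
   exec { '/tmp/hbaseSmokeVerify.sh':
-    command   => "su - ${smoke_test_user} -c '/tmp/hbaseSmokeVerify.sh $conf_dir ${serviceCheckData}'",
+    command   => $smokeverifycmd,
     tries     => 3,
     try_sleep => 5,
     path      => '/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin',
@@ -67,9 +77,30 @@ class hdp-hbase::hbase::service_check()
     before      => Anchor['hdp-hbase::hbase::service_check::end'] #TODO: remove after testing
   }
 
-  Anchor['hdp-hbase::hbase::service_check::begin'] ->  File['/tmp/hbaseSmokeVerify.sh']
-  File[$hbase_servicecheck_file] -> Exec[$hbase_servicecheck_file] -> Exec['/tmp/hbaseSmokeVerify.sh']
-  -> Anchor['hdp-hbase::hbase::service_check::end']
+  if ($security_enabled == true) {
+    $hbase_grant_premissions_file = '/tmp/hbase_grant_permissions.sh'
+    $hbase_kinit_cmd = "${hdp::params::kinit_path_local} -kt ${hbase_keytab} ${hbase_user};"
+    $grantprivelegecmd = "$hbase_kinit_cmd hbase shell ${hbase_grant_premissions_file}"
 
+    file { $hbase_grant_premissions_file:
+      owner   => $hbase_user,
+      group   => $hdp::params::user_group,
+      mode => '0644',
+      content => template('hdp-hbase/hbase_grant_permissions.erb')
+      }
+      hdp::exec { '${smokeuser}_grant_privileges' :
+        command => $grantprivelegecmd,
+        require => File[$hbase_grant_premissions_file],
+        user => $hbase_user
+      }
+     Anchor['hdp-hbase::hbase::service_check::begin'] ->  File['/tmp/hbaseSmokeVerify.sh']
+       File[$hbase_servicecheck_file] ->  File[$hbase_grant_premissions_file] ->
+       Hdp::Exec['${smokeuser}_grant_privileges'] -> Exec[$hbase_servicecheck_file] ->
+       Exec['/tmp/hbaseSmokeVerify.sh'] -> Anchor['hdp-hbase::hbase::service_check::end']
+  } else {
+    Anchor['hdp-hbase::hbase::service_check::begin'] ->  File['/tmp/hbaseSmokeVerify.sh']
+    File[$hbase_servicecheck_file] -> Exec[$hbase_servicecheck_file] -> Exec['/tmp/hbaseSmokeVerify.sh']
+    -> Anchor['hdp-hbase::hbase::service_check::end']
+  }
   anchor{ 'hdp-hbase::hbase::service_check::end':}
 }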
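Review bot: `$kinit_cmd` and `$hbase_kinit_cmd` both end in `;`, so in `$servicecheckcmd`, `$smokeverifycmd` and `$grantprivelegecmd` the hbase command still runs when kinit fails, and a ticket left in the credential cache could let the check pass against a missing or broken keytab. Ending the two kinit strings in `&&` instead, e.g. `"${hdp::params::kinit_path_local} -kt ${smoke_user_keytab} ${smoke_test_user} &&"`, makes a failed kinit fail the exec (assuming `hdp::exec` runs its command through a shell, as the existing `;` already implies). The grant script is written to the fixed path `/tmp/hbase_grant_permissions.sh` and then run under the hbase user's Kerberos credentials; a directory writable only by root or `$hbase_user` would be a safer home for a file that drives a `grant`. The resource title `'${smokeuser}_grant_privileges'` is single-quoted and `$smokeuser` is not set in the visible part of this class, so the title is the literal string; it matches the `Hdp::Exec[...]` reference, but a plain title such as `'smokeuser_grant_privileges'` would say what it is.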

+ 1 - 20
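--- a/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/init.pp
+++ b/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/init.pp
@@ -29,6 +29,7 @@ class hdp-hbase(
   
   $hdp::params::component_exists['hdp-hbase'] = true
   $smokeuser = $hdp::params::smokeuser
+  $security_enabled = $hdp::params::security_enabled
 
   #Configs generation  
 
@@ -102,26 +103,6 @@ class hdp-hbase(
     if ($security_enabled == true) {
       if ($type == 'master' and $service_state == 'running') {
         hdp-hbase::configfile { 'hbase_master_jaas.conf' : }
-
-        $hbase_grant_premissions_file = '/tmp/hbase_grant_permissions.sh'
-
-        file { $hbase_grant_premissions_file:
-          owner   => $hbase_user,
-          group   => $hdp::params::user_group,
-          mode => '0644',
-          content => template('hdp-hbase/hbase_grant_permissions.erb')
-        }
-        $hbase_principal = $hdp-hbase::params::hbase_master_principal
-        $hbase_user_keytab = $hdp-hbase::params::hbase_keytab_path
-        $kinit_cmd = "${hdp::params::kinit_path_local} -kt ${hbase_user_keytab} ${hbase_principal};"
-        hdp::exec { '${smokeuser}_grant_privileges' :
-          command => "su - ${hbase_user} -c '$kinit_cmd hbase --config $conf_dir shell ${hbase_grant_premissions_file}'",
-          require => File[$hbase_grant_premissions_file]
-        }
-
-        Hdp-hbase::Configfile<||> -> File[$hbase_grant_premissions_file] ->
-        Hdp::Exec['${smokeuser}_grant_privileges'] -> Anchor['hdp-hbase::end']
-
       } elsif ($type == 'regionserver' and $service_state == 'running') {
         hdp-hbase::configfile { 'hbase_regionserver_jaas.conf' : }
       } elsif ($type == 'client') {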

+ 1 - 0
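--- a/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/params.pp
+++ b/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/params.pp
@@ -83,6 +83,7 @@ class hdp-hbase::params() inherits hdp::params
 
   $regionserver_memstore_upperlimit = hdp_default("hbase-site/regionserver.memstore.upperlimit","0.4")
 
+  $keytab_path = hdp_default("keytab_path","/etc/security/keytabs")
   $hbase_client_jaas_config_file = hdp_default("hbase_client_jaas_config_file", "${conf_dir}/hbase_client_jaas.conf")
   $hbase_master_jaas_config_file = hdp_default("hbase_master_jaas_config_file", "${conf_dir}/hbase_master_jaas.conf")
   $hbase_regionserver_jaas_config_file = hdp_default("hbase_regionserver_jaas_config_file", "${conf_dir}/hbase_regionserver_jaas.conf")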

+ 2 - 1
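--- a/ambari-agent/src/main/puppet/modules/hdp-hbase/templates/hbase_grant_permissions.erb
+++ b/ambari-agent/src/main/puppet/modules/hdp-hbase/templates/hbase_grant_permissions.erb
@@ -17,4 +17,5 @@
 # under the License.
 #
 #
-grant '<%=scope.function_hdp_template_var("::hdp::params::smokeuser")%>', '<%=scope.function_hdp_template_var("::hdp-hbase::params::smokeuser_permissions")%>'
+grant '<%=scope.function_hdp_template_var("::hdp::params::smokeuser")%>', '<%=scope.function_hdp_template_var("::hdp-hbase::params::smokeuser_permissions")%>'
+exit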