
AMBARI-9171. Keytab generation should use kerberos-env/encryption_types when creating key entries (rlevas)

Robert Levas преди 10 години
родител
ревизия
53dbf69f9d
променени са 14 файла, в които са добавени 324 реда и са изтрити 48 реда
  1. 5 9
      ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
  2. 175 2
      ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
  3. 6 0
      ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
  4. 4 6
      ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
  5. 23 2
      ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml
  6. 4 8
      ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py
  7. 6 0
      ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2
  8. 23 1
      ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml
  9. 6 0
      ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2
  10. 1 1
      ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
  11. 44 1
      ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java
  12. 21 12
      ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java
  13. 3 3
      ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json
  14. 3 3
      ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json

+ 5 - 9
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java

@@ -52,10 +52,6 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
 
   private static final String LDAP_CONTEXT_FACTORY_CLASS = "com.sun.jndi.ldap.LdapCtxFactory";
 
-  public final static String KERBEROS_ENV_LDAP_URL = "ldap_url";
-  public final static String KERBEROS_ENV_PRINCIPAL_CONTAINER_DN = "container_dn";
-  public final static String KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE = "create_attributes_template";
-
   /**
    * A String containing the URL for the LDAP interface for the relevant Active Directory
    */
@@ -146,6 +142,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
 
     setAdministratorCredentials(administratorCredentials);
     setDefaultRealm(realm);
+    setKeyEncryptionTypes(translateEncryptionTypes(kerberosConfiguration.get(KERBEROS_ENV_ENCRYPTION_TYPES), "\\s+"));
 
     this.ldapContext = createLdapContext();
     this.searchControls = createSearchControls();
@@ -203,7 +200,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
       throw new KerberosOperationException("principal is null");
     }
 
-    DeconstructedPrincipal deconstructPrincipal = deconstructPrincipal(principal);
+    DeconstructedPrincipal deconstructPrincipal = createDeconstructPrincipal(principal);
 
     try {
       return (findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal()) != null);
@@ -237,8 +234,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
       throw new KerberosOperationException("principal password is null");
     }
 
-    // TODO: (rlevas) pass components and realm in separately (AMBARI-9122)
-    DeconstructedPrincipal deconstructedPrincipal = deconstructPrincipal(principal);
+    DeconstructedPrincipal deconstructedPrincipal = createDeconstructPrincipal(principal);
 
     String realm = deconstructedPrincipal.getRealm();
     if (realm == null) {
@@ -327,7 +323,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
       throw new KerberosOperationException("principal password is null");
     }
 
-    DeconstructedPrincipal deconstructPrincipal = deconstructPrincipal(principal);
+    DeconstructedPrincipal deconstructPrincipal = createDeconstructPrincipal(principal);
 
     try {
       String dn = findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal());
@@ -368,7 +364,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
       throw new KerberosOperationException("principal is null");
     }
 
-    DeconstructedPrincipal deconstructPrincipal = deconstructPrincipal(principal);
+    DeconstructedPrincipal deconstructPrincipal = createDeconstructPrincipal(principal);
 
     try {
       String dn = findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal());
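Review bot: The new `setKeyEncryptionTypes(translateEncryptionTypes(kerberosConfiguration.get(KERBEROS_ENV_ENCRYPTION_TYPES), "\\s+"))` line in open() dereferences `kerberosConfiguration` without a null check, whereas the identical call added to MITKerberosOperationHandler.open() is wrapped in `if (kerberosConfiguration != null)`. Unless an earlier part of open() (outside this hunk) already rejects a null map, a caller passing null now gets a NullPointerException instead of the KerberosOperationException the rest of this class uses for missing input. Consider `if (kerberosConfiguration == null) { throw new KerberosOperationException("kerberosConfiguration is null"); }` ahead of the lookups, matching the null-check style visible in the other hunks. open() starts and ends outside this hunk.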

+ 175 - 2
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java

@@ -37,6 +37,8 @@ import java.io.OutputStream;
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.EnumSet;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -57,12 +59,111 @@ public abstract class KerberosOperationHandler {
    */
   protected final static int SECURE_PASSWORD_LENGTH = 18;
 
+  /**
+   * Kerberos-env configuration property name: ldap_url
+   */
+  public final static String KERBEROS_ENV_LDAP_URL = "ldap_url";
+
+  /**
+   * Kerberos-env configuration property name: container_dn
+   */
+  public final static String KERBEROS_ENV_PRINCIPAL_CONTAINER_DN = "container_dn";
+
+  /**
+   * Kerberos-env configuration property name: create_attributes_template
+   */
+  public final static String KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE = "create_attributes_template";
+
+  /**
+   * Kerberos-env configuration property name: encryption_types
+   */
+  public final static String KERBEROS_ENV_ENCRYPTION_TYPES = "encryption_types";
+
   /**
    * The set of available characters to use when generating a secure password
    */
   private final static char[] SECURE_PASSWORD_CHARS =
       "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890?.!$%^*()-_+=~".toCharArray();
 
+  /**
+   * A Map of MIT KDC Encryption types to EncryptionType values.
+   * <p/>
+   * See http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/kdc_conf.html#encryption-types
+   */
+  private static final Map<String, Set<EncryptionType>> ENCRYPTION_TYPE_TRANSLATION_MAP = Collections.unmodifiableMap(
+      new HashMap<String, Set<EncryptionType>>() {
+        {
+          // aes: The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
+          put("aes", EnumSet.of(EncryptionType.AES256_CTS_HMAC_SHA1_96, EncryptionType.AES128_CTS_HMAC_SHA1_96));
+
+          // aes256-cts-hmac-sha1-96 aes256-cts:  AES-256	CTS mode with 96-bit SHA-1 HMAC
+          put("aes256-cts-hmac-sha1-96", EnumSet.of(EncryptionType.AES256_CTS_HMAC_SHA1_96));
+          put("aes256-cts", EnumSet.of(EncryptionType.AES256_CTS_HMAC_SHA1_96));
+          put("aes-256", EnumSet.of(EncryptionType.AES256_CTS_HMAC_SHA1_96));
+
+          // aes128-cts-hmac-sha1-96 aes128-cts AES-128:	CTS mode with 96-bit SHA-1 HMAC
+          put("aes128-cts-hmac-sha1-96", EnumSet.of(EncryptionType.AES128_CTS_HMAC_SHA1_96));
+          put("aes128-cts", EnumSet.of(EncryptionType.AES128_CTS_HMAC_SHA1_96));
+          put("aes-128", EnumSet.of(EncryptionType.AES128_CTS_HMAC_SHA1_96));
+
+          // rc4	The RC4 family: arcfour-hmac
+          put("rc4", EnumSet.of(EncryptionType.RC4_HMAC));
+
+          // arcfour-hmac rc4-hmac arcfour-hmac-md5:	RC4 with HMAC/MD5
+          put("arcfour-hmac", EnumSet.of(EncryptionType.RC4_HMAC));
+          put("rc4-hmac", EnumSet.of(EncryptionType.RC4_HMAC));
+          put("arcfour-hmac-md5", EnumSet.of(EncryptionType.UNKNOWN));
+
+          // arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp:	Exportable RC4 with HMAC/MD5 (weak)
+          put("arcfour-hmac-exp", EnumSet.of(EncryptionType.RC4_HMAC_EXP));
+          put("rc4-hmac-exp", EnumSet.of(EncryptionType.RC4_HMAC_EXP));
+          put("arcfour-hmac-md5-exp", EnumSet.of(EncryptionType.UNKNOWN));
+
+          // camellia 	The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
+          put("camellia", EnumSet.of(EncryptionType.UNKNOWN));
+
+          // camellia256-cts-cmac camellia256-cts:	Camellia-256 CTS mode with CMAC
+          put("camellia256-cts-cmac", EnumSet.of(EncryptionType.UNKNOWN));
+          put("camellia256-cts", EnumSet.of(EncryptionType.UNKNOWN));
+
+          // camellia128-cts-cmac camellia128-cts:	Camellia-128 CTS mode with CMAC
+          put("camellia128-cts-cmac", EnumSet.of(EncryptionType.UNKNOWN));
+          put("camellia128-cts", EnumSet.of(EncryptionType.UNKNOWN));
+
+          //des:	The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
+          put("des", EnumSet.of(EncryptionType.DES_CBC_CRC, EncryptionType.DES_CBC_MD5, EncryptionType.DES_CBC_MD4));
+
+          // des-cbc-md4: DES cbc mode with RSA-MD4 (weak)
+          put("des-cbc-md4", EnumSet.of(EncryptionType.DES_CBC_MD4));
+
+          // des-cbc-md5:	DES cbc mode with RSA-MD5 (weak)
+          put("des-cbc-md5", EnumSet.of(EncryptionType.DES_CBC_MD5));
+
+          // des-cbc-crc:	DES cbc mode with CRC-32 (weak)
+          put("des-cbc-crc", EnumSet.of(EncryptionType.DES_CBC_CRC));
+
+          // des-cbc-raw: DES cbc mode raw (weak)
+          put("des-cbc-raw", EnumSet.of(EncryptionType.UNKNOWN));
+
+          // des-hmac-sha1: DES with HMAC/sha1 (weak)
+          put("des-hmac-sha1", EnumSet.of(EncryptionType.UNKNOWN));
+
+          // des3:	The triple DES family: des3-cbc-sha1
+          put("des3", EnumSet.of(EncryptionType.DES3_CBC_SHA1_KD)); // Using DES3_CBC_SHA1_KD since DES3_CBC_SHA1 invalid key issues with KDC
+
+          // des3-cbc-raw:	Triple DES cbc mode raw (weak)
+          put("des3-cbc-raw", EnumSet.of(EncryptionType.UNKNOWN));
+
+          // des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd:	Triple DES cbc mode with HMAC/sha1
+          put("des3-cbc-sha1", EnumSet.of(EncryptionType.DES3_CBC_SHA1_KD)); // Using DES3_CBC_SHA1_KD since DES3_CBC_SHA1 invalid key issues with KDC
+          put("des3-hmac-sha1", EnumSet.of(EncryptionType.UNKNOWN));
+          put("des3-cbc-sha1-kd", EnumSet.of(EncryptionType.DES3_CBC_SHA1_KD));
+
+
+        }
+      }
+  );
+
   /**
    * The default set of ciphers to use for creating keytab entries
    */
@@ -77,6 +178,7 @@ public abstract class KerberosOperationHandler {
 
   private KerberosCredential administratorCredentials = null;
   private String defaultRealm = null;
+  private Set<EncryptionType> keyEncryptionTypes = new HashSet<EncryptionType>(DEFAULT_CIPHERS);
   private boolean open = false;
 
   /**
@@ -235,7 +337,7 @@ public abstract class KerberosOperationHandler {
       throw new KerberosOperationException(String.format("Failed to create keytab file for %s, missing file path", principal));
     } else {
       Keytab keytab;
-      Set<EncryptionType> ciphers = new HashSet<EncryptionType>(DEFAULT_CIPHERS);
+      Set<EncryptionType> ciphers = new HashSet<EncryptionType>(keyEncryptionTypes);
       List<KeytabEntry> keytabEntries = new ArrayList<KeytabEntry>();
 
       if (keytabFile.exists() && keytabFile.canRead() && (keytabFile.length() > 0)) {
@@ -321,6 +423,31 @@ public abstract class KerberosOperationHandler {
     this.defaultRealm = defaultRealm;
   }
 
+  /**
+   * Gets the encryption algorithms used to encrypt keys in keytab entries
+   *
+   * @return a Set of EncryptionKey values indicating which algorithms are to be used when
+   * encrypting keys for keytab entries.
+   */
+  public Set<EncryptionType> getKeyEncryptionTypes() {
+    return keyEncryptionTypes;
+  }
+
+  /**
+   * Sets the encryption algorithms to use to encrypt keys in keytab entries
+   * <p/>
+   * If set to <code>null</code> the default set of ciphers will be used.  See {@link #DEFAULT_CIPHERS}
+   *
+   * @param keyEncryptionTypes a Set of EncryptionKey values or null to indicate the default set
+   */
+  public void setKeyEncryptionTypes(Set<EncryptionType> keyEncryptionTypes) {
+    this.keyEncryptionTypes = new HashSet<EncryptionType>(
+        (keyEncryptionTypes == null)
+            ? DEFAULT_CIPHERS
+            : keyEncryptionTypes
+    );
+  }
+
   /**
    * Test this KerberosOperationHandler to see whether is was previously open or not
    *
@@ -432,7 +559,14 @@ public abstract class KerberosOperationHandler {
     }
   }
 
-  protected DeconstructedPrincipal deconstructPrincipal(String principal) throws KerberosOperationException {
+  /**
+   * Given a principal, attempt to create a new DeconstructedPrincipal
+   *
+   * @param principal a String containing the principal to deconstruct
+   * @return a DeconstructedPrincipal
+   * @throws KerberosOperationException
+   */
+  protected DeconstructedPrincipal createDeconstructPrincipal(String principal) throws KerberosOperationException {
     try {
       return DeconstructedPrincipal.valueOf(principal, getDefaultRealm());
     } catch (IllegalArgumentException e) {
@@ -440,4 +574,43 @@ public abstract class KerberosOperationHandler {
     }
   }
 
+  /**
+   * Given a cipher (or algorithm) name, attempts to translate it into an EncryptionType value.
+   * <p/>
+   * If a translation is not able to be made, {@link org.apache.directory.shared.kerberos.codec.types.EncryptionType#UNKNOWN}
+   * is returned.
+   *
+   * @param name a String containing the name of the cipher to translate
+   * @return an EncryptionType
+   */
+  protected Set<EncryptionType> translateEncryptionType(String name) {
+    Set<EncryptionType> encryptionTypes = null;
+
+    if ((name != null) && !name.isEmpty()) {
+      encryptionTypes = ENCRYPTION_TYPE_TRANSLATION_MAP.get(name.toLowerCase());
+    }
+
+    return (encryptionTypes == null) ? Collections.<EncryptionType>emptySet() : encryptionTypes;
+  }
+
+  /**
+   * Given a delimited set of encryption type names, attempts to translate into a set of EncryptionType
+   * values.
+   *
+   * @param names     a String containing a delimited list of encryption type names
+   * @param delimiter a String declaring the delimiter to use to split names, if null, " " is used.
+   * @return a Set of EncryptionType values
+   */
+  protected Set<EncryptionType> translateEncryptionTypes(String names, String delimiter) {
+    Set<EncryptionType> encryptionTypes = new HashSet<EncryptionType>();
+
+    if ((names != null) && !names.isEmpty()) {
+      for (String name : names.split((delimiter == null) ? "\\s+" : delimiter)) {
+        encryptionTypes.addAll(translateEncryptionType(name.trim()));
+      }
+    }
+
+    return encryptionTypes;
+  }
+
 }
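Review bot: setKeyEncryptionTypes only falls back to `DEFAULT_CIPHERS` for a null argument, but translateEncryptionTypes never returns null, so an absent, empty or entirely unrecognized `encryption_types` value installs an empty set and createKeytab then seeds `ciphers` from that empty set — as far as the visible setup shows, no key entries would be written. Both callers are affected (ADKerberosOperationHandler.open() and MITKerberosOperationHandler.open()), and MITKerberosOperationHandlerTest's KERBEROS_ENV_MAP maps the property to null, so those tests now run on exactly that empty-set path. Either treat empty as "use the defaults" or reject it loudly in open(); the minimal form is `this.keyEncryptionTypes = new HashSet<EncryptionType>(((keyEncryptionTypes == null) || keyEncryptionTypes.isEmpty()) ? DEFAULT_CIPHERS : keyEncryptionTypes);`. Separately, ENCRYPTION_TYPE_TRANSLATION_MAP contradicts its own comments: `arcfour-hmac-md5` is listed on the same line as `rc4-hmac` yet maps to `UNKNOWN` (the camellia and des3-hmac-sha1 entries likewise), and `UNKNOWN` is then added to the keytab cipher set instead of being skipped — KerberosOperationHandlerTest.testTranslateEncryptionTypes even asserts it. Map `arcfour-hmac-md5` to `EncryptionType.RC4_HMAC`, and have translateEncryptionTypes drop (or log and drop) `UNKNOWN` so it never reaches keytab generation.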

+ 6 - 0
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java

@@ -70,8 +70,14 @@ public class MITKerberosOperationHandler extends KerberosOperationHandler {
   public void open(KerberosCredential administratorCredentials, String realm,
                    Map<String, String> kerberosConfiguration)
       throws KerberosOperationException {
+
     setAdministratorCredentials(administratorCredentials);
     setDefaultRealm(realm);
+
+    if (kerberosConfiguration != null) {
+      setKeyEncryptionTypes(translateEncryptionTypes(kerberosConfiguration.get(KERBEROS_ENV_ENCRYPTION_TYPES), "\\s+"));
+    }
+
     setOpen(true);
   }
 

+ 4 - 6
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml

@@ -34,7 +34,7 @@
     <description>
       The URL to the Active Directory LDAP Interface
     </description>
-    <value></value>
+    <value/>
   </property>
 
   <property require-input="true">
@@ -42,7 +42,7 @@
     <description>
       The distinguished name (DN) of the container used store service principals
     </description>
-    <value></value>
+    <value/>
   </property>
 
   <property require-input="true">
@@ -50,9 +50,7 @@
     <description>
       The supported list of session key encryption types that should be returned by the KDC.
     </description>
-    <value>
-      aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
-    </value>
+    <value>aes des3-cbc-sha1 rc4 des-cbc-md5</value>
   </property>
 
   <property require-input="true">
@@ -60,7 +58,7 @@
     <description>
       The default realm to use when creating service principals
     </description>
-    <value></value>
+    <value/>
   </property>
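Review bot: The description of `encryption_types` still says only that these are the session key types returned by the KDC, but with this commit the same value now selects the enctypes for the keys written into generated keytabs (through KERBEROS_ENV_ENCRYPTION_TYPES in the handlers), and names Ambari does not recognize are silently dropped; the description should say so, e.g. `A space-delimited list of encryption types supported by the KDC; also used for the keys in generated keytabs. Names not recognized by Ambari are ignored.` The new default `aes des3-cbc-sha1 rc4 des-cbc-md5` includes des-cbc-md5, which the handler's own translation table labels weak, so keytabs generated with the default carry a single-DES key; if it is retained for compatibility with older KDCs, the description should state that and advise removing it where the KDC does not require it.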
 
 

+ 23 - 2
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml

@@ -78,7 +78,23 @@
     </description>
     <value>true</value>
   </property>
-  <property require-input="true">
+  <property require-input="false">
+    <name>libdefaults_default_tgs_enctypes</name>
+    <description>
+      A space-delimited list of session key encryption types supported by the KDC or Active
+      Directory
+    </description>
+    <value/>
+  </property>
+  <property require-input="false">
+    <name>libdefaults_default_tkt_enctypes</name>
+    <description>
+      A space-delimited list of session key encryption types supported by the KDC or Active
+      Directory.
+    </description>
+    <value/>
+  </property>
+  <property require-input="false">
     <name>domains</name>
     <description>
       A comma-separated list of domain names used to map server host names to the Realm name (e.g. .example.com,example.com). This is optional
@@ -108,7 +124,6 @@
     <value>true</value>
   </property>
 
-
   <property>
     <name>conf_dir</name>
     <description>The krb5.conf configuration directory</description>
@@ -125,6 +140,12 @@
   ticket_lifetime = {{libdefaults_ticket_lifetime}}
   dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
   dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
+  {% if libdefaults_default_tgs_enctypes %}
+  default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
+  {% endif %}
+  {% if libdefaults_default_tkt_enctypes %}
+  default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
+  {% endif %}
 
 {% if domains %}
 [domain_realm]
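Review bot: The two new `libdefaults_default_tgs_enctypes`/`libdefaults_default_tkt_enctypes` properties do not say what an empty value means, although the template block below only emits the setting when the property is non-empty, so an empty value omits it from krb5.conf and the Kerberos library defaults apply; add to both descriptions `Leave empty to omit this setting from krb5.conf and use the Kerberos library defaults.` The same descriptions and template block appear in the GlusterFS krb5-conf.xml and in both krb5_conf.j2 templates. Note also that the `domains` property changes from require-input="true" to "false" here and in the GlusterFS copy; that matches the "optional" wording in its description but is not mentioned in the commit message.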

+ 4 - 8
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py

@@ -102,12 +102,8 @@ if config is not None:
   libdefaults_ticket_lifetime = '24h'
   libdefaults_renew_lifetime = '7d'
   libdefaults_forwardable = 'true'
-  libdefaults_default_tgs_enctypes = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 ' \
-                                     'arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac ' \
-                                     'des-cbc-crc des-cbc-md5 des-cbc-md4'
-  libdefaults_default_tkt_enctypes = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 ' \
-                                     'arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac ' \
-                                     'des-cbc-crc des-cbc-md5 des-cbc-md4'
+  libdefaults_default_tgs_enctypes = None
+  libdefaults_default_tkt_enctypes = None
 
   realm = 'EXAMPLE.COM'
   domains = ''
@@ -150,10 +146,10 @@ if config is not None:
                                                  libdefaults_forwardable)
     libdefaults_default_tgs_enctypes = get_property_value(krb5_conf_data,
                                                           'libdefaults_default_tgs_enctypes',
-                                                          encryption_types)
+                                                          libdefaults_default_tgs_enctypes)
     libdefaults_default_tkt_enctypes = get_property_value(krb5_conf_data,
                                                           'libdefaults_default_tkt_enctypes',
-                                                          encryption_types)
+                                                          libdefaults_default_tkt_enctypes)
     realm = get_property_value(krb5_conf_data, 'realm', realm)
     domains = get_property_value(krb5_conf_data, 'domains', domains)
     kdc_host = get_property_value(krb5_conf_data, 'kdc_host', kdc_host)
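Review bot: The new `None` defaults for `libdefaults_default_tgs_enctypes` and `libdefaults_default_tkt_enctypes` carry no explanation of why they differ from the concrete defaults given to the other libdefaults_* values; a comment such as `# None/empty: the setting is omitted from krb5.conf so the library defaults apply (see krb5_conf.j2)` would make the intent clear. If `encryption_types` was only read here to seed these two defaults, it may now be an unused assignment elsewhere in params.py — that is outside this hunk, so verify before removing.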

+ 6 - 0
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2

@@ -22,6 +22,12 @@
   ticket_lifetime = {{libdefaults_ticket_lifetime}}
   dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
   dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
+  {% if libdefaults_default_tgs_enctypes %}
+  default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
+  {% endif %}
+  {% if libdefaults_default_tkt_enctypes %}
+  default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
+  {% endif %}
 
 {% if domains %}
 [domain_realm]

+ 23 - 1
ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml

@@ -54,7 +54,23 @@
     <name>libdefaults_forwardable</name>
     <value>true</value>
   </property>
-  <property require-input="true">
+  <property require-input="false">
+    <name>libdefaults_default_tgs_enctypes</name>
+    <description>
+      A space-delimited list of session key encryption types supported by the KDC or Active
+      Directory
+    </description>
+    <value/>
+  </property>
+  <property require-input="false">
+    <name>libdefaults_default_tkt_enctypes</name>
+    <description>
+      A space-delimited list of session key encryption types supported by the KDC or Active
+      Directory
+    </description>
+    <value/>
+  </property>
+  <property require-input="false">
     <name>domains</name>
     <description>
       A comma-delimited list of domain names that the realm serves (optional)
@@ -128,6 +144,12 @@
   ticket_lifetime = {{libdefaults_ticket_lifetime}}
   dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
   dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
+  {% if libdefaults_default_tgs_enctypes %}
+  default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
+  {% endif %}
+  {% if libdefaults_default_tkt_enctypes %}
+  default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
+  {% endif %}
 
 {% if domains %}
 [domain_realm]

+ 6 - 0
ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2

@@ -22,6 +22,12 @@
   ticket_lifetime = {{libdefaults_ticket_lifetime}}
   dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
   dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
+  {% if libdefaults_default_tgs_enctypes %}
+  default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
+  {% endif %}
+  {% if libdefaults_default_tkt_enctypes %}
+  default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
+  {% endif %}
 
 {% if domains %}
 [domain_realm]

+ 1 - 1
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java

@@ -45,7 +45,7 @@ import java.util.Properties;
 
 import static org.easymock.EasyMock.*;
 
-public class ADKerberosOperationHandlerTest extends EasyMockSupport {
+public class ADKerberosOperationHandlerTest extends KerberosOperationHandlerTest {
   private static final String DEFAULT_ADMIN_PRINCIPAL = "cluser_admin@HDP01.LOCAL";
   private static final String DEFAULT_ADMIN_PASSWORD = "Hadoop12345";
   private static final String DEFAULT_LDAP_URL = "ldaps://10.0.100.4";

+ 44 - 1
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java

@@ -22,6 +22,8 @@ import junit.framework.Assert;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.directory.server.kerberos.shared.keytab.Keytab;
 import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
+import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
+import org.easymock.EasyMockSupport;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
@@ -33,7 +35,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
-public abstract class KerberosOperationHandlerTest {
+public abstract class KerberosOperationHandlerTest extends EasyMockSupport {
 
   @Rule
   public TemporaryFolder folder = new TemporaryFolder();
@@ -201,6 +203,47 @@ public abstract class KerberosOperationHandlerTest {
     }
   }
 
+  @Test
+  public void testTranslateEncryptionTypes() throws Exception {
+    KerberosOperationHandler handler = createHandler();
+
+    Assert.assertEquals(
+        new HashSet<EncryptionType>() {{
+          add(EncryptionType.AES256_CTS_HMAC_SHA1_96);
+          add(EncryptionType.AES128_CTS_HMAC_SHA1_96);
+          add(EncryptionType.DES3_CBC_SHA1_KD);
+          add(EncryptionType.DES_CBC_MD5);
+          add(EncryptionType.DES_CBC_MD4);
+          add(EncryptionType.DES_CBC_CRC);
+          add(EncryptionType.UNKNOWN);
+        }},
+        handler.translateEncryptionTypes("aes256-cts-hmac-sha1-96\n aes128-cts-hmac-sha1-96\tdes3-cbc-sha1 arcfour-hmac-md5 " +
+            "camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4", "\\s+")
+    );
+
+    Assert.assertEquals(
+        new HashSet<EncryptionType>() {{
+          add(EncryptionType.AES256_CTS_HMAC_SHA1_96);
+          add(EncryptionType.AES128_CTS_HMAC_SHA1_96);
+        }},
+        handler.translateEncryptionTypes("aes", " ")
+    );
+
+    Assert.assertEquals(
+        new HashSet<EncryptionType>() {{
+          add(EncryptionType.AES256_CTS_HMAC_SHA1_96);
+        }},
+        handler.translateEncryptionTypes("aes-256", " ")
+    );
+
+    Assert.assertEquals(
+        new HashSet<EncryptionType>() {{
+          add(EncryptionType.DES3_CBC_SHA1_KD);
+        }},
+        handler.translateEncryptionTypes("des3", " ")
+    );
+  }
+
   private KerberosOperationHandler createHandler() throws KerberosOperationException {
     KerberosOperationHandler handler = new KerberosOperationHandler() {
 

+ 21 - 12
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java

@@ -25,21 +25,30 @@ import org.easymock.IAnswer;
 import org.junit.Ignore;
 import org.junit.Test;
 
+import java.util.HashMap;
+import java.util.Map;
+
 import static org.easymock.EasyMock.anyObject;
 import static org.easymock.EasyMock.expect;
 import static org.easymock.EasyMock.replay;
 
 
-public class MITKerberosOperationHandlerTest extends EasyMockSupport {
+public class MITKerberosOperationHandlerTest extends KerberosOperationHandlerTest {
 
   private static final String DEFAULT_ADMIN_PRINCIPAL = "admin/admin";
   private static final String DEFAULT_ADMIN_PASSWORD = "hadoop";
   private static final String DEFAULT_REALM = "EXAMPLE.COM";
 
+  private static final Map<String, String> KERBEROS_ENV_MAP = new HashMap<String, String>() {
+    {
+      put(MITKerberosOperationHandler.KERBEROS_ENV_ENCRYPTION_TYPES, null);
+    }
+  };
+
   @Test
   public void testSetPrincipalPasswordExceptions() throws Exception {
     MITKerberosOperationHandler handler = new MITKerberosOperationHandler();
-    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 
     try {
       handler.setPrincipalPassword(DEFAULT_ADMIN_PRINCIPAL, null);
@@ -75,7 +84,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
   @Test
   public void testCreateServicePrincipalExceptions() throws Exception {
     MITKerberosOperationHandler handler = new MITKerberosOperationHandler();
-    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
 
     try {
       handler.createPrincipal(DEFAULT_ADMIN_PRINCIPAL, null, false);
@@ -134,7 +143,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 
     replayAll();
 
-    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
     handler.testAdministratorCredentials();
     handler.close();
   }
@@ -167,7 +176,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 
     replayAll();
 
-    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
     handler.testAdministratorCredentials();
     handler.close();
   }
@@ -200,7 +209,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 
     replayAll();
 
-    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
     handler.testAdministratorCredentials();
     handler.close();
   }
@@ -233,7 +242,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 
     replayAll();
 
-    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
     handler.testAdministratorCredentials();
     handler.close();
   }
@@ -266,7 +275,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 
     replayAll();
 
-    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
     handler.testAdministratorCredentials();
     handler.close();
   }
@@ -299,7 +308,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 
     replayAll();
 
-    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
     handler.testAdministratorCredentials();
     handler.close();
   }
@@ -332,7 +341,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 
     replayAll();
 
-    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
     Assert.assertFalse(handler.testAdministratorCredentials());
     handler.close();
   }
@@ -385,7 +394,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 
     replayAll();
 
-    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, null);
+    handler.open(new KerberosCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD, null), DEFAULT_REALM, KERBEROS_ENV_MAP);
     handler.testAdministratorCredentials();
     handler.close();
   }
@@ -412,7 +421,7 @@ public class MITKerberosOperationHandlerTest extends EasyMockSupport {
 
     KerberosCredential credentials = new KerberosCredential(principal, password, null);
 
-    handler.open(credentials, realm, null);
+    handler.open(credentials, realm, KERBEROS_ENV_MAP);
     handler.testAdministratorCredentials();
     handler.close();
   }

+ 3 - 3
ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json


+ 3 - 3
ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json

