
AMBARI-20600 : AMS grafana restart fails with ssl error after upgrading from 2.4.2.0. (avijayan)

Aravindan Vijayan 8 years ago
parent
commit
661a06e104

+ 2 - 0
ambari-common/src/main/python/ambari_commons/network.py

@@ -52,12 +52,14 @@ def get_http_connection(host, port, https_enabled=False, ca_certs=None):
 
 def check_ssl_certificate_and_return_ssl_version(host, port, ca_certs):
   try:
+    # Try with TLSv1 first.
     ssl_version = ssl.PROTOCOL_TLSv1
     ssl.get_server_certificate((host, port), ssl_version=ssl_version, ca_certs=ca_certs)
   except ssl.SSLError as ssl_error:
     print_warning_msg("Failed to verify the SSL certificate for https://{0}:{1} with CA certificate in {2} using ssl.PROTOCOL_TLSv1."
                       " Trying to use less secure ssl.PROTOCOL_SSLv23. Error : {3}".format(host, port, ca_certs, str(ssl_error)))
     try:
+      # Try with SSLv23 only if TLSv1 failed.
       ssl_version = ssl.PROTOCOL_SSLv23
       ssl.get_server_certificate((host, port), ssl_version=ssl_version, ca_certs=ca_certs)
     except ssl.SSLError as ssl_error:
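Review bot: The two added comments record the order of the attempts but keep the warning text's premise that `ssl.PROTOCOL_SSLv23` is the weaker choice. In Python's ssl module `PROTOCOL_TLSv1` pins the handshake to TLS 1.0 only, while `PROTOCOL_SSLv23` negotiates the highest version both ends support, so a server that has disabled TLS 1.0 will always fail the first attempt and log a misleading warning. I would reword the comments as `# PROTOCOL_TLSv1 allows TLS 1.0 only; this fails against servers that require TLS 1.1 or later.` and `# PROTOCOL_SSLv23 negotiates the highest protocol version both sides support.`, and consider trying the negotiating protocol first. The docstring should also say that `ssl.get_server_certificate` validates the chain only when `ca_certs` is given and does not check the hostname. The function body continues past the end of this hunk.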

+ 11 - 0
ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-grafana-ini.xml

@@ -42,6 +42,17 @@
     <description>Path to grafana certificate key (.key) file.</description>
     <on-ambari-upgrade add="true"/>
   </property>
+  <property>
+    <name>ca_cert</name>
+    <value></value>
+    <description>Path to CA root certificate or bundle to be used to validate the Grafana certificate against.
+      For self signed certificates, this value can be the same as the value for 'cert_file'.
+      (If a path is not specified, the certificate validation is skipped)</description>
+    <value-attributes>
+      <empty-value-valid>true</empty-value-valid>
+    </value-attributes>
+    <on-ambari-upgrade add="true"/>
+  </property>
   <property>
     <name>content</name>
     <display-name>ams-grafana-ini template</display-name>
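Review bot: The new `ca_cert` property defaults to `<value></value>` and is added on upgrade via `on-ambari-upgrade add="true"`, so an upgraded cluster receives an empty value, which the description says skips validation. The scripts in this commit stop passing `cert_file` as the CA bundle, so clusters that validated Grafana's certificate before the upgrade would, as far as this page shows, silently stop doing so. The closing parenthetical undersells that consequence; I would state it outright, for example `If no path is specified, the Grafana server certificate is not validated and the HTTPS connection to Grafana is unauthenticated.` A warning logged when the protocol is https and `ca_cert` is empty would make the unvalidated state visible to operators.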

+ 4 - 4
ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py

@@ -50,7 +50,7 @@ def perform_grafana_get_call(url, server):
   ca_certs = None
   if grafana_https_enabled:
     import params
-    ca_certs = params.ams_grafana_cert_file
+    ca_certs = params.ams_grafana_ca_cert
 
   for i in xrange(0, GRAFANA_CONNECT_TRIES):
     try:
@@ -90,7 +90,7 @@ def perform_grafana_put_call(url, id, payload, server):
   ca_certs = None
   if grafana_https_enabled:
     import params
-    ca_certs = params.ams_grafana_cert_file
+    ca_certs = params.ams_grafana_ca_cert
 
   for i in xrange(0, GRAFANA_CONNECT_TRIES):
     try:
@@ -125,7 +125,7 @@ def perform_grafana_post_call(url, payload, server):
   ca_certs = None
   if grafana_https_enabled:
     import params
-    ca_certs = params.ams_grafana_cert_file
+    ca_certs = params.ams_grafana_ca_cert
 
   for i in xrange(0, GRAFANA_CONNECT_TRIES):
     try:
@@ -167,7 +167,7 @@ def perform_grafana_delete_call(url, server):
   ca_certs = None
   if grafana_https_enabled:
     import params
-    ca_certs = params.ams_grafana_cert_file
+    ca_certs = params.ams_grafana_ca_cert
 
   for i in xrange(0, GRAFANA_CONNECT_TRIES):
     try:
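Review bot: `ca_certs = params.ams_grafana_ca_cert` is likely to receive an empty string rather than `None`, because ams-grafana-ini.xml ships the property with an empty value and the `None` default in params.py presumably applies only when the key is absent. Whether the connection helper treats `''` as "no CA bundle" is not visible here; if it forwards it to the ssl module, the result could be a failed handshake instead of the documented skip. Normalising at the assignment removes the ambiguity: `ca_certs = params.ams_grafana_ca_cert or None`. The same line appears in all four hunks of this file (get, put, post and delete), so a small shared helper that returns the CA path would keep them in step. Each function body continues outside its hunk.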

+ 1 - 0
ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py

@@ -166,6 +166,7 @@ ams_grafana_port = default("/configurations/ams-grafana-ini/port", 3000)
 ams_grafana_protocol = default("/configurations/ams-grafana-ini/protocol", 'http')
 ams_grafana_cert_file = default("/configurations/ams-grafana-ini/cert_file", '/etc/ambari-metrics/conf/ams-grafana.crt')
 ams_grafana_cert_key = default("/configurations/ams-grafana-ini/cert_key", '/etc/ambari-metrics/conf/ams-grafana.key')
+ams_grafana_ca_cert = default("/configurations/ams-grafana-ini/ca_cert", None)
 
 ams_hbase_home_dir = "/usr/lib/ams-hbase/"