
AMBARI-19681: Credential store should add hadoop credential provider path property to all affected configuration types

Nahappan Somasundaram 8 years ago
parent
commit
77bd5ebeba

+ 2 - 6
ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py

@@ -266,7 +266,6 @@ class CustomServiceOrchestrator():
     serviceName = commandJson['serviceName']
 
     # Gather the password values and remove them from the configuration
-    provider_paths = [] # A service may depend on multiple configs
     configtype_credentials = self.getConfigTypeCredentials(commandJson)
     for config_type, credentials in configtype_credentials.items():
       config = commandJson['configurations'][config_type]
@@ -274,7 +273,6 @@ class CustomServiceOrchestrator():
       if os.path.exists(file_path):
         os.remove(file_path)
       provider_path = 'jceks://file{file_path}'.format(file_path=file_path)
-      provider_paths.append(provider_path)
       logger.info('provider_path={0}'.format(provider_path))
       for alias, pwd in credentials.items():
         logger.debug("config={0}".format(config))
@@ -286,10 +284,8 @@ class CustomServiceOrchestrator():
         cmd_result = subprocess.call(cmd)
         logger.info('cmd_result = {0}'.format(cmd_result))
         os.chmod(file_path, 0644) # group and others should have read access so that the service user can read
-
-    if provider_paths:
-      # Add JCEKS provider paths instead
-      config[self.CREDENTIAL_PROVIDER_PROPERTY_NAME] = ','.join(provider_paths)
+      # Add JCEKS provider path instead
+      config[self.CREDENTIAL_PROVIDER_PROPERTY_NAME] = provider_path
 
     return cmd_result
 
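Review bot: The new `config[self.CREDENTIAL_PROVIDER_PROPERTY_NAME] = provider_path` is set for every config type whether or not the keystore was actually written. The exit status of `subprocess.call(cmd)` is only logged, and `return cmd_result` reports just the last call, so an earlier failed alias is masked while the configuration already points at an incomplete or missing JCEKS file. Consider stopping on the first failure, for example `if cmd_result != 0: return cmd_result` directly after the call, before the path is published. The context line `os.chmod(file_path, 0644)` also leaves the keystore readable by every local account; unless a keystore password is set somewhere not visible here, a tighter mode with group ownership for the service user would be safer. The function body starts and ends outside these hunks.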

+ 13 - 16
ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py

@@ -46,22 +46,19 @@ def update_credential_provider_path(config, config_type, dest_provider_path, fil
   """
   # Get the path to the provider <config_type>.jceks
   if HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME in config:
-    provider_paths = config[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME].split(',')
-    for path_index in range(len(provider_paths)):
-      provider_path = provider_paths[path_index]
-      if config_type == os.path.splitext(os.path.basename(provider_path))[0]:
-        src_provider_path = provider_path[len('jceks://file'):]
-        File(dest_provider_path,
-             owner = file_owner,
-             group = file_group,
-             mode = 0640,
-             content = StaticFile(src_provider_path)
-             )
-        provider_paths[path_index] = 'jceks://file{0}'.format(dest_provider_path)
-        # make a copy of the config dictionary since it is read-only
-        config_copy = config.copy()
-        config_copy[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME] = ','.join(provider_paths)
-        return config_copy
+    provider_path = config[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME]
+    src_provider_path = provider_path[len('jceks://file'):]
+    File(dest_provider_path,
+        owner = file_owner,
+        group = file_group,
+        mode = 0640,
+        content = StaticFile(src_provider_path)
+    )
+    # make a copy of the config dictionary since it is read-only
+    config_copy = config.copy()
+    # overwrite the provider path with the path specified
+    config_copy[HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME] = 'jceks://file{0}'.format(dest_provider_path)
+    return config_copy
   return config
 
 def validate_security_config_properties(params, configuration_rules):
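Review bot: The slice `provider_path[len('jceks://file'):]` assumes the property holds exactly one `jceks://file` URI, but nothing on the new side checks that. With the comma split and the `config_type` match removed, a comma-separated provider list or a different scheme would be cut at an arbitrary offset, passed to `StaticFile` as the source path, and the original value then overwritten in `config_copy`. A guard before the slice would leave such values alone, for example `if ',' in provider_path or not provider_path.startswith('jceks://file'): return config`. `config_type` also looks unused in the visible lines, so the docstring, which starts outside this hunk, may need updating to say the property is now treated as a single path.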