Revert "AMBARI-18406. Create authentication filter to perform Kerberos authentication for Ambari (rlevas)"

This reverts commit 14e44bfd240ae4f223fe5152fbede294e78084f9.

ambari-project/pom.xml

@@ -131,11 +131,6 @@
         <artifactId>spring-security-web</artifactId>
         <version>3.1.2.RELEASE</version>
       </dependency>
-      <dependency>
-        <groupId>org.springframework.security.kerberos</groupId>
-        <artifactId>spring-security-kerberos-web</artifactId>
-        <version>1.0.1.RELEASE</version>
-      </dependency>
       <dependency>
         <groupId>org.springframework</groupId>
         <artifactId>spring-mock</artifactId>

ambari-server/pom.xml

@@ -984,10 +984,6 @@
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-web</artifactId>
     </dependency>
-    <dependency>
-      <groupId>org.springframework.security.kerberos</groupId>
-      <artifactId>spring-security-kerberos-web</artifactId>
-    </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-mock</artifactId>

ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -5287,11 +5287,9 @@ public class Configuration {
         try {
           orderedUserTypes.add(UserType.valueOf(type.toUpperCase()));
         } catch (IllegalArgumentException e) {
-          String message = String.format("While processing ordered user types from %s, " +
+          throw new IllegalArgumentException(String.format("While processing ordered user types from %s, " +
                   "%s was found to be an invalid user type.",
-              KERBEROS_AUTH_USER_TYPES.getKey(), type);
-          LOG.error(message);
-          throw new IllegalArgumentException(message, e);
+              KERBEROS_AUTH_USER_TYPES.getKey(), type), e);
         }
       }
     }
@@ -5325,11 +5323,9 @@ public class Configuration {
     // Validate the SPNEGO principal name to ensure it was set.
     // Log any found issues.
     if (StringUtils.isEmpty(kerberosAuthProperties.getSpnegoPrincipalName())) {
-      String message = String.format("The SPNEGO principal name specified in %s is empty. " +
+      throw new IllegalArgumentException(String.format("The SPNEGO principal name specified in %s is empty. " +
           "This will cause issues authenticating users using Kerberos.",
-          KERBEROS_AUTH_SPNEGO_PRINCIPAL.getKey());
-      LOG.error(message);
-      throw new IllegalArgumentException(message);
+          KERBEROS_AUTH_SPNEGO_PRINCIPAL.getKey()));
     }
 
     // Get the SPNEGO keytab file. There is nothing special to process for this value.
@@ -5338,25 +5334,19 @@ public class Configuration {
     // Validate the SPNEGO keytab file to ensure it was set, it exists and it is readable by Ambari.
     // Log any found issues.
     if (StringUtils.isEmpty(kerberosAuthProperties.getSpnegoKeytabFilePath())) {
-      String message = String.format("The SPNEGO keytab file path specified in %s is empty. " +
+      throw new IllegalArgumentException(String.format("The SPNEGO keytab file path specified in %s is empty. " +
               "This will cause issues authenticating users using Kerberos.",
-          KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey());
-      LOG.error(message);
-      throw new IllegalArgumentException(message);
+          KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey()));
     } else {
       File keytabFile = new File(kerberosAuthProperties.getSpnegoKeytabFilePath());
       if (!keytabFile.exists()) {
-        String message = String.format("The SPNEGO keytab file path (%s) specified in %s does not exist. " +
+        throw new IllegalArgumentException(String.format("The SPNEGO keytab file path (%s) specified in %s does not exist. " +
                 "This will cause issues authenticating users using Kerberos.",
-            keytabFile.getAbsolutePath(), KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey());
-        LOG.error(message);
-        throw new IllegalArgumentException(message);
+            keytabFile.getAbsolutePath(), KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey()));
       } else if (!keytabFile.canRead()) {
-        String message = String.format("The SPNEGO keytab file path (%s) specified in %s cannot be read. " +
+        throw new IllegalArgumentException(String.format("The SPNEGO keytab file path (%s) specified in %s cannot be read. " +
                 "This will cause issues authenticating users using Kerberos.",
-            keytabFile.getAbsolutePath(), KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey());
-        LOG.error(message);
-        throw new IllegalArgumentException(message);
+            keytabFile.getAbsolutePath(), KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey()));
       }
     }
 

ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java

@@ -70,8 +70,6 @@ public interface KerberosHelper {
 
   String AMBARI_IDENTITY_NAME = "ambari-server";
 
-  String SPNEGO_IDENTITY_NAME = "spnego";
-
   String CREATE_AMBARI_PRINCIPAL = "create_ambari_principal";
 
   String MANAGE_IDENTITIES = "manage_identities";

ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java

@@ -61,7 +61,7 @@ import org.apache.ambari.server.security.encryption.CredentialStoreService;
 import org.apache.ambari.server.serveraction.ActionLog;
 import org.apache.ambari.server.serveraction.ServerAction;
 import org.apache.ambari.server.serveraction.kerberos.CleanupServerAction;
-import org.apache.ambari.server.serveraction.kerberos.ConfigureAmbariIdentitiesServerAction;
+import org.apache.ambari.server.serveraction.kerberos.ConfigureAmbariIndetityServerAction;
 import org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction;
 import org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction;
 import org.apache.ambari.server.serveraction.kerberos.DestroyPrincipalsServerAction;
@@ -811,7 +811,7 @@ public class KerberosHelperImpl implements KerberosHelper {
    * @param ambariServerIdentity the ambari server's {@link KerberosIdentityDescriptor}
    * @param configurations       a map of compiled configrations used for variable replacment
    * @throws AmbariException
-   * @see ConfigureAmbariIdentitiesServerAction#installAmbariServerIdentity(String, String, String, ActionLog)
+   * @see ConfigureAmbariIndetityServerAction#installAmbariServerIdentity(String, String, String, ActionLog)
    */
   private void installAmbariIdentity(KerberosIdentityDescriptor ambariServerIdentity,
                                      Map<String, Map<String, String>> configurations) throws AmbariException {
@@ -825,7 +825,7 @@ public class KerberosHelperImpl implements KerberosHelper {
         if(keytabDescriptor != null) {
           String keytabFilePath = variableReplacementHelper.replaceVariables(keytabDescriptor.getFile(), configurations);
 
-          injector.getInstance(ConfigureAmbariIdentitiesServerAction.class)
+          injector.getInstance(ConfigureAmbariIndetityServerAction.class)
               .installAmbariServerIdentity(principal, ambariServerPrincipalEntity.getCachedKeytabPath(), keytabFilePath, null);
         }
       }
@@ -1309,7 +1309,7 @@ public class KerberosHelperImpl implements KerberosHelper {
                 serviceName, componentName, kerberosDescriptor, filterContext);
 
             if (hostname.equals(ambariServerHostname)) {
-              addAmbariServerIdentities(kerberosEnvConfig.getProperties(), kerberosDescriptor, identities);
+              addAmbariServerIdentity(kerberosEnvConfig.getProperties(), kerberosDescriptor, identities);
             }
 
             if (!identities.isEmpty()) {
@@ -1396,7 +1396,7 @@ public class KerberosHelperImpl implements KerberosHelper {
    * @param kerberosDescriptor    the kerberos descriptor
    * @param identities            the collection of identities to add to
    */
-  void addAmbariServerIdentities(Map<String, String> kerberosEnvProperties, KerberosDescriptor kerberosDescriptor, List<KerberosIdentityDescriptor> identities) {
+  void addAmbariServerIdentity(Map<String, String> kerberosEnvProperties, KerberosDescriptor kerberosDescriptor, List<KerberosIdentityDescriptor> identities) {
     // Determine if we should _calculate_ the Ambari service identity.
     // If kerberos-env/create_ambari_principal is not set to false the identity should be calculated.
     boolean createAmbariPrincipal = (kerberosEnvProperties == null) || !"false".equalsIgnoreCase(kerberosEnvProperties.get(CREATE_AMBARI_PRINCIPAL));
@@ -1407,12 +1407,6 @@ public class KerberosHelperImpl implements KerberosHelper {
       if (ambariServerIdentity != null) {
         identities.add(ambariServerIdentity);
       }
-
-      // Add the spnego principal for the Ambari server host....
-      KerberosIdentityDescriptor spnegoIdentity = kerberosDescriptor.getIdentity(KerberosHelper.SPNEGO_IDENTITY_NAME);
-      if (spnegoIdentity != null) {
-        identities.add(spnegoIdentity);
-      }
     }
   }
 
@@ -2806,7 +2800,7 @@ public class KerberosHelperImpl implements KerberosHelper {
           clusterHostInfoJson,
           "{}",
           hostParamsJson,
-          ConfigureAmbariIdentitiesServerAction.class,
+          ConfigureAmbariIndetityServerAction.class,
           event,
           commandParameters,
           "Configure Ambari Identity",

ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java

@@ -28,19 +28,6 @@ import java.io.IOException;
 public class AmbariEntryPoint implements AuthenticationEntryPoint {
   @Override
   public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
-    /* *****************************************************************************************
-     * To maintain backward compatibility and respond with the appropriate response when
-     * authentication is needed, by default return an HTTP 403 status.
-     *
-     * However if requested by the user, respond such that the client is challenged to Negotiate
-     * and reissue the request with a Kerberos token.  This response is an HTTP 401 status with the
-     * WWW-Authenticate: Negotiate" header.
-     * ****************************************************************************************** */
-    if ("true".equalsIgnoreCase(request.getHeader("X-Negotiate-Authentication"))) {
-      response.setHeader("WWW-Authenticate", "Negotiate");
-      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication requested");
-    } else {
-      response.sendError(HttpServletResponse.SC_FORBIDDEN, authException.getMessage());
-    }
+    response.sendError(HttpServletResponse.SC_FORBIDDEN, authException.getMessage());
   }
 }

ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java

@@ -1,139 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import org.apache.ambari.server.AmbariException;
-import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
-import org.apache.ambari.server.security.authorization.UserType;
-import org.apache.ambari.server.security.authorization.Users;
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.security.authentication.util.KerberosName;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.core.userdetails.UsernameNotFoundException;
-
-import java.io.IOException;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-
-/**
- * AmbariAuthToLocalUserDetailsService is a {@link UserDetailsService} that translates
- * a Kerberos principal name into a local username that may be used when looking up
- * and Ambari user account.
- */
-public class AmbariAuthToLocalUserDetailsService implements UserDetailsService {
-  private static final Logger LOG = LoggerFactory.getLogger(AmbariAuthToLocalUserDetailsService.class);
-
-  private final Users users;
-
-  private final List<UserType> userTypeOrder;
-
-  /**
-   * Constructor.
-   * <p>
-   * Given the Ambari {@link Configuration}, initializes the {@link KerberosName} class using
-   * the <code>auth-to-local</code> rules from {@link AmbariKerberosAuthenticationProperties#getAuthToLocalRules()}.
-   *
-   * @param configuration the Ambari configuration data
-   * @param users         the Ambari users access object
-   * @throws AmbariException if an error occurs parsing the user-provided auth-to-local rules
-   */
-  public AmbariAuthToLocalUserDetailsService(Configuration configuration, Users users) throws AmbariException {
-    String authToLocalRules = null;
-    List<UserType> orderedUserTypes = null;
-
-    if (configuration != null) {
-      AmbariKerberosAuthenticationProperties properties = configuration.getKerberosAuthenticationProperties();
-
-      if (properties != null) {
-        authToLocalRules = properties.getAuthToLocalRules();
-        orderedUserTypes = properties.getOrderedUserTypes();
-      }
-    }
-
-    if (StringUtils.isEmpty(authToLocalRules)) {
-      authToLocalRules = "DEFAULT";
-    }
-
-    if ((orderedUserTypes == null) || orderedUserTypes.isEmpty()) {
-      orderedUserTypes = Collections.singletonList(UserType.LDAP);
-    }
-
-    KerberosName.setRules(authToLocalRules);
-
-    this.users = users;
-    this.userTypeOrder = orderedUserTypes;
-  }
-
-  @Override
-  public UserDetails loadUserByUsername(String principal) throws UsernameNotFoundException {
-    KerberosName kerberosName = new KerberosName(principal);
-
-    try {
-      String username = kerberosName.getShortName();
-
-      if (username == null) {
-        String message = String.format("Failed to translate %s to a local username during Kerberos authentication.", principal);
-        LOG.warn(message);
-        throw new UsernameNotFoundException(message);
-      }
-
-      LOG.info("Translated {} to {} using auth-to-local rules during Kerberos authentication.", principal, username);
-      return createUser(username);
-    } catch (IOException e) {
-      String message = String.format("Failed to translate %s to a local username during Kerberos authentication: %s", principal, e.getLocalizedMessage());
-      LOG.warn(message);
-      throw new UsernameNotFoundException(message, e);
-    }
-  }
-
-  /**
-   * Given a username, finds an appropriate account in the Ambari database.
-   * <p>
-   * User accounts are searched in order of preferred user type as specified in the Ambari configuration
-   * ({@link Configuration#KERBEROS_AUTH_USER_TYPES}).
-   *
-   * @param username a username
-   * @return the user details of the found user, or <code>null</code> if an appropriate user was not found
-   */
-  private UserDetails createUser(String username) {
-    // Iterate over the ordered user types... when an account for the username/type combination is
-    // found, build the related AmbariUserAuthentication instance and return it.  Only the first
-    // match matters... this may be an issue and cause some ambiguity in the event multiple user
-    // types are specified in the configuration and multiple accounts for the same username, but
-    // different types (LOCAL vs LDAP, etc...).
-    for (UserType userType : userTypeOrder) {
-      org.apache.ambari.server.security.authorization.User user = users.getUser(username, userType);
-
-      if (user != null) {
-        Collection<AmbariGrantedAuthority> userAuthorities = users.getUserAuthorities(user.getUserName(), user.getUserType());
-        return new User(username, "", userAuthorities);
-      }
-    }
-
-    String message = String.format("Failed find user account for user with username of %s during Kerberos authentication.", username);
-    LOG.warn(message);
-    throw new UsernameNotFoundException(message);
-  }
-}

ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilter.java

@@ -1,172 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import org.apache.ambari.server.audit.AuditLogger;
-import org.apache.ambari.server.audit.event.AuditEvent;
-import org.apache.ambari.server.audit.event.LoginAuditEvent;
-import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.security.authentication.AmbariAuthenticationFilter;
-import org.apache.ambari.server.security.authorization.AuthorizationHelper;
-import org.apache.ambari.server.security.authorization.PermissionHelper;
-import org.apache.ambari.server.utils.RequestUtils;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
-import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.authentication.AuthenticationFailureHandler;
-import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-/**
- * AmbariKerberosAuthenticationFilter extends the {@link SpnegoAuthenticationProcessingFilter} class
- * to perform Kerberos-based authentication for Ambari.
- * <p>
- * If configured, auditing is performed using {@link AuditLogger}.
- */
-public class AmbariKerberosAuthenticationFilter extends SpnegoAuthenticationProcessingFilter implements AmbariAuthenticationFilter {
-
-  /**
-   * Audit logger
-   */
-  private final AuditLogger auditLogger;
-
-  /**
-   * A Boolean value indicating whether Kerberos authentication is enabled or not.
-   */
-  private final boolean kerberosAuthenticationEnabled;
-
-  /**
-   * Constructor.
-   * <p>
-   * Given supplied data, sets up the the {@link SpnegoAuthenticationProcessingFilter} to perform
-   * authentication and audit logging if configured do to so.
-   *
-   * @param authenticationManager the Spring authentication manager
-   * @param entryPoint            the Spring entry point
-   * @param configuration         the Ambari configuration data
-   * @param auditLogger           an audit logger
-   * @param permissionHelper      a permission helper to aid in audit logging
-   */
-  public AmbariKerberosAuthenticationFilter(AuthenticationManager authenticationManager, final AuthenticationEntryPoint entryPoint, Configuration configuration, final AuditLogger auditLogger, final PermissionHelper permissionHelper) {
-    AmbariKerberosAuthenticationProperties kerberosAuthenticationProperties = (configuration == null)
-        ? null
-        : configuration.getKerberosAuthenticationProperties();
-
-    kerberosAuthenticationEnabled = (kerberosAuthenticationProperties != null) && kerberosAuthenticationProperties.isKerberosAuthenticationEnabled();
-
-    this.auditLogger = auditLogger;
-
-    setAuthenticationManager(authenticationManager);
-
-    setFailureHandler(new AuthenticationFailureHandler() {
-      @Override
-      public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
-        if (auditLogger.isEnabled()) {
-          AuditEvent loginFailedAuditEvent = LoginAuditEvent.builder()
-              .withRemoteIp(RequestUtils.getRemoteAddress(httpServletRequest))
-              .withTimestamp(System.currentTimeMillis())
-              .withReasonOfFailure(e.getLocalizedMessage())
-              .build();
-          auditLogger.log(loginFailedAuditEvent);
-        }
-
-        entryPoint.commence(httpServletRequest, httpServletResponse, e);
-      }
-    });
-
-    setSuccessHandler(new AuthenticationSuccessHandler() {
-      @Override
-      public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
-        if (auditLogger.isEnabled()) {
-          AuditEvent loginSucceededAuditEvent = LoginAuditEvent.builder()
-              .withRemoteIp(RequestUtils.getRemoteAddress(httpServletRequest))
-              .withUserName(authentication.getName())
-              .withTimestamp(System.currentTimeMillis())
-              .withRoles(permissionHelper.getPermissionLabels(authentication))
-              .build();
-          auditLogger.log(loginSucceededAuditEvent);
-        }
-      }
-    });
-  }
-
-  /**
-   * Tests to determine if this authentication filter is applicable given the Ambari configuration
-   * and the user's HTTP request.
-   * <p>
-   * If the Ambari configuration indicates the Kerberos authentication is enabled and the HTTP request
-   * contains the appropriate <code>Authorization</code> header, than this filter may be applied;
-   * otherwise it should be skipped.
-   *
-   * @param httpServletRequest the request
-   * @return true if this filter should be applied; false otherwise
-   */
-  @Override
-  public boolean shouldApply(HttpServletRequest httpServletRequest) {
-    if (kerberosAuthenticationEnabled) {
-      String header = httpServletRequest.getHeader("Authorization");
-      return (header != null) && (header.startsWith("Negotiate ") || header.startsWith("Kerberos "));
-    } else {
-      return false;
-    }
-  }
-
-  /**
-   * Performs the logic for this filter.
-   * <p>
-   * Checks whether the authentication information is filled. If it is not, then a login failed audit event is logged.
-   * <p>
-   * Then, forwards the workflow to {@link SpnegoAuthenticationProcessingFilter#doFilter(ServletRequest, ServletResponse, FilterChain)}
-   *
-   * @param servletRequest  the request
-   * @param servletResponse the response
-   * @param filterChain     the Spring filter chain
-   * @throws IOException
-   * @throws ServletException
-   */
-  @Override
-  public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
-    HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
-
-    if (shouldApply(httpServletRequest)) {
-      if (auditLogger.isEnabled() && (AuthorizationHelper.getAuthenticatedName() == null)) {
-        AuditEvent loginFailedAuditEvent = LoginAuditEvent.builder()
-            .withRemoteIp(RequestUtils.getRemoteAddress(httpServletRequest))
-            .withTimestamp(System.currentTimeMillis())
-            .withReasonOfFailure("Authentication required")
-            .withUserName(null)
-            .build();
-        auditLogger.log(loginFailedAuditEvent);
-      }
-
-      super.doFilter(servletRequest, servletResponse, filterChain);
-    } else {
-      filterChain.doFilter(servletRequest, servletResponse);
-    }
-  }
-}

ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidator.java

@@ -1,93 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import org.apache.ambari.server.configuration.Configuration;
-import org.springframework.beans.factory.InitializingBean;
-import org.springframework.core.io.FileSystemResource;
-import org.springframework.core.io.Resource;
-import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.kerberos.authentication.KerberosTicketValidation;
-import org.springframework.security.kerberos.authentication.KerberosTicketValidator;
-import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
-
-/**
- * AmbariKerberosTicketValidator is a {@link KerberosTicketValidator} implementation that delegates
- * to a {@link SunJaasKerberosTicketValidator}, if Kerberos authentication is enabled.
- * <p>
- * If Kerberos authentication is enabled, the following properties are set:
- * <ul>
- * <li>{@link SunJaasKerberosTicketValidator#setServicePrincipal(String)} using the Ambari server property from {@link Configuration#KERBEROS_AUTH_SPNEGO_PRINCIPAL}</li>
- * <li>{@link SunJaasKerberosTicketValidator#setKeyTabLocation(Resource)} using the Ambari server property from {@link Configuration#KERBEROS_AUTH_SPNEGO_KEYTAB_FILE}</li>
- * </ul>
- */
-public class AmbariKerberosTicketValidator implements KerberosTicketValidator, InitializingBean {
-
-  private final SunJaasKerberosTicketValidator kerberosTicketValidator;
-
-  /**
-   * Creates a new AmbariKerberosTicketValidator
-   *
-   * @param configuration the Ambari server configuration
-   */
-  public AmbariKerberosTicketValidator(Configuration configuration) {
-
-    AmbariKerberosAuthenticationProperties properties = (configuration == null)
-        ? null
-        : configuration.getKerberosAuthenticationProperties();
-
-    if ((properties != null) && properties.isKerberosAuthenticationEnabled()) {
-      kerberosTicketValidator = new SunJaasKerberosTicketValidator();
-      kerberosTicketValidator.setServicePrincipal(properties.getSpnegoPrincipalName());
-
-      if (properties.getSpnegoKeytabFilePath() != null) {
-        kerberosTicketValidator.setKeyTabLocation(new FileSystemResource(properties.getSpnegoKeytabFilePath()));
-      }
-    } else {
-      // Don't create the SunJaasKerberosTicketValidator if Kerberos authentication is not enabled.
-      kerberosTicketValidator = null;
-    }
-  }
-
-  @Override
-  public void afterPropertiesSet() throws Exception {
-    // If Kerberos authentication is enabled, forward this method invocation to the backing
-    // SunJaasKerberosTicketValidator instance.
-    if (kerberosTicketValidator != null) {
-      kerberosTicketValidator.afterPropertiesSet();
-    }
-  }
-
-  @Override
-  public KerberosTicketValidation validateTicket(byte[] bytes) throws BadCredentialsException {
-    // If Kerberos authentication is enabled, forward this method invocation to the backing
-    // SunJaasKerberosTicketValidator instance.
-    return (kerberosTicketValidator == null)
-        ? null
-        : kerberosTicketValidator.validateTicket(bytes);
-  }
-
-  public void setDebug(boolean debug) {
-    // If Kerberos authentication is enabled, forward this method invocation to the backing
-    // SunJaasKerberosTicketValidator instance.
-    if (kerberosTicketValidator != null) {
-      kerberosTicketValidator.setDebug(debug);
-    }
-  }
-}

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java

@@ -156,15 +156,7 @@ public abstract class AbstractPrepareKerberosServerAction extends KerberosServer
             if (ambariServerIdentity != null) {
               List<KerberosIdentityDescriptor> componentIdentities = Collections.singletonList(ambariServerIdentity);
               kerberosHelper.addIdentities(kerberosIdentityDataFileWriter, componentIdentities,
-                identityFilter, KerberosHelper.AMBARI_SERVER_HOST_NAME, "AMBARI_SERVER", "AMBARI_SERVER", kerberosConfigurations, configurations);
-              propertiesToIgnore = gatherPropertiesToIgnore(componentIdentities, propertiesToIgnore);
-            }
-
-            KerberosIdentityDescriptor spnegoIdentity = kerberosDescriptor.getIdentity(KerberosHelper.SPNEGO_IDENTITY_NAME);
-            if (spnegoIdentity != null) {
-              List<KerberosIdentityDescriptor> componentIdentities = Collections.singletonList(spnegoIdentity);
-              kerberosHelper.addIdentities(kerberosIdentityDataFileWriter, componentIdentities,
-                identityFilter, KerberosHelper.AMBARI_SERVER_HOST_NAME, "AMBARI_SERVER", "SPNEGO", kerberosConfigurations, configurations);
+                identityFilter, KerberosHelper.AMBARI_SERVER_HOST_NAME, "AMBARI_SEVER", "AMBARI_SEVER", kerberosConfigurations, configurations);
               propertiesToIgnore = gatherPropertiesToIgnore(componentIdentities, propertiesToIgnore);
             }
           }

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIdentitiesServerAction.java → ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIndetityServerAction.java

@@ -23,25 +23,20 @@ import java.io.IOException;
 import java.util.Map;
 import java.util.concurrent.ConcurrentMap;
 
-import com.google.inject.Inject;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.actionmanager.HostRoleStatus;
 import org.apache.ambari.server.agent.CommandReport;
 import org.apache.ambari.server.controller.KerberosHelper;
 import org.apache.ambari.server.controller.utilities.KerberosChecker;
-import org.apache.ambari.server.orm.dao.HostDAO;
-import org.apache.ambari.server.orm.dao.KerberosPrincipalHostDAO;
-import org.apache.ambari.server.orm.entities.HostEntity;
 import org.apache.ambari.server.serveraction.ActionLog;
 import org.apache.ambari.server.utils.ShellCommandUtil;
-import org.apache.ambari.server.utils.StageUtils;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.io.FileUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * ConfigureAmbariIdentitiesServerAction is a ServerAction implementation that creates keytab files as
+ * ConfigureAmbariIndetityServerAction is a ServerAction implementation that creates keytab files as
  * instructed.
  * <p/>
  * This class mainly relies on the KerberosServerAction to iterate through metadata identifying
@@ -50,25 +45,19 @@ import org.slf4j.LoggerFactory;
  * {@link KerberosServerAction#processIdentity(Map, String, KerberosOperationHandler, Map, Map)}
  * is invoked attempting the creation of the relevant keytab file.
  */
-public class ConfigureAmbariIdentitiesServerAction extends KerberosServerAction {
+public class ConfigureAmbariIndetityServerAction extends KerberosServerAction {
 
 
   private static final String KEYTAB_PATTERN = "keyTab=\"(.+)?\"";
   private static final String PRINCIPAL_PATTERN = "principal=\"(.+)?\"";
 
-  private final static Logger LOG = LoggerFactory.getLogger(ConfigureAmbariIdentitiesServerAction.class);
-
-  @Inject
-  private KerberosPrincipalHostDAO kerberosPrincipalHostDAO;
-
-  @Inject
-  private HostDAO hostDAO;
+  private final static Logger LOG = LoggerFactory.getLogger(ConfigureAmbariIndetityServerAction.class);
 
   /**
    * Called to execute this action.  Upon invocation, calls
    * {@link KerberosServerAction#processIdentities(Map)} )}
    * to iterate through the Kerberos identity metadata and call
-   * {@link ConfigureAmbariIdentitiesServerAction#processIdentities(Map)}
+   * {@link ConfigureAmbariIndetityServerAction#processIdentities(Map)}
    * for each identity to process.
    *
    * @param requestSharedDataContext a Map to be used a shared data among all ServerActions related
@@ -79,7 +68,7 @@ public class ConfigureAmbariIdentitiesServerAction extends KerberosServerAction
    */
   @Override
   public CommandReport execute(ConcurrentMap<String, Object> requestSharedDataContext) throws
-      AmbariException, InterruptedException {
+    AmbariException, InterruptedException {
     return processIdentities(requestSharedDataContext);
   }
 
@@ -106,14 +95,19 @@ public class ConfigureAmbariIdentitiesServerAction extends KerberosServerAction
                                           KerberosOperationHandler operationHandler,
                                           Map<String, String> kerberosConfiguration,
                                           Map<String, Object> requestSharedDataContext)
-      throws AmbariException {
+    throws AmbariException {
     CommandReport commandReport = null;
 
     if (identityRecord != null) {
       String message;
       String dataDirectory = getDataDirectoryPath();
 
-      if (dataDirectory == null) {
+      if (operationHandler == null) {
+        message = String.format("Failed to create keytab file for %s, missing KerberosOperationHandler", evaluatedPrincipal);
+        actionLog.writeStdErr(message);
+        LOG.error(message);
+        commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
+      } else if (dataDirectory == null) {
         message = "The data directory has not been set. Generated keytab files can not be stored.";
         LOG.error(message);
         commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
@@ -125,13 +119,8 @@ public class ConfigureAmbariIdentitiesServerAction extends KerberosServerAction
           File hostDirectory = new File(dataDirectory, hostName);
           File srcKeytabFile = new File(hostDirectory, DigestUtils.sha1Hex(destKeytabFilePath));
 
-          if (srcKeytabFile.exists()) {
+          if(srcKeytabFile.exists()) {
             installAmbariServerIdentity(evaluatedPrincipal, srcKeytabFile.getAbsolutePath(), destKeytabFilePath, actionLog);
-
-            if ("AMBARI_SERVER".equals(identityRecord.get(KerberosIdentityDataFileReader.COMPONENT))) {
-              // Create/update the JAASFile...
-              configureJAAS(evaluatedPrincipal, destKeytabFilePath, actionLog);
-            }
           }
         }
       }
@@ -171,30 +160,14 @@ public class ConfigureAmbariIdentitiesServerAction extends KerberosServerAction
       result = ShellCommandUtil.copyFile(srcKeytabFilePath, destKeytabFilePath, true, true);
       if (!result.isSuccessful()) {
         throw new AmbariException(result.getStderr());
-      } else {
-        String ambariServerHostName = StageUtils.getHostName();
-        HostEntity ambariServerHostEntity = hostDAO.findByName(ambariServerHostName);
-        Long ambariServerHostID = (ambariServerHostEntity == null)
-            ? null
-            : ambariServerHostEntity.getHostId();
-
-        if (ambariServerHostID == null) {
-          String message = String.format("Failed to add the kerberos_principal_host record for %s on " +
-                  "the Ambari server host since the host id for Ambari server host, %s, was not found." +
-                  "  This is not an error if an Ambari agent is not installed on the Ambari server host.",
-              principal, ambariServerHostName);
-          LOG.warn(message);
-          actionLog.writeStdErr(message);
-        } else if (!kerberosPrincipalHostDAO.exists(principal, ambariServerHostID)) {
-          kerberosPrincipalHostDAO.create(principal, ambariServerHostID);
-        }
-
-        actionLog.writeStdOut(String.format("Created Ambari server keytab file for %s at %s", principal, destKeytabFile));
       }
     } catch (InterruptedException | IOException e) {
       throw new AmbariException(e.getLocalizedMessage(), e);
     }
 
+    // Create/update the JAASFile...
+    configureJAAS(principal, destKeytabFilePath, actionLog);
+
     return true;
   }
 
@@ -210,13 +183,13 @@ public class ConfigureAmbariIdentitiesServerAction extends KerberosServerAction
         jaasConfig = jaasConfig.replaceFirst(PRINCIPAL_PATTERN, "principal=\"" + evaluatedPrincipal + "\"");
         FileUtils.writeStringToFile(jaasConfigFile, jaasConfig);
         String message = String.format("JAAS config file %s modified successfully for principal %s.", jaasConfigFile
-            .getName(), evaluatedPrincipal);
+          .getName(), evaluatedPrincipal);
         if (actionLog != null) {
           actionLog.writeStdOut(message);
         }
       } catch (IOException e) {
         String message = String.format("Failed to configure JAAS file %s for %s - %s", jaasConfigFile,
-            evaluatedPrincipal, e.getMessage());
+          evaluatedPrincipal, e.getMessage());
         if (actionLog != null) {
           actionLog.writeStdErr(message);
         }
@@ -224,7 +197,7 @@ public class ConfigureAmbariIdentitiesServerAction extends KerberosServerAction
       }
     } else {
       String message = String.format("Failed to configure JAAS, config file should be passed to Ambari server as: " +
-          "%s.", KerberosChecker.JAVA_SECURITY_AUTH_LOGIN_CONFIG);
+        "%s.", KerberosChecker.JAVA_SECURITY_AUTH_LOGIN_CONFIG);
       if (actionLog != null) {
         actionLog.writeStdErr(message);
       }

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java

@@ -18,6 +18,7 @@
 
 package org.apache.ambari.server.serveraction.kerberos;
 
+import com.google.common.base.Optional;
 import com.google.inject.Inject;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.actionmanager.HostRoleStatus;
@@ -144,7 +145,7 @@ public class CreatePrincipalsServerAction extends KerberosServerAction {
           // This principal has been processed and a keytab file has been distributed... do not process it.
           processPrincipal = false;
         } else {
-          // This principal has been processed but a keytab file for it has not been distributed... process it.
+          // This principal has been processed but a keytab file for it has been distributed... process it.
           processPrincipal = true;
         }
       }
@@ -231,7 +232,7 @@ public class CreatePrincipalsServerAction extends KerberosServerAction {
       String password = securePasswordHelper.createSecurePassword(length, minLowercaseLetters, minUppercaseLetters, minDigits, minPunctuation, minWhitespace);
 
       try {
-        /*
+        /**
          * true indicates a new principal was created, false indicates an existing principal was updated
          */
         boolean created;

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java

@@ -28,7 +28,6 @@ import org.apache.ambari.server.security.credential.PrincipalKeyCredential;
 import org.apache.ambari.server.serveraction.AbstractServerAction;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
-import org.apache.ambari.server.utils.StageUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -515,19 +514,12 @@ public abstract class KerberosServerAction extends AbstractServerAction {
 
     if (record != null) {
       String principal = record.get(KerberosIdentityDataFileReader.PRINCIPAL);
+      String host = record.get(KerberosIdentityDataFileReader.HOSTNAME);
 
       if (principal != null) {
-        String hostname = record.get(KerberosIdentityDataFileReader.HOSTNAME);
-
-        if(KerberosHelper.AMBARI_SERVER_HOST_NAME.equals(hostname)) {
-          // Replace KerberosHelper.AMBARI_SERVER_HOST_NAME with the actual hostname where the Ambari
-          // server is... this host
-          hostname = StageUtils.getHostName();
-        }
-
         // Evaluate the principal "pattern" found in the record to generate the "evaluated principal"
         // by replacing the _HOST and _REALM variables.
-        String evaluatedPrincipal = principal.replace("_HOST", hostname).replace("_REALM", defaultRealm);
+        String evaluatedPrincipal = principal.replace("_HOST", host).replace("_REALM", defaultRealm);
 
         commandReport = processIdentity(record, evaluatedPrincipal, operationHandler, kerberosConfiguration, requestSharedDataContext);
       }

ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml

@@ -30,11 +30,16 @@
     <custom-filter ref="ambariAuthorizationFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
   </http>
 
+  <!--<ldap-server id="ldapServer" root="dc=ambari,dc=apache,dc=org"/>-->
+
   <authentication-manager alias="authenticationManager">
+
     <authentication-provider ref="ambariLocalAuthenticationProvider"/>
+
     <authentication-provider ref="ambariLdapAuthenticationProvider"/>
+
     <authentication-provider ref="ambariInternalAuthenticationProvider"/>
-    <authentication-provider ref="kerberosServiceAuthenticationProvider"/>
+
   </authentication-manager>
 
   <beans:bean id="ambariEntryPoint" class="org.apache.ambari.server.security.AmbariEntryPoint">
@@ -44,7 +49,6 @@
     <beans:constructor-arg>
       <beans:list>
         <beans:ref bean="ambariBasicAuthenticationFilter"/>
-        <beans:ref bean="ambariKerberosAuthenticationFilter"/>
         <beans:ref bean="ambariJwtAuthenticationFilter"/>
       </beans:list>
     </beans:constructor-arg>
@@ -65,14 +69,6 @@
     <beans:constructor-arg ref="permissionHelper"/>
   </beans:bean>
 
-  <beans:bean id="ambariKerberosAuthenticationFilter" class="org.apache.ambari.server.security.authentication.kerberos.AmbariKerberosAuthenticationFilter">
-    <beans:constructor-arg ref="authenticationManager"/>
-    <beans:constructor-arg ref="ambariEntryPoint"/>
-    <beans:constructor-arg ref="ambariConfiguration"/>
-    <beans:constructor-arg ref="auditLogger"/>
-    <beans:constructor-arg ref="permissionHelper"/>
-  </beans:bean>
-
   <beans:bean id="ambariAuthorizationFilter" class="org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter">
     <beans:constructor-arg ref="ambariEntryPoint"/>
     <beans:constructor-arg ref="ambariConfiguration"/>
@@ -81,20 +77,4 @@
     <beans:constructor-arg ref="permissionHelper"/>
   </beans:bean>
 
-  <beans:bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
-    <beans:property name="ticketValidator">
-      <beans:bean class="org.apache.ambari.server.security.authentication.kerberos.AmbariKerberosTicketValidator">
-        <beans:constructor-arg ref="ambariConfiguration"/>
-        <beans:property name="debug" value="false"/>
-      </beans:bean>
-    </beans:property>
-
-    <beans:property name="userDetailsService" ref="authToLocalUserDetailsService"/>
-  </beans:bean>
-
-  <beans:bean id="authToLocalUserDetailsService" class="org.apache.ambari.server.security.authentication.kerberos.AmbariAuthToLocalUserDetailsService">
-    <beans:constructor-arg ref="ambariConfiguration"/>
-    <beans:constructor-arg ref="ambariUsers"/>
-  </beans:bean>
-
 </beans:beans>

ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java

@@ -104,6 +104,7 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -3754,7 +3755,6 @@ public class KerberosHelperTest extends EasyMockSupport {
     KerberosDescriptor kerberosDescriptor = createMock(KerberosDescriptor.class);
     if (createAmbariPrincipal) {
       expect(kerberosDescriptor.getIdentity(KerberosHelper.AMBARI_IDENTITY_NAME)).andReturn(ambariKerberosIdentity).once();
-      expect(kerberosDescriptor.getIdentity(KerberosHelper.SPNEGO_IDENTITY_NAME)).andReturn(ambariKerberosIdentity).once();
     }
 
     List<KerberosIdentityDescriptor> identities = new ArrayList<KerberosIdentityDescriptor>();
@@ -3764,12 +3764,12 @@ public class KerberosHelperTest extends EasyMockSupport {
     // Needed by infrastructure
     injector.getInstance(AmbariMetaInfo.class).init();
 
-    kerberosHelper.addAmbariServerIdentities(kerberosEnvProperties, kerberosDescriptor, identities);
+    kerberosHelper.addAmbariServerIdentity(kerberosEnvProperties, kerberosDescriptor, identities);
 
     verifyAll();
 
     if (createAmbariPrincipal) {
-      Assert.assertEquals(2, identities.size());
+      Assert.assertEquals(1, identities.size());
       Assert.assertSame(ambariKerberosIdentity, identities.get(0));
     } else {
       Assert.assertTrue(identities.isEmpty());

ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsServiceTest.java

@@ -1,92 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import junit.framework.Assert;
-import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
-import org.apache.ambari.server.security.authorization.User;
-import org.apache.ambari.server.security.authorization.UserType;
-import org.apache.ambari.server.security.authorization.Users;
-import org.easymock.EasyMockSupport;
-import org.junit.Test;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.core.userdetails.UsernameNotFoundException;
-
-import java.util.Collection;
-import java.util.Collections;
-
-import static org.easymock.EasyMock.expect;
-
-public class AmbariAuthToLocalUserDetailsServiceTest extends EasyMockSupport {
-  @Test
-  public void loadUserByUsernameSuccess() throws Exception {
-    AmbariKerberosAuthenticationProperties properties = new AmbariKerberosAuthenticationProperties();
-
-    Configuration configuration = createMock(Configuration.class);
-    expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    User user = createMock(User.class);
-    expect(user.getUserName()).andReturn("user1").once();
-    expect(user.getUserType()).andReturn(UserType.LDAP).once();
-
-    Collection<AmbariGrantedAuthority> userAuthorities = Collections.singletonList(createNiceMock(AmbariGrantedAuthority.class));
-
-    Users users = createMock(Users.class);
-    expect(users.getUser("user1", UserType.LDAP)).andReturn(user).once();
-    expect(users.getUserAuthorities("user1", UserType.LDAP)).andReturn(userAuthorities).once();
-
-    replayAll();
-
-    UserDetailsService userdetailsService = new AmbariAuthToLocalUserDetailsService(configuration, users);
-
-    UserDetails userDetails = userdetailsService.loadUserByUsername("user1@EXAMPLE.COM");
-
-    verifyAll();
-
-    Assert.assertNotNull(userDetails);
-    Assert.assertEquals("user1", userDetails.getUsername());
-    Assert.assertEquals(userAuthorities.size(), userDetails.getAuthorities().size());
-    Assert.assertEquals("", userDetails.getPassword());
-  }
-
-  @Test(expected = UsernameNotFoundException.class)
-  public void loadUserByUsernameUserNotFound() throws Exception {
-    AmbariKerberosAuthenticationProperties properties = new AmbariKerberosAuthenticationProperties();
-
-    Configuration configuration = createMock(Configuration.class);
-    expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    Users users = createMock(Users.class);
-    expect(users.getUser("user1", UserType.LDAP)).andReturn(null).once();
-    expect(users.getUser("user1", UserType.LOCAL)).andReturn(null).once();
-
-    replayAll();
-
-    UserDetailsService userdetailsService = new AmbariAuthToLocalUserDetailsService(configuration, users);
-
-    userdetailsService.loadUserByUsername("user1@EXAMPLE.COM");
-
-    verifyAll();
-
-    Assert.fail("UsernameNotFoundException was not thrown");
-  }
-
-}

ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilterTest.java

@@ -1,133 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import org.apache.ambari.server.audit.AuditLogger;
-import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.security.authorization.PermissionHelper;
-import org.easymock.EasyMockSupport;
-import org.junit.Assert;
-import org.junit.Test;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.web.AuthenticationEntryPoint;
-
-import javax.servlet.http.HttpServletRequest;
-
-import static org.easymock.EasyMock.expect;
-
-public class AmbariKerberosAuthenticationFilterTest extends EasyMockSupport {
-  @Test
-  public void shouldApplyTrue() throws Exception {
-    HttpServletRequest httpServletRequest = createMock(HttpServletRequest.class);
-    expect(httpServletRequest.getHeader("Authorization")).andReturn("Negotiate .....").once();
-
-    AmbariKerberosAuthenticationProperties properties = createMock(AmbariKerberosAuthenticationProperties.class);
-    expect(properties.isKerberosAuthenticationEnabled()).andReturn(true).once();
-
-    Configuration configuration = createMock(Configuration.class);
-    expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    AuthenticationManager authenticationManager = createMock(AuthenticationManager.class);
-    AuthenticationEntryPoint entryPoint = createMock(AuthenticationEntryPoint.class);
-    AuditLogger auditLogger = createMock(AuditLogger.class);
-    PermissionHelper permissionHelper = createMock(PermissionHelper.class);
-
-    replayAll();
-
-    AmbariKerberosAuthenticationFilter filter = new AmbariKerberosAuthenticationFilter(
-        authenticationManager,
-        entryPoint,
-        configuration,
-        auditLogger,
-        permissionHelper
-    );
-
-    Assert.assertTrue(filter.shouldApply(httpServletRequest));
-
-    verifyAll();
-  }
-
-  @Test
-  public void shouldApplyFalseMissingHeader() throws Exception {
-    HttpServletRequest httpServletRequest = createMock(HttpServletRequest.class);
-    expect(httpServletRequest.getHeader("Authorization")).andReturn(null).once();
-
-    AmbariKerberosAuthenticationProperties properties = createMock(AmbariKerberosAuthenticationProperties.class);
-    expect(properties.isKerberosAuthenticationEnabled()).andReturn(true).once();
-
-    Configuration configuration = createMock(Configuration.class);
-    expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    AuthenticationManager authenticationManager = createMock(AuthenticationManager.class);
-    AuthenticationEntryPoint entryPoint = createMock(AuthenticationEntryPoint.class);
-    AuditLogger auditLogger = createMock(AuditLogger.class);
-    PermissionHelper permissionHelper = createMock(PermissionHelper.class);
-
-    replayAll();
-
-    AmbariKerberosAuthenticationFilter filter = new AmbariKerberosAuthenticationFilter(
-        authenticationManager,
-        entryPoint,
-        configuration,
-        auditLogger,
-        permissionHelper
-    );
-
-    Assert.assertFalse(filter.shouldApply(httpServletRequest));
-
-    verifyAll();
-  }
-
-  @Test
-  public void shouldApplyNotFalseEnabled() throws Exception {
-    HttpServletRequest httpServletRequest = createMock(HttpServletRequest.class);
-
-    AmbariKerberosAuthenticationProperties properties = createMock(AmbariKerberosAuthenticationProperties.class);
-    expect(properties.isKerberosAuthenticationEnabled()).andReturn(false).once();
-
-    Configuration configuration = createMock(Configuration.class);
-    expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    AuthenticationManager authenticationManager = createMock(AuthenticationManager.class);
-    AuthenticationEntryPoint entryPoint = createMock(AuthenticationEntryPoint.class);
-    AuditLogger auditLogger = createMock(AuditLogger.class);
-    PermissionHelper permissionHelper = createMock(PermissionHelper.class);
-
-    replayAll();
-
-    AmbariKerberosAuthenticationFilter filter = new AmbariKerberosAuthenticationFilter(
-        authenticationManager,
-        entryPoint,
-        configuration,
-        auditLogger,
-        permissionHelper
-    );
-
-    Assert.assertFalse(filter.shouldApply(httpServletRequest));
-
-    verifyAll();
-  }
-
-  @Test
-  public void doFilter() throws Exception {
-    // Skip this test since the real work is being done by SpnegoAuthenticationProcessingFilter, which
-    // is a class in the Spring libraries.
-  }
-
-}

ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidatorTest.java

@@ -1,49 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authentication.kerberos;
-
-import org.apache.ambari.server.configuration.Configuration;
-import org.easymock.EasyMockSupport;
-import org.junit.Test;
-
-import static org.easymock.EasyMock.expect;
-
-public class AmbariKerberosTicketValidatorTest extends EasyMockSupport {
-
-  /**
-   * Tests an {@link AmbariKerberosTicketValidator} to ensure that the Spnego identity is properly
-   * set in the base class during construction.
-   */
-  @Test
-  public void testConstructor() throws NoSuchMethodException {
-    AmbariKerberosAuthenticationProperties properties = createMock(AmbariKerberosAuthenticationProperties.class);
-    expect(properties.isKerberosAuthenticationEnabled()).andReturn(true).once();
-    expect(properties.getSpnegoPrincipalName()).andReturn("HTTP/somehost.example.com").times(1);
-    expect(properties.getSpnegoKeytabFilePath()).andReturn("/etc/security/keytabs/spnego.service.keytab").times(2);
-
-    Configuration configuration = createMock(Configuration.class);
-    expect(configuration.getKerberosAuthenticationProperties()).andReturn(properties).once();
-
-    replayAll();
-
-    new AmbariKerberosTicketValidator(configuration);
-
-    verifyAll();
-  }
-}