
AMBARI-6185. Secure cluster: JCE policy files not distributed on non-client hosts. (aonishuk)

Andrew Onishuk 11 years ago
parent
commit
c6d86439f7

+ 0 - 24
ambari-server/src/main/resources/stacks/HDP/1.3.2/hooks/before-INSTALL/scripts/shared_initialization.py

@@ -170,29 +170,5 @@ def setup_java():
           not_if = format("test -e {java_exec}")
   )
 
-  if params.jce_policy_zip is not None:
-    jce_curl_target = format("{artifact_dir}/{jce_policy_zip}")
-    download_jce = format("mkdir -p {artifact_dir}; curl -kf "
-                          "--retry 10 {jce_location}/{jce_policy_zip} "
-                          "-o {jce_curl_target}")
-    Execute( download_jce,
-             path = ["/bin","/usr/bin/"],
-             not_if =format("test -e {jce_curl_target}"),
-             environment = environment,
-             ignore_failures = True
-    )
-  elif params.security_enabled:
-    # Something weird is happening
-    raise Fail("Security is enabled, but JCE policy zip is not specified.")
-
-  if params.security_enabled:
-    security_dir = format("{java_home}/jre/lib/security")
-    extract_cmd = format("rm -f local_policy.jar; rm -f US_export_policy.jar; unzip -o -j -q {jce_curl_target}")
-    Execute(extract_cmd,
-            only_if = format("test -e {security_dir} && test -f {jce_curl_target}"),
-            cwd  = security_dir,
-            path = ['/bin/','/usr/bin']
-    )
-
 def install_packages():
   Package(['unzip'])

+ 1 - 0
ambari-server/src/main/resources/stacks/HDP/1.3.2/hooks/before-START/scripts/hook.py

@@ -32,6 +32,7 @@ class BeforeConfigureHook(Hook):
     setup_hadoop()
     setup_database()
     setup_configs()
+    setup_jce()
     create_javahome_symlink()
 
 if __name__ == "__main__":

+ 4 - 0
ambari-server/src/main/resources/stacks/HDP/1.3.2/hooks/before-START/scripts/params.py

@@ -132,6 +132,10 @@ mapred_local_dir = "/tmp/hadoop-mapred/mapred/local"
 
 dfs_hosts = default('/configurations/hdfs-site/dfs.hosts', None)
 
+artifact_dir = "/tmp/HDP-artifacts/"
+jce_policy_zip = default("/hostLevelParams/jce_name", None) # None when jdk is already installed by user
+jce_location = config['hostLevelParams']['jdk_location']
+
 #log4j.properties
 rca_properties = format('''
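Review bot: `artifact_dir = "/tmp/HDP-artifacts/"` stages the JCE archive at a fixed, predictable path under a world-writable directory, and the setup_jce added in this commit skips the download whenever a file already exists there (`not_if =format("test -e {jce_curl_target}")`) before unzipping it into `{java_home}/jre/lib/security`. Whoever creates that path first therefore decides which policy jars the JRE loads, so the staging directory should be owned by the agent and not writable by other accounts, or the archive should be checked against a known digest before extraction. Separately, `jce_location = config['hostLevelParams']['jdk_location']` is indexed directly while `jce_name` on the line above goes through `default(...)`; if `jdk_location` can be absent in a command this module will presumably fail at import, so `default("/hostLevelParams/jdk_location", None)` would be the consistent form. The same three lines are added to HDP/2.0.6/hooks/before-START/scripts/params.py.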
 

+ 32 - 0
ambari-server/src/main/resources/stacks/HDP/1.3.2/hooks/before-START/scripts/shared_initialization.py

@@ -135,6 +135,38 @@ def setup_configs():
     )
 
   # generate_include_file()
+  
+def setup_jce():
+  import params
+  
+  environment = {
+    "no_proxy": format("{ambari_server_hostname}")
+  }
+  
+  if params.jce_policy_zip is not None:
+    jce_curl_target = format("{artifact_dir}/{jce_policy_zip}")
+    download_jce = format("mkdir -p {artifact_dir}; \
+    curl -kf --retry 10 \
+    {jce_location}/{jce_policy_zip} -o {jce_curl_target}")
+    Execute( download_jce,
+             path = ["/bin","/usr/bin/"],
+             not_if =format("test -e {jce_curl_target}"),
+             ignore_failures = True,
+             environment = environment
+    )
+  elif params.security_enabled:
+    # Something weird is happening
+    raise Fail("Security is enabled, but JCE policy zip is not specified.")
+  
+  if params.security_enabled:
+    security_dir = format("{java_home}/jre/lib/security")
+    extract_cmd = format("rm -f local_policy.jar; rm -f US_export_policy.jar; unzip -o -j -q {jce_curl_target}")
+    Execute(extract_cmd,
+            only_if = format("test -e {security_dir} && test -f {jce_curl_target}"),
+            cwd  = security_dir,
+            path = ['/bin/','/usr/bin']
+    )
+
 
 def generate_include_file():
   import params
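Review bot: The download command in setup_jce uses `curl -kf`, and `-k` turns off TLS certificate verification, so the archive that is later unzipped over `local_policy.jar` and `US_export_policy.jar` in the JRE security directory is accepted from whatever endpoint answers for `{jce_location}`, with no integrity check before `extract_cmd` runs. These jars control the JVM's cryptographic policy, so the transfer should be authenticated: drop `-k` and pass the cluster CA, for example `curl -f --retry 10 --cacert <CA_BUNDLE_PATH> ...`, and compare the file with a published checksum before extraction. The code is moved unchanged from before-INSTALL, so the weakness is inherited rather than introduced here, but judging by the commit title the move makes it run on more hosts. The function also has no docstring; a short one stating that it downloads the policy zip when `jce_policy_zip` is set and extracts it only when `security_enabled` is true would help. The identical function is added in HDP/2.0.6/hooks/before-START/scripts/shared_initialization.py.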

+ 0 - 24
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-INSTALL/scripts/shared_initialization.py

@@ -192,29 +192,5 @@ def setup_java():
           not_if = format("test -e {java_exec}")
   )
 
-  if params.jce_policy_zip is not None:
-    jce_curl_target = format("{artifact_dir}/{jce_policy_zip}")
-    download_jce = format("mkdir -p {artifact_dir}; \
-    curl -kf --retry 10 \
-    {jce_location}/{jce_policy_zip} -o {jce_curl_target}")
-    Execute( download_jce,
-             path = ["/bin","/usr/bin/"],
-             not_if =format("test -e {jce_curl_target}"),
-             ignore_failures = True,
-             environment = environment
-    )
-  elif params.security_enabled:
-    # Something weird is happening
-    raise Fail("Security is enabled, but JCE policy zip is not specified.")
-
-  if params.security_enabled:
-    security_dir = format("{java_home}/jre/lib/security")
-    extract_cmd = format("rm -f local_policy.jar; rm -f US_export_policy.jar; unzip -o -j -q {jce_curl_target}")
-    Execute(extract_cmd,
-            only_if = format("test -e {security_dir} && test -f {jce_curl_target}"),
-            cwd  = security_dir,
-            path = ['/bin/','/usr/bin']
-    )
-
 def install_packages():
   Package(['unzip', 'curl'])

+ 1 - 0
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/hook.py

@@ -31,6 +31,7 @@ class BeforeConfigureHook(Hook):
     self.run_custom_hook('after-INSTALL')
     setup_hadoop()
     setup_configs()
+    setup_jce()
     create_javahome_symlink()
 
 if __name__ == "__main__":

+ 4 - 0
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/params.py

@@ -129,6 +129,10 @@ mapreduce_libs_path = "/usr/lib/hadoop-mapreduce/*"
 hadoop_libexec_dir = "/usr/lib/hadoop/libexec"
 mapred_log_dir_prefix = default("mapred_log_dir_prefix","/var/log/hadoop-mapreduce")
 
+artifact_dir = "/tmp/HDP-artifacts/"
+jce_policy_zip = default("/hostLevelParams/jce_name", None) # None when jdk is already installed by user
+jce_location = config['hostLevelParams']['jdk_location']
+
 #log4j.properties
 
 yarn_log_dir_prefix = default("yarn_log_dir_prefix","/var/log/hadoop-yarn")

+ 31 - 0
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/scripts/shared_initialization.py

@@ -134,6 +134,37 @@ def setup_configs():
     )
 
   generate_include_file()
+  
+def setup_jce():
+  import params
+  
+  environment = {
+    "no_proxy": format("{ambari_server_hostname}")
+  }
+  
+  if params.jce_policy_zip is not None:
+    jce_curl_target = format("{artifact_dir}/{jce_policy_zip}")
+    download_jce = format("mkdir -p {artifact_dir}; \
+    curl -kf --retry 10 \
+    {jce_location}/{jce_policy_zip} -o {jce_curl_target}")
+    Execute( download_jce,
+             path = ["/bin","/usr/bin/"],
+             not_if =format("test -e {jce_curl_target}"),
+             ignore_failures = True,
+             environment = environment
+    )
+  elif params.security_enabled:
+    # Something weird is happening
+    raise Fail("Security is enabled, but JCE policy zip is not specified.")
+  
+  if params.security_enabled:
+    security_dir = format("{java_home}/jre/lib/security")
+    extract_cmd = format("rm -f local_policy.jar; rm -f US_export_policy.jar; unzip -o -j -q {jce_curl_target}")
+    Execute(extract_cmd,
+            only_if = format("test -e {security_dir} && test -f {jce_curl_target}"),
+            cwd  = security_dir,
+            path = ['/bin/','/usr/bin']
+    )
 
 
 def generate_include_file():
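Review bot: A failed download is silently tolerated on a secured cluster: the `Execute( download_jce, ...)` call sets `ignore_failures = True` and the extract step is guarded by `only_if = format("test -e {security_dir} && test -f {jce_curl_target}")`, so when curl fails no policy jars are installed and the hook still succeeds. With `security_enabled` true that leaves the JVM on its default policy files, which looks like the same symptom the commit title describes and would presumably surface only later as crypto or Kerberos errors in the services. Consider `ignore_failures = not params.security_enabled`, or raising `Fail` when security is enabled and the archive is still missing after the download step. An interrupted transfer may also leave a partial file that `not_if =format("test -e {jce_curl_target}")` then treats as complete on every later run; downloading to a temporary name and renaming on success would avoid that. The same applies to setup_jce in HDP/1.3.2/hooks/before-START/scripts/shared_initialization.py.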