
AMBARI-14702. disabling kerberos does not remove auth to local rules (rlevas)

Robert Levas 9 anni fa
parent
commit
c852a0db34

+ 1 - 13
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java

@@ -126,7 +126,6 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 @Singleton
 public class KerberosHelperImpl implements KerberosHelper {
@@ -135,17 +134,6 @@ public class KerberosHelperImpl implements KerberosHelper {
 
   private static final Logger LOG = LoggerFactory.getLogger(KerberosHelperImpl.class);
 
-  /**
-   * Regular expression pattern used to parse auth_to_local property specifications into the following
-   * parts:
-   * <ul>
-   * <li>configuration type (optional, if _global_)</li>
-   * <li>property name</li>
-   * <li>concatenation type (optional, if using the default behavior)</li>
-   * </ul>
-   */
-  private static final Pattern AUTH_TO_LOCAL_PROPERTY_SPECIFICATION_PATTERN = Pattern.compile("^(?:(.+?)/)?(.+?)(?:\\|(.+?))?$");
-
   @Inject
   private AmbariCustomCommandExecutionHelper customCommandExecutionHelper;
 
@@ -759,7 +747,7 @@ public class KerberosHelperImpl implements KerberosHelper {
 
       if (!authToLocalPropertiesToSet.isEmpty()) {
         for (String authToLocalProperty : authToLocalPropertiesToSet) {
-          Matcher m = AUTH_TO_LOCAL_PROPERTY_SPECIFICATION_PATTERN.matcher(authToLocalProperty);
+          Matcher m = KerberosDescriptor.AUTH_TO_LOCAL_PROPERTY_SPECIFICATION_PATTERN.matcher(authToLocalProperty);
 
           if (m.matches()) {
             AuthToLocalBuilder builder = authToLocalBuilder.copy();

+ 24 - 0
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/PrepareDisableKerberosServerAction.java

@@ -42,6 +42,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentMap;
+import java.util.regex.Matcher;
 
 /**
  * PrepareEnableKerberosServerAction is a ServerAction implementation that prepares metadata needed
@@ -114,6 +115,29 @@ public class PrepareDisableKerberosServerAction extends AbstractPrepareKerberosS
 
     processServiceComponentHosts(cluster, kerberosDescriptor, schToProcess, identityFilter, dataDirectory, kerberosConfigurations, false);
 
+    // Add auth-to-local configurations to the set of changes
+    Set<String> authToLocalProperties = kerberosDescriptor.getAllAuthToLocalProperties();
+    if(authToLocalProperties != null) {
+      for (String authToLocalProperty : authToLocalProperties) {
+        Matcher m = KerberosDescriptor.AUTH_TO_LOCAL_PROPERTY_SPECIFICATION_PATTERN.matcher(authToLocalProperty);
+
+        if (m.matches()) {
+          String configType = m.group(1);
+          String propertyName = m.group(2);
+
+          if (configType == null) {
+            configType = "";
+          }
+
+          // Add existing auth_to_local configuration, if set
+          Map<String, String> configuration = kerberosConfigurations.get(configType);
+          if (configuration != null) {
+            configuration.put(propertyName, "DEFAULT");
+          }
+        }
+      }
+    }
+
     actionLog.writeStdOut("Determining configuration changes");
     // Ensure the cluster-env/security_enabled flag is set properly
     Map<String, String> clusterEnvProperties = kerberosConfigurations.get(KerberosHelper.SECURITY_ENABLED_CONFIG_TYPE);
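Review bot: The reset at `configuration.put(propertyName, "DEFAULT")` only runs when `kerberosConfigurations` already holds a map for the property's config type; otherwise the auth_to_local rules are left in place without any trace, which is the symptom this commit is meant to fix. Whether a missing map can actually occur depends on how `processServiceComponentHosts` populates `kerberosConfigurations`, which is not visible here, so at minimum record the skip: `else { actionLog.writeStdOut("auth_to_local not reset, config type not in change set: " + authToLocalProperty); }`. The comment "Add existing auth_to_local configuration, if set" also does not describe the line below it; `// Reset auth_to_local to DEFAULT so principal-to-user mapping rules do not outlive Kerberos` would be accurate. The enclosing method starts and ends outside the hunk.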

+ 12 - 0
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/AbstractKerberosDescriptorContainer.java

@@ -29,6 +29,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 /**
  * AbstractKerberosDescriptorContainer is an abstract class implementing AbstractKerberosDescriptor
@@ -85,6 +86,17 @@ import java.util.Set;
  */
 public abstract class AbstractKerberosDescriptorContainer extends AbstractKerberosDescriptor {
 
+  /**
+   * Regular expression pattern used to parse auth_to_local property specifications into the following
+   * parts:
+   * <ul>
+   * <li>configuration type (optional, if _global_)</li>
+   * <li>property name</li>
+   * <li>concatenation type (optional, if using the default behavior)</li>
+   * </ul>
+   */
+  public static final Pattern AUTH_TO_LOCAL_PROPERTY_SPECIFICATION_PATTERN = Pattern.compile("^(?:(.+?)/)?(.+?)(?:\\|(.+?))?$");
+
   /**
    * A List of KerberosIdentityDescriptors contained in this AbstractKerberosDescriptorContainer
    */
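Review bot: Now that the pattern is public and callers in other classes read `m.group(1)` and `m.group(2)`, the Javadoc should give the capture-group numbers instead of only listing the parts. Suggested list items: `<li>group 1: configuration type (null when omitted)</li>`, `<li>group 2: property name</li>`, `<li>group 3: concatenation type (null when omitted)</li>`. The call sites on this page reference the constant as `KerberosDescriptor.AUTH_TO_LOCAL_PROPERTY_SPECIFICATION_PATTERN` although it is declared in this class; naming the declaring class there would make its origin easier to find.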

+ 41 - 0
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java

@@ -20,8 +20,10 @@ package org.apache.ambari.server.state.kerberos;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 /**
  * KerberosDescriptor is an implementation of an AbstractKerberosDescriptorContainer that
@@ -344,4 +346,43 @@ public class KerberosDescriptor extends AbstractKerberosDescriptorContainer {
       return false;
     }
   }
+
+  /**
+   * Recursively gets the entire set of <code>auth_to_local</code> property names contain within this
+   * KerberosDescriptor.
+   *
+   * @return a Set of String values where each value is in the form of config-type/property_name
+   */
+  public Set<String> getAllAuthToLocalProperties() {
+    Set<String> authToLocalProperties = new HashSet<>();
+
+    Set<String> set;
+
+    set = getAuthToLocalProperties();
+    if (set != null) {
+      authToLocalProperties.addAll(set);
+    }
+
+    if (services != null) {
+      for (KerberosServiceDescriptor service : services.values()) {
+        Map<String, KerberosComponentDescriptor> components = service.getComponents();
+
+        if (components != null) {
+          for (KerberosComponentDescriptor component : components.values()) {
+            set = component.getAuthToLocalProperties();
+            if (set != null) {
+              authToLocalProperties.addAll(set);
+            }
+          }
+        }
+
+        set = service.getAuthToLocalProperties();
+        if (set != null) {
+          authToLocalProperties.addAll(set);
+        }
+      }
+    }
+
+    return authToLocalProperties;
+  }
 }
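Review bot: The `@return` text says each value has the form config-type/property_name, but the test on this page expects bare names such as `generic.name.rules`, and the specification pattern also allows a `|concatenation` suffix. Suggest `@return a non-null Set of auth_to_local property specifications, each of the form [config-type/]property_name[|concatenation-type]`. Stating non-null matches the code, which always returns the freshly created HashSet, and tells callers that the `!= null` guard in PrepareDisableKerberosServerAction is unnecessary. The summary sentence could read "Gets the auth_to_local property names contained within this descriptor and all of its services and components", since the method walks two fixed levels rather than recursing.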

+ 8 - 1
ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java

@@ -118,7 +118,14 @@ public class KerberosDescriptorTest {
     Set<String> authToLocalProperties = descriptor.getAuthToLocalProperties();
     Assert.assertNotNull(authToLocalProperties);
     Assert.assertEquals(1, authToLocalProperties.size());
-    Assert.assertEquals("generic.name.rules", authToLocalProperties.iterator().next());
+    Assert.assertTrue(authToLocalProperties.contains("generic.name.rules"));
+
+    authToLocalProperties = descriptor.getAllAuthToLocalProperties();
+    Assert.assertNotNull(authToLocalProperties);
+    Assert.assertEquals(3, authToLocalProperties.size());
+    Assert.assertTrue(authToLocalProperties.contains("component.name.rules1"));
+    Assert.assertTrue(authToLocalProperties.contains("generic.name.rules"));
+    Assert.assertTrue(authToLocalProperties.contains("service.name.rules1"));
 
     Map<String, KerberosServiceDescriptor> serviceDescriptors = descriptor.getServices();
     Assert.assertNotNull(serviceDescriptors);