AMBARI-771. Add security between the server and agent and authentication for the API. (mahadev)

git-svn-id: https://svn.apache.org/repos/asf/incubator/ambari/branches/AMBARI-666@1390838 13f79535-47bb-0310-9956-ffa450edef68

AMBARI-666-CHANGES.txt

@@ -12,6 +12,9 @@ AMBARI-666 branch (unreleased changes)
 
   NEW FEATURES
 
+  AMBARI-771. Add security between the server and agent and authentication for
+  the API. (mahadev)
+
   AMBARI-770. Cluster Management pages for Ambari Web. (yusaku)
 
   AMBARI-769. Implement step 9 (Install,start and test) of installer wizard.

ambari-agent/src/main/python/ambari_agent/Controller.py

@@ -28,6 +28,8 @@ import time
 import threading
 import urllib2
 from urllib2 import Request, urlopen, URLError
+import httplib
+import ssl
 import AmbariConfig
 import pprint
 from Heartbeat import Heartbeat
@@ -35,9 +37,11 @@ from Register import Register
 from ActionQueue import ActionQueue
 from optparse import OptionParser
 from wsgiref.simple_server import ServerHandler
+import security
 
 logger = logging.getLogger()
 
+
 class Controller(threading.Thread):
 
   def __init__(self, config):
@@ -53,9 +57,9 @@ class Controller(threading.Thread):
     #                      'password' : config.get('controller', 'password')
     #  }
     self.hostname = socket.gethostname()
-    self.registerUrl = config.get('server', 'url') + \
+    self.registerUrl = config.get('server', 'secured_url') + \
       '/agent/register/' + self.hostname
-    self.heartbeatUrl = config.get('server', 'url') + \
+    self.heartbeatUrl = config.get('server', 'secured_url') + \
        '/agent/heartbeat/' + self.hostname
      
   def start(self):
@@ -80,7 +84,7 @@ class Controller(threading.Thread):
         data = json.dumps(self.register.build(id))
         req = urllib2.Request(self.registerUrl, data, {'Content-Type': 
                                                       'application/json'})
-        stream = urllib2.urlopen(req)
+        stream = security.secured_url_open(req)
         response = stream.read()
         stream.close()
         ret = json.loads(response)
@@ -103,8 +107,12 @@ class Controller(threading.Thread):
       try:
         if retry==False:
           data = json.dumps(self.heartbeat.build(id))
+
         req = urllib2.Request(self.heartbeatUrl, data, {'Content-Type': 'application/json'})
-        f = urllib2.urlopen(req)
+        
+        logger.info(data)
+        
+        f = security.secured_url_open(req)
         response = f.read()
         f.close()
         data = json.loads(response)

ambari-agent/src/main/python/ambari_agent/main.py

@@ -31,6 +31,7 @@ from Controller import Controller
 from shell import getTempFiles
 from shell import killstaleprocesses 
 import AmbariConfig
+from security import CertificateManager
 
 logger = logging.getLogger()
 agentPid = os.getpid()
@@ -133,6 +134,13 @@ def main():
   killstaleprocesses()
   logger.info("Connecting to Server at: "+config.get('server', 'url'))
 
+
+  #Initiate security
+  
+  certMan = CertificateManager(config)
+  
+  certMan.initSecurity()
+
   # Launch Controller communication
   controller = Controller(config) 
   controller.start()

ambari-agent/src/main/python/ambari_agent/security.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python2.6
+
 import httplib
 import urllib2
 from urllib2 import Request
@@ -7,59 +9,126 @@ import os
 import logging
 from subprocess import Popen, PIPE
 import AmbariConfig
-
+import json
+import pprint
 logger = logging.getLogger()
 
 GEN_AGENT_KEY="openssl req -new -newkey rsa:1024 -nodes -keyout %(keysdir)s/%(hostname)s.key\
 	-subj /OU=%(hostname)s/\
         -out %(keysdir)s/%(hostname)s.csr"
 
+
+class VerifiedHTTPSConnection(httplib.HTTPSConnection):
+  def connect(self):
+    sock = socket.create_connection((self.host, self.port), self.timeout)
+    if self._tunnel_host:
+      self.sock = sock
+      self._tunnel()
+    agent_key = AmbariConfig.config.get('security', 'keysdir') + os.sep + socket.gethostname() + ".key"
+    agent_crt = AmbariConfig.config.get('security', 'keysdir') + os.sep + socket.gethostname() + ".crt"
+    server_crt = AmbariConfig.config.get('security', 'keysdir') + os.sep + "ca.crt"
+    self.sock = ssl.wrap_socket(sock,
+                                keyfile=agent_key,
+                                certfile=agent_crt,
+                                cert_reqs=ssl.CERT_REQUIRED,
+                                ca_certs=server_crt)
+class VerifiedHTTPSHandler(urllib2.HTTPSHandler):
+  def __init__(self, connection_class = VerifiedHTTPSConnection):
+    self.specialized_conn_class = connection_class
+    urllib2.HTTPSHandler.__init__(self)
+  def https_open(self, req):
+    return self.do_open(self.specialized_conn_class, req)
+
+def secured_url_open(req):
+  logger.info("Secured url open")
+  https_handler = VerifiedHTTPSHandler()
+  url_opener = urllib2.build_opener(https_handler)
+  stream = url_opener.open(req)
+  return stream
 class CertificateManager():
-    def __init__(self, config):
-        self.config = config
-        self.keysdir = self.config.get('security', 'keysdir')
-        self.server_crt=self.config.get('security', 'server_crt')
-    def getAgentKeyName(self):
-        return self.keysdir + os.sep + socket.gethostname() + ".key"
-    def getAgentCrtName(self):
-        return self.keysdir + os.sep + socket.gethostname() + ".key"
-    def getSrvrCrtName(self):
-        return self.keysdir + os.sep + "ca.crt"
-        
-    def checkCertExists(self):
-        
-        server_crt_exists = os.path.exists(self.getSrvrCrtName())
-        
-        if not server_crt_exists:
-            logger.info("Server certicate not exists, downloading")
-            self.loadSrvrCrt()
-        else:
-            logger.info("Server certicate exists, ok")
-            
-        agent_crt_exists = os.path.exists(self.getAgentCrtName())
-        
-        logger.info(self.getAgentCrtName())
-        
-        if not agent_crt_exists:
-            logger.info("Agent certicate not exists, generating request")
-            self.genAgentCrtReq()
-        else:
-            logger.info("Agent certicate exists, ok")
+  def __init__(self, config):
+    self.config = config
+    self.keysdir = self.config.get('security', 'keysdir')
+    self.server_crt=self.config.get('security', 'server_crt')
+    
+  def getAgentKeyName(self):
+    keysdir = self.config.get('security', 'keysdir')
+    return keysdir + os.sep + socket.gethostname() + ".key"
+  def getAgentCrtName(self):
+    keysdir = self.config.get('security', 'keysdir')
+    return keysdir + os.sep + socket.gethostname() + ".crt"
+  def getAgentCrtReqName(self):
+    keysdir = self.config.get('security', 'keysdir')
+    return keysdir + os.sep + socket.gethostname() + ".csr"
+  def getSrvrCrtName(self):
+    keysdir = self.config.get('security', 'keysdir')
+    return keysdir + os.sep + "ca.crt"
+    
+  def checkCertExists(self):
+    
+    s = self.config.get('security', 'keysdir') + os.sep + "ca.crt"
+
+    server_crt_exists = os.path.exists(s)
+    
+    if not server_crt_exists:
+      logger.info("Server certicate not exists, downloading")
+      self.loadSrvrCrt()
+    else:
+      logger.info("Server certicate exists, ok")
+      
+    agent_key_exists = os.path.exists(self.getAgentKeyName())
+    
+    if not agent_key_exists:
+      logger.info("Agent key not exists, generating request")
+      self.genAgentCrtReq()
+    else:
+      logger.info("Agent key exists, ok")
+      
+    agent_crt_exists = os.path.exists(self.getAgentCrtName())
+    
+    if not agent_crt_exists:
+        logger.info("Agent certificate not exists, sending sign request")
+        self.reqSignCrt()
+    else:
+        logger.info("Agent certificate exists, ok")
             
-        
-    def loadSrvrCrt(self):
-      get_ca_url = self.config.get('server', 'url') + '/cert/ca/'
-      stream = urllib2.urlopen(get_ca_url)
-      response = stream.read()
-      stream.close()
-      srvr_crt_f = open(self.getSrvrCrtName(), 'w+')
-      srvr_crt_f.write(response)
+  def loadSrvrCrt(self):
+    get_ca_url = self.config.get('server', 'url') + '/cert/ca/'
+    stream = urllib2.urlopen(get_ca_url)
+    response = stream.read()
+    stream.close()
+    srvr_crt_f = open(self.getSrvrCrtName(), 'w+')
+    srvr_crt_f.write(response)
       
-    def genAgentCrtReq(self):
-        generate_script = GEN_AGENT_KEY % {'hostname': socket.gethostname(),
-                                           'keysdir' : self.config.get('security', 'keysdir')}
-        logger.info(generate_script)
-        pp = Popen([generate_script], shell=True, stdout=PIPE)
+  def reqSignCrt(self):
+    sign_crt_req_url = self.config.get('server', 'url') + '/certs/' + socket.gethostname()
+    agent_crt_req_f = open(self.getAgentCrtReqName())
+    agent_crt_req_content = agent_crt_req_f.read()
+    passphrase_env_var = self.config.get('security', 'passphrase_env_var_name')
+    passphrase = os.environ[passphrase_env_var]
+    register_data = {'csr'       : agent_crt_req_content,
+                    'passphrase' : passphrase}
+    data = json.dumps(register_data)
+    req = urllib2.Request(sign_crt_req_url, data, {'Content-Type': 'application/json'})
+    f = urllib2.urlopen(req)
+    response = f.read()
+    f.close()
+    data = json.loads(response)
+    logger.info("Sign response from Server: \n" + pprint.pformat(data))
+    result=data['result']
+    if result == 'OK':
+      agentCrtContent=data['signedCa']
+      agentCrtF = open(self.getAgentCrtName(), "w")
+      agentCrtF.write(agentCrtContent)
+    else:
+      logger.error("Certificate signing failed")
 
-    def initSecurity(self):
-        self.checkCertExists()
+  def genAgentCrtReq(self):
+    generate_script = GEN_AGENT_KEY % {'hostname': socket.gethostname(),
+                                     'keysdir' : self.config.get('security', 'keysdir')}
+    logger.info(generate_script)
+    p = Popen([generate_script], shell=True, stdout=PIPE)
+    p.wait()
+      
+  def initSecurity(self):
+    self.checkCertExists()

ambari-agent/src/test/python/TestCertGeneration.py

@@ -0,0 +1,45 @@
+#!/usr/bin/env python2.6
+
+'''
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+'''
+import os
+import tempfile
+import shutil
+from unittest import TestCase
+import ConfigParser
+import security
+from security import CertificateManager
+from ambari_agent import AmbariConfig
+
+class TestCertGeneration(TestCase):
+  def setUp(self):
+    self.tmpdir = tempfile.mkdtemp()
+    config = ConfigParser.RawConfigParser()
+    config.add_section('security')
+    config.set('security', 'keysdir', self.tmpdir)
+    config.set('security', 'server_crt', 'ca.crt')
+    self.certMan = CertificateManager(config)
+    
+  def test_generation(self):
+    self.certMan.genAgentCrtReq()
+    self.assertTrue(os.path.exists(self.certMan.getAgentKeyName()))
+    self.assertTrue(os.path.exists(self.certMan.getAgentCrtReqName()))
+  def tearDown(self):
+    shutil.rmtree(self.tmpdir)
+    
+

ambari-agent/src/test/python/unitTests.py

@@ -21,6 +21,8 @@ limitations under the License.
 import unittest
 import doctest
 
+
+
 class TestAgent(unittest.TestSuite):
   def run(self, result):
     run = unittest.TestSuite.run
@@ -34,8 +36,9 @@ def all_tests_suite():
     'TestServerStatus',
     'TestFileUtil',
     'TestActionQueue',
-    'TestAmbariComponent',
-    'TestAgentActions'
+    #'TestAmbariComponent',
+    'TestAgentActions',
+    'TestCertGeneration'
   ])
   return TestAgent([suite])
 
@@ -48,4 +51,6 @@ if __name__ == '__main__':
   import os
   import sys
   sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))))
+  sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) + os.sep + 'main' + os.sep + 'python')
+  sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) + os.sep + 'main' + os.sep + 'python' + os.sep + 'ambari_agent')
   main()

ambari-project/pom.xml

@@ -152,7 +152,7 @@
       <dependency>
         <groupId>org.slf4j</groupId>
         <artifactId>slf4j-log4j12</artifactId>
-        <version>1.0.1</version>
+        <version>1.5.5</version>
       </dependency>
       <dependency>
         <groupId>org.eclipse.persistence</groupId>

ambari-server/pom.xml

@@ -104,10 +104,6 @@
       <groupId>org.apache.directory.server</groupId>
       <artifactId>apacheds-all</artifactId>
     </dependency>
-    <!--<dependency>-->
-      <!--<groupId>org.apache.directory.shared</groupId>-->
-      <!--<artifactId>shared-ldap</artifactId>-->
-    <!--</dependency>-->
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>

ambari-server/src/main/assemblies/server.xml

@@ -29,11 +29,6 @@
       <outputDirectory>ambari-server-${project.version}/lib</outputDirectory>
     </file>
 
-    <file>
-      <source>${basedir}/src/main/resources/pass.txt</source>
-      <outputDirectory>/ambari-server-${project.version}</outputDirectory>
-    </file>
-
   </files>
   <fileSets>
     <!-- Distro files, readme, licenses, etc -->
@@ -54,6 +49,17 @@
       <fileMode>0755</fileMode>
     </fileSet>
     -->
+
+    <fileSet>
+      <directory>${basedir}/src/main/resources/</directory>
+      <outputDirectory>/ambari-server-${project.version}/keystore</outputDirectory>
+      <includes>
+        <include>db/*</include>
+        <include>ca.config</include>
+	<include>pass.txt</include>
+      </includes>
+    </fileSet>
+
   </fileSets>
   <dependencySets>
     <dependencySet>

ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -21,13 +21,12 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Properties;
+import java.util.*;
 
+import org.apache.ambari.server.security.ClientSecurityType;
+import org.apache.ambari.server.security.authorization.LdapServerProperties;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -41,8 +40,8 @@ import com.google.inject.Singleton;
 @Singleton
 public class Configuration {
 
-  private static final String AMBARI_CONF_VAR = "AMBARI_CONF_DIR";
-  private static final String CONFIG_FILE = "ambari.properties";
+  public static final String AMBARI_CONF_VAR = "AMBARI_CONF_DIR";
+  public static final String CONFIG_FILE = "ambari.properties";
   public static final String BOOTSTRAP_DIR = "bootstrap.dir";
   public static final String BOOTSTRAP_SCRIPT = "bootstrap.script";
   public static final String SRVR_KSTR_DIR_KEY = "security.server.keys_dir";
@@ -51,14 +50,39 @@ public class Configuration {
   public static final String KSTR_NAME_KEY = "security.server.keystore_name";
   public static final String SRVR_CRT_PASS_FILE_KEY = "security.server.crt_pass_file";
   public static final String SRVR_CRT_PASS_KEY = "security.server.crt_pass";
+  public static final String PASSPHRASE_ENV_KEY = "security.server.passphrase_env_var";
+  public static final String PASSPHRASE_KEY = "security.server.passphrase";
+ 
   public static final String CLIENT_SECURITY_KEY = "client.security";
+  public static final String LDAP_USE_SSL_KEY = "authorization.ldap.useSSL";
+  public static final String LDAP_PRIMARY_URL_KEY = "authorization.ldap.primaryUrl";
+  public static final String LDAP_SECONDARY_URL_KEY = "authorization.ldap.secondaryUrl";
+  public static final String LDAP_BASE_DN_KEY = "authorization.ldap.baseDn";
+  public static final String LDAP_BIND_ANONYMOUSLY_KEY = "authorization.ldap.bindAnonymously";
+  public static final String LDAP_MANAGER_DN_KEY = "authorization.ldap.managerDn";
+  public static final String LDAP_MANAGER_PASSWORD_KEY = "authorization.ldap.managerPassword";
+  public static final String LDAP_USERNAME_ATTRIBUTE_KEY = "authorization.ldap.usernameAttribute";
+  public static final String LDAP_USER_DEFAULT_ROLE_KEY = "authorization.ldap.userDefaultRole";
+
   private static final String SRVR_KSTR_DIR_DEFAULT = ".";
-  private static final String SRVR_CRT_NAME_DEFAULT = "ca.crt";
-  private static final String SRVR_KEY_NAME_DEFAULT = "ca.key";
-  private static final String KSTR_NAME_DEFAULT = "keystore.p12";
+  public static final String SRVR_CRT_NAME_DEFAULT = "ca.crt";
+  public static final String SRVR_KEY_NAME_DEFAULT = "ca.key";
+  public static final String KSTR_NAME_DEFAULT = "keystore.p12";
   private static final String SRVR_CRT_PASS_FILE_DEFAULT ="pass.txt";
+  private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE";
+  
+  
   private static final String CLIENT_SECURITY_DEFAULT = "local";
 
+  private static final String LDAP_USER_SEARCH_FILTER_DEFAULT = "({attribute}={0})";
+  private static final String LDAP_USER_DEFAULT_ROLE_DEFAULT = "user";
+  private static final String LDAP_BIND_ANONYMOUSLY_DEFAULT = "true";
+
+  //For embedded server only - should be removed later
+  private static final String LDAP_PRIMARY_URL_DEFAULT = "localhost:33389";
+  private static final String LDAP_BASE_DN_DEFAULT = "dc=ambari,dc=apache,dc=org";
+  private static final String LDAP_USERNAME_ATTRIBUTE_DEFAULT = "uid";
+
 
 
   
@@ -91,7 +115,11 @@ public class Configuration {
     configsMap.put(SRVR_KEY_NAME_KEY, properties.getProperty(SRVR_KEY_NAME_KEY, SRVR_KEY_NAME_DEFAULT));
     configsMap.put(KSTR_NAME_KEY, properties.getProperty(KSTR_NAME_KEY, KSTR_NAME_DEFAULT));
     configsMap.put(SRVR_CRT_PASS_FILE_KEY, properties.getProperty(SRVR_CRT_PASS_FILE_KEY, SRVR_CRT_PASS_FILE_DEFAULT));
+
+    configsMap.put(PASSPHRASE_ENV_KEY, properties.getProperty(PASSPHRASE_ENV_KEY, PASSPHRASE_ENV_DEFAULT));
+	configsMap.put(PASSPHRASE_KEY, System.getenv(configsMap.get(PASSPHRASE_ENV_KEY)));
     configsMap.put(CLIENT_SECURITY_KEY, properties.getProperty(CLIENT_SECURITY_KEY, CLIENT_SECURITY_DEFAULT));
+    configsMap.put(LDAP_USER_DEFAULT_ROLE_KEY, properties.getProperty(LDAP_USER_DEFAULT_ROLE_KEY, LDAP_USER_DEFAULT_ROLE_DEFAULT));
 
     try {
         File passFile = new File(configsMap.get(SRVR_KSTR_DIR_KEY) + File.separator 
@@ -116,7 +144,10 @@ public class Configuration {
     Properties properties = new Properties();
 
     // get the configuration directory and filename
-    String confDir = System.getenv(AMBARI_CONF_VAR);
+
+    String confDir = System.getProperty(AMBARI_CONF_VAR);
+    if (confDir == null)
+      confDir = System.getenv(AMBARI_CONF_VAR);
     if (confDir == null) {
       confDir = "/etc/ambari";
     }
@@ -159,4 +190,35 @@ public class Configuration {
     return configsMap;
   }
 
+  /**
+   * Gets client security type
+   * @return appropriate ClientSecurityType
+   */
+  public ClientSecurityType getClientSecurityType() {
+    return ClientSecurityType.fromString(properties.getProperty(CLIENT_SECURITY_KEY));
+  }
+
+  public void setClientSecurityType(ClientSecurityType type) {
+    properties.setProperty(CLIENT_SECURITY_KEY, type.toString());
+  }
+
+  /**
+   * Gets parameters of LDAP server to connect to
+   * @return LdapServerProperties object representing connection parameters
+   */
+  public LdapServerProperties getLdapServerProperties() {
+    LdapServerProperties ldapServerProperties = new LdapServerProperties();
+
+    ldapServerProperties.setPrimaryUrl(properties.getProperty(LDAP_PRIMARY_URL_KEY, LDAP_PRIMARY_URL_DEFAULT));
+    ldapServerProperties.setSecondaryUrl(properties.getProperty(LDAP_SECONDARY_URL_KEY));
+    ldapServerProperties.setUseSsl("true".equalsIgnoreCase(properties.getProperty(LDAP_USE_SSL_KEY)));
+    ldapServerProperties.setAnonymousBind("true".equalsIgnoreCase(properties.getProperty(LDAP_BIND_ANONYMOUSLY_KEY, LDAP_BIND_ANONYMOUSLY_DEFAULT)));
+    ldapServerProperties.setManagerDn(properties.getProperty(LDAP_MANAGER_DN_KEY));
+    ldapServerProperties.setManagerPassword(properties.getProperty(LDAP_MANAGER_PASSWORD_KEY));
+    ldapServerProperties.setBaseDN(properties.getProperty(LDAP_BASE_DN_KEY, LDAP_BASE_DN_DEFAULT));
+    ldapServerProperties.setUsernameAttribute(properties.getProperty(LDAP_USERNAME_ATTRIBUTE_KEY, LDAP_USERNAME_ATTRIBUTE_DEFAULT));
+
+    return ldapServerProperties;
+  }
+
 }

ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java

@@ -28,6 +28,7 @@ import com.sun.jersey.spi.container.servlet.ServletContainer;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.GuiceJpaInitializer;
 import org.apache.ambari.server.security.CertificateManager;
+import org.apache.ambari.server.security.SecurityFilter;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.mortbay.jetty.Server;
@@ -52,8 +53,8 @@ import java.util.Map;
 public class AmbariServer {
   public static final String PERSISTENCE_PROVIDER = "ambari-postgres";
   private static Log LOG = LogFactory.getLog(AmbariServer.class);
-  public static int CLIENT_PORT = 4080;
-  public static int CLIENT_SECURED_PORT = 8443;
+  public static int CLIENT_ONE_WAY = 4080;
+  public static int CLIENT_TWO_WAY = 8443;
   private Server server = null;
   public volatile boolean running = true; // true while controller runs
 
@@ -71,7 +72,7 @@ public class AmbariServer {
   Injector injector;
 
   public void run() {
-    server = new Server(CLIENT_PORT);
+    server = new Server();
 
     try {
       ClassPathXmlApplicationContext parentSpringAppContext = new ClassPathXmlApplicationContext();
@@ -90,6 +91,7 @@ public class AmbariServer {
 
       webAppContext.getServletContext().setAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, springWebAppContext);
 
+      
       server.setHandler(webAppContext);
 
       certMan.initRootCert();
@@ -99,26 +101,42 @@ public class AmbariServer {
 
       ServletHolder rootServlet = root.addServlet(DefaultServlet.class, "/");
       rootServlet.setInitOrder(1);
-
-
+    
+      root.addFilter(SecurityFilter.class, "/*", 1);
       //Secured connector for 2-way auth
-      SslSocketConnector sslConnector = new SslSocketConnector();
-      sslConnector.setPort(CLIENT_SECURED_PORT);
+      SslSocketConnector sslConnectorTwoWay = new SslSocketConnector();
+      sslConnectorTwoWay.setPort(CLIENT_TWO_WAY);
 
       Map<String, String> configsMap = configs.getConfigsMap();
       String keystore = configsMap.get(Configuration.SRVR_KSTR_DIR_KEY) + File.separator + configsMap.get(Configuration.KSTR_NAME_KEY);
       String srvrCrtPass = configsMap.get(Configuration.SRVR_CRT_PASS_KEY);
 
-      sslConnector.setKeystore(keystore);
-      sslConnector.setTruststore(keystore);
-      sslConnector.setPassword(srvrCrtPass);
-      sslConnector.setKeyPassword(srvrCrtPass);
-      sslConnector.setTrustPassword(srvrCrtPass);
-      sslConnector.setKeystoreType("PKCS12");
-      sslConnector.setTruststoreType("PKCS12");
-      sslConnector.setNeedClientAuth(true);
-
-      server.addConnector(sslConnector);
+      sslConnectorTwoWay.setKeystore(keystore);
+      sslConnectorTwoWay.setTruststore(keystore);
+      sslConnectorTwoWay.setPassword(srvrCrtPass);
+      sslConnectorTwoWay.setKeyPassword(srvrCrtPass);
+      sslConnectorTwoWay.setTrustPassword(srvrCrtPass);
+      sslConnectorTwoWay.setKeystoreType("PKCS12");
+      sslConnectorTwoWay.setTruststoreType("PKCS12");
+      sslConnectorTwoWay.setNeedClientAuth(true);
+      
+      //Secured connector for 1-way auth
+      SslSocketConnector sslConnectorOneWay = new SslSocketConnector();
+      sslConnectorOneWay.setPort(CLIENT_ONE_WAY);
+      
+      sslConnectorOneWay.setKeystore(keystore);
+      sslConnectorOneWay.setTruststore(keystore);
+      sslConnectorOneWay.setPassword(srvrCrtPass);
+      sslConnectorOneWay.setKeyPassword(srvrCrtPass);
+      sslConnectorOneWay.setTrustPassword(srvrCrtPass);
+      sslConnectorOneWay.setKeystoreType("PKCS12");
+      sslConnectorOneWay.setTruststoreType("PKCS12");
+      sslConnectorOneWay.setNeedClientAuth(false);
+      
+      
+
+      server.addConnector(sslConnectorOneWay);
+      server.addConnector(sslConnectorTwoWay);
 
       ServletHolder sh = new ServletHolder(ServletContainer.class);
       sh.setInitParameter("com.sun.jersey.config.property.resourceConfigClass",
@@ -143,6 +161,14 @@ public class AmbariServer {
               "org.apache.ambari.server.security.unsecured.rest");
       root.addServlet(cert, "/cert/*");
       cert.setInitOrder(4);
+      
+      ServletHolder certs = new ServletHolder(ServletContainer.class);
+      certs.setInitParameter("com.sun.jersey.config.property.resourceConfigClass",
+        "com.sun.jersey.api.core.PackagesResourceConfig");
+      certs.setInitParameter("com.sun.jersey.config.property.packages",
+        "org.apache.ambari.server.security.unsecured.rest");
+      root.addServlet(cert, "/certs/*");
+      certs.setInitOrder(5);
 
       server.setStopAtShutdown(true);
 
@@ -183,4 +209,4 @@ public class AmbariServer {
       LOG.error("Failed to run the Ambari Server", t);
     }
   }
-}
+}

ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java

@@ -18,6 +18,7 @@
 package org.apache.ambari.server.controller;
 import org.apache.ambari.server.agent.rest.AgentResource;
 import org.apache.ambari.server.security.unsecured.rest.CertificateDownload;
+import org.apache.ambari.server.security.unsecured.rest.CertificateSign;
 
 import com.google.inject.AbstractModule;
 
@@ -31,5 +32,6 @@ public class ControllerModule extends AbstractModule {
   protected void configure() {
     requestStaticInjection(AgentResource.class);
     requestStaticInjection(CertificateDownload.class);
+    requestStaticInjection(CertificateSign.class);
   }
 }

ambari-server/src/main/java/org/apache/ambari/server/orm/dao/ClusterDAO.java

@@ -37,6 +37,7 @@ public class ClusterDAO {
     return entityManagerProvider.get().find(ClusterEntity.class, clusterName);
   }
 
+  @Transactional
   public void create(ClusterEntity clusterEntity) {
     entityManagerProvider.get().persist(clusterEntity);
   }

ambari-server/src/main/java/org/apache/ambari/server/orm/dao/RoleDAO.java

@@ -33,6 +33,7 @@ public class RoleDAO {
     return entityManagerProvider.get().find(RoleEntity.class, roleName);
   }
 
+  @Transactional
   public void create(RoleEntity roleName) {
     entityManagerProvider.get().persist(roleName);
   }

ambari-server/src/main/java/org/apache/ambari/server/orm/dao/UserDAO.java

@@ -21,18 +21,44 @@ import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.persist.Transactional;
 import org.apache.ambari.server.orm.entities.UserEntity;
+import org.apache.ambari.server.orm.entities.UserEntityPK;
 
 import javax.persistence.EntityManager;
+import javax.persistence.NoResultException;
+import javax.persistence.TypedQuery;
 
 public class UserDAO {
 
   @Inject
   Provider<EntityManager> entityManagerProvider;
 
-  public UserEntity findByName(String userName) {
-    return entityManagerProvider.get().find(UserEntity.class, userName);
+  @Transactional
+  public UserEntity findByPK(UserEntityPK userPK) {
+    return entityManagerProvider.get().find(UserEntity.class, userPK);
+  }
+
+  @Transactional
+  public UserEntity findLocalUserByName(String userName) {
+    TypedQuery<UserEntity> query = entityManagerProvider.get().createNamedQuery("localUserByName", UserEntity.class);
+    query.setParameter("username", userName);
+    try {
+      return query.getSingleResult();
+    } catch (NoResultException e) {
+      return null;
+    }
   }
 
+  public UserEntity findLdapUserByName(String userName) {
+    TypedQuery<UserEntity> query = entityManagerProvider.get().createNamedQuery("ldapUserByName", UserEntity.class);
+    query.setParameter("username", userName);
+    try {
+      return query.getSingleResult();
+    } catch (NoResultException e) {
+      return null;
+    }
+  }
+
+  @Transactional
   public void create(UserEntity userName) {
     entityManagerProvider.get().persist(userName);
   }
@@ -48,8 +74,8 @@ public class UserDAO {
   }
 
   @Transactional
-  public void removeByName(String userName) {
-    remove(findByName(userName));
+  public void removeByPK(UserEntityPK userPK) {
+    remove(findByPK(userPK));
   }
 
 }

ambari-server/src/main/java/org/apache/ambari/server/orm/entities/UserEntity.java

@@ -2,10 +2,16 @@ package org.apache.ambari.server.orm.entities;
 
 import javax.persistence.*;
 import java.sql.Timestamp;
+import java.util.Date;
 import java.util.Set;
 
+@IdClass(UserEntityPK.class)
 @javax.persistence.Table(name = "users", schema = "ambari", catalog = "")
 @Entity
+@NamedQueries({
+        @NamedQuery(name = "localUserByName", query = "SELECT user FROM UserEntity user where user.userName=:username AND user.ldapUser=false"),
+        @NamedQuery(name = "ldapUserByName", query = "SELECT user FROM UserEntity user where user.userName=:username AND user.ldapUser=true")
+})
 public class UserEntity {
 
   private String userName;
@@ -20,6 +26,18 @@ public class UserEntity {
     this.userName = userName;
   }
 
+  private Boolean ldapUser = false;
+
+  @javax.persistence.Column(name = "ldap_user")
+  @Id
+  public Boolean getLdapUser() {
+    return ldapUser;
+  }
+
+  public void setLdapUser(Boolean ldapUser) {
+    this.ldapUser = ldapUser;
+  }
+
   private String userPassword;
 
   @javax.persistence.Column(name = "user_password")
@@ -32,27 +50,16 @@ public class UserEntity {
     this.userPassword = userPassword;
   }
 
-  private Boolean ldapUser;
-
-  @javax.persistence.Column(name = "ldap_user")
-  @Basic
-  public Boolean getLdapUser() {
-    return ldapUser;
-  }
-
-  public void setLdapUser(Boolean ldapUser) {
-    this.ldapUser = ldapUser;
-  }
-
-  private Timestamp createTime;
+  private Date createTime = new Date();
 
   @javax.persistence.Column(name = "create_time")
   @Basic
-  public Timestamp getCreateTime() {
+  @Temporal(value = TemporalType.TIMESTAMP)
+  public Date getCreateTime() {
     return createTime;
   }
 
-  public void setCreateTime(Timestamp createTime) {
+  public void setCreateTime(Date createTime) {
     this.createTime = createTime;
   }
 
@@ -82,7 +89,10 @@ public class UserEntity {
 
   private Set<RoleEntity> roleEntities;
 
-  @javax.persistence.JoinTable(name = "user_roles", catalog = "", schema = "ambari", joinColumns = {@JoinColumn(name = "user_name")}, inverseJoinColumns = {@JoinColumn(name = "user_name")})
+  @javax.persistence.JoinTable(name = "user_roles", catalog = "", schema = "ambari",
+          joinColumns = {@JoinColumn(name = "user_name", referencedColumnName = "user_name"),
+                  @JoinColumn(name = "ldap_user", referencedColumnName = "ldap_user")},
+          inverseJoinColumns = {@JoinColumn(name = "role_name", referencedColumnName = "role_name")})
   @ManyToMany
   public Set<RoleEntity> getRoleEntities() {
     return roleEntities;

ambari-server/src/main/java/org/apache/ambari/server/orm/entities/UserEntityPK.java

@@ -0,0 +1,69 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.orm.entities;
+
+import javax.persistence.Id;
+import java.io.Serializable;
+
+public class UserEntityPK implements Serializable {
+
+  private String userName;
+
+  @javax.persistence.Column(name = "user_name")
+  @Id
+  public String getUserName() {
+    return userName;
+  }
+
+  public void setUserName(String userName) {
+    this.userName = userName;
+  }
+
+  private Boolean ldapUser;
+
+  @javax.persistence.Column(name = "ldap_user")
+  @Id
+  public Boolean getLdapUser() {
+    return ldapUser;
+  }
+
+  public void setLdapUser(Boolean ldapUser) {
+    this.ldapUser = ldapUser;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) return true;
+    if (o == null || getClass() != o.getClass()) return false;
+
+    UserEntityPK that = (UserEntityPK) o;
+
+    if (userName != null ? !userName.equals(that.userName) : that.userName != null) return false;
+    if (ldapUser != null ? !ldapUser.equals(that.ldapUser) : that.ldapUser != null) return false;
+
+    return true;
+  }
+
+  @Override
+  public int hashCode() {
+    int result = userName != null ? userName.hashCode() : 0;
+    result = 31 * result + (ldapUser != null ? ldapUser.hashCode() : 0);
+    return result;
+  }
+
+}

ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java

@@ -48,8 +48,7 @@ public class CertificateManager {
   private static final String GEN_SRVR_REQ = "openssl req -passin pass:{0} -new -key {1}/{2} -out {1}/{3} -batch";
   private static final String SIGN_SRVR_CRT = "openssl x509 -passin pass:{0} -req -days 365 -in {1}/{3} -signkey {1}/{2} -out {1}/{3} \n";
   private static final String EXPRT_KSTR = "openssl pkcs12 -export -in {1}/{3} -inkey {1}/{2} -certfile {1}/{3} -out {1}/{4} -password pass:{0} -passin pass:{0} \n";
-	
-  /**
+  private static final String SIGN_AGENT_CRT = "openssl ca -config {0}/ca.config -in {0}/{1} -out {0}/{2} -batch -passin pass:{3} -keyfile {0}/{4} -cert {0}/{5}"; /**
    * Verify that root certificate exists, generate it otherwise.
    */
   public void initRootCert() {
@@ -83,7 +82,7 @@ public class CertificateManager {
    * Runs os command
    */
   private void runCommand(String command) {
-	  
+	  LOG.info("Executing command:" + command);
 	  String line = null;
       Process process = null;
       try {
@@ -121,27 +120,15 @@ public class CertificateManager {
 			               srvrCrtName, kstrName};
 
     String command = MessageFormat.format(GEN_SRVR_KEY,scriptArgs);
-
-    LOG.info("Executing command:" + command);
-    
 	runCommand(command);
 	
     command = MessageFormat.format(GEN_SRVR_REQ,scriptArgs);
-    
-    LOG.info("Executing command:" + command);
-    
 	runCommand(command);
 	
     command = MessageFormat.format(SIGN_SRVR_CRT,scriptArgs);
-    
-    LOG.info("Executing command:" + command);
-    
 	runCommand(command);
 	
     command = MessageFormat.format(EXPRT_KSTR,scriptArgs);
-    
-    LOG.info("Executing command:" + command);
-    
 	runCommand(command);
 	
 	}
@@ -161,4 +148,62 @@ public class CertificateManager {
 	}   
     return srvrCrtContent;
 	}
+  
+  /**
+   * Signs agent certificate
+   * Adds agent certificate to server keystore
+   * @return string with agent signed certificate content
+   */
+  public String signAgentCrt(String agentHostname, String agentCrtReqContent, String passphraseAgent) {
+    LOG.info("Signing of agent certificate");
+    LOG.info("Verifying passphrase");
+    
+    
+    
+    String passphraseSrvr = configs.getConfigsMap().get(Configuration.PASSPHRASE_KEY);
+    
+    System.out.println(passphraseSrvr);
+    System.out.println(passphraseAgent);
+    
+    if (!passphraseAgent.equals(passphraseSrvr)) {
+      LOG.warn("Incorrect passphrase from agent");
+      return "";
+    }
+    
+    Map<String, String> configsMap = configs.getConfigsMap();
+    String srvrKstrDir = configsMap.get(Configuration.SRVR_KSTR_DIR_KEY);
+    String srvrCrtPass = configsMap.get(Configuration.SRVR_CRT_PASS_KEY);
+    String srvrCrtName = configsMap.get(Configuration.SRVR_CRT_NAME_KEY);
+    String srvrKeyName = configsMap.get(Configuration.SRVR_KEY_NAME_KEY);
+    String agentCrtReqName = agentHostname + ".csr";
+    String agentCrtName = agentHostname + ".crt";
+    
+    
+    File agentCrtReqFile = new File(srvrKstrDir + File.separator + agentCrtReqName);
+    try {
+		FileUtils.writeStringToFile(agentCrtReqFile, agentCrtReqContent);
+	} catch (IOException e1) {
+		// TODO Auto-generated catch block
+		e1.printStackTrace();
+	}
+    Object[] scriptArgs = {srvrKstrDir,agentCrtReqName,agentCrtName,
+    					   srvrCrtPass,srvrKeyName,srvrCrtName};
+
+    String command = MessageFormat.format(SIGN_AGENT_CRT,scriptArgs);
+    
+    LOG.error(command);
+    
+	runCommand(command);
+	
+	File agentCrtFile = new File(srvrKstrDir + File.separator + agentCrtName);
+	String agentCrtContent = "";
+	try {
+		agentCrtContent = FileUtils.readFileToString(agentCrtFile);
+	} catch (IOException e) {
+		e.printStackTrace();
+		LOG.error("Error reading signed agent certificate");
+	}
+    
+    return agentCrtContent;
+	}
 }

ambari-server/src/main/java/org/apache/ambari/server/security/ClientSecurityType.java

@@ -1,3 +1,20 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.ambari.server.security;
 
 public enum ClientSecurityType {
@@ -9,13 +26,18 @@ public enum ClientSecurityType {
     this.value = value;
   }
 
+  /**
+   * Constructs enum object from string representation
+   * @param value string representation of client security type
+   * @return ClientSecurityType (defaults to LOCAL if not recognized)
+   */
   public static ClientSecurityType fromString(String value) {
     for (ClientSecurityType securityType : ClientSecurityType.values()) {
-      if (securityType.toString().equals(value)) {
+      if (securityType.toString().equalsIgnoreCase(value)) {
         return securityType;
       }
     }
-    return null;
+    return LOCAL;
   }
 
 

ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java

@@ -0,0 +1,85 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements.  See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership.  The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package org.apache.ambari.server.security;
+
+import java.io.IOException;
+import java.util.regex.Pattern;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.ambari.server.controller.AmbariServer;
+
+public class SecurityFilter implements Filter {
+	
+  //Allowed pathes for one way auth https
+  private static String CA = "/ca";
+
+  @Override
+  public void destroy() {
+  }
+
+  @Override
+  public void doFilter(ServletRequest serReq, ServletResponse serResp,
+		FilterChain filtCh) throws IOException, ServletException {
+
+    HttpServletRequest req = (HttpServletRequest) serReq;
+    String reqUrl = req.getRequestURL().toString();
+    
+    System.out.println("req url:" + reqUrl);
+    
+    //req.getC
+	
+    if (serReq.getLocalPort() == AmbariServer.CLIENT_ONE_WAY) {
+      if (isRequestAllowed(reqUrl))
+        filtCh.doFilter(serReq, serResp);
+      else
+        System.out.println("Such request is not allowed on this port");
+
+	}
+	else
+      filtCh.doFilter(serReq, serResp);
+  }
+
+  @Override
+  public void init(FilterConfig arg0) throws ServletException {
+  }
+
+  private boolean isRequestAllowed(String reqUrl) {
+	try {
+      boolean isMatch = Pattern.matches("https://[A-z]*:[0-9]*/cert/ca[/]*", reqUrl);
+		 
+      if (isMatch)
+    	  return true;
+		 
+		 isMatch = Pattern.matches("https://[A-z]*:[0-9]*/certs/[A-z0-9-]*", reqUrl);
+		 
+		 if (isMatch)
+			 return true;
+		
+	} catch (Exception e) {
+	}
+	return false;
+  }
+}

ambari-server/src/main/java/org/apache/ambari/server/security/SignCertResponse.java

@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.security;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+import org.apache.commons.logging.Log;
+
+
+
+/**
+ *
+ * Sign certificate response data model.
+ *
+ */
+@XmlRootElement
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "", propOrder = {})
+public class SignCertResponse {
+	
+  public static final String ERROR_STATUS = "ERROR";
+  public static final String OK_STATUS = "OK";
+
+  @XmlElement
+  private String result;
+  @XmlElement
+  private String signedCa;
+  
+  public String getResult() {
+    return result;
+  }
+  public void setResult(String result) {
+    this.result = result;
+  }
+  public String getSignedCa() {
+    return signedCa;
+  }
+  public void setSignedCa(String signedCa) {
+    this.signedCa = signedCa;
+  }
+}
+

ambari-server/src/main/java/org/apache/ambari/server/security/SignMessage.java

@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.security;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+
+
+/**
+ *
+ * Sign certificate request data model.
+ *
+ */
+@XmlRootElement
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "", propOrder = {})
+public class SignMessage {
+
+  @XmlElement
+  private String csr;
+  @XmlElement
+  private String passphrase;
+  public String getCsr() {
+    return csr;
+  }
+  public void setCsr(String csr) {
+    this.csr = csr;
+  }
+  public String getPassphrase() {
+    return passphrase;
+  }
+  public void setPassphrase(String passphrase) {
+    this.passphrase = passphrase;
+  }
+}
+

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java

@@ -0,0 +1,135 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.Inject;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.security.ClientSecurityType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
+import org.springframework.security.ldap.authentication.BindAuthenticator;
+import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
+import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
+
+
+/**
+ * Provides LDAP user authorization logic for Ambari Server
+ */
+public class AmbariLdapAuthenticationProvider implements AuthenticationProvider {
+  private static final Logger log = LoggerFactory.getLogger(AmbariLdapAuthenticationProvider.class);
+
+  Configuration configuration;
+
+  private AmbariLdapAuthoritiesPopulator authoritiesPopulator;
+
+  private ThreadLocal<LdapServerProperties> ldapServerProperties = new ThreadLocal<LdapServerProperties>();
+  private ThreadLocal<LdapAuthenticationProvider> providerThreadLocal = new ThreadLocal<LdapAuthenticationProvider>();
+
+  @Inject
+  public AmbariLdapAuthenticationProvider(Configuration configuration, AmbariLdapAuthoritiesPopulator authoritiesPopulator) {
+    this.configuration = configuration;
+    this.authoritiesPopulator = authoritiesPopulator;
+  }
+
+  @Override
+  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+
+    if (isLdapEnabled()) {
+
+      return loadLdapAuthenticationProvider().authenticate(authentication);
+
+    } else {
+      throw new UsernameNotFoundException("LDAP authorization is not enabled");
+    }
+
+  }
+
+  @Override
+  public boolean supports(Class<?> authentication) {
+    return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
+  }
+
+  /**
+   * Reloads LDAP Context Source and depending objects if properties were changed
+   * @return corresponding LDAP authentication provider
+   */
+  private LdapAuthenticationProvider loadLdapAuthenticationProvider() {
+    if (reloadLdapServerProperties()) {
+      log.info("LDAP Properties changed - rebuilding Context");
+      DefaultSpringSecurityContextSource springSecurityContextSource =
+              new DefaultSpringSecurityContextSource(ldapServerProperties.get().getLdapUrls(), ldapServerProperties.get().getBaseDN());
+
+      if (!ldapServerProperties.get().isAnonymousBind()) {
+        springSecurityContextSource.setUserDn(ldapServerProperties.get().getManagerDn());
+        springSecurityContextSource.setPassword(ldapServerProperties.get().getManagerPassword());
+      }
+
+      try {
+        springSecurityContextSource.afterPropertiesSet();
+      } catch (Exception e) {
+        log.error("LDAP Context Source not loaded ", e);
+        throw new UsernameNotFoundException("LDAP Context Source not loaded", e);
+      }
+
+      //TODO change properties
+      String userSearchBase = ldapServerProperties.get().getUserSearchBase();
+      String userSearchFilter = ldapServerProperties.get().getUserSearchFilter();
+
+      FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(userSearchBase, userSearchFilter, springSecurityContextSource);
+
+      BindAuthenticator bindAuthenticator = new BindAuthenticator(springSecurityContextSource);
+      bindAuthenticator.setUserSearch(userSearch);
+
+      LdapAuthenticationProvider authenticationProvider = new LdapAuthenticationProvider(bindAuthenticator, authoritiesPopulator);
+
+      providerThreadLocal.set(authenticationProvider);
+    }
+
+    return providerThreadLocal.get();
+  }
+
+
+  /**
+   * Check if LDAP authentication is enabled in server properties
+   * @return true if enabled
+   */
+  private boolean isLdapEnabled() {
+    return configuration.getClientSecurityType() == ClientSecurityType.LDAP;
+  }
+
+  /**
+   * Reloads LDAP Server properties from configuration
+   *
+   * @return true if properties were reloaded
+   */
+  private boolean reloadLdapServerProperties() {
+    LdapServerProperties properties = configuration.getLdapServerProperties();
+    if (!properties.equals(ldapServerProperties.get())) {
+      log.info("Reloading properties");
+      ldapServerProperties.set(properties);
+      return true;
+    }
+    return false;
+  }
+}

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java

@@ -0,0 +1,97 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.Inject;
+import com.google.inject.persist.Transactional;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.orm.dao.RoleDAO;
+import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.RoleEntity;
+import org.apache.ambari.server.orm.entities.UserEntity;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
+
+import javax.persistence.NoResultException;
+import java.util.Collection;
+
+/**
+ * Provides authorities population for LDAP user from local DB
+ */
+public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
+  private static final Logger log = LoggerFactory.getLogger(AmbariLdapAuthoritiesPopulator.class);
+
+  Configuration configuration;
+  private AuthorizationHelper authorizationHelper;
+  UserDAO userDAO;
+  RoleDAO roleDAO;
+
+  @Inject
+  public AmbariLdapAuthoritiesPopulator(Configuration configuration, AuthorizationHelper authorizationHelper,
+                                        UserDAO userDAO, RoleDAO roleDAO) {
+    this.configuration = configuration;
+    this.authorizationHelper = authorizationHelper;
+    this.userDAO = userDAO;
+    this.roleDAO = roleDAO;
+  }
+
+  @Override
+  @Transactional
+  public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
+    log.info("Get roles for user " + username + " from local DB");
+
+    UserEntity user = null;
+
+    user = userDAO.findLdapUserByName(username);
+
+    if (user == null) {
+      log.info("User " + username + " not present in local DB - creating");
+
+      UserEntity newUser = new UserEntity();
+      newUser.setLdapUser(true);
+      newUser.setUserName(username);
+
+      String roleName = (configuration.getConfigsMap().get(Configuration.LDAP_USER_DEFAULT_ROLE_KEY));
+      log.info("Using default role name " + roleName);
+
+      RoleEntity role = roleDAO.findByName(roleName);
+
+      if (role == null) {
+        log.info("Role " + roleName + " not present in local DB - creating");
+        role = new RoleEntity();
+        role.setRoleName(roleName);
+        roleDAO.create(role);
+        role = roleDAO.findByName(role.getRoleName());
+      }
+
+      userDAO.create(newUser);
+
+      user = userDAO.findLdapUserByName(newUser.getUserName());
+
+      user.getRoleEntities().add(role);
+      role.getUserEntities().add(user);
+      roleDAO.merge(role);
+      userDAO.merge(user);
+    }
+
+    return authorizationHelper.convertRolesToAuthorities(user.getRoleEntities());
+  }
+}

ambari-server/src/main/java/org/apache/ambari/server/security/AmbariUserDetailsService.java → ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java

@@ -15,11 +15,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.ambari.server.security;
+package org.apache.ambari.server.security.authorization;
 
 import com.google.inject.Inject;
 import com.google.inject.Injector;
 import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
@@ -31,27 +32,34 @@ import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
 
+import javax.persistence.NoResultException;
 import java.util.ArrayList;
 import java.util.List;
 
-public class AmbariUserDetailsService implements UserDetailsService {
-  private static final Logger log = LoggerFactory.getLogger(AmbariUserDetailsService.class);
+public class AmbariLocalUserDetailsService implements UserDetailsService {
+  private static final Logger log = LoggerFactory.getLogger(AmbariLocalUserDetailsService.class);
 
   Injector injector;
   Configuration configuration;
+  private AuthorizationHelper authorizationHelper;
   UserDAO userDAO;
-
+  RoleDAO roleDAO;
 
   @Inject
-  public AmbariUserDetailsService(Injector injector, Configuration configuration, UserDAO userDAO) {
+  public AmbariLocalUserDetailsService(Injector injector, Configuration configuration,
+                                       AuthorizationHelper authorizationHelper, UserDAO userDAO, RoleDAO roleDAO) {
     this.injector = injector;
     this.configuration = configuration;
+    this.authorizationHelper = authorizationHelper;
     this.userDAO = userDAO;
+    this.roleDAO = roleDAO;
   }
 
   /**
    * Loads Spring Security UserDetails from identity storage according to Configuration
+   *
    * @param username username
    * @return UserDetails
    * @throws UsernameNotFoundException when user not found or have empty roles
@@ -60,37 +68,18 @@ public class AmbariUserDetailsService implements UserDetailsService {
   public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
     log.info("Loading user by name: " + username);
 
-    UserEntity user = null;
-    try {
-      user = userDAO.findByName(username);
-    } catch (Exception e) {
-      System.err.println(e);
-    }
-
-    if (isLdapEnabled() && (user == null || user.getLdapUser())) {
-      //TODO implement LDAP
-    }
+    UserEntity user = userDAO.findLocalUserByName(username);
 
     if (user == null) {
       log.info("user not found ");
       throw new UsernameNotFoundException("Username " + username + " not found");
-    }else if (user.getRoleEntities().isEmpty()) {
-      System.err.println("no roles ex");
+    } else if (user.getRoleEntities().isEmpty()) {
+      log.info("No authorities for user");
       throw new UsernameNotFoundException("Username " + username + " has no roles");
     }
 
-    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(user.getRoleEntities().size());
-
-    System.err.println("Authorities number = " + user.getRoleEntities().size());
-    for (RoleEntity roleEntity : user.getRoleEntities()) {
-      authorities.add(new SimpleGrantedAuthority(roleEntity.getRoleName().toUpperCase()));
-    }
-
-    return new User(user.getUserName(), user.getUserPassword(), authorities);
-  }
-
-  private boolean isLdapEnabled() {
-    return ClientSecurityType.fromString(configuration.getConfigsMap().get(Configuration.CLIENT_SECURITY_KEY)) == ClientSecurityType.LDAP;
+    return new User(user.getUserName(), user.getUserPassword(),
+            authorizationHelper.convertRolesToAuthorities(user.getRoleEntities()));
   }
 
 }

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java

@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.Singleton;
+import org.apache.ambari.server.orm.entities.RoleEntity;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
+
+@Singleton
+/**
+ * Provides utility methods for authentication functionality
+ */
+public class AuthorizationHelper {
+
+  /**
+   * Converts collection of RoleEntities to collection of GrantedAuthorities
+   */
+  public Collection<GrantedAuthority> convertRolesToAuthorities(Collection<RoleEntity> roleEntities) {
+    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(roleEntities.size());
+
+    for (RoleEntity roleEntity : roleEntities) {
+      authorities.add(new SimpleGrantedAuthority(roleEntity.getRoleName().toUpperCase()));
+    }
+
+    return authorities;
+  }
+}

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java

@@ -0,0 +1,171 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import org.apache.commons.lang.StringUtils;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Describes LDAP Server connection parameters
+ */
+public class LdapServerProperties {
+
+  private String primaryUrl;
+  private String secondaryUrl;
+  private boolean useSsl;
+  private boolean anonymousBind;
+  private String managerDn;
+  private String managerPassword;
+  private String baseDN;
+  private String userSearchBase = "";
+  private String usernameAttribute;
+
+  private static final String userSearchFilter = "({attribute}={0})";
+
+  public List<String> getLdapUrls() {
+    String protocol = useSsl ? "ldaps://" : "ldap://";
+
+    if (StringUtils.isEmpty(primaryUrl)) {
+      return Collections.emptyList();
+    } else {
+      List<String> list = new ArrayList<String>();
+      list.add(protocol + primaryUrl);
+      if (!StringUtils.isEmpty(secondaryUrl)) {
+        list.add(protocol + secondaryUrl);
+      }
+      return list;
+    }
+  }
+
+  public String getPrimaryUrl() {
+    return primaryUrl;
+  }
+
+  public void setPrimaryUrl(String primaryUrl) {
+    this.primaryUrl = primaryUrl;
+  }
+
+  public String getSecondaryUrl() {
+    return secondaryUrl;
+  }
+
+  public void setSecondaryUrl(String secondaryUrl) {
+    this.secondaryUrl = secondaryUrl;
+  }
+
+  public boolean isUseSsl() {
+    return useSsl;
+  }
+
+  public void setUseSsl(boolean useSsl) {
+    this.useSsl = useSsl;
+  }
+
+  public boolean isAnonymousBind() {
+    return anonymousBind;
+  }
+
+  public void setAnonymousBind(boolean anonymousBind) {
+    this.anonymousBind = anonymousBind;
+  }
+
+  public String getManagerDn() {
+    return managerDn;
+  }
+
+  public void setManagerDn(String managerDn) {
+    this.managerDn = managerDn;
+  }
+
+  public String getManagerPassword() {
+    return managerPassword;
+  }
+
+  public void setManagerPassword(String managerPassword) {
+    this.managerPassword = managerPassword;
+  }
+
+  public String getBaseDN() {
+    return baseDN;
+  }
+
+  public void setBaseDN(String baseDN) {
+    this.baseDN = baseDN;
+  }
+
+  public String getUserSearchBase() {
+    return userSearchBase;
+  }
+
+  public void setUserSearchBase(String userSearchBase) {
+    this.userSearchBase = userSearchBase;
+  }
+
+  public String getUserSearchFilter() {
+    return userSearchFilter.replace("{attribute}", usernameAttribute);
+  }
+
+  public String getUsernameAttribute() {
+    return usernameAttribute;
+  }
+
+  public void setUsernameAttribute(String usernameAttribute) {
+    this.usernameAttribute = usernameAttribute;
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (this == obj) return true;
+    if (obj == null || getClass() != obj.getClass()) return false;
+
+    LdapServerProperties that = (LdapServerProperties) obj;
+
+    if (primaryUrl != null ? !primaryUrl.equals(that.primaryUrl) : that.primaryUrl != null) return false;
+    if (secondaryUrl != null ? !secondaryUrl.equals(that.secondaryUrl) : that.secondaryUrl != null) return false;
+    if (useSsl!=that.useSsl) return false;
+    if (anonymousBind!=that.anonymousBind) return false;
+    if (managerDn != null ? !managerDn.equals(that.managerDn) : that.managerDn != null) return false;
+    if (managerPassword != null ? !managerPassword.equals(that.managerPassword) : that.managerPassword != null)
+      return false;
+    if (baseDN != null ? !baseDN.equals(that.baseDN) : that.baseDN != null) return false;
+    if (userSearchBase != null ? !userSearchBase.equals(that.userSearchBase) : that.userSearchBase != null)
+      return false;
+    if (usernameAttribute != null ? !usernameAttribute.equals(that.usernameAttribute) : that.usernameAttribute != null)
+      return false;
+
+    return true;
+  }
+
+  @Override
+  public int hashCode() {
+    int result = primaryUrl != null ? primaryUrl.hashCode() : 0;
+    result = 31 * result + (secondaryUrl != null ? secondaryUrl.hashCode() : 0);
+    result = 31 * result + (useSsl ? 1 : 0);
+    result = 31 * result + (anonymousBind ? 1 : 0);
+    result = 31 * result + (managerDn != null ? managerDn.hashCode() : 0);
+    result = 31 * result + (managerPassword != null ? managerPassword.hashCode() : 0);
+    result = 31 * result + (baseDN != null ? baseDN.hashCode() : 0);
+    result = 31 * result + (userSearchBase != null ? userSearchBase.hashCode() : 0);
+    result = 31 * result + (usernameAttribute != null ? usernameAttribute.hashCode() : 0);
+    return result;
+  }
+
+}

ambari-server/src/main/java/org/apache/ambari/server/security/unsecured/rest/CertificateDownload.java

@@ -44,4 +44,6 @@ public class CertificateDownload {
   public String downloadSrvrCrt() {
     return certMan.getServerCert();
   }
+  
+  
 }

ambari-server/src/main/java/org/apache/ambari/server/security/unsecured/rest/CertificateSign.java

@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.unsecured.rest;
+
+
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+
+import org.apache.ambari.server.security.CertificateManager;
+import org.apache.ambari.server.security.SignCertResponse;
+import org.apache.ambari.server.security.SignMessage;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import com.google.inject.Inject;
+@Path("/")
+public class CertificateSign {
+  private static Log LOG = LogFactory.getLog(CertificateSign.class);
+  private static CertificateManager certMan;
+  
+  @Inject
+  static void init(CertificateManager instance) {
+    certMan = instance;
+  }
+  
+  /**
+   * Signs agent certificate
+   * @response.representation.200.doc This API is invoked by Ambari agent running
+   *  on a cluster to register with the server.
+   * @response.representation.200.mediaType application/json
+   * @response.representation.406.doc Error in register message format
+   * @response.representation.408.doc Request Timed out
+   * @param message Register message
+   * @throws Exception
+   */
+  @Path("{hostName}")
+  @POST
+  @Consumes(MediaType.APPLICATION_JSON)
+  @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
+  public SignCertResponse signAgentCrt(@PathParam("hostName") String hostname,SignMessage message, @Context HttpServletRequest req) {
+	  SignCertResponse response = new SignCertResponse();
+	  String signedCa;
+	  signedCa = certMan.signAgentCrt(hostname, message.getCsr(), message.getPassphrase());
+	  response.setSignedCa(signedCa);
+	  if (response.getSignedCa().length()>0)
+		  response.setResult(SignCertResponse.OK_STATUS);
+	  else
+		  response.setResult(SignCertResponse.ERROR_STATUS);
+      return response;
+  }
+}

ambari-server/src/main/resources/ca.config

@@ -0,0 +1,24 @@
+[ ca ]
+default_ca             = CA_CLIENT
+[ CA_CLIENT ]
+dir		       = keystore/db
+certs                  = $dir/certs
+new_certs_dir          = $dir/newcerts
+
+database               = $dir/index.txt
+serial                 = $dir/serial
+default_days           = 365    
+
+default_crl_days       = 7  
+default_md             = md5 
+
+policy                 = policy_anything 
+
+[ policy_anything ]
+countryName            = optional
+stateOrProvinceName    = optional 
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = supplied 
+commonName             = optional   
+emailAddress           = optional       

ambari-server/src/main/resources/db/serial

@@ -0,0 +1 @@
+01

ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml

@@ -23,8 +23,7 @@
                     http://www.springframework.org/schema/security/spring-security-3.1.xsd">
 
   <http use-expressions="true" auto-config="true"
-        disable-url-rewriting="true"
-          >
+        disable-url-rewriting="true">
     <http-basic/>
     <intercept-url pattern="/api/*" access="hasRole('ADMIN')"/>
     <intercept-url pattern="/**" access="isAuthenticated()"/>
@@ -34,19 +33,30 @@
 
   <authentication-manager>
 
-    <authentication-provider user-service-ref="ambariUserService">
-
+    <authentication-provider user-service-ref="ambariLocalUserService">
+      <password-encoder ref="passwordEncoder"/>
     </authentication-provider>
 
+    <authentication-provider ref="ambariLdapAuthenticationProvider"/>
+
   </authentication-manager>
 
-  <beans:bean id="ambariUserService"
-              class="org.springframework.security.core.userdetails.UserDetailsService"
+  <beans:bean id="ambariLocalUserService"
+              class="org.apache.ambari.server.security.authorization.AmbariLocalUserDetailsService"
               factory-bean="guiceInjector"
-              factory-method="getInstance"
-              lazy-init="true">
-    <beans:constructor-arg type="java.lang.Class" value="org.apache.ambari.server.security.AmbariUserDetailsService"/>
+              factory-method="getInstance">
+    <beans:constructor-arg type="java.lang.Class"
+                           value="org.apache.ambari.server.security.authorization.AmbariLocalUserDetailsService"/>
   </beans:bean>
 
+  <beans:bean id="ambariLdapAuthenticationProvider"
+              class="org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider"
+              factory-bean="guiceInjector"
+              factory-method="getInstance">
+    <beans:constructor-arg type="java.lang.Class"
+                           value="org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider"/>
+  </beans:bean>
 
+  <beans:bean id="passwordEncoder"
+              class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>
 </beans:beans>

ambari-server/src/test/java/org/apache/ambari/server/bootstrap/BootStrapTest.java

@@ -63,6 +63,7 @@ public class BootStrapTest extends TestCase {
     properties.setProperty(Configuration.BOOTSTRAP_DIR, 
        bootdir);
     properties.setProperty(Configuration.BOOTSTRAP_SCRIPT, "echo");
+    properties.setProperty(Configuration.SRVR_KSTR_DIR_KEY, "target" + File.separator + "classes");
     Configuration conf = new Configuration(properties);
     BootStrapImpl impl = new BootStrapImpl(conf);
     impl.init();

ambari-server/src/test/java/org/apache/ambari/server/orm/OrmTestHelper.java

@@ -20,28 +20,33 @@ package org.apache.ambari.server.orm;
 
 import com.google.inject.Inject;
 import com.google.inject.Injector;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
 import com.google.inject.persist.Transactional;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
-import org.apache.ambari.server.orm.entities.ClusterEntity;
-import org.apache.ambari.server.orm.entities.ClusterServiceEntity;
-import org.apache.ambari.server.orm.entities.HostEntity;
-import org.apache.ambari.server.orm.entities.HostStateEntity;
+import org.apache.ambari.server.orm.dao.RoleDAO;
+import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.*;
+import org.springframework.security.crypto.password.PasswordEncoder;
 
 import javax.persistence.EntityManager;
 import javax.persistence.Query;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
+import java.util.*;
 
+@Singleton
 public class OrmTestHelper {
 
   @Inject
-  EntityManager entityManager;
+  public Provider<EntityManager> entityManagerProvider;
   @Inject
-  Injector injector;
+  public Injector injector;
+  @Inject
+  public UserDAO userDAO;
+  @Inject
+  public RoleDAO roleDAO;
 
   public EntityManager getEntityManager() {
-    return entityManager;
+    return entityManagerProvider.get();
   }
 
   /**
@@ -91,13 +96,42 @@ public class OrmTestHelper {
     clusterServiceEntities.add(clusterServiceEntity);
     clusterEntity.setClusterServiceEntities(clusterServiceEntities);
 
+    getEntityManager().persist(host1);
+    getEntityManager().persist(host2);
+    getEntityManager().persist(clusterEntity);
+    getEntityManager().persist(hostStateEntity1);
+    getEntityManager().persist(hostStateEntity2);
+    getEntityManager().persist(clusterServiceEntity);
+
+  }
+
+  @Transactional
+  public void createTestUsers() {
+    PasswordEncoder encoder = injector.getInstance(PasswordEncoder.class);
+
+    RoleEntity adminRole = new RoleEntity();
+    adminRole.setRoleName("admin");
+
+    UserEntity admin = new UserEntity();
+    admin.setUserName("administrator");
+    admin.setUserPassword(encoder.encode("admin"));
+
+    Set<RoleEntity> roles = new HashSet<RoleEntity>();
+    Set<UserEntity> users = new HashSet<UserEntity>();
+
+    roles.add(adminRole);
+    users.add(admin);
+
+    admin.setRoleEntities(roles);
+    adminRole.setUserEntities(users);
+
+    userDAO.create(admin);
+    roleDAO.create(adminRole);
 
-    entityManager.persist(host1);
-    entityManager.persist(host2);
-    entityManager.persist(clusterEntity);
-    entityManager.persist(hostStateEntity1);
-    entityManager.persist(hostStateEntity2);
-    entityManager.persist(clusterServiceEntity);
+    UserEntity userWithoutRoles = new UserEntity();
+    userWithoutRoles.setUserName("userWithoutRoles");
+    userWithoutRoles.setUserPassword(encoder.encode("test"));
+    userDAO.create(userWithoutRoles);
 
   }
 
@@ -105,12 +139,12 @@ public class OrmTestHelper {
   public void performTransactionMarkedForRollback() {
     ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
     clusterDAO.removeByName("test_cluster1");
-    entityManager.getTransaction().setRollbackOnly();
+    getEntityManager().getTransaction().setRollbackOnly();
   }
 
   public int getClusterSizeByHostName(String hostName) {
 
-    Query query = entityManager.createQuery(
+    Query query = getEntityManager().createQuery(
             "SELECT host2 from HostEntity host join host.clusterEntity cluster join cluster.hostEntities host2 where host.hostName=:hostName");
     query.setParameter("hostName", hostName);
 

ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java

@@ -0,0 +1,107 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.security;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.util.Properties;
+
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+
+import junit.framework.TestCase;
+
+public class CertGenerationTest extends TestCase {
+	
+  private static Log LOG = LogFactory.getLog(CertGenerationTest.class);
+  public TemporaryFolder temp = new TemporaryFolder();
+  
+  Injector injector;
+  
+  private static CertificateManager certMan;
+  
+  @Inject
+  static void init(CertificateManager instance) {
+    certMan = instance;
+  }
+
+  
+  private class SecurityModule extends AbstractModule {
+    @Override
+    protected void configure() {
+      requestStaticInjection(CertGenerationTest.class);
+    }
+  }
+	  
+  @Before
+  public void setUp() throws IOException {
+    temp.create();
+    System.setProperty(Configuration.AMBARI_CONF_VAR, temp.getRoot().getAbsolutePath());
+    Properties props = new Properties();
+    props.setProperty(Configuration.SRVR_KSTR_DIR_KEY, temp.getRoot().getAbsolutePath());
+    FileOutputStream out = new FileOutputStream(temp.getRoot().getAbsolutePath() + File.separator + Configuration.CONFIG_FILE);
+    props.store(out, "");
+    out.close();
+  
+    injector = Guice.createInjector(new SecurityModule());
+    certMan = injector.getInstance(CertificateManager.class);
+  
+    certMan.initRootCert();
+  }
+	  
+  @After
+  public void tearDown() throws IOException {
+	  temp.delete();
+  }
+	  
+  @Test
+  public void testServerCertGen() throws Exception {
+    
+    File serverCrt = new File(temp.getRoot().getAbsoluteFile() +
+    						  File.separator + Configuration.SRVR_CRT_NAME_DEFAULT);
+    assertTrue(serverCrt.exists());
+  }
+  
+  @Test
+  public void testServerKeyGen() throws Exception {
+    
+    File serverKey = new File(temp.getRoot().getAbsoluteFile() +
+    						  File.separator + Configuration.SRVR_KEY_NAME_DEFAULT);
+    assertTrue(serverKey.exists());
+  }
+  
+  @Test
+  public void testServerKeystoreGen() throws Exception {
+    
+    File serverKeyStrore = new File(temp.getRoot().getAbsoluteFile() +
+    						  File.separator + Configuration.KSTR_NAME_DEFAULT);
+    assertTrue(serverKeyStrore.exists());
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java

@@ -0,0 +1,96 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+import com.google.inject.persist.jpa.JpaPersistModule;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.orm.GuiceJpaInitializer;
+import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.security.ClientSecurityType;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.ldap.server.ApacheDSContainer;
+
+import static org.junit.Assert.*;
+
+public class AmbariLdapAuthenticationProviderTest{
+
+  private static ApacheDSContainer apacheDSContainer;
+  private static Injector injector;
+
+  @Inject
+  private AmbariLdapAuthenticationProvider authenticationProvider;
+  @Inject
+  private UserDAO userDAO;
+  @Inject
+  Configuration configuration;
+
+  @BeforeClass
+  public static void beforeClass() throws Exception{
+    injector = Guice.createInjector(new AuthorizationTestModule(), new JpaPersistModule("ambari-javadb"));
+    injector.getInstance(GuiceJpaInitializer.class);
+
+    apacheDSContainer = new ApacheDSContainer("dc=ambari,dc=apache,dc=org", "classpath:/users.ldif");
+    apacheDSContainer.setPort(33389);
+    apacheDSContainer.afterPropertiesSet();
+  }
+
+  @Before
+  public void setUp() {
+    injector.injectMembers(this);
+    configuration.setClientSecurityType(ClientSecurityType.LDAP);
+  }
+
+  @Test(expected = BadCredentialsException.class)
+  public void testBadCredential() throws Exception {
+    Authentication authentication = new UsernamePasswordAuthenticationToken("notFound", "wrong");
+    authenticationProvider.authenticate(authentication);
+  }
+
+  @Test
+  public void testAuthenticate() throws Exception {
+    assertNull("User alread exists in DB", userDAO.findLdapUserByName("allowedUser"));
+    Authentication authentication = new UsernamePasswordAuthenticationToken("allowedUser", "password");
+    Authentication result = authenticationProvider.authenticate(authentication);
+    assertTrue(result.isAuthenticated());
+    assertNotNull("User was not created", userDAO.findLdapUserByName("allowedUser"));
+    result = authenticationProvider.authenticate(authentication);
+    assertTrue(result.isAuthenticated());
+  }
+
+  @Test(expected = UsernameNotFoundException.class)
+  public void testDisabled() throws Exception {
+    configuration.setClientSecurityType(ClientSecurityType.LOCAL);
+    Authentication authentication = new UsernamePasswordAuthenticationToken("allowedUser", "password");
+    authenticationProvider.authenticate(authentication);
+  }
+
+  @AfterClass
+  public static void afterClass() {
+    apacheDSContainer.stop();
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsServiceTest.java

@@ -0,0 +1,80 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+import com.google.inject.persist.jpa.JpaPersistModule;
+import org.apache.ambari.server.orm.GuiceJpaInitializer;
+import org.apache.ambari.server.orm.OrmTestHelper;
+import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.UserEntity;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class AmbariLocalUserDetailsServiceTest {
+
+  private static Injector injector;
+
+  @Inject
+  AmbariLocalUserDetailsService userDetailsService;
+  @Inject
+  PasswordEncoder passwordEncoder;
+  @Inject
+  UserDAO userDAO;
+
+  @BeforeClass
+  public static void prepareData() {
+    injector = Guice.createInjector(new AuthorizationTestModule(), new JpaPersistModule("ambari-javadb"));
+    injector.getInstance(GuiceJpaInitializer.class);
+    injector.getInstance(OrmTestHelper.class).createTestUsers();
+  }
+
+  @Before
+  public void setUp() throws Exception {
+    injector.injectMembers(this);
+  }
+
+  @Test
+  public void testLoadUserByUsername() throws Exception {
+    UserDetails userDetails = userDetailsService.loadUserByUsername("administrator");
+    assertEquals("Wrong username", "administrator", userDetails.getUsername());
+    assertTrue("Password not matches", passwordEncoder.matches("admin", userDetails.getPassword()));
+    assertFalse("Wrong password accepted", passwordEncoder.matches("wrong", userDetails.getPassword()));
+  }
+
+  @Test(expected = UsernameNotFoundException.class)
+  public void testUsernameNotFound() throws Exception {
+    userDetailsService.loadUserByUsername("notExists_123123123");
+  }
+
+  @Test(expected = UsernameNotFoundException.class)
+  public void testEmptyRoles() throws Exception {
+    UserEntity user = userDAO.findLocalUserByName("userWithoutRoles");
+    userDetailsService.loadUserByUsername(user.getUserName());
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java

@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import org.apache.ambari.server.orm.entities.RoleEntity;
+import org.junit.Test;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
+
+import static org.junit.Assert.assertEquals;
+
+public class AuthorizationHelperTest {
+
+  @Test
+  public void testConvertRolesToAuthorities() throws Exception {
+    Collection<RoleEntity> roles = new ArrayList<RoleEntity>();
+    RoleEntity role = new RoleEntity();
+    role.setRoleName("admin");
+    roles.add(role);
+    role = new RoleEntity();
+    role.setRoleName("user");
+    roles.add(role);
+
+    Collection<GrantedAuthority> authorities = new AuthorizationHelper().convertRolesToAuthorities(roles);
+
+    assertEquals("Wrong number of authorities", 2, authorities.size());
+    Iterator<GrantedAuthority> iterator = authorities.iterator();
+    assertEquals("Wrong authority name", "ADMIN", iterator.next().getAuthority());
+
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModule.java

@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.AbstractModule;
+import org.apache.ambari.server.configuration.Configuration;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.crypto.password.StandardPasswordEncoder;
+
+import java.lang.reflect.Constructor;
+import java.util.Properties;
+
+public class AuthorizationTestModule extends AbstractModule {
+  @Override
+  protected void configure() {
+
+    bind(PasswordEncoder.class).to(StandardPasswordEncoder.class);
+    bind(Properties.class).toInstance(buildTestProperties());
+    bind(Configuration.class).toConstructor(getConfigurationConstructor());
+  }
+
+  protected Properties buildTestProperties() {
+    Properties properties = new Properties();
+    properties.setProperty(Configuration.CLIENT_SECURITY_KEY, "ldap");
+    return properties;
+  }
+
+  protected Constructor<Configuration> getConfigurationConstructor() {
+    try {
+      return Configuration.class.getConstructor(Properties.class);
+    } catch (NoSuchMethodException e) {
+      throw new RuntimeException("Expected constructor not found in Configuration.java", e);
+    }
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java

@@ -0,0 +1,95 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+import org.apache.ambari.server.configuration.Configuration;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class LdapServerPropertiesTest {
+
+  private final Injector injector;
+
+  private static final String INCORRECT_URL_LIST = "Incorrect LDAP URL list created";
+  private static final String INCORRECT_USER_SEARCH_FILTER = "Incorrect search filter";
+
+  protected LdapServerProperties ldapServerProperties;
+
+  @Inject
+  Configuration configuration;
+
+  public LdapServerPropertiesTest() {
+    injector = Guice.createInjector(new AuthorizationTestModule());
+    injector.injectMembers(this);
+  }
+
+  @Before
+  public void setUp() throws Exception {
+    ldapServerProperties =  new LdapServerProperties();
+    ldapServerProperties.setAnonymousBind(true);
+    ldapServerProperties.setBaseDN("dc=ambari,dc=apache,dc=org");
+    ldapServerProperties.setManagerDn("uid=manager," + ldapServerProperties.getBaseDN());
+    ldapServerProperties.setManagerPassword("password");
+    ldapServerProperties.setUseSsl(false);
+    ldapServerProperties.setPrimaryUrl("1.2.3.4:389");
+    ldapServerProperties.setUsernameAttribute("uid");
+  }
+
+  @Test
+  public void testGetLdapUrls() throws Exception {
+    List<String> urls = ldapServerProperties.getLdapUrls();
+    assertEquals(INCORRECT_URL_LIST, 1, urls.size());
+    assertEquals(INCORRECT_URL_LIST, "ldap://1.2.3.4:389", urls.get(0));
+    ldapServerProperties.setSecondaryUrl("4.3.2.1:1234");
+    urls = ldapServerProperties.getLdapUrls();
+    assertEquals(INCORRECT_URL_LIST, 2, urls.size());
+    assertEquals(INCORRECT_URL_LIST, "ldap://4.3.2.1:1234", urls.get(1));
+    ldapServerProperties.setUseSsl(true);
+    urls = ldapServerProperties.getLdapUrls();
+    assertEquals(INCORRECT_URL_LIST, "ldaps://1.2.3.4:389", urls.get(0));
+    assertEquals(INCORRECT_URL_LIST, "ldaps://4.3.2.1:1234", urls.get(1));
+  }
+
+  @Test
+  public void testGetUserSearchFilter() throws Exception {
+    assertEquals(INCORRECT_USER_SEARCH_FILTER, "(uid={0})", ldapServerProperties.getUserSearchFilter());
+    ldapServerProperties.setUsernameAttribute("anotherName");
+    assertEquals(INCORRECT_USER_SEARCH_FILTER, "(anotherName={0})", ldapServerProperties.getUserSearchFilter());
+  }
+
+  @Test
+  public void testEquals() throws Exception {
+    LdapServerProperties properties1 = configuration.getLdapServerProperties();
+    LdapServerProperties properties2 = configuration.getLdapServerProperties();
+    assertTrue("Properties object is same", properties1 != properties2);
+    assertTrue("Objects are not equal", properties1.equals(properties2));
+    assertTrue("Hash codes are not equal", properties1.hashCode() == properties2.hashCode());
+    properties2.setSecondaryUrl("5.6.7.8:389");
+    assertFalse("Objects are equal", properties1.equals(properties2));
+  }
+}

ambari-server/src/test/resources/log4j.properties

@@ -12,8 +12,10 @@
 
 # log4j configuration used during build and unit tests
 
-log4j.rootLogger=DEBUG,stdout
+log4j.rootLogger=INFO,stdout
 log4j.threshhold=ALL
 log4j.appender.stdout=org.apache.log4j.ConsoleAppender
 log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
 log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2} (%F:%M(%L)) - %m%n
+
+log4j.logger.org.apache.ambari=DEBUG