10 years ago · e22b671035
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -48,7 +48,7 @@ bootstrap.script=/usr/lib/python2.6/site-packages/ambari_server/bootstrap.py
 
				 bootstrap.setup_agent.script=/usr/lib/python2.6/site-packages/ambari_server/setupAgent.py
			
 
				 recommendations.dir=/var/run/ambari-server/stack-recommendations
			
 
				 stackadvisor.script=/var/lib/ambari-server/resources/scripts/stack_advisor.py
			
 
				-server.tmp.dir=/var/lib/ambari-server/tmp
			
 
				+server.tmp.dir=/var/lib/ambari-server/data/tmp
			
 
				 ambari.python.wrap=ambari-python-wrap
			
 
				 
			
 
				 api.authenticate=true
			
--- a/ambari-server/conf/windows/ambari.properties
+++ b/ambari-server/conf/windows/ambari.properties
@@ -55,7 +55,7 @@ kerberos.keytab.cache.dir = data\\cache
 
				 
			
 
				 recommendations.dir=\\var\\run\\ambari-server\\stack-recommendations
			
 
				 stackadvisor.script=resources\\scripts\\stack_advisor.py
			
 
				-server.tmp.dir=\\var\\run\\ambari-server\\tmp
			
 
				+server.tmp.dir=\\var\\run\\ambari-server\\data\\tmp
			
 
				 views.dir=resources\\views
			
 
				 ambari.python.wrap=python.exe
			
 
				 
			
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
@@ -353,7 +353,6 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
 
				 
			
 
				     try {
			
 
				       keytab.write(cachedKeytabFile);
			
 
				-      ensureAmbariOnlyAccess(cachedKeytabFile);
			
 
				     } catch (IOException e) {
			
 
				       String message = String.format("Failed to write the keytab for %s to the cache location (%s)",
			
 
				           principal, cachedKeytabFile.getAbsolutePath());
			
@@ -361,6 +360,8 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
 
				       throw new AmbariException(message, e);
			
 
				     }
			
 
				 
			
 
				+    ensureAmbariOnlyAccess(cachedKeytabFile);
			
 
				+
			
 
				     return cachedKeytabFile;
			
 
				   }
			
 
				 
			
@@ -370,23 +371,31 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
 
				    *
			
 
				    * @param file the file or directory for which to modify access
			
 
				    */
			
 
				-  private void ensureAmbariOnlyAccess(File file) {
			
 
				+  protected void ensureAmbariOnlyAccess(File file) throws AmbariException {
			
 
				     if (file.exists()) {
			
 
				       if (!file.setReadable(false, false) || !file.setReadable(true, true)) {
			
 
				-        LOG.warn(String.format("Failed to set %s readable only by Ambari", file.getAbsolutePath()));
			
 
				+        String message = String.format("Failed to set %s readable only by Ambari", file.getAbsolutePath());
			
 
				+        LOG.warn(message);
			
 
				+        throw new AmbariException(message);
			
 
				       }
			
 
				 
			
 
				       if (!file.setWritable(false, false) || !file.setWritable(true, true)) {
			
 
				-        LOG.warn(String.format("Failed to set %s writable only by Ambari", file.getAbsolutePath()));
			
 
				+        String message = String.format("Failed to set %s writable only by Ambari", file.getAbsolutePath());
			
 
				+        LOG.warn(message);
			
 
				+        throw new AmbariException(message);
			
 
				       }
			
 
				 
			
 
				       if (file.isDirectory()) {
			
 
				-        if (!file.setExecutable(false, false) && !file.setExecutable(true, true)) {
			
 
				-          LOG.warn(String.format("Failed to set %s executable by Ambari", file.getAbsolutePath()));
			
 
				+        if (!file.setExecutable(false, false) || !file.setExecutable(true, true)) {
			
 
				+          String message = String.format("Failed to set %s executable by Ambari", file.getAbsolutePath());
			
 
				+          LOG.warn(message);
			
 
				+          throw new AmbariException(message);
			
 
				         }
			
 
				       } else {
			
 
				         if (!file.setExecutable(false, false)) {
			
 
				-          LOG.warn(String.format("Failed to set %s not executable", file.getAbsolutePath()));
			
 
				+          String message = String.format("Failed to set %s not executable", file.getAbsolutePath());
			
 
				+          LOG.warn(message);
			
 
				+          throw new AmbariException(message);
			
 
				         }
			
 
				       }
			
 
				     }
			
--- a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
@@ -0,0 +1,91 @@
 
				+/*
			
 
				+ * Licensed to the Apache Software Foundation (ASF) under one
			
 
				+ * or more contributor license agreements.  See the NOTICE file
			
 
				+ * distributed with this work for additional information
			
 
				+ * regarding copyright ownership.  The ASF licenses this file
			
 
				+ * to you under the Apache License, Version 2.0 (the
			
 
				+ * "License"); you may not use this file except in compliance
			
 
				+ * with the License.  You may obtain a copy of the License at
			
 
				+ *
			
 
				+ *     http://www.apache.org/licenses/LICENSE-2.0
			
 
				+ *
			
 
				+ * Unless required by applicable law or agreed to in writing, software
			
 
				+ * distributed under the License is distributed on an "AS IS" BASIS,
			
 
				+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			
 
				+ * See the License for the specific language governing permissions and
			
 
				+ * limitations under the License.
			
 
				+ */
			
 
				+
			
 
				+package org.apache.ambari.server.serveraction.kerberos;
			
 
				+
			
 
				+import junit.framework.Assert;
			
 
				+import org.junit.Rule;
			
 
				+import org.junit.Test;
			
 
				+import org.junit.rules.TemporaryFolder;
			
 
				+
			
 
				+import java.io.File;
			
 
				+import java.nio.file.Files;
			
 
				+import java.nio.file.Path;
			
 
				+import java.nio.file.Paths;
			
 
				+import java.nio.file.attribute.PosixFilePermission;
			
 
				+import java.util.Set;
			
 
				+
			
 
				+public class CreateKeytabFilesServerActionTest {
			
 
				+
			
 
				+  @Rule
			
 
				+  public TemporaryFolder testFolder = new TemporaryFolder();
			
 
				+
			
 
				+  @Test
			
 
				+  public void testEnsureAmbariOnlyAccess() throws Exception {
			
 
				+    Path path;
			
 
				+    Set<PosixFilePermission> permissions;
			
 
				+
			
 
				+    File directory = testFolder.newFolder();
			
 
				+    Assert.assertNotNull(directory);
			
 
				+
			
 
				+    new CreateKeytabFilesServerAction().ensureAmbariOnlyAccess(directory);
			
 
				+
			
 
				+    // The directory is expected to have the following permissions: rwx------ (700)
			
 
				+    path = Paths.get(directory.getAbsolutePath());
			
 
				+    Assert.assertNotNull(path);
			
 
				+
			
 
				+    permissions = Files.getPosixFilePermissions(path);
			
 
				+    Assert.assertNotNull(permissions);
			
 
				+
			
 
				+    Assert.assertNotNull(permissions);
			
 
				+    Assert.assertEquals(3, permissions.size());
			
 
				+    Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_READ));
			
 
				+    Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_WRITE));
			
 
				+    Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_EXECUTE));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_READ));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_WRITE));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_EXECUTE));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_READ));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_WRITE));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_EXECUTE));
			
 
				+
			
 
				+    File file = File.createTempFile("temp_", "", directory);
			
 
				+    Assert.assertNotNull(file);
			
 
				+    Assert.assertTrue(file.exists());
			
 
				+
			
 
				+    new CreateKeytabFilesServerAction().ensureAmbariOnlyAccess(file);
			
 
				+
			
 
				+    // The file is expected to have the following permissions: rw------- (600)
			
 
				+    path = Paths.get(file.getAbsolutePath());
			
 
				+    Assert.assertNotNull(path);
			
 
				+
			
 
				+    permissions = Files.getPosixFilePermissions(path);
			
 
				+    Assert.assertNotNull(permissions);
			
 
				+
			
 
				+    Assert.assertEquals(2, permissions.size());
			
 
				+    Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_READ));
			
 
				+    Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_WRITE));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.OWNER_EXECUTE));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_READ));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_WRITE));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_EXECUTE));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_READ));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_WRITE));
			
 
				+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_EXECUTE));
			
 
				+  }
			
 
				+}