AMBARI-9209. Add the ability to append a random value to values in LDAP attributes when generating principals in Active Directory (rlevas)

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java

@@ -21,7 +21,7 @@ package org.apache.ambari.server.serveraction.kerberos;
 
 import com.google.common.reflect.TypeToken;
 import com.google.gson.Gson;
-import org.apache.ambari.server.utils.StageUtils;
+import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.velocity.VelocityContext;
@@ -42,8 +42,6 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Properties;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 /**
  * Implementation of <code>KerberosOperationHandler</code> to created principal in Active Directory
@@ -52,15 +50,6 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
 
   private static Log LOG = LogFactory.getLog(ADKerberosOperationHandler.class);
 
-  /**
-   * Regular expression to parse the different principal formats:
-   * primary/instance@REALM
-   * primary@REALM
-   * primary/instance
-   * primary
-   */
-  private static Pattern PATTERN_PRINCIPAL = Pattern.compile("^(([^ /@]+)(?:/([^ /@]+))?)(?:@(.+)?)?$");
-
   private static final String LDAP_CONTEXT_FACTORY_CLASS = "com.sun.jndi.ldap.LdapCtxFactory";
 
   public final static String KERBEROS_ENV_LDAP_URL = "ldap_url";
@@ -213,27 +202,14 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
     if (principal == null) {
       throw new KerberosOperationException("principal is null");
     }
-    NamingEnumeration<SearchResult> searchResultEnum = null;
+
+    DeconstructedPrincipal deconstructPrincipal = deconstructPrincipal(principal);
+
     try {
-      searchResultEnum = ldapContext.search(
-          principalContainerDn,
-          "(userPrincipalName=" + principal + ")",
-          searchControls);
-      if (searchResultEnum.hasMore()) {
-        return true;
-      }
+      return (findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal()) != null);
     } catch (NamingException ne) {
       throw new KerberosOperationException("can not check if principal exists: " + principal, ne);
-    } finally {
-      try {
-        if (searchResultEnum != null) {
-          searchResultEnum.close();
-        }
-      } catch (NamingException ne) {
-        // ignore, we can not do anything about it
-      }
     }
-    return false;
   }
 
   /**
@@ -262,31 +238,24 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
     }
 
     // TODO: (rlevas) pass components and realm in separately (AMBARI-9122)
-    String realm = null;
-    String principal_primary = null;
-    String principal_instance = null;
-
-    Matcher matcher = PATTERN_PRINCIPAL.matcher(principal);
-    if (matcher.matches()) {
-      principal = matcher.group(1);
-      principal_primary = matcher.group(2);
-      principal_instance = matcher.group(3);
-      realm = matcher.group(4);
-    }
+    DeconstructedPrincipal deconstructedPrincipal = deconstructPrincipal(principal);
 
-    if ((realm == null) || realm.isEmpty()) {
-      realm = getDefaultRealm();
+    String realm = deconstructedPrincipal.getRealm();
+    if (realm == null) {
+      realm = "";
     }
 
     Map<String, Object> context = new HashMap<String, Object>();
-    context.put("principal", principal);
-    context.put("principal_primary", principal_primary);
-    context.put("principal_instance", principal_instance);
+    context.put("normalized_principal", deconstructedPrincipal.getNormalizedPrincipal());
+    context.put("principal_name", deconstructedPrincipal.getPrincipalName());
+    context.put("principal_primary", deconstructedPrincipal.getPrimary());
+    context.put("principal_instance", deconstructedPrincipal.getInstance());
     context.put("realm", realm);
-    context.put("realm_lowercase", (realm == null) ? null : realm.toLowerCase());
+    context.put("realm_lowercase", realm.toLowerCase());
     context.put("password", password);
     context.put("is_service", service);
     context.put("container_dn", this.principalContainerDn);
+    context.put("principal_digest", DigestUtils.sha1Hex(deconstructedPrincipal.getNormalizedPrincipal()));
 
     Map<String, Object> data = processCreateTemplate(context);
 
@@ -300,13 +269,11 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
 
         if ("unicodePwd".equals(key)) {
           if (value instanceof String) {
-            Attribute passwordAttr = new BasicAttribute("unicodePwd");  // password
             try {
-              passwordAttr.add(((String) value).getBytes("UTF-16LE"));
+              attributes.put(new BasicAttribute("unicodePwd", String.format("\"%s\"", password).getBytes("UTF-16LE")));
             } catch (UnsupportedEncodingException ue) {
               throw new KerberosOperationException("Can not encode password with UTF-16LE", ue);
             }
-            attributes.put(passwordAttr);
           }
         } else {
           Attribute attribute = new BasicAttribute(key);
@@ -327,7 +294,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
     }
 
     if (cn == null) {
-      cn = String.format("%s@%s", principal, realm);
+      cn = deconstructedPrincipal.getNormalizedPrincipal();
     }
     try {
       Name name = new CompositeName().add(String.format("cn=%s,%s", cn, principalContainerDn));
@@ -359,26 +326,27 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
     if (password == null) {
       throw new KerberosOperationException("principal password is null");
     }
+
+    DeconstructedPrincipal deconstructPrincipal = deconstructPrincipal(principal);
+
     try {
-      if (!principalExists(principal)) {
-        throw new KerberosOperationException("principal not found : " + principal);
+      String dn = findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal());
+
+      if (dn != null) {
+        ldapContext.modifyAttributes(dn,
+            new ModificationItem[]{
+                new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", String.format("\"%s\"", password).getBytes("UTF-16LE")))
+            }
+        );
+      } else {
+        throw new KerberosOperationException(String.format("Can not set password for principal %s: Not Found", principal));
       }
-    } catch (KerberosOperationException e) {
-      e.printStackTrace();
-    }
-    try {
-      ModificationItem[] mods = new ModificationItem[1];
-      String quotedPasswordVal = "\"" + password + "\"";
-      mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
-          new BasicAttribute("UnicodePwd", quotedPasswordVal.getBytes("UTF-16LE")));
-      ldapContext.modifyAttributes(
-          new CompositeName().add("cn=" + principal + "," + principalContainerDn),
-          mods);
-    } catch (NamingException ne) {
-      throw new KerberosOperationException("Can not set password for principal : " + principal, ne);
-    } catch (UnsupportedEncodingException ue) {
-      throw new KerberosOperationException("Unsupported encoding UTF-16LE", ue);
+    } catch (NamingException e) {
+      throw new KerberosOperationException(String.format("Can not set password for principal %s: %s", principal, e.getMessage()), e);
+    } catch (UnsupportedEncodingException e) {
+      throw new KerberosOperationException("Unsupported encoding UTF-16LE", e);
     }
+
     return 0;
   }
 
@@ -399,18 +367,17 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
     if (principal == null) {
       throw new KerberosOperationException("principal is null");
     }
+
+    DeconstructedPrincipal deconstructPrincipal = deconstructPrincipal(principal);
+
     try {
-      if (!principalExists(principal)) {
-        return false;
+      String dn = findPrincipalDN(deconstructPrincipal.getNormalizedPrincipal());
+
+      if (dn != null) {
+        ldapContext.destroySubcontext(dn);
       }
-    } catch (KerberosOperationException e) {
-      e.printStackTrace();
-    }
-    try {
-      Name name = new CompositeName().add("cn=" + principal + "," + principalContainerDn);
-      ldapContext.destroySubcontext(name);
-    } catch (NamingException ne) {
-      throw new KerberosOperationException("Can not remove principal: " + principal);
+    } catch (NamingException e) {
+      throw new KerberosOperationException(String.format("Can not remove principal %s: %s", principal, e.getMessage()), e);
     }
 
     return true;
@@ -531,14 +498,14 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
     if ((createTemplate == null) || createTemplate.isEmpty()) {
       template = "{" +
           "\"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"]," +
-          "\"cn\": \"$principal\"," +
+          "\"cn\": \"$principal_name\"," +
           "#if( $is_service )" +
-          "  \"servicePrincipalName\": \"$principal\"," +
+          "  \"servicePrincipalName\": \"$principal_name\"," +
           "#end" +
-          "\"userPrincipalName\": \"$principal@$realm.toLowerCase()\"," +
-          "\"unicodePwd\": \"\\\"$password\\\"\"," +
+          "\"userPrincipalName\": \"$normalized_principal.toLowerCase()\"," +
+          "\"unicodePwd\": \"$password\"," +
           "\"accountExpires\": \"0\"," +
-          "\"userAccountControl\": \"512\"" +
+          "\"userAccountControl\": \"66048\"" +
           "}";
     } else {
       template = createTemplate;
@@ -566,4 +533,34 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
     return data;
   }
 
+  private String findPrincipalDN(String normalizedPrincipal) throws NamingException, KerberosOperationException {
+    String dn = null;
+
+    if (normalizedPrincipal != null) {
+      NamingEnumeration<SearchResult> results = null;
+
+      try {
+        results = ldapContext.search(
+            principalContainerDn,
+            String.format("(userPrincipalName=%s)", normalizedPrincipal),
+            searchControls
+        );
+
+        if ((results != null) && results.hasMore()) {
+          SearchResult result = results.next();
+          dn = result.getNameInNamespace();
+        }
+      } finally {
+        try {
+          if (results != null) {
+            results.close();
+          }
+        } catch (NamingException ne) {
+          // ignore, we can not do anything about it
+        }
+      }
+    }
+
+    return dn;
+  }
 }

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipal.java

@@ -0,0 +1,201 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.serveraction.kerberos;
+
+import javax.annotation.Nullable;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * DeconstructedPrincipal manages the different parts of a principal and can be used to get a
+ * normalized principal value
+ * <p/>
+ * A "normalized" principal has the following forms:
+ * <ul>
+ * <li>primary/instance@realm</li>
+ * <li>primary@realm</li>
+ * </ul>
+ * <p/>
+ * This class will create a DeconstructedPrincipal from a String containing a principal using
+ * {@link DeconstructedPrincipal#valueOf(String, String)}
+ */
+class DeconstructedPrincipal {
+  /**
+   * Regular expression to parse the different principal formats:
+   * <ul>
+   * <li>primary/instance@REALM</li>
+   * <li>primary@REALM</li>
+   * <li>primary/instance</li>
+   * <li>primary</li>
+   * </ul>
+   */
+  private static Pattern PATTERN_PRINCIPAL = Pattern.compile("^([^ /@]+)(?:/([^ /@]+))?(?:@(.+)?)?$");
+
+  /**
+   * A String containing the "primary" component of a principal
+   */
+  private final String primary;
+
+  /**
+   * A String containing the "instance" component of a principal
+   */
+  private final String instance;
+
+  /**
+   * A String containing the "realm" component of a principal
+   */
+  private final String realm;
+
+  /**
+   * A String containing the principal name portion of the principal.
+   * The principal name is the combination of the primary and instance components.
+   * This value is generated using the primary, instance, and realm components.
+   */
+  private final String principalName;
+
+  /**
+   * A String containing the complete normalized principal
+   * The normalized principal is the combination of the primary, instance, and realm components.
+   * This value is generated using the primary, instance, and realm components.
+   */
+  private final String normalizedPrincipal;
+
+  /**
+   * Given a principal and a default realm, creates a new DeconstructedPrincipal
+   * <p/>
+   * If the supplied principal does not have a realm component, the default realm (supplied) will be
+   * used.
+   *
+   * @param principal    a String containing the principal to deconstruct
+   * @param defaultRealm a String containing the default realm
+   * @return a new DeconstructedPrincipal
+   */
+  public static DeconstructedPrincipal valueOf(String principal, @Nullable String defaultRealm) {
+    if (principal == null) {
+      throw new IllegalArgumentException("The principal may not be null");
+    }
+
+    Matcher matcher = PATTERN_PRINCIPAL.matcher(principal);
+
+    if (matcher.matches()) {
+      String primary = matcher.group(1);
+      String instance = matcher.group(2);
+      String realm = matcher.group(3);
+
+      if ((realm == null) || realm.isEmpty()) {
+        realm = defaultRealm;
+      }
+
+      return new DeconstructedPrincipal(primary, instance, realm);
+    } else {
+      throw new IllegalArgumentException(String.format("Invalid principal value: %s", principal));
+    }
+  }
+
+
+  /**
+   * Constructs a new DeconstructedPrincipal
+   *
+   * @param primary  a String containing the "primary" component of the principal
+   * @param instance a String containing the "instance" component of the principal
+   * @param realm    a String containing the "realm" component of the principal
+   */
+  protected DeconstructedPrincipal(String primary, String instance, String realm) {
+    this.primary = primary;
+    this.instance = instance;
+    this.realm = realm;
+
+    StringBuilder builder = new StringBuilder();
+
+    if (this.primary != null) {
+      builder.append(primary);
+    }
+
+    if (this.instance != null) {
+      builder.append('/');
+      builder.append(this.instance);
+    }
+
+    this.principalName = builder.toString();
+
+    if (this.realm != null) {
+      builder.append('@');
+      builder.append(this.realm);
+    }
+
+    this.normalizedPrincipal = builder.toString();
+  }
+
+  /**
+   * Gets the primary component of this DeconstructedPrincipal
+   *
+   * @return a String containing the "primary" component of this DeconstructedPrincipal
+   */
+  public String getPrimary() {
+    return primary;
+  }
+
+  /**
+   * Gets the instance component of this DeconstructedPrincipal
+   *
+   * @return a String containing the "instance" component of this DeconstructedPrincipal
+   */
+  public String getInstance() {
+    return instance;
+  }
+
+  /**
+   * Gets the realm component of this DeconstructedPrincipal
+   *
+   * @return a String containing the "realm" component of this DeconstructedPrincipal
+   */
+  public String getRealm() {
+    return realm;
+  }
+
+  /**
+   * Gets the constructed principal name for this DeconstructedPrincipal
+   * <p/>
+   * The principal name is the combination of the primary and instance components:
+   * <ul>
+   * <li>primary/instance</li>
+   * <li>primary</li>
+   * </ul>
+   *
+   * @return a String containing the "realm" component of this DeconstructedPrincipal
+   */
+  public String getPrincipalName() {
+    return principalName;
+  }
+
+  /**
+   * Gets the constructed normalized  principal for this DeconstructedPrincipal
+   * <p/>
+   * The normalized principal is the combination of the primary, instance, and realm components:
+   * <ul>
+   * <li>primary/instance@realm</li>
+   * <li>primary@realm</li>
+   * </ul>
+   *
+   * @return a String containing the "realm" component of this DeconstructedPrincipal
+   */
+  public String getNormalizedPrincipal() {
+    return normalizedPrincipal;
+  }
+}

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java

@@ -63,7 +63,6 @@ public abstract class KerberosOperationHandler {
   private final static char[] SECURE_PASSWORD_CHARS =
       "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890?.!$%^*()-_+=~".toCharArray();
 
-
   /**
    * The default set of ciphers to use for creating keytab entries
    */
@@ -432,4 +431,13 @@ public abstract class KerberosOperationHandler {
       }
     }
   }
+
+  protected DeconstructedPrincipal deconstructPrincipal(String principal) throws KerberosOperationException {
+    try {
+      return DeconstructedPrincipal.valueOf(principal, getDefaultRealm());
+    } catch (IllegalArgumentException e) {
+      throw new KerberosOperationException(e.getMessage(), e);
+    }
+  }
+
 }

ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml

@@ -40,19 +40,23 @@
   <property require-input="true">
     <name>create_attributes_template</name>
     <description>
-      Customizable JSON document representing the LDAP attributes needed to create a new Kerberos entity in the KDC (Velocity template engine).
+      A Velocity template to use to generate a JSON-formatted document containing the set of
+      attribute names and values needed to create a new Kerberos identity in the relevant KDC.
+      Variables include:
+      principal_name, principal_primary, principal_instance, realm, realm_lowercase,
+      normalized_principal, principal digest, password, is_service, container_dn
     </description>
     <value>
 {
   "objectClass": ["top", "person", "organizationalPerson", "user"],
-  "cn": "$principal",
+  "cn": "$principal_name",
   #if( $is_service )
-  "servicePrincipalName": "$principal",
+  "servicePrincipalName": "$principal_name",
   #end
-  "userPrincipalName": "$principal@$realm.toLowerCase()",
-  "unicodePwd": "\"$password\"",
+  "userPrincipalName": "$normalized_principal.toLowerCase()",
+  "unicodePwd": "$password",
   "accountExpires": "0",
-  "userAccountControl": "512"
+  "userAccountControl": "66048"
 }
     </value>
   </property>

ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java

@@ -19,6 +19,8 @@
 package org.apache.ambari.server.serveraction.kerberos;
 
 import junit.framework.Assert;
+import org.easymock.Capture;
+import org.easymock.CaptureType;
 import org.easymock.EasyMockSupport;
 import org.easymock.IAnswer;
 import org.junit.Ignore;
@@ -26,21 +28,22 @@ import org.junit.Test;
 
 import javax.naming.AuthenticationException;
 import javax.naming.CommunicationException;
+import javax.naming.Name;
 import javax.naming.NamingEnumeration;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.Control;
 import javax.naming.ldap.LdapContext;
 
-import java.util.ArrayList;
-import java.util.Arrays;
+import java.nio.charset.Charset;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 
-import static org.easymock.EasyMock.anyObject;
-import static org.easymock.EasyMock.expect;
-import static org.easymock.EasyMock.replay;
+import static org.easymock.EasyMock.*;
 
 public class ADKerberosOperationHandlerTest extends EasyMockSupport {
   private static final String DEFAULT_ADMIN_PRINCIPAL = "cluser_admin@HDP01.LOCAL";
@@ -235,32 +238,30 @@ public class ADKerberosOperationHandlerTest extends EasyMockSupport {
       }
     };
 
+    Capture<Name> capturedName = new Capture<Name>(CaptureType.ALL);
+    Capture<Attributes> capturedAttributes = new Capture<Attributes>(CaptureType.ALL);
+
     ADKerberosOperationHandler handler = createMockBuilder(ADKerberosOperationHandler.class)
         .addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createInitialLdapContext", Properties.class, Control[].class))
         .addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createSearchControls"))
         .createNiceMock();
 
+    NamingEnumeration<SearchResult> searchResult = createNiceMock(NamingEnumeration.class);
+    expect(searchResult.hasMore()).andReturn(false).once();
+
+    LdapContext ldapContext = createNiceMock(LdapContext.class);
+    expect(ldapContext.search(anyObject(String.class), anyObject(String.class), anyObject(SearchControls.class)))
+        .andReturn(searchResult)
+        .once();
+
+    expect(ldapContext.createSubcontext(capture(capturedName), capture(capturedAttributes)))
+        .andReturn(createNiceMock(DirContext.class))
+        .anyTimes();
+
     expect(handler.createInitialLdapContext(anyObject(Properties.class), anyObject(Control[].class)))
-        .andAnswer(new IAnswer<LdapContext>() {
-          @Override
-          public LdapContext answer() throws Throwable {
-            LdapContext ldapContext = createNiceMock(LdapContext.class);
-            expect(ldapContext.search(anyObject(String.class), anyObject(String.class), anyObject(SearchControls.class)))
-                .andAnswer(new IAnswer<NamingEnumeration<SearchResult>>() {
-                  @Override
-                  public NamingEnumeration<SearchResult> answer() throws Throwable {
-                    NamingEnumeration<SearchResult> result = createNiceMock(NamingEnumeration.class);
-                    expect(result.hasMore()).andReturn(false).once();
-                    replay(result);
-                    return result;
-                  }
-                })
-                .once();
-            replay(ldapContext);
-            return ldapContext;
-          }
-        })
+        .andReturn(ldapContext)
         .once();
+
     expect(handler.createSearchControls()).andAnswer(new IAnswer<SearchControls>() {
       @Override
       public SearchControls answer() throws Throwable {
@@ -273,45 +274,67 @@ public class ADKerberosOperationHandlerTest extends EasyMockSupport {
     replayAll();
 
     handler.open(kc, DEFAULT_REALM, kerberosEnvMap);
+    handler.createPrincipal("nn/c6501.ambari.apache.org", "secret", true);
+    handler.createPrincipal("hdfs@" + DEFAULT_REALM, "secret", false);
+    handler.close();
 
-    Map<String, Object> context = new HashMap<String, Object>();
-    context.put("principal", "nn/c6501.ambari.apache.org");
-    context.put("principal_primary", "nn");
-    context.put("principal_instance", "c6501.ambari.apache.org");
-    context.put("realm", "EXAMPLE.COM");
-    context.put("realm_lowercase", "example.com");
-    context.put("password", "secret");
-    context.put("is_service", true);
-    context.put("container_dn", "ou=cluster,DC=EXAMPLE,DC=COM");
-
-    Map<String, Object> data;
-
-    data = handler.processCreateTemplate(context);
-
-    Assert.assertNotNull(data);
-    Assert.assertEquals(7, data.size());
-    Assert.assertEquals(new ArrayList<String>(Arrays.asList("top", "person", "organizationalPerson", "user")), data.get("objectClass"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org", data.get("cn"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org", data.get("servicePrincipalName"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org@example.com", data.get("userPrincipalName"));
-    Assert.assertEquals("\"secret\"", data.get("unicodePwd"));
-    Assert.assertEquals("0", data.get("accountExpires"));
-    Assert.assertEquals("512", data.get("userAccountControl"));
-
-
-    context.put("is_service", false);
-    data = handler.processCreateTemplate(context);
-
-    Assert.assertNotNull(data);
-    Assert.assertEquals(6, data.size());
-    Assert.assertEquals(new ArrayList<String>(Arrays.asList("top", "person", "organizationalPerson", "user")), data.get("objectClass"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org", data.get("cn"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org@example.com", data.get("userPrincipalName"));
-    Assert.assertEquals("\"secret\"", data.get("unicodePwd"));
-    Assert.assertEquals("0", data.get("accountExpires"));
-    Assert.assertEquals("512", data.get("userAccountControl"));
+    List<Attributes> attributesList = capturedAttributes.getValues();
+    Attributes attributes;
 
-    handler.close();
+    attributes = attributesList.get(0);
+    String[] objectClasses = new String[]{"top", "person", "organizationalPerson", "user"};
+
+    Assert.assertNotNull(attributes);
+    Assert.assertEquals(7, attributes.size());
+
+    Assert.assertNotNull(attributes.get("objectClass"));
+    Assert.assertEquals(objectClasses.length, attributes.get("objectClass").size());
+    for (int i = 0; i < objectClasses.length; i++) {
+      Assert.assertEquals(objectClasses[i], attributes.get("objectClass").get(i));
+    }
+
+    Assert.assertNotNull(attributes.get("cn"));
+    Assert.assertEquals("nn/c6501.ambari.apache.org", attributes.get("cn").get());
+
+    Assert.assertNotNull(attributes.get("servicePrincipalName"));
+    Assert.assertEquals("nn/c6501.ambari.apache.org", attributes.get("servicePrincipalName").get());
+
+    Assert.assertNotNull(attributes.get("userPrincipalName"));
+    Assert.assertEquals("nn/c6501.ambari.apache.org@hdp01.local", attributes.get("userPrincipalName").get());
+
+    Assert.assertNotNull(attributes.get("unicodePwd"));
+    Assert.assertEquals("\"secret\"", new String((byte[]) attributes.get("unicodePwd").get(), Charset.forName("UTF-16LE")));
+
+    Assert.assertNotNull(attributes.get("accountExpires"));
+    Assert.assertEquals("0", attributes.get("accountExpires").get());
+
+    Assert.assertNotNull(attributes.get("userAccountControl"));
+    Assert.assertEquals("66048", attributes.get("userAccountControl").get());
+
+    attributes = attributesList.get(1);
+    Assert.assertNotNull(attributes);
+    Assert.assertEquals(6, attributes.size());
+
+    Assert.assertNotNull(attributes.get("objectClass"));
+    Assert.assertEquals(objectClasses.length, attributes.get("objectClass").size());
+    for (int i = 0; i < objectClasses.length; i++) {
+      Assert.assertEquals(objectClasses[i], attributes.get("objectClass").get(i));
+    }
+
+    Assert.assertNotNull(attributes.get("cn"));
+    Assert.assertEquals("hdfs", attributes.get("cn").get());
+
+    Assert.assertNotNull(attributes.get("userPrincipalName"));
+    Assert.assertEquals("hdfs@hdp01.local", attributes.get("userPrincipalName").get());
+
+    Assert.assertNotNull(attributes.get("unicodePwd"));
+    Assert.assertEquals("\"secret\"", new String((byte[]) attributes.get("unicodePwd").get(), Charset.forName("UTF-16LE")));
+
+    Assert.assertNotNull(attributes.get("accountExpires"));
+    Assert.assertEquals("0", attributes.get("accountExpires").get());
+
+    Assert.assertNotNull(attributes.get("userAccountControl"));
+    Assert.assertEquals("66048", attributes.get("userAccountControl").get());
   }
 
   @Test
@@ -321,54 +344,52 @@ public class ADKerberosOperationHandlerTest extends EasyMockSupport {
       {
         put(ADKerberosOperationHandler.KERBEROS_ENV_LDAP_URL, DEFAULT_LDAP_URL);
         put(ADKerberosOperationHandler.KERBEROS_ENV_PRINCIPAL_CONTAINER_DN, DEFAULT_PRINCIPAL_CONTAINER_DN);
-        put(ADKerberosOperationHandler.KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE, "{" +
+        put(ADKerberosOperationHandler.KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE, "" +
+            "#set( $user = \"${principal_primary}-${principal_digest}\" )" +
+            "{" +
             "  \"objectClass\": [" +
             "    \"top\"," +
             "    \"person\"," +
             "    \"organizationalPerson\"," +
             "    \"user\"" +
             "  ]," +
-            "  \"cn\": \"$principal@$realm\"," +
-            "  \"dn\": \"$principal@$realm,$container_dn\"," +
-            "  \"distinguishedName\": \"$principal@$realm,$container_dn\"," +
-            "  \"sAMAccountName\": \"$principal\"," +
+            "  \"cn\": \"$user\"," +
+            "  \"sAMAccountName\": \"$user.substring(0,20)\"," +
             "  #if( $is_service )" +
-            "  \"servicePrincipalName\": \"$principal\"," +
+            "  \"servicePrincipalName\": \"$principal_name\"," +
             "  #end" +
-            "  \"userPrincipalName\": \"$principal@$realm.toLowerCase()\"," +
-            "  \"unicodePwd\": \"`$password`\"," +
+            "  \"userPrincipalName\": \"$normalized_principal.toLowerCase()\"," +
+            "  \"unicodePwd\": \"$password\"," +
             "  \"accountExpires\": \"0\"," +
             "  \"userAccountControl\": \"66048\"" +
             "}");
       }
     };
 
+    Capture<Name> capturedName = new Capture<Name>();
+    Capture<Attributes> capturedAttributes = new Capture<Attributes>();
+
     ADKerberosOperationHandler handler = createMockBuilder(ADKerberosOperationHandler.class)
         .addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createInitialLdapContext", Properties.class, Control[].class))
         .addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createSearchControls"))
         .createNiceMock();
 
+    NamingEnumeration<SearchResult> searchResult = createNiceMock(NamingEnumeration.class);
+    expect(searchResult.hasMore()).andReturn(false).once();
+
+    LdapContext ldapContext = createNiceMock(LdapContext.class);
+    expect(ldapContext.search(anyObject(String.class), anyObject(String.class), anyObject(SearchControls.class)))
+        .andReturn(searchResult)
+        .once();
+
+    expect(ldapContext.createSubcontext(capture(capturedName), capture(capturedAttributes)))
+        .andReturn(createNiceMock(DirContext.class))
+        .once();
+
     expect(handler.createInitialLdapContext(anyObject(Properties.class), anyObject(Control[].class)))
-        .andAnswer(new IAnswer<LdapContext>() {
-          @Override
-          public LdapContext answer() throws Throwable {
-            LdapContext ldapContext = createNiceMock(LdapContext.class);
-            expect(ldapContext.search(anyObject(String.class), anyObject(String.class), anyObject(SearchControls.class)))
-                .andAnswer(new IAnswer<NamingEnumeration<SearchResult>>() {
-                  @Override
-                  public NamingEnumeration<SearchResult> answer() throws Throwable {
-                    NamingEnumeration<SearchResult> result = createNiceMock(NamingEnumeration.class);
-                    expect(result.hasMore()).andReturn(false).once();
-                    replay(result);
-                    return result;
-                  }
-                })
-                .once();
-            replay(ldapContext);
-            return ldapContext;
-          }
-        })
+        .andReturn(ldapContext)
         .once();
+
     expect(handler.createSearchControls()).andAnswer(new IAnswer<SearchControls>() {
       @Override
       public SearchControls answer() throws Throwable {
@@ -381,34 +402,43 @@ public class ADKerberosOperationHandlerTest extends EasyMockSupport {
     replayAll();
 
     handler.open(kc, DEFAULT_REALM, kerberosEnvMap);
+    handler.createPrincipal("nn/c6501.ambari.apache.org", "secret", true);
+    handler.close();
 
+    Attributes attributes = capturedAttributes.getValue();
+    String[] objectClasses = new String[]{"top", "person", "organizationalPerson", "user"};
 
-    Map<String, Object> context = new HashMap<String, Object>();
-    context.put("principal", "nn/c6501.ambari.apache.org");
-    context.put("principal_primary", "nn");
-    context.put("principal_instance", "c6501.ambari.apache.org");
-    context.put("realm", "EXAMPLE.COM");
-    context.put("realm_lowercase", "example.com");
-    context.put("password", "secret");
-    context.put("is_service", true);
-    context.put("container_dn", "ou=cluster,DC=EXAMPLE,DC=COM");
-
-    Map<String, Object> data = handler.processCreateTemplate(context);
-
-    Assert.assertNotNull(data);
-    Assert.assertEquals(10, data.size());
-    Assert.assertEquals(new ArrayList<String>(Arrays.asList("top", "person", "organizationalPerson", "user")), data.get("objectClass"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org@EXAMPLE.COM", data.get("cn"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org", data.get("servicePrincipalName"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org@example.com", data.get("userPrincipalName"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org", data.get("sAMAccountName"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org@EXAMPLE.COM,ou=cluster,DC=EXAMPLE,DC=COM", data.get("distinguishedName"));
-    Assert.assertEquals("nn/c6501.ambari.apache.org@EXAMPLE.COM,ou=cluster,DC=EXAMPLE,DC=COM", data.get("dn"));
-    Assert.assertEquals("`secret`", data.get("unicodePwd"));
-    Assert.assertEquals("0", data.get("accountExpires"));
-    Assert.assertEquals("66048", data.get("userAccountControl"));
+    Assert.assertNotNull(attributes);
+    Assert.assertEquals(8, attributes.size());
+
+    Assert.assertNotNull(attributes.get("objectClass"));
+    Assert.assertEquals(objectClasses.length, attributes.get("objectClass").size());
+    for (int i = 0; i < objectClasses.length; i++) {
+      Assert.assertEquals(objectClasses[i], attributes.get("objectClass").get(i));
+    }
+
+    Assert.assertNotNull(attributes.get("cn"));
+    Assert.assertEquals("nn-995e1580db28198e7fda1417ab5d894c877937d2", attributes.get("cn").get());
+
+    Assert.assertNotNull(attributes.get("servicePrincipalName"));
+    Assert.assertEquals("nn/c6501.ambari.apache.org", attributes.get("servicePrincipalName").get());
+
+    Assert.assertNotNull(attributes.get("userPrincipalName"));
+    Assert.assertEquals("nn/c6501.ambari.apache.org@hdp01.local", attributes.get("userPrincipalName").get());
+
+    Assert.assertNotNull(attributes.get("sAMAccountName"));
+    Assert.assertTrue(attributes.get("sAMAccountName").get().toString().length() <= 20);
+    Assert.assertEquals("nn-995e1580db28198e7", attributes.get("sAMAccountName").get());
+
+    Assert.assertNotNull(attributes.get("unicodePwd"));
+    Assert.assertEquals("\"secret\"", new String((byte[]) attributes.get("unicodePwd").get(), Charset.forName("UTF-16LE")));
+
+    Assert.assertNotNull(attributes.get("accountExpires"));
+    Assert.assertEquals("0", attributes.get("accountExpires").get());
+
+    Assert.assertNotNull(attributes.get("userAccountControl"));
+    Assert.assertEquals("66048", attributes.get("userAccountControl").get());
 
-    handler.close();
   }
 
   /**
@@ -458,31 +488,40 @@ public class ADKerberosOperationHandlerTest extends EasyMockSupport {
     // does the principal already exist?
     System.out.println("Principal exists: " + handler.principalExists("nn/c1508.ambari.apache.org"));
 
-    //create principal
-//    handler.createPrincipal("nn/c1508.ambari.apache.org@" + DEFAULT_REALM, handler.createSecurePassword(), true);
-
     handler.close();
 
-    kerberosEnvMap.put(ADKerberosOperationHandler.KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE, "{" +
-        "\"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"]," +
-        "\"distinguishedName\": \"CN=$principal@$realm,$container_dn\"," +
-        "#if( $is_service )" +
-        "\"servicePrincipalName\": \"$principal\"," +
-        "#end" +
-        "\"userPrincipalName\": \"$principal@$realm.toLowerCase()\"," +
-        "\"unicodePwd\": \"\\\"$password\\\"\"," +
-        "\"accountExpires\": \"0\"," +
-        "\"userAccountControl\": \"66048\"" +
-        "}");
+    kerberosEnvMap.put(ADKerberosOperationHandler.KERBEROS_ENV_CREATE_ATTRIBUTES_TEMPLATE,
+        "#set( $user = \"${principal_primary}-${principal_digest}\" )" +
+            "{" +
+            "  \"objectClass\": [" +
+            "    \"top\"," +
+            "    \"person\"," +
+            "    \"organizationalPerson\"," +
+            "    \"user\"" +
+            "  ]," +
+            "  \"cn\": \"$user\"," +
+            "  \"sAMAccountName\": \"$user.substring(0,20)\"," +
+            "  #if( $is_service )" +
+            "  \"servicePrincipalName\": \"$principal_name\"," +
+            "  #end" +
+            "  \"userPrincipalName\": \"$normalized_principal.toLowerCase()\"," +
+            "  \"unicodePwd\": \"$password\"," +
+            "  \"accountExpires\": \"0\"," +
+            "  \"userAccountControl\": \"66048\"" +
+            "}"
+    );
 
     handler.open(credentials, realm, kerberosEnvMap);
+
+    // remove the principal
+    handler.removePrincipal("abcdefg");
+    handler.removePrincipal("abcdefg/c1509.ambari.apache.org@" + DEFAULT_REALM);
+
     handler.createPrincipal("abcdefg/c1509.ambari.apache.org@" + DEFAULT_REALM, handler.createSecurePassword(), true);
+    handler.createPrincipal("abcdefg@" + DEFAULT_REALM, handler.createSecurePassword(), false);
 
     //update the password
-    handler.setPrincipalPassword("nn/c1508.ambari.apache.org", handler.createSecurePassword());
-
-    // remove the principal
-    // handler.removeServicePrincipal("nn/c1508.ambari.apache.org");
+    handler.setPrincipalPassword("abcdefg/c1509.ambari.apache.org@" + DEFAULT_REALM, handler.createSecurePassword());
 
     handler.close();
   }

ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipalTest.java

@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.serveraction.kerberos;
+
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+public class DeconstructedPrincipalTest {
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testNullPrincipal() throws Exception {
+    DeconstructedPrincipal.valueOf(null, null);
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testEmptyPrincipal() throws Exception {
+    DeconstructedPrincipal.valueOf("", null);
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testInvalidPrincipal() throws Exception {
+    DeconstructedPrincipal.valueOf("/invalid", null);
+  }
+
+  @Test
+  public void testPrimary() throws Exception {
+    DeconstructedPrincipal deconstructedPrincipal = DeconstructedPrincipal.valueOf("primary", "REALM");
+
+    assertNotNull(deconstructedPrincipal);
+    assertEquals("primary", deconstructedPrincipal.getPrimary());
+    assertNull(deconstructedPrincipal.getInstance());
+    assertEquals("REALM", deconstructedPrincipal.getRealm());
+    assertEquals("primary", deconstructedPrincipal.getPrincipalName());
+    assertEquals("primary@REALM", deconstructedPrincipal.getNormalizedPrincipal());
+  }
+
+  @Test
+  public void testPrimaryRealm() throws Exception {
+    DeconstructedPrincipal deconstructedPrincipal = DeconstructedPrincipal.valueOf("primary@MYREALM", "REALM");
+
+    assertNotNull(deconstructedPrincipal);
+    assertEquals("primary", deconstructedPrincipal.getPrimary());
+    assertNull(deconstructedPrincipal.getInstance());
+    assertEquals("MYREALM", deconstructedPrincipal.getRealm());
+    assertEquals("primary", deconstructedPrincipal.getPrincipalName());
+    assertEquals("primary@MYREALM", deconstructedPrincipal.getNormalizedPrincipal());
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testInstance() throws Exception {
+    DeconstructedPrincipal.valueOf("/instance", "REALM");
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testInstanceRealm() throws Exception {
+    DeconstructedPrincipal.valueOf("/instance@MYREALM", "REALM");
+  }
+
+  @Test
+  public void testPrimaryInstance() throws Exception {
+    DeconstructedPrincipal deconstructedPrincipal = DeconstructedPrincipal.valueOf("primary/instance", "REALM");
+
+    assertNotNull(deconstructedPrincipal);
+    assertEquals("primary", deconstructedPrincipal.getPrimary());
+    assertEquals("instance", deconstructedPrincipal.getInstance());
+    assertEquals("instance", deconstructedPrincipal.getInstance());
+    assertEquals("REALM", deconstructedPrincipal.getRealm());
+    assertEquals("primary/instance", deconstructedPrincipal.getPrincipalName());
+    assertEquals("primary/instance@REALM", deconstructedPrincipal.getNormalizedPrincipal());
+  }
+
+  @Test
+  public void testPrimaryInstanceRealm() throws Exception {
+    DeconstructedPrincipal deconstructedPrincipal = DeconstructedPrincipal.valueOf("primary/instance@MYREALM", "REALM");
+
+    assertNotNull(deconstructedPrincipal);
+    assertEquals("primary", deconstructedPrincipal.getPrimary());
+    assertEquals("instance", deconstructedPrincipal.getInstance());
+    assertEquals("MYREALM", deconstructedPrincipal.getRealm());
+    assertEquals("primary/instance", deconstructedPrincipal.getPrincipalName());
+    assertEquals("primary/instance@MYREALM", deconstructedPrincipal.getNormalizedPrincipal());
+  }
+
+  @Test
+  public void testOddCharacters() throws Exception {
+    DeconstructedPrincipal deconstructedPrincipal = DeconstructedPrincipal.valueOf("p_ri.ma-ry/i.n_s-tance@M_Y-REALM.COM", "REALM");
+
+    assertNotNull(deconstructedPrincipal);
+    assertEquals("p_ri.ma-ry", deconstructedPrincipal.getPrimary());
+    assertEquals("i.n_s-tance", deconstructedPrincipal.getInstance());
+    assertEquals("M_Y-REALM.COM", deconstructedPrincipal.getRealm());
+    assertEquals("p_ri.ma-ry/i.n_s-tance", deconstructedPrincipal.getPrincipalName());
+    assertEquals("p_ri.ma-ry/i.n_s-tance@M_Y-REALM.COM", deconstructedPrincipal.getNormalizedPrincipal());
+  }
+
+}