
AMBARI-8722. Add method to retrieve KerberosDescriptor from AmbariMetaInfo. (Robert Levas via rnettleton)

Robert Levas há 10 anos atrás
pai
commit
f85260bed2

+ 89 - 0
ambari-server/src/main/java/org/apache/ambari/server/api/services/AmbariMetaInfo.java

@@ -21,6 +21,7 @@ package org.apache.ambari.server.api.services;
 import java.io.File;
 import java.io.FileReader;
 import java.io.FilenameFilter;
+import java.io.IOException;
 import java.lang.reflect.Type;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -65,6 +66,8 @@ import org.apache.ambari.server.state.StackId;
 import org.apache.ambari.server.state.StackInfo;
 import org.apache.ambari.server.state.alert.AlertDefinition;
 import org.apache.ambari.server.state.alert.AlertDefinitionFactory;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
 import org.apache.ambari.server.state.stack.MetricDefinition;
 import org.apache.ambari.server.state.stack.OsFamily;
 import org.apache.ambari.server.state.stack.UpgradePack;
@@ -1004,4 +1007,90 @@ public class AmbariMetaInfo {
 
     return Collections.emptyMap();
   }
+
+  /**
+   * Gets the fully compiled Kerberos descriptor for the relevant stack and version.
+   * <p/>
+   * All of the kerberos.json files from the specified stack (and version) are read, parsed and
+   * complied into a complete Kerberos descriptor hierarchy.
+   *
+   * @param stackName    a String declaring the stack name
+   * @param stackVersion a String declaring the stack version
+   * @return a new complete KerberosDescriptor, or null if no Kerberos descriptor information is available
+   * @throws AmbariException if an error occurs reading or parsing the stack's kerberos.json files
+   */
+  public KerberosDescriptor getKerberosDescriptor(String stackName, String stackVersion) throws AmbariException {
+    StackInfo stackInfo = getStack(stackName, stackVersion);
+
+    String kerberosDescriptorFileLocation = stackInfo.getKerberosDescriptorFileLocation();
+
+    KerberosDescriptor kerberosDescriptor = null;
+
+    // Read in the stack-level Kerberos descriptor
+    if (kerberosDescriptorFileLocation != null) {
+      File file = new File(kerberosDescriptorFileLocation);
+
+      if (file.canRead()) {
+        try {
+          kerberosDescriptor = KerberosDescriptor.fromFile(file);
+        } catch (IOException e) {
+          throw new AmbariException(String.format("Failed to parse kerberos descriptor file %s",
+              file.getAbsolutePath()), e);
+        }
+      }
+      else
+        throw new AmbariException(String.format("Unable to read kerberos descriptor file %s",
+            file.getAbsolutePath()));
+    }
+
+    if (kerberosDescriptor == null) {
+      kerberosDescriptor = new KerberosDescriptor();
+    }
+
+    // Read in the service-level Kerberos descriptors
+    Map<String, ServiceInfo> services = getServices(stackName, stackVersion);
+
+    if (services != null) {
+      for (ServiceInfo service : services.values()) {
+        KerberosServiceDescriptor[] serviceDescriptors = getKerberosDescriptor(service);
+
+        if (serviceDescriptors != null) {
+          for (KerberosServiceDescriptor serviceDescriptor : serviceDescriptors) {
+            kerberosDescriptor.putService(serviceDescriptor);
+          }
+        }
+      }
+    }
+
+    return kerberosDescriptor;
+  }
+
+  /**
+   * Gets the requested service-level Kerberos descriptor(s)
+   * <p/>
+   * An array of descriptors are returned since the kerberos.json in a service directory may contain
+   * descriptor details for one or more services.
+   *
+   * @param serviceInfo a ServiceInfo declaring the stack name, version, a service (directory) name
+   *                    details
+   * @return an array of KerberosServiceDescriptors, or null if the relevant service (directory)
+   * does not contain Kerberos descriptor details
+   * @throws AmbariException if an error occurs reading or parsing the service's kerberos.json files
+   */
+  public KerberosServiceDescriptor[] getKerberosDescriptor(ServiceInfo serviceInfo) throws AmbariException {
+
+    KerberosServiceDescriptor[] kerberosServiceDescriptors = null;
+    File kerberosFile = (serviceInfo == null) ? null : serviceInfo.getKerberosDescriptorFile();
+
+    if (kerberosFile != null) {
+      try {
+        kerberosServiceDescriptors = KerberosServiceDescriptor.fromFile(kerberosFile);
+      } catch (Exception e) {
+        LOG.error("Could not read the kerberos descriptor file", e);
+        throw new AmbariException("Could not read kerberos descriptor file", e);
+      }
+    }
+
+    return kerberosServiceDescriptors;
+  }
 }
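Review bot: The service loop at the end of `getKerberosDescriptor(String, String)` calls `kerberosDescriptor.putService(serviceDescriptor)` for every descriptor from every service directory with no check for a name collision, even though the Javadoc on the overload says one kerberos.json may describe more than one service. What `putService` does with a duplicate name is not visible here; if it replaces, the principals and keytab ownership in the compiled descriptor would depend on the iteration order of `services.values()`. Assuming the service descriptor exposes `getName()` as the identity descriptors do, a guard such as `if (kerberosDescriptor.getService(serviceDescriptor.getName()) != null) throw new AmbariException(...)`, or at least a warning log, would make the outcome explicit. Separately, the `@return` tag promises null when no descriptor information is available, but the `new KerberosDescriptor()` fallback means the method never returns null; the tag should read `@return a new KerberosDescriptor, never null; empty if the stack defines no Kerberos descriptor data`.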

+ 25 - 2
ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java

@@ -77,6 +77,7 @@ import org.apache.ambari.server.state.alert.MetricSource;
 import org.apache.ambari.server.state.alert.PortSource;
 import org.apache.ambari.server.state.alert.Reporting;
 import org.apache.ambari.server.state.alert.Source;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
 import org.apache.ambari.server.state.stack.MetricDefinition;
 import org.apache.ambari.server.state.stack.OsFamily;
 import org.apache.commons.io.FileUtils;
@@ -1727,13 +1728,35 @@ public class AmbariMetaInfoTest {
     Assert.assertNotNull(service);
     Assert.assertNotNull(service.getKerberosDescriptorFile());
 
-
     // Test that kerberos.json file can be parsed into mapped data
     Map<?,?> kerberosDescriptorData = new Gson()
         .fromJson(new FileReader(service.getKerberosDescriptorFile()), Map.class);
 
     Assert.assertNotNull(kerberosDescriptorData);
-    Assert.assertEquals(2, kerberosDescriptorData.size());
+    Assert.assertEquals(1, kerberosDescriptorData.size());
+  }
+
+  @Test
+  public void testGetKerberosDescriptor() throws AmbariException {
+    KerberosDescriptor descriptor = metaInfo.getKerberosDescriptor(STACK_NAME_HDP, "2.0.8");
+
+    Assert.assertNotNull(descriptor);
+    Assert.assertNotNull(descriptor.getProperties());
+    Assert.assertEquals(2, descriptor.getProperties().size());
+
+    Assert.assertNotNull(descriptor.getIdentities());
+    Assert.assertEquals(1, descriptor.getIdentities().size());
+    Assert.assertEquals("spnego", descriptor.getIdentities().get(0).getName());
+
+    Assert.assertNotNull(descriptor.getConfigurations());
+    Assert.assertEquals(1, descriptor.getConfigurations().size());
+    Assert.assertNotNull(descriptor.getConfigurations().get("core-site"));
+    Assert.assertNotNull(descriptor.getConfiguration("core-site"));
+
+    Assert.assertNotNull(descriptor.getServices());
+    Assert.assertEquals(1, descriptor.getServices().size());
+    Assert.assertNotNull(descriptor.getServices().get("HDFS"));
+    Assert.assertNotNull(descriptor.getService("HDFS"));
   }
 
 
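Review bot: `testGetKerberosDescriptor` covers only the successful path against the HDP 2.0.8 fixture; neither `AmbariException` branch of `getKerberosDescriptor` (unreadable stack-level file, unparsable file) nor the fallback to an empty descriptor for a stack without a kerberos.json is exercised. The descriptor presumably feeds principal and keytab creation, so a malformed file failing loudly is behaviour worth pinning. I would add one case calling `metaInfo.getKerberosDescriptor(STACK_NAME_HDP, "<version-without-kerberos-json>")` and asserting a non-null, service-less result, and one against a deliberately broken fixture that expects `AmbariException`. The test method edited at the top of this hunk begins above the visible lines.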

+ 37 - 0
ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json

@@ -0,0 +1,37 @@
+{
+  "properties": {
+    "realm": "${cluster-env/kerberos_domain}",
+    "keytab_dir": "/etc/security/keytabs"
+  },
+  "identities": [
+    {
+      "name": "spnego",
+      "principal": {
+        "value": "HTTP/_HOST@${realm}"
+      },
+      "keytab": {
+        "file": "${keytab_dir}/spnego.service.keytab",
+        "owner": {
+          "name": "root",
+          "access": "r"
+        },
+        "group": {
+          "name": "${cluster-env/user_group}",
+          "access": "r"
+        }
+      }
+    }
+  ],
+  "configurations": [
+    {
+      "core-site": {
+        "hadoop.security.authentication": "kerberos",
+        "hadoop.rpc.protection": "authentication",
+        "hadoop.security.authorization": "true",
+        "hadoop.security.auth_to_local": "RULE:[2:$1@$0]([jt]t@.*${realm})s/.*/mapred/\nRULE:[2:$1@$0]([nd]n@.*${realm})s/.*/hdfs/\nRULE:[2:$1@$0](hm@.*${realm})s/.*/hbase/\nRULE:[2:$1@$0](rs@.*${realm})s/.*/hbase/\nDEFAULT",
+        "hadoop.proxyuser.superuser.hosts": "",
+        "hadoop.proxyuser.superuser.groups": ""
+      }
+    }
+  ]
+}
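Review bot: The `hadoop.security.auth_to_local` rules match the principal with `.*${realm}` (for example `([nd]n@.*${realm})`), so a principal from any realm whose name merely ends with the configured realm would be mapped to the `hdfs`, `mapred` or `hbase` local account. This is test data, but if it mirrors the rules the stack descriptor is meant to ship, the patterns should match the realm exactly, e.g. `RULE:[2:$1@$0]([nd]n@${realm})s/.*/hdfs/`. The same applies to the `[jt]t`, `hm` and `rs` rules.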

+ 133 - 129
ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json

@@ -1,147 +1,151 @@
 {
-  "name": "HDFS",
-  "components": [
+  "services": [
     {
-      "name": "NAMENODE",
-      "identities": [
+      "name": "HDFS",
+      "components": [
         {
-          "name": "namenode_nn",
-          "principal": {
-            "value": "nn/_HOST@${realm}",
-            "configuration": "hdfs-site/dfs.namenode.kerberos.principal"
-          },
-          "keytab": {
-            "file": "${keytab_dir}/nn.service.keytab",
-            "owner": {
-              "name": "${hadoop-env/hdfs_user}",
-              "access": "r"
+          "name": "NAMENODE",
+          "identities": [
+            {
+              "name": "namenode_nn",
+              "principal": {
+                "value": "nn/_HOST@${realm}",
+                "configuration": "hdfs-site/dfs.namenode.kerberos.principal"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/nn.service.keytab",
+                "owner": {
+                  "name": "${hadoop-env/hdfs_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                },
+                "configuration": "hdfs-site/dfs.namenode.keytab.file"
+              }
             },
-            "group": {
-              "name": "${cluster-env/user_group}",
-              "access": ""
+            {
+              "name": "namenode_host",
+              "principal": {
+                "value": "host/_HOST@${realm}"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/nn.service.keytab",
+                "owner": {
+                  "name": "${hadoop-env/hdfs_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                }
+              }
             },
-            "configuration": "hdfs-site/dfs.namenode.keytab.file"
-          }
-        },
-        {
-          "name": "namenode_host",
-          "principal": {
-            "value": "host/_HOST@${realm}"
-          },
-          "keytab": {
-            "file": "${keytab_dir}/nn.service.keytab",
-            "owner": {
-              "name": "${hadoop-env/hdfs_user}",
-              "access": "r"
-            },
-            "group": {
-              "name": "${cluster-env/user_group}",
-              "access": ""
+            {
+              "name": "/spnego",
+              "principal": {
+                "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal"
+              }
             }
-          }
-        },
-        {
-          "name": "/spnego",
-          "principal": {
-            "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal"
-          }
-        }
-      ],
-      "configurations": [
-        {
-          "hdfs-site": {
-            "dfs.block.access.token.enable": "true"
-          }
-        }
-      ]
-    },
-    {
-      "name": "DATANODE",
-      "identities": [
-        {
-          "name": "datanode_dn",
-          "principal": {
-            "value": "dn/_HOST@${realm}",
-            "configuration": "hdfs-site/dfs.datanode.kerberos.principal"
-          },
-          "keytab": {
-            "file": "${keytab_dir}/dn.service.keytab",
-            "owner": {
-              "name": "${hadoop-env/hdfs_user}",
-              "access": "r"
-            },
-            "group": {
-              "name": "${cluster-env/user_group}",
-              "access": ""
-            },
-            "configuration": "hdfs-site/dfs.datanode.keytab.file"
-          }
+          ],
+          "configurations": [
+            {
+              "hdfs-site": {
+                "dfs.block.access.token.enable": "true"
+              }
+            }
+          ]
         },
         {
-          "name": "datanode_host",
-          "principal": {
-            "value": "host/_HOST@${realm}"
-          },
-          "keytab": {
-            "file": "${keytab_dir}/dn.service.keytab",
-            "owner": {
-              "name": "${hadoop-env/hdfs_user}",
-              "access": "r"
+          "name": "DATANODE",
+          "identities": [
+            {
+              "name": "datanode_dn",
+              "principal": {
+                "value": "dn/_HOST@${realm}",
+                "configuration": "hdfs-site/dfs.datanode.kerberos.principal"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/dn.service.keytab",
+                "owner": {
+                  "name": "${hadoop-env/hdfs_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                },
+                "configuration": "hdfs-site/dfs.datanode.keytab.file"
+              }
             },
-            "group": {
-              "name": "${cluster-env/user_group}",
-              "access": ""
+            {
+              "name": "datanode_host",
+              "principal": {
+                "value": "host/_HOST@${realm}"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/dn.service.keytab",
+                "owner": {
+                  "name": "${hadoop-env/hdfs_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                }
+              }
             }
-          }
-        }
-      ]
-    },
-    {
-      "name": "SECONDARY_NAMENODE",
-      "identities": [
-        {
-          "name": "secondary_namenode_nn",
-          "principal": {
-            "value": "nn/_HOST@${realm}",
-            "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.principal"
-          },
-          "keytab": {
-            "file": "${keytab_dir}/snn.service.keytab",
-            "owner": {
-              "name": "${hadoop-env/hdfs_user}",
-              "access": "r"
-            },
-            "group": {
-              "name": "${cluster-env/user_group}",
-              "access": ""
-            },
-            "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.principal"
-          }
+          ]
         },
         {
-          "name": "secondary_namenode_host",
-          "principal": {
-            "value": "host/_HOST@${realm}"
-          },
-          "keytab": {
-            "file": "${keytab_dir}/snn.service.keytab",
-            "owner": {
-              "name": "${hadoop-env/hdfs_user}",
-              "access": "r"
+          "name": "SECONDARY_NAMENODE",
+          "identities": [
+            {
+              "name": "secondary_namenode_nn",
+              "principal": {
+                "value": "nn/_HOST@${realm}",
+                "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.principal"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/snn.service.keytab",
+                "owner": {
+                  "name": "${hadoop-env/hdfs_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                },
+                "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.principal"
+              }
+            },
+            {
+              "name": "secondary_namenode_host",
+              "principal": {
+                "value": "host/_HOST@${realm}"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/snn.service.keytab",
+                "owner": {
+                  "name": "${hadoop-env/hdfs_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                }
+              }
             },
-            "group": {
-              "name": "${cluster-env/user_group}",
-              "access": ""
+            {
+              "name": "/spnego",
+              "principal": {
+                "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal"
+              }
             }
-          }
-        },
-        {
-          "name": "/spnego",
-          "principal": {
-            "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal"
-          }
+          ]
         }
       ]
     }
   ]
-}
+}
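Review bot: In the SECONDARY_NAMENODE identity `secondary_namenode_nn`, the keytab's `configuration` is `hdfs-site/dfs.secondary.namenode.kerberos.principal`, the same property the principal block of that identity already targets; the NAMENODE and DATANODE entries point their keytabs at `...keytab.file` properties instead. The value is carried over unchanged from the old layout, so the re-nesting preserves what looks like a copy-paste slip, and whichever of principal and keytab is applied last would win on that property. I would change the keytab line to `"configuration": "hdfs-site/dfs.secondary.namenode.keytab.file"`.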