AMBARI-15911. Choose Authorization [Hive]' with value None was added after upgrade, but should has value according to security type (after upgrade secured cluster from 1.7.0,2.0.1, 2.0.2 etc) to 2.2.2.0] (dgrinenko via dlysnichenko)

ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java

@@ -191,18 +191,18 @@ public abstract class AbstractUpgradeCatalog implements UpgradeCatalog {
     return doc;
   }
 
-  protected static boolean isRangerPluginEnabled(Cluster cluster) {
-    boolean isRangerPluginEnabled = false;
+  protected static boolean isRangerKnoxPluginEnabled(Cluster cluster) {
+    boolean isRangerKnoxPluginEnabled = false;
     if (cluster != null) {
       Config rangerKnoxPluginProperties = cluster.getDesiredConfigByType(CONFIGURATION_TYPE_RANGER_KNOX_PLUGIN_PROPERTIES);
       if (rangerKnoxPluginProperties != null) {
         String rangerKnoxPluginEnabled = rangerKnoxPluginProperties.getProperties().get(PROPERTY_RANGER_KNOX_PLUGIN_ENABLED);
         if (StringUtils.isNotEmpty(rangerKnoxPluginEnabled)) {
-          isRangerPluginEnabled = rangerKnoxPluginEnabled.toLowerCase().equals("yes");
+          isRangerKnoxPluginEnabled =  "yes".equalsIgnoreCase(rangerKnoxPluginEnabled);
         }
       }
     }
-    return isRangerPluginEnabled;
+    return isRangerKnoxPluginEnabled;
   }
 
   protected static class VersionComparator implements Comparator<UpgradeCatalog> {

ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog210.java

@@ -1408,14 +1408,11 @@ public class UpgradeCatalog210 extends AbstractUpgradeCatalog {
                     && RangerHiveConfig.getProperties().get("ranger-hive-plugin-enabled").equalsIgnoreCase("yes")) {
               newHiveEnvProperties.put("hive_security_authorization", "Ranger");
               newHiveServerProperties.put("hive.security.authorization.enabled", "true");
-            } else {
-              newHiveEnvProperties.put("hive_security_authorization", "None");
             }
             boolean updateProperty = cluster.getDesiredConfigByType("hive-env").getProperties().containsKey("hive_security_authorization");
             updateConfigurationPropertiesForCluster(cluster, "hive-env", newHiveEnvProperties, updateProperty, true);
             updateConfigurationPropertiesForCluster(cluster, "hiveserver2-site", newHiveServerProperties, updateProperty, true);
-            updateConfigurationPropertiesForCluster(cluster, "ranger-hive-plugin-properties", new HashMap<String, String>(),
-                    removeRangerHiveProperties, false, true);
+            removeConfigurationPropertiesFromCluster(cluster, "ranger-hive-plugin-properties", removeRangerHiveProperties);
           }
         }
       }
@@ -1524,6 +1521,13 @@ public class UpgradeCatalog210 extends AbstractUpgradeCatalog {
       if (clusterMap != null && !clusterMap.isEmpty()) {
         for (final Cluster cluster : clusterMap.values()) {
           String content = null;
+          String hive_server2_auth = "";
+          if (cluster.getDesiredConfigByType("hive-site") != null &&
+              cluster.getDesiredConfigByType("hive-site").getProperties().containsKey("hive.server2.authentication")) {
+
+            hive_server2_auth = cluster.getDesiredConfigByType("hive-site").getProperties().get("hive.server2.authentication");
+          }
+
           if(cluster.getDesiredConfigByType("hive-env") != null) {
             Map<String, String> hiveEnvProps = new HashMap<String, String>();
             Set<String> hiveServerSiteRemoveProps = new HashSet<String>();
@@ -1540,22 +1544,32 @@ public class UpgradeCatalog210 extends AbstractUpgradeCatalog {
             if (!cluster.getDesiredConfigByType("hive-env").getProperties().containsKey("hive.metastore.heapsize")) {
               hiveEnvProps.put("hive.metastore.heapsize", "1024");
             }
-            if (cluster.getDesiredConfigByType("hive-env").getProperties().containsKey("hive_security_authorization") &&
-                    "none".equalsIgnoreCase(cluster.getDesiredConfigByType("hive-env").getProperties().get("hive_security_authorization"))) {
+
+            boolean isHiveSecurityAuthPresent = cluster.getDesiredConfigByType("hive-env").getProperties().containsKey("hive_security_authorization");
+            String hiveSecurityAuth="";
+
+            if ("kerberos".equalsIgnoreCase(hive_server2_auth) && cluster.getServices().containsKey("KERBEROS")){
+              hiveSecurityAuth = "SQLStdAuth";
+              isHiveSecurityAuthPresent = true;
+              hiveEnvProps.put("hive_security_authorization", hiveSecurityAuth);
+            } else {
+              if (isHiveSecurityAuthPresent) {
+                hiveSecurityAuth = cluster.getDesiredConfigByType("hive-env").getProperties().get("hive_security_authorization");
+              }
+            }
+
+            if (isHiveSecurityAuthPresent && "none".equalsIgnoreCase(hiveSecurityAuth)) {
               hiveServerSiteRemoveProps.add("hive.security.authorization.manager");
               hiveServerSiteRemoveProps.add("hive.security.authenticator.manager");
             }
             updateConfigurationPropertiesForCluster(cluster, "hive-env", hiveEnvProps, true, true);
-            updateConfigurationPropertiesForCluster(cluster, "hiveserver2-site", new HashMap<String, String>(), hiveServerSiteRemoveProps, false, true);
+            removeConfigurationPropertiesFromCluster(cluster, "hiveserver2-site", hiveServerSiteRemoveProps);
           }
 
           if(cluster.getDesiredConfigByType("hive-site") != null) {
             Set<String> hiveSiteRemoveProps = new HashSet<String>();
             Map<String, String> hiveSiteAddProps = new HashMap<String, String>();
-            String hive_server2_auth = "";
-            if (cluster.getDesiredConfigByType("hive-site").getProperties().containsKey("hive.server2.authentication")) {
-              hive_server2_auth = cluster.getDesiredConfigByType("hive-site").getProperties().get("hive.server2.authentication");
-            }
+
             if (!"pam".equalsIgnoreCase(hive_server2_auth)) {
               hiveSiteRemoveProps.add("hive.server2.authentication.pam.services");
             } else {

ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java

@@ -383,7 +383,7 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
               if (!authorizationProviderExists) {
                 NodeList nodeList = root.getElementsByTagName("gateway");
                 if (nodeList != null && nodeList.getLength() > 0) {
-                  boolean rangerPluginEnabled = isRangerPluginEnabled(cluster);
+                  boolean rangerPluginEnabled = isRangerKnoxPluginEnabled(cluster);
 
                   Node gatewayNode = nodeList.item(0);
                   Element newProvider = topologyXml.createElement("provider");

ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog210Test.java

@@ -57,6 +57,7 @@ import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.api.services.AmbariMetaInfo;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.controller.AmbariManagementController;
+import org.apache.ambari.server.controller.ConfigurationRequest;
 import org.apache.ambari.server.controller.ServiceConfigVersionResponse;
 import org.apache.ambari.server.orm.DBAccessor;
 import org.apache.ambari.server.orm.DBAccessor.DBColumnInfo;
@@ -89,6 +90,7 @@ import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory;
 import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
 import org.apache.ambari.server.state.stack.OsFamily;
 import org.easymock.Capture;
+import org.easymock.CaptureType;
 import org.easymock.EasyMock;
 import org.easymock.EasyMockSupport;
 import org.junit.After;
@@ -467,6 +469,81 @@ public class UpgradeCatalog210Test {
     }
   }
 
+  @Test
+  public void testUpdateHiveConfigsWithKerberos() throws Exception {
+    EasyMockSupport easyMockSupport = new EasyMockSupport();
+    final ConfigHelper mockConfigHelper = easyMockSupport.createMock(ConfigHelper.class);
+    final AmbariManagementController  mockAmbariManagementController = easyMockSupport.createNiceMock(AmbariManagementController.class);
+
+    final Clusters mockClusters = easyMockSupport.createStrictMock(Clusters.class);
+    final Cluster mockClusterExpected = easyMockSupport.createNiceMock(Cluster.class);
+    final Config mockHiveEnv = easyMockSupport.createNiceMock(Config.class);
+    final Config mockHiveSite = easyMockSupport.createNiceMock(Config.class);
+    final Config mockHiveServerSite = easyMockSupport.createNiceMock(Config.class);
+
+    final Map<String, String> propertiesExpectedHiveEnv = new HashMap<String, String>();
+    final Map<String, String> propertiesExpectedHiveSite = new HashMap<String, String>() {{
+      put("hive.server2.authentication", "kerberos");
+    }};
+    final Map<String, String> propertiesExpectedHiveServerSite = new HashMap<String, String>() {{
+    }};
+    final Map<String, Service> servicesExpected = new HashMap<String, Service>(){{
+      put("KERBEROS", null);
+    }};
+
+    final Injector mockInjector = Guice.createInjector(new AbstractModule() {
+      @Override
+      protected void configure() {
+        bind(AmbariManagementController.class).toInstance(mockAmbariManagementController);
+        bind(ConfigHelper.class).toInstance(mockConfigHelper);
+        bind(Clusters.class).toInstance(mockClusters);
+        bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
+        bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+      }
+    });
+
+    final UpgradeCatalog210 upgradeCatalog210 =  mockInjector.getInstance(UpgradeCatalog210.class);
+
+    expect(mockAmbariManagementController.getClusters()).andReturn(mockClusters).once();
+    expect(mockClusters.getClusters()).andReturn(new HashMap<String, Cluster>() {{
+      put("normal", mockClusterExpected);
+    }}).once();
+
+    Capture<Map<String,String>> configCreation = Capture.newInstance(CaptureType.ALL);
+
+    expect(mockClusterExpected.getDesiredConfigByType("hive-env")).andReturn(mockHiveEnv).atLeastOnce();
+    expect(mockClusterExpected.getDesiredConfigByType("hiveserver2-site")).andReturn(mockHiveServerSite).atLeastOnce();
+    expect(mockHiveEnv.getProperties()).andReturn(propertiesExpectedHiveEnv).anyTimes();
+    expect(mockHiveServerSite.getProperties()).andReturn(propertiesExpectedHiveServerSite).anyTimes();
+
+    expect(mockClusterExpected.getDesiredConfigByType("hive-site")).andReturn(mockHiveSite).atLeastOnce();
+    expect(mockHiveSite.getProperties()).andReturn(propertiesExpectedHiveSite).anyTimes();
+    expect(mockClusterExpected.getServices()).andReturn(servicesExpected).atLeastOnce();
+    expect(mockAmbariManagementController.createConfig((Cluster)anyObject(),
+      anyString(),
+      capture(configCreation),
+      anyString(),
+      (Map<String, Map<String, String>>)anyObject())).andReturn(null).atLeastOnce();
+
+    easyMockSupport.replayAll();
+    upgradeCatalog210.updateHiveConfigs();
+    easyMockSupport.verifyAll();
+
+    Assert.assertEquals(2, configCreation.getValues().size());
+
+    boolean hiveSecFound = false;
+
+    for (Map<String, String> cfg: configCreation.getValues()){
+      if (cfg.containsKey("hive_security_authorization")) {
+        hiveSecFound = true;
+        Assert.assertTrue("sqlstdauth".equalsIgnoreCase(cfg.get("hive_security_authorization")));
+        break;
+      }
+    }
+
+    Assert.assertTrue(hiveSecFound);
+  }
+
   @Test
   public void TestUpdateHiveEnvContent() {
     EasyMockSupport easyMockSupport = new EasyMockSupport();