AMBARI-19987 Oozie start failed after enabling credential store (dsen)

ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py

@@ -238,6 +238,7 @@ class CustomServiceOrchestrator():
                 value_names.append(value_name) # Gather the value_name for deletion
           if len(credentials) > 0:
             configtype_credentials[config_type] = credentials
+            logger.info("Identifying config {0} for CS: ".format(config_type))
           for value_name in value_names:
             # Remove the clear text password
             config.pop(value_name, None)
@@ -255,8 +256,11 @@ class CustomServiceOrchestrator():
     roleCommand = None
     if 'roleCommand' in commandJson:
       roleCommand = commandJson['roleCommand']
+    task_id = None
+    if 'taskId' in commandJson:
+      task_id = commandJson['taskId']
 
-    logger.info('generateJceks: roleCommand={0}'.format(roleCommand))
+    logger.info('Generating the JCEKS file: roleCommand={0} and taskId = {1}'.format(roleCommand, task_id))
 
     # Set up the variables for the external command to generate a JCEKS file
     java_home = commandJson['hostLevelParams']['java_home']
@@ -267,6 +271,12 @@ class CustomServiceOrchestrator():
 
     # Gather the password values and remove them from the configuration
     configtype_credentials = self.getConfigTypeCredentials(commandJson)
+
+    # CS is enabled but no config property is available for this command
+    if len(configtype_credentials) == 0:
+      logger.info("Credential store is enabled but no property are found that can be encrypted.")
+      commandJson['credentialStoreEnabled'] = "false"
+
     for config_type, credentials in configtype_credentials.items():
       config = commandJson['configurations'][config_type]
       file_path = os.path.join(self.getProviderDirectory(serviceName), "{0}.jceks".format(config_type))

ambari-common/src/main/python/ambari_commons/credential_store_helper.py

@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+import os
+
+from resource_management.core.resources.system import File
+from resource_management.core.shell import checked_call
+from resource_management.core.source import DownloadSource
+
+credential_util_cmd = 'org.apache.ambari.server.credentialapi.CredentialUtil'
+credential_util_jar = 'CredentialUtil.jar'
+
+def get_password_from_credential_store(alias, provider_path, cs_lib_path, java_home, jdk_location):
+    # Try to download CredentialUtil.jar from ambari-server resources
+    credential_util_dir = cs_lib_path.split('*')[0] # Remove the trailing '*'
+    credential_util_path = os.path.join(credential_util_dir, credential_util_jar)
+    credential_util_url =  jdk_location + credential_util_jar
+    File(credential_util_path,
+         content = DownloadSource(credential_util_url),
+         mode = 0755,
+         )
+
+    # Execute a get command on the CredentialUtil CLI to get the password for the specified alias
+    java_bin = '{java_home}/bin/java'.format(java_home=java_home)
+    cmd = (java_bin, '-cp', cs_lib_path, credential_util_cmd, 'get', alias, '-provider', provider_path)
+    cmd_result, std_out_msg  = checked_call(cmd)
+    std_out_lines = std_out_msg.split('\n')
+    return std_out_lines[-1] # Get the last line of the output, to skip warnings if any.

ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java

@@ -286,11 +286,9 @@ public class ClusterBlueprintRenderer extends BaseRenderer implements Renderer {
 
       //service_settings population
       property = new HashMap<>();
-      if (ServiceInfoMap.get("credential_store_supported").equals("true")) {
-        if (ServiceInfoMap.get("credential_store_enabled").equals("true")) {
-          property.put("name", ServiceInfoMap.get("service_name").toString());
-          property.put("credential_store_enabled", "true");
-        }
+      if (ServiceInfoMap.get("credential_store_enabled").equals("true")) {
+        property.put("name", ServiceInfoMap.get("service_name").toString());
+        property.put("credential_store_enabled", "true");
       }
 
       //Fetch the service Components to obtain ServiceComponentInfo

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java

@@ -368,7 +368,6 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
       AmbariMetaInfo ambariMetaInfo = getManagementController().getAmbariMetaInfo();
       ServiceInfo serviceInfo = ambariMetaInfo.getService(stackId.getStackName(),
           stackId.getStackVersion(), request.getServiceName());
-      s.setCredentialStoreSupported(serviceInfo.isCredentialStoreSupported());
       LOG.info("Service: {}, credential_store_supported from stack definition:{}", request.getServiceName(),
           serviceInfo.isCredentialStoreSupported());
 

ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ServiceDesiredStateEntity.java

@@ -67,9 +67,6 @@ public class ServiceDesiredStateEntity {
   @Enumerated(value = EnumType.STRING)
   private SecurityState securityState = SecurityState.UNSECURED;
 
-  @Column(name = "credential_store_supported", nullable = false, insertable = true, updatable = true)
-  private short credentialStoreSupported = 0;
-
   @Column(name = "credential_store_enabled", nullable = false, insertable = true, updatable = true)
   private short credentialStoreEnabled = 0;
 
@@ -137,24 +134,6 @@ public class ServiceDesiredStateEntity {
     this.securityState = securityState;
   }
 
-  /**
-   * Gets a value indicating if credential store is supported or not.
-   *
-   * @return true or false
-   */
-  public boolean isCredentialStoreSupported() {
-    return credentialStoreSupported != 0;
-  }
-
-  /**
-   * Sets a value indicating if credential store is supported or not.
-   *
-   * @param credentialStoreSupported
-   */
-  public void setCredentialStoreSupported(boolean credentialStoreSupported) {
-    this.credentialStoreSupported = (short)((credentialStoreSupported == false) ? 0 : 1);
-  }
-
   /**
    * Gets a value indicating if credential store use is enabled or not.
    *

ambari-server/src/main/java/org/apache/ambari/server/state/Service.java

@@ -109,14 +109,6 @@ public interface Service {
    */
   boolean isCredentialStoreSupported();
 
-  /**
-   * Set a true or false value specifying if this
-   * service supports credential store.
-   *
-   * @param credentialStoreSupported - true or false
-   */
-  void setCredentialStoreSupported(boolean credentialStoreSupported);
-
   /**
    * Get a true or false value specifying whether
    * credential store use is enabled for this service.

ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java

@@ -70,6 +70,7 @@ public class ServiceImpl implements Service {
   private final Cluster cluster;
   private final ConcurrentMap<String, ServiceComponent> components = new ConcurrentHashMap<>();
   private final boolean isClientOnlyService;
+  private final boolean isCredentialStoreSupported;
 
   @Inject
   private ServiceConfigDAO serviceConfigDAO;
@@ -130,6 +131,8 @@ public class ServiceImpl implements Service {
 
     isClientOnlyService = sInfo.isClientOnlyService();
 
+    isCredentialStoreSupported = sInfo.isCredentialStoreSupported();
+
     persist(serviceEntity);
   }
 
@@ -174,6 +177,7 @@ public class ServiceImpl implements Service {
     ServiceInfo sInfo = ambariMetaInfo.getService(stackId.getStackName(),
         stackId.getStackVersion(), getName());
     isClientOnlyService = sInfo.isClientOnlyService();
+    isCredentialStoreSupported = sInfo.isCredentialStoreSupported();
   }
 
   @Override
@@ -327,45 +331,11 @@ public class ServiceImpl implements Service {
    */
   @Override
   public boolean isCredentialStoreSupported() {
-    ServiceDesiredStateEntity desiredStateEntity = getServiceDesiredStateEntity();
-
-    if (desiredStateEntity != null) {
-      return desiredStateEntity.isCredentialStoreSupported();
-    } else {
-      LOG.warn("Trying to fetch a member from an entity object that may " +
-              "have been previously deleted, serviceName = " + getName());
-    }
-    return false;
+    return isCredentialStoreSupported;
   }
 
 
-  /**
-   * Set a true or false value specifying whether this
-   * service supports credential store.
-   *
-   * @param credentialStoreSupported - true or false
-   */
-  @Override
-  public void setCredentialStoreSupported(boolean credentialStoreSupported) {
-    if (LOG.isDebugEnabled()) {
-      LOG.debug("Setting CredentialStoreEnabled of Service" + ", clusterName="
-              + cluster.getClusterName() + ", clusterId="
-              + cluster.getClusterId() + ", serviceName=" + getName()
-              + ", oldCredentialStoreSupported=" + isCredentialStoreSupported()
-              + ", newCredentialStoreSupported=" + credentialStoreSupported);
-    }
-
-    ServiceDesiredStateEntity desiredStateEntity = getServiceDesiredStateEntity();
-
-    if (desiredStateEntity != null) {
-      desiredStateEntity.setCredentialStoreSupported(credentialStoreSupported);
-      desiredStateEntity = serviceDesiredStateDAO.merge(desiredStateEntity);
 
-    } else {
-      LOG.warn("Setting a member on an entity object that may have been "
-              + "previously deleted, serviceName = " + getName());
-    }
-  }
 
   /**
    * Get a true or false value specifying whether

ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java

@@ -83,7 +83,6 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog {
   public static final String COMPONENT_VERSION_FK_REPO_VERSION = "FK_scv_repo_version_id";
 
   protected static final String SERVICE_DESIRED_STATE_TABLE = "servicedesiredstate";
-  protected static final String CREDENTIAL_STORE_SUPPORTED_COL = "credential_store_supported";
   protected static final String CREDENTIAL_STORE_ENABLED_COL = "credential_store_enabled";
 
   protected static final String HOST_COMPONENT_DESIREDSTATE_TABLE = "hostcomponentdesiredstate";
@@ -542,11 +541,7 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog {
    */
   private void updateServiceDesiredStateTable() throws SQLException {
     // ALTER TABLE servicedesiredstate ADD COLUMN
-    // credential_store_supported SMALLINT DEFAULT 0 NOT NULL
     // credential_store_enabled SMALLINT DEFAULT 0 NOT NULL
-    dbAccessor.addColumn(SERVICE_DESIRED_STATE_TABLE,
-      new DBColumnInfo(CREDENTIAL_STORE_SUPPORTED_COL, Short.class, null, 0, false));
-
     dbAccessor.addColumn(SERVICE_DESIRED_STATE_TABLE,
       new DBColumnInfo(CREDENTIAL_STORE_ENABLED_COL, Short.class, null, 0, false));
   }

ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql

@@ -262,7 +262,6 @@ CREATE TABLE servicedesiredstate (
   service_name VARCHAR(255) NOT NULL,
   maintenance_state VARCHAR(32) NOT NULL,
   security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED',
-  credential_store_supported SMALLINT NOT NULL DEFAULT 0,
   credential_store_enabled SMALLINT NOT NULL DEFAULT 0,
   CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name),
   CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),

ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql

@@ -272,7 +272,6 @@ CREATE TABLE servicedesiredstate (
   service_name VARCHAR(255) NOT NULL,
   maintenance_state VARCHAR(32) NOT NULL DEFAULT 'ACTIVE',
   security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED',
-  credential_store_supported SMALLINT NOT NULL DEFAULT 0,
   credential_store_enabled SMALLINT NOT NULL DEFAULT 0,
   CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name),
   CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),

ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql

@@ -252,7 +252,6 @@ CREATE TABLE servicedesiredstate (
   service_name VARCHAR2(255) NOT NULL,
   maintenance_state VARCHAR2(32) NOT NULL,
   security_state VARCHAR2(32) DEFAULT 'UNSECURED' NOT NULL,
-  credential_store_supported SMALLINT DEFAULT 0 NOT NULL,
   credential_store_enabled SMALLINT DEFAULT 0 NOT NULL,
   CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name),
   CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),

ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql

@@ -261,7 +261,6 @@ CREATE TABLE servicedesiredstate (
   service_name VARCHAR(255) NOT NULL,
   maintenance_state VARCHAR(32) NOT NULL,
   security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED',
-  credential_store_supported SMALLINT NOT NULL DEFAULT 0,
   credential_store_enabled SMALLINT NOT NULL DEFAULT 0,
   CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name),
   CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),

ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql

@@ -250,7 +250,6 @@ CREATE TABLE servicedesiredstate (
   service_name VARCHAR(255) NOT NULL,
   maintenance_state VARCHAR(32) NOT NULL DEFAULT 'ACTIVE',
   security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED',
-  credential_store_supported SMALLINT NOT NULL DEFAULT 0,
   credential_store_enabled SMALLINT NOT NULL DEFAULT 0,
   CONSTRAINT PK_servicedesiredstate PRIMARY KEY (cluster_id, service_name),
   CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),

ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql

@@ -265,7 +265,6 @@ CREATE TABLE servicedesiredstate (
   service_name VARCHAR(255) NOT NULL,
   maintenance_state VARCHAR(32) NOT NULL,
   security_state VARCHAR(32) NOT NULL DEFAULT 'UNSECURED',
-  credential_store_supported SMALLINT NOT NULL DEFAULT 0,
   credential_store_enabled SMALLINT NOT NULL DEFAULT 0,
   CONSTRAINT PK_servicedesiredstate PRIMARY KEY CLUSTERED (cluster_id,service_name),
   CONSTRAINT FK_sds_desired_stack_id FOREIGN KEY (desired_stack_id) REFERENCES stack(stack_id),

ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py

@@ -48,9 +48,7 @@ from resource_management.libraries.functions.get_architecture import get_archite
 
 from resource_management.core.utils import PasswordString
 from resource_management.core.shell import checked_call
-from resource_management.core.logger import Logger
-from resource_management.core.resources.system import File
-from resource_management.core.source import DownloadSource
+from ambari_commons.credential_store_helper import get_password_from_credential_store
 
 # Default log4j version; put config files under /etc/hive/conf
 log4j_version = '1'
@@ -230,36 +228,15 @@ hive_jdbc_connection_url = config['configurations']['hive-site']['javax.jdo.opti
 
 jdk_location = config['hostLevelParams']['jdk_location']
 
-credential_util_cmd = 'org.apache.ambari.server.credentialapi.CredentialUtil'
-credential_util_jar = 'CredentialUtil.jar'
-
-# Gets the hive metastore password from its JCEKS provider, if available.
-def getHiveMetastorePassword():
-  passwd = ''
+if credential_store_enabled:
   if 'hadoop.security.credential.provider.path' in config['configurations']['hive-site']:
-    # Try to download CredentialUtil.jar from ambari-server resources
     cs_lib_path = config['configurations']['hive-site']['credentialStoreClassPath']
-    credential_util_dir = cs_lib_path.split('*')[0] # Remove the trailing '*'
-    credential_util_path = os.path.join(credential_util_dir, credential_util_jar)
-    credential_util_url =  jdk_location + credential_util_jar
-    File(credential_util_path,
-         content = DownloadSource(credential_util_url),
-         mode = 0644,
-    )
-
-    # Execute a get command on the CredentialUtil CLI to get the password for the specified alias
     java_home = config['hostLevelParams']['java_home']
-    java_bin = '{java_home}/bin/java'.format(java_home=java_home)
     alias = 'javax.jdo.option.ConnectionPassword'
     provider_path = config['configurations']['hive-site']['hadoop.security.credential.provider.path']
-    cmd = (java_bin, '-cp', cs_lib_path, credential_util_cmd, 'get', alias, '-provider', provider_path)
-    cmd_result, std_out_msg  = checked_call(cmd)
-    std_out_lines = std_out_msg.split('\n')
-    passwd = std_out_lines[-1] # Get the last line of the output, to skip warnings if any.
-  return passwd
-
-if credential_store_enabled:
-  hive_metastore_user_passwd = PasswordString(getHiveMetastorePassword())
+    hive_metastore_user_passwd = PasswordString(get_password_from_credential_store(alias, provider_path, cs_lib_path, java_home, jdk_location))
+  else:
+    raise Exception("hadoop.security.credential.provider.path property should be set")
 else:
   hive_metastore_user_passwd = config['configurations']['hive-site']['javax.jdo.option.ConnectionPassword']
 hive_metastore_user_passwd = unicode(hive_metastore_user_passwd) if not is_empty(hive_metastore_user_passwd) else hive_metastore_user_passwd
@@ -842,4 +819,4 @@ if enable_ranger_hive:
   if has_ranger_admin and stack_supports_ranger_audit_db and xa_audit_db_flavor.lower() == 'sqla':
     xa_audit_db_is_enabled = False
 
-# ranger hive plugin section end
+# ranger hive plugin section end

ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py

@@ -36,6 +36,8 @@ from resource_management.libraries.functions.expect import expect
 from resource_management.libraries.functions.get_architecture import get_architecture
 from resource_management.libraries.functions.stack_features import get_stack_feature_version
 
+from resource_management.core.utils import PasswordString
+from ambari_commons.credential_store_helper import get_password_from_credential_store
 from urlparse import urlparse
 
 import status_params
@@ -164,6 +166,10 @@ zk_connection_string = default('/configurations/oozie-site/oozie.zookeeper.conne
 jaas_file = os.path.join(conf_dir, 'zkmigrator_jaas.conf')
 stack_supports_zk_security = check_stack_feature(StackFeature.SECURE_ZOOKEEPER, version_for_stack_feature_checks)
 
+credential_store_enabled = False
+if 'credentialStoreEnabled' in config:
+  credential_store_enabled = config['credentialStoreEnabled']
+
 if security_enabled:
   oozie_site = dict(config['configurations']['oozie-site'])
   oozie_principal_with_host = oozie_principal.replace('_HOST', hostname)
@@ -193,7 +199,19 @@ oozie_env_sh_template = config['configurations']['oozie-env']['content']
 oracle_driver_jar_name = "ojdbc6.jar"
 
 oozie_metastore_user_name = config['configurations']['oozie-site']['oozie.service.JPAService.jdbc.username']
-oozie_metastore_user_passwd = default("/configurations/oozie-site/oozie.service.JPAService.jdbc.password","")
+
+if credential_store_enabled:
+  if 'hadoop.security.credential.provider.path' in config['configurations']['oozie-site']:
+    cs_lib_path = config['configurations']['oozie-site']['credentialStoreClassPath']
+    java_home = config['hostLevelParams']['java_home']
+    alias = 'oozie.service.JPAService.jdbc.password'
+    provider_path = config['configurations']['oozie-site']['hadoop.security.credential.provider.path']
+    oozie_metastore_user_passwd = PasswordString(get_password_from_credential_store(alias, provider_path, cs_lib_path, java_home, jdk_location))
+  else:
+    raise Exception("hadoop.security.credential.provider.path property should be set")
+else:
+  oozie_metastore_user_passwd = default("/configurations/oozie-site/oozie.service.JPAService.jdbc.password","")
+
 oozie_jdbc_connection_url = default("/configurations/oozie-site/oozie.service.JPAService.jdbc.url", "")
 oozie_log_dir = config['configurations']['oozie-env']['oozie_log_dir']
 oozie_data_dir = config['configurations']['oozie-env']['oozie_data_dir']

ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java

@@ -187,9 +187,7 @@ public class UpgradeCatalog250Test {
       eq("repo_version"), eq("repo_version_id"), eq(false));
 
     // servicedesiredstate table
-    Capture<DBAccessor.DBColumnInfo> capturedCredentialStoreSupportedCol = newCapture();
     Capture<DBAccessor.DBColumnInfo> capturedCredentialStoreEnabledCol = newCapture();
-    dbAccessor.addColumn(eq(UpgradeCatalog250.SERVICE_DESIRED_STATE_TABLE), capture(capturedCredentialStoreSupportedCol));
     dbAccessor.addColumn(eq(UpgradeCatalog250.SERVICE_DESIRED_STATE_TABLE), capture(capturedCredentialStoreEnabledCol));
 
     expect(dbAccessor.getConnection()).andReturn(connection).anyTimes();
@@ -251,16 +249,8 @@ public class UpgradeCatalog250Test {
     // did we get them all?
     Assert.assertEquals(0, expected.size());
 
-    // Verify if credential_store_supported & credential_store_enabled columns
+    // Verify if credential_store_enabled columns
     // were added to servicedesiredstate table
-    DBAccessor.DBColumnInfo capturedCredentialStoreSupportedColValues = capturedCredentialStoreSupportedCol.getValue();
-    Assert.assertNotNull(capturedCredentialStoreSupportedColValues);
-
-    Assert.assertEquals(UpgradeCatalog250.CREDENTIAL_STORE_SUPPORTED_COL, capturedCredentialStoreSupportedColValues.getName());
-    Assert.assertEquals(null, capturedCredentialStoreSupportedColValues.getLength());
-    Assert.assertEquals(Short.class, capturedCredentialStoreSupportedColValues.getType());
-    Assert.assertEquals(0, capturedCredentialStoreSupportedColValues.getDefaultValue());
-    Assert.assertEquals(false, capturedCredentialStoreSupportedColValues.isNullable());
 
     DBAccessor.DBColumnInfo capturedCredentialStoreEnabledColValues = capturedCredentialStoreEnabledCol.getValue();
     Assert.assertNotNull(capturedCredentialStoreEnabledColValues);