From 2dbaddb2ca7e75a28d41992dae0767748cc50c45 Mon Sep 17 00:00:00 2001 From: Ihor Lukianov Date: Wed, 23 Oct 2019 12:36:24 +0300 Subject: [PATCH] AMBARI-25399 Add hive PAM support for service check and alerts (ihorlukianov) --- .../libraries/functions/hive_check.py | 8 +++++++- .../alerts/alert_hive_interactive_thrift_port.py | 13 +++++++++++-- .../package/alerts/alert_hive_thrift_port.py | 13 +++++++++++-- .../HIVE/0.12.0.2.0/package/scripts/params_linux.py | 5 +++++ .../0.12.0.2.0/package/scripts/service_check.py | 3 ++- 5 files changed, 36 insertions(+), 6 deletions(-) diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/hive_check.py b/ambari-common/src/main/python/resource_management/libraries/functions/hive_check.py index 538bcfb89bb..398a93281cb 100644 --- a/ambari-common/src/main/python/resource_management/libraries/functions/hive_check.py +++ b/ambari-common/src/main/python/resource_management/libraries/functions/hive_check.py @@ -28,7 +28,7 @@ def check_thrift_port_sasl(address, port, hive_auth="NOSASL", key=None, kinitcmd=None, smokeuser='ambari-qa', hive_user='hive', transport_mode="binary", http_endpoint="cliservice", ssl=False, ssl_keystore=None, ssl_password=None, check_command_timeout=30, - ldap_username="", ldap_password=""): + ldap_username="", ldap_password="", pam_username="", pam_password=""): """ Hive thrift SASL port check """ 
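Review bot: The docstring of check_thrift_port_sasl still reads only `Hive thrift SASL port check`, although the signature now takes a second pair of credentials. Nothing tells a caller that `pam_username` and `pam_password` are read only when `hive_auth == "PAM"`, or that the empty-string defaults are passed to the login unchanged. I would add a line such as `pam_username / pam_password: credentials for the beeline login, used only when hive_auth is "PAM"`. The function body continues outside this hunk.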
@@ -60,6 +60,12 @@ def check_thrift_port_sasl(address, port, hive_auth="NOSASL", key=None, kinitcmd quoted_ldap_password = quote_bash_args(ldap_password) credential_str = "-n {ldap_username} -p {quoted_ldap_password!p}" + # append username and password for PAM + if hive_auth == "PAM": + # password might contain special characters that need to be escaped + quoted_pam_password = quote_bash_args(pam_password) + credential_str = "-n '{pam_username}' -p '{quoted_pam_password!p}'" + # append url according to ssl configuration if ssl and ssl_keystore is not None and ssl_password is not None: beeline_url.extend(['ssl={ssl_str}', 'sslTrustStore={ssl_keystore}', 'trustStorePassword={ssl_password!p}']) diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_interactive_thrift_port.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_interactive_thrift_port.py index 39c982e5a4c..bc2582cf63a 100644 --- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_interactive_thrift_port.py +++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_interactive_thrift_port.py @@ -48,6 +48,8 @@ HIVE_SSL_KEYSTORE_PASSWORD = '{{hive-interactive-site/hive.server2.keystore.password}}' HIVE_LDAP_USERNAME = '{{hive-env/alert_ldap_username}}' HIVE_LDAP_PASSWORD = '{{hive-env/alert_ldap_password}}' +HIVE_PAM_USERNAME = '{{hive-env/alert_pam_username}}' +HIVE_PAM_PASSWORD = '{{hive-env/alert_pam_password}}' # The configured Kerberos executable search paths, if any KERBEROS_EXECUTABLE_SEARCH_PATHS_KEY = '{{kerberos-env/executable_search_paths}}' 
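Review bot: The PAM branch wraps `{quoted_pam_password!p}` in literal single quotes even though `quote_bash_args` has already shell-quoted it, and wraps `pam_username` in quotes without escaping it at all. The LDAP branch just above uses `-p {quoted_ldap_password!p}` with no extra quotes. If quote_bash_args emits its own surrounding quotes for values with special characters (the helper is not shown, but the comment in this hunk implies it), the outer pair closes them again. A username or password containing a quote or another shell metacharacter would then reach the shell unquoted, so the check fails or the shell interprets part of the credential. I would quote both values through the helper and drop the literal quotes: `quoted_pam_username = quote_bash_args(pam_username)`, `quoted_pam_password = quote_bash_args(pam_password)`, `credential_str = "-n {quoted_pam_username} -p {quoted_pam_password!p}"`. The function starts and ends outside the hunk.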
@@ -89,7 +91,7 @@ def get_tokens(): HIVE_SERVER_INTERACTIVE_THRIFT_HTTP_PORT_KEY, HIVE_SERVER_INTERACTIVE_TRANSPORT_MODE_KEY, HIVE_SERVER_TRANSPORT_MODE_KEY, KERBEROS_EXECUTABLE_SEARCH_PATHS_KEY, HIVE_SSL, HIVE_SSL_KEYSTORE_PATH, HIVE_SSL_KEYSTORE_PASSWORD, HIVE_LDAP_USERNAME, HIVE_LDAP_PASSWORD, - HIVE_USER_KEY) + HIVE_USER_KEY, HIVE_PAM_USERNAME, HIVE_PAM_PASSWORD) @OsFamilyFuncImpl(os_family=OsFamilyImpl.DEFAULT) @@ -178,6 +180,13 @@ def execute(configurations={}, parameters={}, host_name=None): if HIVE_LDAP_PASSWORD in configurations: ldap_password = configurations[HIVE_LDAP_PASSWORD] + pam_username = "" + pam_password = "" + if HIVE_PAM_USERNAME in configurations: + pam_username = configurations[HIVE_PAM_USERNAME] + if HIVE_PAM_PASSWORD in configurations: + pam_password = configurations[HIVE_PAM_PASSWORD] + result_code = None if security_enabled: @@ -211,7 +220,7 @@ def execute(configurations={}, parameters={}, host_name=None): kinitcmd, smokeuser, hive_user = hive_user, transport_mode=transport_mode, ssl=hive_ssl, ssl_keystore=hive_ssl_keystore_path, ssl_password=hive_ssl_keystore_password, check_command_timeout=int(check_command_timeout), ldap_username=ldap_username, - ldap_password=ldap_password) + ldap_password=ldap_password, pam_username=pam_username, pam_password=pam_password) result_code = 'OK' total_time = time.time() - start_time label = OK_MESSAGE.format(total_time, port) diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_thrift_port.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_thrift_port.py index 3f5794706ba..231a0401d49 100644 --- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_thrift_port.py +++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_thrift_port.py 
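Review bot: In execute(), `pam_username` and `pam_password` silently fall back to `""` when `hive-env/alert_pam_username` or `hive-env/alert_pam_password` is not configured, and the call in the last hunk of this file passes them on regardless. With PAM authentication selected, check_thrift_port_sasl would then attempt a login with empty credentials on every alert run. The alert would look like a HiveServer2 outage rather than a missing alert credential, and each run would add a failed authentication to the host's auth log. I would add a guard before the check that returns an UNKNOWN-style result naming the missing property when authentication is PAM and the username is empty (the variable holding the authentication mode is outside the hunk), plus a comment such as `# PAM credentials are required when HiveServer2 authentication is PAM`. The same pattern is added to alert_hive_thrift_port.py.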
@@ -47,6 +47,8 @@ HIVE_SSL_KEYSTORE_PASSWORD = '{{hive-site/hive.server2.keystore.password}}' HIVE_LDAP_USERNAME = '{{hive-env/alert_ldap_username}}' HIVE_LDAP_PASSWORD = '{{hive-env/alert_ldap_password}}' +HIVE_PAM_USERNAME = '{{hive-env/alert_pam_username}}' +HIVE_PAM_PASSWORD = '{{hive-env/alert_pam_password}}' # The configured Kerberos executable search paths, if any @@ -88,7 +90,7 @@ def get_tokens(): SMOKEUSER_KEYTAB_KEY, SMOKEUSER_PRINCIPAL_KEY, HIVE_SERVER_THRIFT_HTTP_PORT_KEY, HIVE_SERVER_TRANSPORT_MODE_KEY, KERBEROS_EXECUTABLE_SEARCH_PATHS_KEY, HIVE_SSL, HIVE_SSL_KEYSTORE_PATH, HIVE_SSL_KEYSTORE_PASSWORD, HIVE_LDAP_USERNAME, HIVE_LDAP_PASSWORD, - HIVE_USER_KEY) + HIVE_USER_KEY, HIVE_PAM_USERNAME, HIVE_PAM_PASSWORD) @OsFamilyFuncImpl(os_family=OsFamilyImpl.DEFAULT) @@ -172,6 +174,13 @@ def execute(configurations={}, parameters={}, host_name=None): if HIVE_LDAP_PASSWORD in configurations: ldap_password = configurations[HIVE_LDAP_PASSWORD] + pam_username = "" + pam_password = "" + if HIVE_PAM_USERNAME in configurations: + pam_username = configurations[HIVE_PAM_USERNAME] + if HIVE_PAM_PASSWORD in configurations: + pam_password = configurations[HIVE_PAM_PASSWORD] + result_code = None if security_enabled: @@ -205,7 +214,7 @@ def execute(configurations={}, parameters={}, host_name=None): kinitcmd, smokeuser, hive_user = hive_user, transport_mode=transport_mode, ssl=hive_ssl, ssl_keystore=hive_ssl_keystore_path, ssl_password=hive_ssl_keystore_password, check_command_timeout=int(check_command_timeout),ldap_username=ldap_username, - ldap_password=ldap_password) + ldap_password=ldap_password,pam_username=pam_username,pam_password=pam_password) result_code = 'OK' total_time = time.time() - start_time label = OK_MESSAGE.format(total_time, port) 
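Review bot: The call in the last hunk of alert_hive_thrift_port.py is written `ldap_password=ldap_password,pam_username=pam_username,pam_password=pam_password)` with no space after the commas, while the identical call in alert_hive_interactive_thrift_port.py has them. Writing it as `ldap_password=ldap_password, pam_username=pam_username, pam_password=pam_password)` keeps the two alert scripts easy to compare line by line, which matters because they carry duplicated credential handling. execute() starts and ends outside the hunk.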
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py index 668fca560b4..1f608431c54 100644 --- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py +++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/params_linux.py @@ -868,6 +868,11 @@ # For ldap - hive_check hive_ldap_user= config['configurations']['hive-env'].get('alert_ldap_username','') hive_ldap_passwd=config['configurations']['hive-env'].get('alert_ldap_password','') + +# For pam - hive_check +hive_pam_username = config['configurations']['hive-env'].get('alert_pam_username','') +hive_pam_password = config['configurations']['hive-env'].get('alert_pam_password','') + # For druid metadata password druid_metadata_password = "" if 'druid-common' in config['configurations'] \ diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py index f78a7d682a8..90033d2c87b 100644 --- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py +++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py 
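Review bot: `alert_pam_password` is read from `hive-env` here, but the diffstat of this commit lists only the five Python files, so nothing in this change declares the new properties in the stack configuration. Unless `alert_pam_username` and `alert_pam_password` are defined elsewhere with a password property type, operators would have to add them as custom hive-env entries, where the value is likely stored and displayed as ordinary text. I would declare both in the HIVE service's hive-env definition in the same change, with a password type for the second, and note the expectation here, e.g. `# alert_pam_password is expected to be a PASSWORD-type hive-env property`.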
@@ -124,7 +124,8 @@ def check_hive_server(self, env, server_component_name, kinit_cmd, address_list, transport_mode=params.hive_transport_mode, http_endpoint=params.hive_http_endpoint, ssl=params.hive_ssl, ssl_keystore=ssl_keystore, ssl_password=ssl_password, ldap_username=params.hive_ldap_user, - ldap_password=params.hive_ldap_passwd) + ldap_password=params.hive_ldap_passwd, pam_username=params.hive_pam_username, + pam_password=params.hive_pam_password) Logger.info("Successfully connected to {0} on port {1}".format(address, server_port)) workable_server_available = True except:
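Review bot: A login rejected for the new PAM credentials ends in the bare `except:` that closes this hunk, the same path as an unreachable server. The handler body is outside the hunk, so what it logs is not visible here. If it does not already report the cause, catching `except Exception as e:` and logging that the check failed during authentication would let an operator tell a wrong `alert_pam_password` from a down HiveServer2. Confirm that whatever is logged there carries the masked form of the command and not the password itself.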