@rlevas rlevas commented Sep 17, 2018

What changes were proposed in this pull request?

Disable Kerberos from Ambari UI didn't clean up keytab directories,

stderr:

2018-09-08 05:27:19,276 - Failed to remove identity for amsmon/ctr-e138-1518143905142-467151-01-000002.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,298 - Failed to remove identity for amsmon/ctr-e138-1518143905142-467151-01-000006.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,325 - Failed to remove identity for amsmon/ctr-e138-1518143905142-467151-01-000005.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,348 - Failed to remove identity for amsmon/ctr-e138-1518143905142-467151-01-000003.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,465 - Failed to remove identity for dn/ctr-e138-1518143905142-467151-01-000003.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,491 - Failed to remove identity for dn/ctr-e138-1518143905142-467151-01-000002.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,515 - Failed to remove identity for dn/ctr-e138-1518143905142-467151-01-000005.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,539 - Failed to remove identity for dn/ctr-e138-1518143905142-467151-01-000004.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,671 - Failed to remove identity for hbase/ctr-e138-1518143905142-467151-01-000006.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,696 - Failed to remove identity for hbase/ctr-e138-1518143905142-467151-01-000003.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,723 - Failed to remove identity for hbase/ctr-e138-1518143905142-467151-01-000004.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,744 - Failed to remove identity for hbase/ctr-e138-1518143905142-467151-01-000002.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,959 - Failed to remove identity for nm/ctr-e138-1518143905142-467151-01-000005.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,987 - Failed to remove identity for nm/ctr-e138-1518143905142-467151-01-000006.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,049 - Failed to remove identity for nn/ctr-e138-1518143905142-467151-01-000003.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,376 - Failed to remove identity for HTTP/ctr-e138-1518143905142-467151-01-000002.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,399 - Failed to remove identity for HTTP/ctr-e138-1518143905142-467151-01-000004.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,420 - Failed to remove identity for HTTP/ctr-e138-1518143905142-467151-01-000003.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,441 - Failed to remove identity for HTTP/ctr-e138-1518143905142-467151-01-000005.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,590 - Failed to remove identity for yarn-ats-hbase/ctr-e138-1518143905142-467151-01-000003.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,617 - Failed to remove identity for yarn-ats-hbase/ctr-e138-1518143905142-467151-01-000002.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,647 - Failed to remove identity for yarn-ats-hbase/ctr-e138-1518143905142-467151-01-000004.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,677 - Failed to remove identity for yarn-ats-hbase/ctr-e138-1518143905142-467151-01-000005.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,768 - Failed to remove identity for zookeeper/ctr-e138-1518143905142-467151-01-000006.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,798 - Failed to remove identity for zookeeper/ctr-e138-1518143905142-467151-01-000004.hwx.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type
[root@ctr-e138-1518143905142-467151-01-000002 ~]# ls -lrt /etc/security/keytabs/
total 56
-rw-r----- 1 ambari-qa  hadoop 318 Sep  7 23:00 kerberos.service_check.090718.keytab
-r-------- 1 slava      slava  353 Sep  7 23:05 ambari.server.keytab
-r--r----- 1 root       hadoop 538 Sep  7 23:05 spnego.service.keytab
-r-------- 1 cstm-ams   hadoop 548 Sep  7 23:05 ams-monitor.keytab
-r-------- 1 cstm-hdfs  hadoop 533 Sep  7 23:05 nfs.service.keytab
-r--r----- 1 cstm-hbase hadoop 338 Sep  7 23:05 hbase.headless.keytab
-r-------- 1 yarn-ats   hadoop 328 Sep  7 23:05 yarn-ats.hbase-client.headless.keytab
-r-------- 1 cstm-hdfs  hadoop 528 Sep  7 23:05 dn.service.keytab
-r-------- 1 yarn-ats   hadoop 588 Sep  7 23:05 yarn-ats.hbase-regionserver.service.keytab
-r--r----- 1 ambari-qa  hadoop 333 Sep  7 23:05 smokeuser.headless.keytab
-r-------- 1 cstm-hbase hadoop 543 Sep  7 23:05 hbase.service.keytab
-r-------- 1 cstm-hdfs  hadoop 528 Sep  7 23:05 nn.service.keytab
-r-------- 1 yarn-ats   hadoop 588 Sep  7 23:05 yarn-ats.hbase-master.service.keytab
-r-------- 1 cstm-hdfs  hadoop 333 Sep  7 23:05 hdfs.headless.keytab

This occurred for several reasons related to many iterations of changes to the Kerberos enable and clean up processes. This patch attempts to fix the inconsistencies that lead to the cleanup failures - whether a service, component, or host was removed or Kerberos was being disabled. Now the keytab files, principals/accounts, and Ambari DB records are being properly cleaned up.

How was this patch tested?

Manually tested various scenarios when Kerberos was enabled

  • remove a service
  • remove a component
  • move a component
  • remove a host
  • regenerate keytab files
  • regenerate missing keytab file
  • disable Kerberos
  • Ambari upgrade
  • stack upgrade

Unit tests were updated and all passed.

Please review Ambari Contributing Guide before opening a pull request.
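
Added example (not part of the pull request or of Ambari's code): one way to turn stderr in the format quoted above into a per-host list of service principals whose removal failed, so the keytab directories on those hosts can be checked by hand. The sample lines, host names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the stderr quoted in the description
# (shortened host names; not lines from a real cluster).
SAMPLE_STDERR = """\
2018-09-08 05:27:19,276 - Failed to remove identity for amsmon/host-2.example.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:19,465 - Failed to remove identity for dn/host-3.example.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,376 - Failed to remove identity for HTTP/host-2.example.site@EXAMPLE.COM from the Ambari database - Object: null is not a known Entity type.
2018-09-08 05:27:20,400 - Some unrelated message
"""

FAILED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - "
    r"Failed to remove identity for (?P<principal>\S+) from the Ambari database"
)


def split_principal(principal):
    """Split primary/instance@REALM into (primary, instance, realm).

    Headless principals (no '/') get instance None; a missing realm is None.
    """
    name, _, realm = principal.rpartition("@")
    if not name:  # no '@' in the string
        name, realm = principal, None
    primary, _, instance = name.partition("/")
    return primary, instance or None, realm


def hosts_needing_cleanup(stderr_text):
    """Map host -> sorted list of principal primaries whose removal failed."""
    by_host = defaultdict(set)
    for line in stderr_text.splitlines():
        match = FAILED.match(line)
        if not match:
            continue  # ignore lines that are not removal failures
        primary, instance, _ = split_principal(match.group("principal"))
        by_host[instance or "(headless)"].add(primary)
    return {host: sorted(primaries) for host, primaries in by_host.items()}


if __name__ == "__main__":
    for host, primaries in sorted(hosts_needing_cleanup(SAMPLE_STDERR).items()):
        print(host, ", ".join(primaries))
```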

rlevas commented Sep 17, 2018

Sorry for the large patch, there were lots of changes needed to clean up the code.

asfgit commented Sep 17, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/3982/
Test PASSed.


// *****************************************************************
// Create stage to remove principals
// - this should be the last opterion that deals with principals and keytab files since the

opterion

Contributor Author

Thanks. Fixing.


// *****************************************************************
// Create stage to delete principals
// - this should be the last opterion that deals with principals and keytab files since the

opterion

Contributor Author

Thanks. Fixing.

}

/**
* KerberosCommandParameterProcessor is an abstract class providing common implementions for processing

implementions

Contributor Author

thanks.. fixing.


if (keytabFilePath != null) {
String sha1Keytab = DigestUtils.sha256Hex(keytabFilePath);
File keytabFile = new File(dataDir + File.separator + hostName + File.separator + sha1Keytab);
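
Review bot: the local variable sha1Keytab on the second line is assigned from DigestUtils.sha256Hex(keytabFilePath), so its name states the wrong digest. The value becomes the file name under dataDir/hostName, so a neutral name such as keytabPathDigest would keep readers, and any code that later locates these files, from assuming SHA-1. The digest is also taken over the path string rather than the keytab contents, which deserves a one-line comment.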

Contributor Author

I totally agree, but this was the code that was already there and I didn't want to mess with it.

@ncole ncole left a comment

A couple import fixes and nits (optional).

import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
import org.apache.ambari.server.state.svccomphost.ServiceComponentHostServerActionEvent;
import org.apache.ambari.server.utils.StageUtils;
import org.springframework.util.CollectionUtils;
Contributor

Should probably be org.apache.commons.collections.CollectionUtils

Contributor Author

I knew I was going to mess this up. Fixed other places where my IDE chose the wrong impl. Nice catch.

requestParams);
customCommandExecutionHelper.addExecutionCommandsToStage(actionExecContext, stage, requestParams, null);
stageContainer.addStage(stage);
if(!CollectionUtils.isEmpty(hostNames)) {
Contributor

nit: CollectionUtils.isNotEmpty(...)


ActionExecutionContext actionExecContext = new ActionExecutionContext(
cluster.getClusterName(),
"REMOVE_KEYTAB",
Contributor

Do we have a constant somewhere for this?

Contributor Author

Yup.

import org.apache.ambari.server.orm.entities.KerberosKeytabPrincipalEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.CollectionUtils;
Contributor

org.apache.commons.collections.CollectionUtils

import org.apache.ambari.server.orm.entities.KerberosKeytabPrincipalEntity;
import org.apache.ambari.server.orm.entities.KerberosKeytabServiceMappingEntity;
import org.apache.ambari.server.orm.entities.KerberosPrincipalEntity;
import org.springframework.util.CollectionUtils;
Contributor

org.apache.commons.collections.CollectionUtils

*/
public boolean removeIfNotReferenced(KerberosKeytabEntity kerberosKeytabEntity) {
if (kerberosKeytabEntity != null) {
if (!CollectionUtils.isEmpty(kerberosKeytabEntity.getKerberosKeytabPrincipalEntities())) {
Contributor

nit: CollectionUtils.isNotEmpty(...)

asfgit commented Sep 17, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/3985/
Test FAILed.
Test FAILured.

asfgit commented Sep 17, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/3988/
Test PASSed.

@rlevas rlevas merged commit 620539f into apache:trunk Sep 18, 2018