Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] AMBARI-25043. Sensitive Ambari configuration values are encrypted in Ambari Server DB #2742

Merged
merged 2 commits into from Dec 22, 2018
Merged

[WIP] AMBARI-25043. Sensitive Ambari configuration values are encrypted in Ambari Server DB #2742

merged 2 commits into from Dec 22, 2018

Conversation

smolnar82
Copy link
Contributor

@smolnar82 smolnar82 commented Dec 21, 2018
edited

What changes were proposed in this pull request?

Ambari configuration value types are defined in org.apache.ambari.server.configuration.AmbariServerConfigurationKey. Sensitive properties have property type of org.apache.ambari.server.configuration.ConfigurationPropertyType#PASSWORD.

Using this information, if this feature is enabled, the Ambari server should encrypt sensitive values before storing them in theambari_configuration table in the Ambari DB.

The Ambari server should encrypt sensitive configuration values if the following has been met:

  1. A master key has been setup using the ambari-server setup-security CLI (using option # 2 - Encrypt passwords stored in ambari.properties file)
  2. The Ambari server configuration property named security.server.encrypt_sensitive_data is set to true

WIP: the API still return the encrypted form; I'm not sure if this needs to be changed...

How was this patch tested?

Updated unit tests and they passed:

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 24:50 min
[INFO] Finished at: 2018-12-21T14:31:01+01:00
[INFO] Final Memory: 103M/1814M
[INFO] ------------------------------------------------------------------------

In addition to uni tests the following steps have been done to check if everything works as expected:

  1. installed the latest Ambari and replaced the setupSecurity.py and the generated JAR then restarted the server and the agents
  2. configured LDAP by running ambari-server setup-ldap (some attributes are changed in the below sample such as server name, etc...)
  3. checked the database: the manager password was stored in encrypted form
  4. synced LDAP users successfully
[root@c7401 ~]# ambari-server setup-ldap --ambari-admin-username=admin --ambari-admin-password=admin --ldap-url=TEST_LDAP_SERVER --ldap-user-class=user --ldap-user-attr=sAMAccountName --ldap-group-class=group --ldap-group-attr=cn --ldap-member-attr=member --ldap-dn=distinguishedName --ldap-base-dn=TEST_BASE_DN --ldap-bind-anonym=false --ldap-manager-dn=cn=manager,cn=Users,dc=TEST_DC,dc=hortonworks,dc=com --ldap-manager-password=TEST_PASSWORD --ldap-referral=follow --ldap-sync-username-collisions-behavior=convert --ldap-force-lowercase-usernames=false --ldap-pagination-enabled=false --ldap-ssl=false --ldap-force-setup --ldap-save-settings --ldap-enabled-ambari=true --ldap-manage-services=true --ldap-enabled-services=* --ldap-user-group-member-attr=myMemberOf
Using python  /usr/bin/python

Fetching LDAP configuration from DB.
====================
Review Settings
====================
...
Saving LDAP properties...
Saving LDAP properties finished
Ambari Server 'setup-ldap' completed successfully.


[root@c7401 ~]# ambari-server sync-ldap --all --ldap-sync-admin-name admin --ldap-sync-admin-password admin
Using python  /usr/bin/python
Syncing with LDAP...

Fetching LDAP configuration from DB.
Syncing all.................

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 9
  users:
    skipped = 0
    removed = 0
    updated = 0
    created = 1006
  groups:
    updated = 0
    removed = 0
    created = 22

Ambari Server 'sync-ldap' completed successfully.

@smolnar82 smolnar82 requested review from rlevas and a user December 21, 2018 13:55
@smolnar82 smolnar82 self-assigned this Dec 21, 2018
@asfgit
Copy link

asfgit commented Dec 21, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/4784/
Test FAILed.
Test FAILured.

ghost
ghost approved these changes Dec 21, 2018
View reviewed changes
...i-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfiguration.java Outdated
@@ -64,5 +73,38 @@ protected String getValue(String propertyName, Map<String, String> configuration
return defaultValue;
}
}

/**
* @return
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's remove or populate

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will add the missing JavaDoc; thanks for pointing out.

...in/java/org/apache/ambari/server/security/encryption/AmbariServerConfigurationEncryptor.java Outdated

@Override
public void decryptSensitiveData(AmbariServerConfiguration decryptible) {
decryptible.toMap().entrySet().stream().filter(f -> passwordConfigurations.contains(f.getKey())).filter(f -> isEncryptedPassword(f.getValue()))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how about making this code multi-line?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine by me; let me submit a new patchset soon

@asfgit
Copy link

asfgit commented Dec 21, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/4785/
Test PASSed.

@smolnar82 smolnar82 merged commit 563d508 into apache:trunk Dec 22, 2018
@smolnar82 smolnar82 deleted the AMBARI-25043 branch December 22, 2018 07:47
@smolnar82 smolnar82 mentioned this pull request Jan 14, 2019
Merged
vishalsuvagia pushed a commit to vishalsuvagia/ambari that referenced this pull request Feb 26, 2019
@smolnar82
AMBARI-25043. Sensitive Ambari configuration values are encrypted in …
eb8c69b 
…Ambari Server DB (apache#2742)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rlevas rlevas rlevas approved these changes

Assignees

@smolnar82 smolnar82

Labels
encryption security
Projects
None yet
Milestone
No milestone
3 participants
@smolnar82 @asfgit @rlevas