def _set_file_access(file_path, access_details, default_group=None): if (file_path is not None) and os.path.isfile(file_path) and (access_details is not None): import stat import pwd import grp owner = get_property_value(access_details, 'owner/name') owner_access = get_property_value(access_details, 'owner/access', 'rw') group = get_property_value(access_details, 'group/name', default_group) group_access = get_property_value(access_details, 'group/access', '') pwnam = pwd.getpwnam(owner) if (owner is not None) and (len(owner) > 0) else None uid = pwnam.pw_uid if pwnam is not None else os.geteuid() grnam = grp.getgrnam(group) if (group is not None) and (len(group) > 0) else None gid = grnam.gr_gid if grnam is not None else os.getegid() chmod = 0 if owner_access == 'r': chmod |= stat.S_IREAD else: chmod |= stat.S_IREAD | stat.S_IWRITE if group_access == 'rw': chmod |= stat.S_IRGRP | stat.S_IWGRP elif group_access == 'r': chmod |= stat.S_IRGRP os.chmod(file_path, chmod) os.chown(file_path, uid, gid)
def test_kinit(identity, user=None): principal = get_property_value(identity, 'principal') kinit_path_local = functions.get_kinit_path() kdestroy_path_local = functions.get_kdestroy_path() if principal is not None: keytab_file = get_property_value(identity, 'keytab_file') keytab = get_property_value(identity, 'keytab') password = get_property_value(identity, 'password') # If a test keytab file is available, simply use it if (keytab_file is not None) and (os.path.isfile(keytab_file)): command = '%s -k -t %s %s' % (kinit_path_local, keytab_file, principal) Execute( command, user=user, ) return shell.checked_call(kdestroy_path_local) # If base64-encoded test keytab data is available; then decode it, write it to a temporary file # use it, and then remove the temporary file elif keytab is not None: (fd, test_keytab_file) = tempfile.mkstemp() os.write(fd, base64.b64decode(keytab)) os.close(fd) try: command = '%s -k -t %s %s' % (kinit_path_local, test_keytab_file, principal) Execute( command, user=user, ) return shell.checked_call(kdestroy_path_local) except: raise finally: if test_keytab_file is not None: os.remove(test_keytab_file) # If no keytab data is available and a password was supplied, simply use it. elif password is not None: process = subprocess.Popen([kinit_path_local, principal], stdin=subprocess.PIPE) stdout, stderr = process.communicate(password) if process.returncode: err_msg = Logger.filter_text( "Execution of kinit returned %d. %s" % (process.returncode, stderr)) raise Fail(err_msg) else: return shell.checked_call(kdestroy_path_local) else: return 0, '' else: return 0, ''
def write_keytab_file(self): import params import stat if params.kerberos_command_params is not None: for item in params.kerberos_command_params: keytab_content_base64 = get_property_value( item, 'keytab_content_base64') if (keytab_content_base64 is not None) and (len(keytab_content_base64) > 0): keytab_file_path = get_property_value( item, 'keytab_file_path') if (keytab_file_path is not None) and (len(keytab_file_path) > 0): keytab_file_path = keytab_file_path.replace( "_HOST", params.hostname) head, tail = os.path.split(keytab_file_path) if head: Directory(head, create_parents=True, mode=0755, owner="root", group="root") owner = "root" group = "root" mode = 0 mode |= stat.S_IREAD | stat.S_IWRITE mode |= stat.S_IRGRP | stat.S_IWGRP keytab_content = base64.b64decode( keytab_content_base64) # to hide content in command output def make_lambda(data): return lambda: data File(keytab_file_path, content=make_lambda(keytab_content), mode=mode, owner=owner, group=group) principal = get_property_value(item, 'principal') if principal is not None: curr_content = Script.structuredOut if "keytabs" not in curr_content: curr_content['keytabs'] = {} curr_content['keytabs'][principal.replace( "_HOST", params.hostname)] = keytab_file_path self.put_structured_out(curr_content)
def invoke_kadmin(query, admin_identity=None, default_realm=None): """ Executes the kadmin or kadmin.local command (depending on whether auth_identity is set or not and returns command result code and standard out data. :param query: the kadmin query to execute :param admin_identity: the identity for the administrative user (optional) :param default_realm: the default realm to assume :return: return_code, out """ if (query is not None) and (len(query) > 0): auth_principal = None auth_keytab_file = None if admin_identity is not None: auth_principal = get_property_value(admin_identity, 'principal') if auth_principal is None: kadmin = 'kadmin.local' credential = '' else: kadmin = 'kadmin -p "%s"' % auth_principal auth_password = get_property_value(admin_identity, 'password') if auth_password is None: auth_keytab = get_property_value(admin_identity, 'keytab') if auth_keytab is not None: (fd, auth_keytab_file) = tempfile.mkstemp() os.write(fd, base64.b64decode(auth_keytab)) os.close(fd) credential = '-k -t %s' % auth_keytab_file else: credential = '-w "%s"' % auth_password if (default_realm is not None) and (len(default_realm) > 0): realm = '-r %s' % default_realm else: realm = '' try: import params command = '%s %s %s -w %s -q "%s"' % ( kadmin, credential, realm, params.kdc_adminpassword, query.replace('"', '\\"')) return shell.checked_call(command) except: raise finally: if auth_keytab_file is not None: os.remove(auth_keytab_file)
def write_keytab_file(): import params if params.keytab_details is not None: data = get_property_value(params.keytab_details, 'data') if (data is not None) and (len(data) > 0): file_path = get_property_value(params.keytab_details, 'file-path') if (file_path is not None) and (len(file_path) > 0): with open(file_path, 'w') as f: f.write(base64.b64decode(data)) KerberosScript._set_file_access(file_path, params.keytab_details, params.default_group)
def test_kinit(identity, user=None): principal = get_property_value(identity, 'principal') kinit_path_local = functions.get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None)) kdestroy_path_local = functions.get_kdestroy_path(default('/configurations/kerberos-env/executable_search_paths', None)) if principal is not None: keytab_file = get_property_value(identity, 'keytab_file') keytab = get_property_value(identity, 'keytab') password = get_property_value(identity, 'password') # If a test keytab file is available, simply use it if (keytab_file is not None) and (os.path.isfile(keytab_file)): command = '%s -k -t %s %s' % (kinit_path_local, keytab_file, principal) Execute(command, user = user, ) return shell.checked_call(kdestroy_path_local) # If base64-encoded test keytab data is available; then decode it, write it to a temporary file # use it, and then remove the temporary file elif keytab is not None: (fd, test_keytab_file) = tempfile.mkstemp() os.write(fd, base64.b64decode(keytab)) os.close(fd) try: command = '%s -k -t %s %s' % (kinit_path_local, test_keytab_file, principal) Execute(command, user = user, ) return shell.checked_call(kdestroy_path_local) except: raise finally: if test_keytab_file is not None: os.remove(test_keytab_file) # If no keytab data is available and a password was supplied, simply use it. elif password is not None: process = subprocess.Popen([kinit_path_local, principal], stdin=subprocess.PIPE) stdout, stderr = process.communicate(password) if process.returncode: err_msg = Logger.filter_text("Execution of kinit returned %d. %s" % (process.returncode, stderr)) raise Fail(err_msg) else: return shell.checked_call(kdestroy_path_local) else: return 0, '' else: return 0, ''
def invoke_kadmin(query, admin_identity=None, default_realm=None): """ Executes the kadmin or kadmin.local command (depending on whether auth_identity is set or not and returns command result code and standard out data. :param query: the kadmin query to execute :param admin_identity: the identity for the administrative user (optional) :param default_realm: the default realm to assume :return: return_code, out """ if (query is not None) and (len(query) > 0): auth_principal = None auth_keytab_file = None if admin_identity is not None: auth_principal = get_property_value(admin_identity, 'principal') if auth_principal is None: kadmin = 'kadmin.local' credential = '' else: kadmin = 'kadmin -p "%s"' % auth_principal auth_password = get_property_value(admin_identity, 'password') if auth_password is None: auth_keytab = get_property_value(admin_identity, 'keytab') if auth_keytab is not None: (fd, auth_keytab_file) = tempfile.mkstemp() os.write(fd, base64.b64decode(auth_keytab)) os.close(fd) credential = '-k -t %s' % auth_keytab_file else: credential = '-w "%s"' % auth_password if (default_realm is not None) and (len(default_realm) > 0): realm = '-r %s' % default_realm else: realm = '' try: command = '%s %s %s -q "%s"' % (kadmin, credential, realm, query.replace('"', '\\"')) return shell.checked_call(command) except: raise finally: if auth_keytab_file is not None: os.remove(auth_keytab_file)
def test_kinit(identity): principal = get_property_value(identity, 'principal') if principal is not None: keytab_file = get_property_value(identity, 'keytab_file') keytab = get_property_value(identity, 'keytab') password = get_property_value(identity, 'password') # If a test keytab file is available, simply use it if (keytab_file is not None) and (os.path.isfile(keytab_file)): command = 'kinit -k -t %s %s' % (keytab_file, principal) shell.checked_call(command) return shell.checked_call('kdestroy') # If base64-encoded test keytab data is available; then decode it, write it to a temporary file # use it, and then remove the temporary file elif keytab is not None: (fd, test_keytab_file) = tempfile.mkstemp() os.write(fd, base64.b64decode(keytab)) os.close(fd) try: command = 'kinit -k -t %s %s' % (test_keytab_file, principal) shell.checked_call(command) return shell.checked_call('kdestroy') except: raise finally: if test_keytab_file is not None: os.remove(test_keytab_file) # If no keytab data is available and a password was supplied, simply use it. elif password is not None: process = subprocess.Popen(['kinit', principal], stdin=subprocess.PIPE) stdout, stderr = process.communicate(password) if process.returncode: err_msg = Logger.get_protected_text("Execution of kinit returned %d. %s" % (process.returncode, stderr)) raise Fail(err_msg) else: return shell.checked_call('kdestroy') else: return 0, '' else: return 0, ''
def delete_keytab_file(self): import params if params.kerberos_command_params is not None: for item in params.kerberos_command_params: keytab_file_path = get_property_value(item, 'keytab_file_path') if (keytab_file_path is not None) and (len(keytab_file_path) > 0): print 'Removing keytab file, ', keytab_file_path, "\n" remove_file(keytab_file_path) principal = get_property_value(item, 'principal') if principal is not None: curr_content = Script.structuredOut if "keytabs" not in curr_content: curr_content['keytabs'] = {} curr_content['keytabs'][principal.replace("_HOST", params.hostname)] = '_REMOVED_' self.put_structured_out(curr_content)
def delete_keytab_file(self): import params if params.kerberos_command_params is not None: for item in params.kerberos_command_params: keytab_file_path = get_property_value(item, 'keytab_file_path') if (keytab_file_path is not None) and (len(keytab_file_path) > 0): # Delete the keytab file File(keytab_file_path, action="delete") principal = get_property_value(item, 'principal') if principal is not None: curr_content = Script.structuredOut if "keytabs" not in curr_content: curr_content['keytabs'] = {} curr_content['keytabs'][principal.replace("_HOST", params.hostname)] = '_REMOVED_' self.put_structured_out(curr_content)
def _set_file_access(file_path, access_details, default_group=None): if (file_path is not None) and os.path.isfile(file_path) and (access_details is not None): import stat import pwd import grp owner = get_property_value(access_details, 'owner/name') owner_access = get_property_value(access_details, 'owner/access', 'rw') group = get_property_value(access_details, 'group/name', default_group) group_access = get_property_value(access_details, 'group/access', '') pwnam = pwd.getpwnam(owner) if (owner is not None) and ( len(owner) > 0) else None uid = pwnam.pw_uid if pwnam is not None else os.geteuid() grnam = grp.getgrnam(group) if (group is not None) and ( len(group) > 0) else None gid = grnam.gr_gid if grnam is not None else os.getegid() chmod = 0 if owner_access == 'r': chmod |= stat.S_IREAD else: chmod |= stat.S_IREAD | stat.S_IWRITE if group_access == 'rw': chmod |= stat.S_IRGRP | stat.S_IWGRP elif group_access == 'r': chmod |= stat.S_IRGRP os.chmod(file_path, chmod) os.chown(file_path, uid, gid)
def write_keytab_file(self): import params import stat if params.kerberos_command_params is not None: for item in params.kerberos_command_params: keytab_content_base64 = get_property_value(item, 'keytab_content_base64') if (keytab_content_base64 is not None) and (len(keytab_content_base64) > 0): keytab_file_path = get_property_value(item, 'keytab_file_path') if (keytab_file_path is not None) and (len(keytab_file_path) > 0): head, tail = os.path.split(keytab_file_path) if head: Directory(head, recursive=True, mode=0755, owner="root", group="root") owner = get_property_value(item, 'keytab_file_owner_name') owner_access = get_property_value(item, 'keytab_file_owner_access') group = get_property_value(item, 'keytab_file_group_name') group_access = get_property_value(item, 'keytab_file_group_access') mode = 0 if owner_access == 'rw': mode |= stat.S_IREAD | stat.S_IWRITE else: mode |= stat.S_IREAD if group_access == 'rw': mode |= stat.S_IRGRP | stat.S_IWGRP elif group_access == 'r': mode |= stat.S_IRGRP keytab_content = base64.b64decode(keytab_content_base64) # to hide content in command output def make_lambda(data): return lambda: data File(keytab_file_path, content=make_lambda(keytab_content), mode=mode, owner=owner, group=group) principal = get_property_value(item, 'principal') if principal is not None: curr_content = Script.structuredOut if "keytabs" not in curr_content: curr_content['keytabs'] = {} curr_content['keytabs'][principal.replace("_HOST", params.hostname)] = keytab_file_path self.put_structured_out(curr_content)
def create_principal(identity, auth_identity=None): success = False if identity is not None: principal = get_property_value(identity, 'principal') if (principal is not None) and (len(principal) > 0): password = get_property_value(identity, 'password') if password is None: credentials = '-randkey' else: credentials = '-pw "%s"' % password try: result_code, out = KerberosScript.invoke_kadmin( 'addprinc %s %s' % (credentials, principal), auth_identity) success = (result_code == 0) except: raise Fail("Failed to create principal: %s" % principal) return success
def principal_exists(identity, auth_identity=None): exists = False if identity is not None: principal = get_property_value(identity, 'principal') if (principal is not None) and (len(principal) > 0): try: result_code, output = KerberosScript.invoke_kadmin('getprinc %s' % principal, auth_identity) exists = (output is not None) and (("Principal: %s" % principal) in output) except: raise Fail("Failed to determine if principal exists: %s" % principal) return exists
kdc_server_host = None cluster_host_info = None kdb5_util_path = "kdb5_util" kdamin_pid_path = "/var/run/kadmind.pid" krb5kdc_pid_path = "/var/run/krb5kdc.pid" smoke_test_principal = None smoke_test_keytab_file = None # If a test keytab file is available, simply use it if config is not None: command_params = get_property_value(config, "commandParams") if command_params is not None: keytab_details = get_unstructured_data(command_params, "keytab") configurations = get_property_value(config, "configurations") if configurations is not None: cluster_env = get_property_value(configurations, "cluster-env") if cluster_env is not None: smoke_test_principal = get_property_value(cluster_env, "smokeuser") smoke_test_keytab_file = get_property_value(cluster_env, "smokeuser_keytab") default_group = get_property_value(cluster_env, "user_group") if default_group is None: default_group = get_property_value(cluster_env, "user-group")
def test_get_property(self): package_dir = os.path.join(RMFTestCase._getCommonServicesFolder(), self.COMMON_SERVICES_PACKAGE_DIR) scripts_dir = os.path.join(package_dir, "scripts") sys.path += [scripts_dir] from utils import get_property_value d = { 'non_empty': "Nonempty value", 'unicode_non_empty': u"Nonempty value", 'number': 33, 'number_string': "33", 'empty': "", 'unicode_empty': u"", 'whitespace': " ", 'unicode_whitespace': u" ", 'none': None, } self.assertEqual('Nonempty value', get_property_value(d, 'non_empty')) self.assertEqual('Nonempty value', get_property_value(d, 'non_empty', None, True, None)) self.assertEqual('Nonempty value', get_property_value(d, 'unicode_non_empty')) self.assertEqual( 'Nonempty value', get_property_value(d, 'unicode_non_empty', None, True, None)) self.assertEqual('33', get_property_value(d, 'number_string')) self.assertEqual( '33', get_property_value(d, 'number_string', None, True, None)) self.assertEqual(33, get_property_value(d, 'number')) self.assertEqual(33, get_property_value(d, 'number', None, True, None)) self.assertEqual('', get_property_value(d, 'empty')) self.assertEqual( "I'm empty", get_property_value(d, 'empty', None, True, "I'm empty")) self.assertEqual( '', get_property_value(d, 'empty', None, False, "I'm empty")) self.assertEqual('', get_property_value(d, 'unicode_empty')) self.assertEqual( "I'm empty", get_property_value(d, 'unicode_empty', None, True, "I'm empty")) self.assertEqual( '', get_property_value(d, 'unicode_empty', None, False, "I'm empty")) self.assertEqual(" ", get_property_value(d, 'whitespace')) self.assertEqual( "I'm empty", get_property_value(d, 'whitespace', None, True, "I'm empty")) self.assertEqual( ' ', get_property_value(d, 'whitespace', None, False, "I'm empty")) self.assertEqual(" ", get_property_value(d, 'unicode_whitespace')) self.assertEqual( "I'm empty", get_property_value(d, 'unicode_whitespace', None, True, "I'm empty")) self.assertEqual( ' ', get_property_value(d, 'unicode_whitespace', None, False, "I'm empty")) self.assertEqual(None, get_property_value(d, 'none')) self.assertEqual( "I'm empty", get_property_value(d, 'none', None, True, "I'm empty")) self.assertEqual( None, get_property_value(d, 'none', None, False, "I'm empty")) self.assertEqual("I'm empty", get_property_value(d, 'none', '', True, "I'm empty")) self.assertEqual("", get_property_value(d, 'none', '', False, "I'm empty"))
smoke_user = '******' manage_identities = 'true' artifact_dir = format("{tmp_dir}/AMBARI-artifacts/") jce_policy_zip = default("/hostLevelParams/jce_name", None) # None when jdk is already installed by user jce_location = config['hostLevelParams']['jdk_location'] jdk_name = default("/hostLevelParams/jdk_name", None) java_home = config['hostLevelParams']['java_home'] java_version = expect("/hostLevelParams/java_version", int) security_enabled = config['configurations']['cluster-env']['security_enabled'] if config is not None: kerberos_command_params = get_property_value(config, 'kerberosCommandParams') cluster_host_info = get_property_value(config, 'clusterHostInfo') if cluster_host_info is not None: kdc_server_hosts = get_property_value(cluster_host_info, 'kdc_server_hosts') if (kdc_server_hosts is not None) and (len(kdc_server_hosts) > 0): kdc_server_host = kdc_server_hosts[0] configurations = get_property_value(config, 'configurations') if configurations is not None: cluster_env = get_property_value(configurations, 'cluster-env') if cluster_env is not None: smoke_test_principal = get_property_value(
def keytab_has_principal(kerberos_record, hostname): principal = get_property_value(kerberos_record, 'principal').replace("_HOST", hostname) keytab = get_property_value(kerberos_record, 'keytab_file_path') klist = Klist.find_in_search_path() return principal in klist.list_principals(keytab)
def keytab_exists(kerberos_record): return sudo.path_exists( get_property_value(kerberos_record, 'keytab_file_path'))
def fromKerberosRecord(item, hostname): return MissingKeytabs.Identity( get_property_value(item, 'principal').replace("_HOST", hostname), get_property_value(item, 'keytab_file_path'))
hostname = config['hostname'] kdb5_util_path = 'kdb5_util' kdamin_pid_path = '/var/run/kadmind.pid' krb5kdc_pid_path = '/var/run/krb5kdc.pid' smoke_test_principal = None smoke_test_keytab_file = None smoke_user = config['configurations']['cluster-env']['smokeuser'] # If a test keytab file is available, simply use it if config is not None: command_params = get_property_value(config, 'commandParams') if command_params is not None: keytab_details = get_unstructured_data(command_params, 'keytab') kerberos_command_params = get_property_value(config, 'kerberosCommandParams') configurations = get_property_value(config, 'configurations') if configurations is not None: cluster_env = get_property_value(configurations, 'cluster-env') if cluster_env is not None: smoke_test_principal = get_property_value( cluster_env, 'smokeuser_principal_name', None, True, None) smoke_test_keytab_file = get_property_value( cluster_env, 'smokeuser_keytab', None, True, None)
def test_get_property(self): package_dir = os.path.join(RMFTestCase._getCommonServicesFolder(), self.COMMON_SERVICES_PACKAGE_DIR) scripts_dir = os.path.join(package_dir, "scripts") sys.path += [scripts_dir] from utils import get_property_value d = { 'non_empty' : "Nonempty value", 'unicode_non_empty' : u"Nonempty value", 'number' : 33, 'number_string' : "33", 'empty' : "", 'unicode_empty' : u"", 'whitespace' : " ", 'unicode_whitespace' : u" ", 'none' : None, } self.assertEqual('Nonempty value', get_property_value(d, 'non_empty')) self.assertEqual('Nonempty value', get_property_value(d, 'non_empty', None, True, None)) self.assertEqual('Nonempty value', get_property_value(d, 'unicode_non_empty')) self.assertEqual('Nonempty value', get_property_value(d, 'unicode_non_empty', None, True, None)) self.assertEqual('33', get_property_value(d, 'number_string')) self.assertEqual('33', get_property_value(d, 'number_string', None, True, None)) self.assertEqual(33, get_property_value(d, 'number')) self.assertEqual(33, get_property_value(d, 'number', None, True, None)) self.assertEqual('', get_property_value(d, 'empty')) self.assertEqual("I'm empty", get_property_value(d, 'empty', None, True, "I'm empty")) self.assertEqual('', get_property_value(d, 'empty', None, False, "I'm empty")) self.assertEqual('', get_property_value(d, 'unicode_empty')) self.assertEqual("I'm empty", get_property_value(d, 'unicode_empty', None, True, "I'm empty")) self.assertEqual('', get_property_value(d, 'unicode_empty', None, False, "I'm empty")) self.assertEqual(" ", get_property_value(d, 'whitespace')) self.assertEqual("I'm empty", get_property_value(d, 'whitespace', None, True, "I'm empty")) self.assertEqual(' ', get_property_value(d, 'whitespace', None, False, "I'm empty")) self.assertEqual(" ", get_property_value(d, 'unicode_whitespace')) self.assertEqual("I'm empty", get_property_value(d, 'unicode_whitespace', None, True, "I'm empty")) self.assertEqual(' ', get_property_value(d, 'unicode_whitespace', None, False, "I'm empty")) self.assertEqual(None, get_property_value(d, 'none')) self.assertEqual("I'm empty", get_property_value(d, 'none', None, True, "I'm empty")) self.assertEqual(None, get_property_value(d, 'none', None, False, "I'm empty")) self.assertEqual("I'm empty", get_property_value(d, 'none', '', True, "I'm empty")) self.assertEqual("", get_property_value(d, 'none', '', False, "I'm empty"))
smoke_user = '******' manage_identities = 'true' artifact_dir = format("{tmp_dir}/AMBARI-artifacts/") jce_policy_zip = default("/hostLevelParams/jce_name", None) # None when jdk is already installed by user jce_location = config['hostLevelParams']['jdk_location'] jdk_name = default("/hostLevelParams/jdk_name", None) java_home = config['hostLevelParams']['java_home'] java_version = int(config['hostLevelParams']['java_version']) security_enabled = config['configurations']['cluster-env']['security_enabled'] if config is not None: kerberos_command_params = get_property_value(config, 'kerberosCommandParams') cluster_host_info = get_property_value(config, 'clusterHostInfo') if cluster_host_info is not None: kdc_server_hosts = get_property_value(cluster_host_info, 'kdc_server_hosts') if (kdc_server_hosts is not None) and (len(kdc_server_hosts) > 0): kdc_server_host = kdc_server_hosts[0] configurations = get_property_value(config, 'configurations') if configurations is not None: cluster_env = get_property_value(configurations, 'cluster-env') if cluster_env is not None: smoke_test_principal = get_property_value(cluster_env, 'smokeuser_principal_name', None, True, None) smoke_test_keytab_file = get_property_value(cluster_env, 'smokeuser_keytab', None, True, None)