Merge "Remove hardcoded password for Oozie service"

releasenotes/notes/remove-hard-coded-oozie-password-b97475c8772aa1bd.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - Fixed issues with hardcoded password during creation MySQL database
+    for Oozie, bug 1541122.

sahara/plugins/vanilla/hadoop2/config.py

@@ -144,7 +144,7 @@ def _get_hadoop_configs(pctx, instance):
 
         oozie_cfg = o_helper.get_oozie_required_xml_configs(HADOOP_CONF_DIR)
         if c_helper.is_mysql_enabled(pctx, cluster):
-            oozie_cfg.update(o_helper.get_oozie_mysql_configs())
+            oozie_cfg.update(o_helper.get_oozie_mysql_configs(cluster))
 
         confs['JobFlow'] = oozie_cfg
 

sahara/plugins/vanilla/hadoop2/oozie_helper.py

@@ -12,6 +12,7 @@
 # implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+from sahara.plugins.vanilla.hadoop2 import utils as u
 
 
 def get_oozie_required_xml_configs(hadoop_conf_dir):
@@ -38,12 +39,13 @@ def get_oozie_required_xml_configs(hadoop_conf_dir):
     }
 
 
-def get_oozie_mysql_configs():
+def get_oozie_mysql_configs(cluster):
     return {
         'oozie.service.JPAService.jdbc.driver':
         'com.mysql.jdbc.Driver',
         'oozie.service.JPAService.jdbc.url':
         'jdbc:mysql://localhost:3306/oozie',
         'oozie.service.JPAService.jdbc.username': 'oozie',
-        'oozie.service.JPAService.jdbc.password': 'oozie'
+        'oozie.service.JPAService.jdbc.password': u.get_oozie_password(
+            cluster)
     }

sahara/plugins/vanilla/hadoop2/resources/create_oozie_db.sql

@@ -1,4 +1,4 @@
 create database oozie;
-grant all privileges on oozie.* to 'oozie'@'localhost' identified by 'oozie';
+grant all privileges on oozie.* to 'oozie'@'localhost' identified by 'password';
-grant all privileges on oozie.* to 'oozie'@'%' identified by 'oozie';
+grant all privileges on oozie.* to 'oozie'@'%' identified by 'password';
 exit

sahara/plugins/vanilla/hadoop2/run_scripts.py

@@ -22,6 +22,7 @@ from sahara.i18n import _
 from sahara.i18n import _LI
 from sahara.plugins import utils as pu
 from sahara.plugins.vanilla.hadoop2 import config_helper as c_helper
+from sahara.plugins.vanilla.hadoop2 import oozie_helper
 from sahara.plugins.vanilla import utils as vu
 from sahara.utils import cluster_progress_ops as cpo
 from sahara.utils import edp
@@ -88,6 +89,12 @@ def start_oozie_process(pctx, instance):
                 LOG.debug("Creating Oozie DB Schema")
                 sql_script = files.get_file_text(
                     'plugins/vanilla/hadoop2/resources/create_oozie_db.sql')
+
+                password = oozie_helper.get_oozie_mysql_configs(
+                    instance.cluster)[
+                    'oozie.service.JPAService.jdbc.password']
+                sql_script = sql_script.replace("password", password)
+
                 script_location = "create_oozie_db.sql"
                 r.write_file_to(script_location, sql_script)
                 r.execute_command('mysql -u root < %(script_location)s && '

sahara/plugins/vanilla/hadoop2/utils.py

@@ -15,7 +15,17 @@
 
 import re
 
+from oslo_log import log as logging
+
+from sahara import conductor as cond
+from sahara import context
+from sahara.i18n import _LW
 from sahara.plugins.vanilla import utils as u
+from sahara.service.castellan import utils as castellan
+
+conductor = cond.API
+
+LOG = logging.getLogger(__name__)
 
 
 def get_datanodes_status(cluster):
@@ -44,3 +54,20 @@ def get_nodemanagers_status(cluster):
         statuses[host] = status.lower()
 
     return statuses
+
+
+def get_oozie_password(cluster):
+    cluster = conductor.cluster_get(context.ctx(), cluster)
+    extra = cluster.extra.to_dict()
+    if 'oozie_pass_id' not in extra:
+        extra['oozie_pass_id'] = u.generate_random_password()
+        conductor.cluster_update(context.ctx(), cluster, {'extra': extra})
+    return castellan.get_secret(extra['oozie_pass_id'])
+
+
+def delete_oozie_password(cluster):
+    extra = cluster.extra.to_dict()
+    if 'oozie_pass_id' in extra:
+        castellan.delete_secret(extra['oozie_pass_id'])
+    else:
+        LOG.warning(_LW("Cluster hasn't Oozie password"))

sahara/plugins/vanilla/utils.py

@@ -13,7 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import uuid
+
+import six
+
 from sahara.plugins import utils as u
+from sahara.service.castellan import utils as castellan
 
 
 def get_namenode(cluster):
@@ -50,3 +55,8 @@ def get_historyserver(cluster):
 
 def get_instance_hostname(instance):
     return instance.hostname() if instance else None
+
+
+def generate_random_password():
+    password = six.text_type(uuid.uuid4())
+    return castellan.store_secret(password)

sahara/plugins/vanilla/v2_7_1/versionhandler.py

@@ -26,6 +26,7 @@ from sahara.plugins.vanilla.hadoop2 import recommendations_utils as ru
 from sahara.plugins.vanilla.hadoop2 import run_scripts as run
 from sahara.plugins.vanilla.hadoop2 import scaling as sc
 from sahara.plugins.vanilla.hadoop2 import starting_scripts as s_scripts
+from sahara.plugins.vanilla.hadoop2 import utils as u
 from sahara.plugins.vanilla.hadoop2 import validation as vl
 from sahara.plugins.vanilla import utils as vu
 from sahara.plugins.vanilla.v2_7_1 import config_helper as c_helper
@@ -142,6 +143,7 @@ class VersionHandler(avm.AbstractVersionHandler):
         return edp_engine.EdpOozieEngine.get_possible_job_config(job_type)
 
     def on_terminate_cluster(self, cluster):
+        u.delete_oozie_password(cluster)
         keypairs.drop_key(cluster)
 
     def get_open_ports(self, node_group):

sahara/tests/unit/plugins/vanilla/hadoop2/test_utils.py

@@ -64,3 +64,42 @@ class UtilsTestCase(base.SaharaTestCase):
         inst.remote.return_value = inst_remote
 
         return inst
+
+    @mock.patch('sahara.conductor.API.cluster_get')
+    @mock.patch('sahara.service.castellan.utils.get_secret')
+    @mock.patch('sahara.service.castellan.utils.store_secret')
+    @mock.patch('sahara.plugins.vanilla.utils')
+    @mock.patch('sahara.conductor.API.cluster_update')
+    def test_oozie_password(self, cluster_update, vu,
+                            store_secret, get_secret, conductor):
+        cluster = mock.MagicMock()
+        cluster.extra = mock.MagicMock()
+        cluster.extra.to_dict.return_value = {"oozie_pass_id": "31415926"}
+
+        conductor.return_value = cluster
+
+        get_secret.return_value = "oozie_pass"
+        result = u.get_oozie_password(cluster)
+
+        get_secret.assert_called_once_with("31415926")
+        vu.generate_random_password.assert_not_called()
+        self.assertEqual('oozie_pass', result)
+
+        cluster.extra.to_dict.return_value = {}
+
+        store_secret.return_value = 'oozie_pass'
+        result = u.get_oozie_password(cluster)
+        self.assertEqual('oozie_pass', result)
+
+    @mock.patch('sahara.service.castellan.utils.delete_secret')
+    def test_delete_oozie_password(self, delete_secret):
+        cluster = mock.MagicMock()
+        cluster.extra.to_dict = mock.MagicMock()
+
+        cluster.extra.to_dict.return_value = {}
+        u.delete_oozie_password(cluster)
+        delete_secret.assert_not_called()
+
+        cluster.extra.to_dict.return_value = {"oozie_pass_id": "31415926"}
+        u.delete_oozie_password(cluster)
+        delete_secret.assert_called_once_with("31415926")