Author: jaimin
Date: Thu Mar 14 00:33:10 2013
New Revision: 1456293

URL: http://svn.apache.org/r1456293
Log:
AMBARI-1634. Integrate Frontend Security work to enable security on Oozie, 
Hive, and WebHCat Server. (jaimin)

Modified:
    incubator/ambari/trunk/CHANGES.txt
    incubator/ambari/trunk/ambari-web/app/controllers/main/admin.js
    
incubator/ambari/trunk/ambari-web/app/controllers/main/admin/security/add/step3.js
    incubator/ambari/trunk/ambari-web/app/data/secure_configs.js
    incubator/ambari/trunk/ambari-web/app/data/secure_mapping.js
    incubator/ambari/trunk/ambari-web/app/data/secure_properties.js

Modified: incubator/ambari/trunk/CHANGES.txt
URL: 
http://svn.apache.org/viewvc/incubator/ambari/trunk/CHANGES.txt?rev=1456293&r1=1456292&r2=1456293&view=diff
==============================================================================
--- incubator/ambari/trunk/CHANGES.txt (original)
+++ incubator/ambari/trunk/CHANGES.txt Thu Mar 14 00:33:10 2013
@@ -11,6 +11,9 @@ Trunk (unreleased changes):
  INCOMPATIBLE CHANGES 
 
  NEW FEATURES
+ 
+ AMBARI-1634. Integrate Frontend Security work to enable security on
+ Oozie, Hive, and WebHCat Server. (jaimin)
 
  AMBARI-1633. Reassign Master Wizard - Step 5. (yusaku)
 

Modified: incubator/ambari/trunk/ambari-web/app/controllers/main/admin.js
URL: 
http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-web/app/controllers/main/admin.js?rev=1456293&r1=1456292&r2=1456293&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-web/app/controllers/main/admin.js (original)
+++ incubator/ambari/trunk/ambari-web/app/controllers/main/admin.js Thu Mar 14 
00:33:10 2013
@@ -119,12 +119,17 @@ App.MainAdminController = Em.Controller.
     if (configs['mapred_user']) {
       serviceUsers.pushObject({id: 'puppet var', name: 'mapred_user', value: 
configs['mapred_user']});
     } else {
-      serviceUsers.pushObject({id: 'puppet var', name: 'hdfs_user', value: 
'mapred'});
+      serviceUsers.pushObject({id: 'puppet var', name: 'mapred_user', value: 
'mapred'});
     }
     if (configs['hbase_user']) {
       serviceUsers.pushObject({id: 'puppet var', name: 'hbase_user', value: 
configs['hbase_user']});
     } else {
-      serviceUsers.pushObject({id: 'puppet var', name: 'hdfs_user', value: 
'hbase'});
+      serviceUsers.pushObject({id: 'puppet var', name: 'hbase_user', value: 
'hbase'});
+    }
+    if (configs['hive_user']) {
+      serviceUsers.pushObject({id: 'puppet var', name: 'hive_user', value: 
configs['hive_user']});
+    } else {
+      serviceUsers.pushObject({id: 'puppet var', name: 'hive_user', value: 
'hive'});
     }
   }
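Review bot: The three `if (configs['x_user']) … else …` arms differ only in the property name and the fallback string, which is the kind of duplication that let the `hdfs_user` copy-paste error corrected here go unnoticed. A table-driven loop would remove that class of mistake, for example iterating over `{mapred_user: 'mapred', hbase_user: 'hbase', hive_user: 'hive'}` and pushing `{id: 'puppet var', name: name, value: configs[name] || defaults[name]}`. The same defaults are repeated in the test-mode branch of step3.js (hunk at -303), so the two lists must be kept in sync by hand; several of these names are template inputs for the `hadoop.security.auth_to_local` rules in secure_mapping.js, so a wrong name would presumably map a principal to the wrong local user. The enclosing function starts outside the hunk.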
 

Modified: 
incubator/ambari/trunk/ambari-web/app/controllers/main/admin/security/add/step3.js
URL: 
http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-web/app/controllers/main/admin/security/add/step3.js?rev=1456293&r1=1456292&r2=1456293&view=diff
==============================================================================
--- 
incubator/ambari/trunk/ambari-web/app/controllers/main/admin/security/add/step3.js
 (original)
+++ 
incubator/ambari/trunk/ambari-web/app/controllers/main/admin/security/add/step3.js
 Thu Mar 14 00:33:10 2013
@@ -27,6 +27,17 @@ App.MainAdminSecurityAddStep3Controller 
   secureServices: [],
   serviceConfigTags: [],
   globalProperties: [],
+
+  isSubmitDisabled: true,
+
+  isOozieSelected: function () {
+    return this.get('content.services').someProperty('serviceName', 'OOZIE');
+  }.property('content.services'),
+
+  isWebHcatSelected: function () {
+    return this.get('content.services').someProperty('serviceName', 'WEBHCAT');
+  }.property('content.services'),
+
   serviceUsersBinding: 'App.router.mainAdminController.serviceUsers',
   hasHostPopup:true,
   services:[],
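Review bot: `isOozieSelected` and `isWebHcatSelected` declare `.property('content.services')`, which invalidates the cached value only when the `services` reference is replaced, not when items are added to or removed from the same array. If the wizard mutates the array in place, the cached answer goes stale and the principal-building branch later in this file would choose the wrong suffix; depending on `'content.services.@each.serviceName'` covers both cases. Both getters also call `someProperty` on `this.get('content.services')` without a guard, so they throw if `content.services` is not yet set; whether that can happen is not visible from this hunk.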
@@ -34,6 +45,7 @@ App.MainAdminSecurityAddStep3Controller 
 
   clearStep: function () {
     this.get('stages').clear();
+    this.set('isSubmitDisabled',true);
   },
 
   loadStep: function () {
@@ -171,9 +183,17 @@ App.MainAdminSecurityAddStep3Controller 
       newValue = globalProperty.value;
       var isInstanceName = this.get('globalProperties').findProperty('name', 
'instance_name');
       if (isInstanceName) {
-        if (/primary_name?$/.test(globalProperty.name) && property !== 
'hadoop.security.auth_to_local') {
-          if (!/_HOST?$/.test(newValue)) {
-            newValue = newValue + '/_HOST';
+        if (/primary_name?$/.test(globalProperty.name) && property !== 
'hadoop.security.auth_to_local' && property !== 
'oozie.authentication.kerberos.name.rules') {
+          if (this.get('isOozieSelected') && (property === 
'oozie.service.HadoopAccessorService.kerberos.principal' || property === 
'oozie.authentication.kerberos.principal')) {
+            var oozieServerName = 
App.Service.find('OOZIE').get('hostComponents').findProperty('componentName', 
'OOZIE_SERVER').get('host.hostName');
+            newValue = newValue + '/' + oozieServerName;
+          } else if (this.get('isWebHcatSelected') && property === 
'templeton.kerberos.principal') {
+            var webHcatName = 
App.Service.find('WEBHCAT').get('hostComponents').findProperty('componentName', 
'WEBHCAT_SERVER').get('host.hostName');
+            newValue = newValue + '/' + webHcatName;
+          } else {
+            if (!/_HOST?$/.test(newValue)) {
+              newValue = newValue + '/_HOST';
+            }
           }
         }
       }
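Review bot: Both new branches chain `.findProperty('componentName', …).get('host.hostName')` with no check, so if the OOZIE_SERVER or WEBHCAT_SERVER host component is not loaded, `findProperty` returns undefined and config generation fails with a TypeError. `isOozieSelected` and `isWebHcatSelected` only inspect `content.services`, which does not prove the host component exists. Resolve the component first, e.g. `var oozieServer = App.Service.find('OOZIE').get('hostComponents').findProperty('componentName', 'OOZIE_SERVER');`, then append only under `if (oozieServer && oozieServer.get('host.hostName')) { … }`, and decide explicitly what the principal should be otherwise. Unlike the `_HOST` branch, these branches append `'/' + host` unconditionally, so a primary name that already carries an instance part would yield a malformed Kerberos principal. The enclosing function starts and ends outside the hunk.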
@@ -303,6 +323,7 @@ App.MainAdminSecurityAddStep3Controller 
       serviceUsers.pushObject({id: 'puppet var', name: 'hdfs_user', value: 
'hdfs'});
       serviceUsers.pushObject({id: 'puppet var', name: 'mapred_user', value: 
'mapred'});
       serviceUsers.pushObject({id: 'puppet var', name: 'hbase_user', value: 
'hbase'});
+      serviceUsers.pushObject({id: 'puppet var', name: 'hive_user', value: 
'hive'});
     } else {
       App.router.get('mainAdminController').getHDFSDetailsFromServer();
     }
@@ -482,8 +503,8 @@ App.MainAdminSecurityAddStep3Controller 
   moveToNextStage: function () {
     var nextStage = this.get('stages').findProperty('isStarted', false);
     if (nextStage) {
-      // 
this.get('content').saveCurrentStage(nextStage.get('stage').charAt(nextStage.get('stage').length
 - 1));
       nextStage.set('isStarted', true);
+      this.set('isSubmitDisabled', true);
     } else {
       this.set('isSubmitDisabled', false);
     }
@@ -521,7 +542,6 @@ App.MainAdminSecurityAddStep3Controller 
         console.log("TRACE: In error function for the 
getServiceConfigsFromServer call");
         console.log("TRACE: value of the url is: " + url);
         console.log("TRACE: error code status is: " + request.status);
-
       },
 
       statusCode: require('data/statusCodes')

Modified: incubator/ambari/trunk/ambari-web/app/data/secure_configs.js
URL: 
http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-web/app/data/secure_configs.js?rev=1456293&r1=1456292&r2=1456293&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-web/app/data/secure_configs.js (original)
+++ incubator/ambari/trunk/ambari-web/app/data/secure_configs.js Thu Mar 14 
00:33:10 2013
@@ -40,7 +40,7 @@ module.exports = [
     configCategories: [
       App.ServiceConfigCategory.create({ name: 'General', displayName: 
'General'}),
       App.ServiceConfigCategory.create({ name: 'NameNode', displayName: 
'NameNode'}),
-     // App.ServiceConfigCategory.create({ name: 'SNameNode'}),
+      App.ServiceConfigCategory.create({ name: 'SNameNode',displayName: 
'SNameNode'}),
       App.ServiceConfigCategory.create({ name: 'DataNode', displayName: 
'DataNode'})
     ],
     configs: configProperties.filterProperty('serviceName', 'HDFS')
@@ -86,7 +86,7 @@ module.exports = [
       App.ServiceConfigCategory.create({ name: 'RegionServer', displayName: 
'RegionServer'})
     ],
     configs: configProperties.filterProperty('serviceName', 'HBASE')
-  }
+  },
   /*
   {
     serviceName: 'ZOOKEEPER',
@@ -97,7 +97,7 @@ module.exports = [
     configs: configProperties.filterProperty('serviceName', 'ZOOKEEPER')
 
   },
-
+   */
 
   {
     serviceName: 'OOZIE',
@@ -107,6 +107,6 @@ module.exports = [
       App.ServiceConfigCategory.create({ name: 'Oozie Server'})
     ],
     configs: configProperties.filterProperty('serviceName', 'OOZIE')
-  },
-  */
+  }
+
 ];
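Review bot: The OOZIE entry this change activates creates its category as `App.ServiceConfigCategory.create({ name: 'Oozie Server'})` with no `displayName`, while every other category visible in this file passes one and the SNameNode line re-enabled in the first hunk had one added. If the view renders `displayName`, which is not visible here, the Oozie section would show without a heading; `App.ServiceConfigCategory.create({ name: 'Oozie Server', displayName: 'Oozie Server'})` keeps it consistent.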

Modified: incubator/ambari/trunk/ambari-web/app/data/secure_mapping.js
URL: 
http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-web/app/data/secure_mapping.js?rev=1456293&r1=1456292&r2=1456293&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-web/app/data/secure_mapping.js (original)
+++ incubator/ambari/trunk/ambari-web/app/data/secure_mapping.js Thu Mar 14 
00:33:10 2013
@@ -34,13 +34,11 @@ module.exports = [
 
   {
     "name": "hadoop.security.auth_to_local",
-    "templateName": ["jobtracker_primary_name", "kerberos_domain", 
"mapred_user", "tasktracker_primary_name","namenode_primary_name", "hdfs_user", 
"datanode_primary_name", "hbase_master_primary_name", "hbase_user", 
"regionserver_primary_name"],
+    "templateName": ["jobtracker_primary_name", "kerberos_domain", 
"mapred_user", "tasktracker_primary_name", "namenode_primary_name", 
"hdfs_user", "datanode_primary_name", "hbase_master_primary_name", 
"hbase_user", "regionserver_primary_name"],
     "foreignKey": null,
     "value": 
"RULE:[2:$1@$0](<templateName[0]>@.*<templateName[1]>)s/.*/<templateName[2]>/ 
RULE:[2:$1@$0](<templateName[3]>@.*<templateName[1]>)s/.*/<templateName[2]>/ 
RULE:[2:$1@$0](<templateName[4]>@.*<templateName[1]>)s/.*/<templateName[5]>/ 
RULE:[2:$1@$0](<templateName[6]>@.*<templateName[1]>)s/.*/<templateName[5]>/ 
RULE:[2:$1@$0](<templateName[7]>@.*<templateName[1]>)s/.*/<templateName[8]>/ 
RULE:[2:$1@$0](<templateName[9]>@.*<templateName[1]>)s/.*/<templateName[8]>/ 
DEFAULT",
     "filename": "core-site.xml"
   },
-
-
   {
     "name": "dfs.namenode.kerberos.principal",
     "templateName": ["namenode_primary_name", "kerberos_domain"],
@@ -64,7 +62,7 @@ module.exports = [
   },
   {
     "name": "dfs.secondary.namenode.keytab.file",
-    "templateName": ["namenode_keytab"],
+    "templateName": ["snamenode_keytab"],
     "foreignKey": null,
     "value": "<templateName[0]>",
     "filename": "hdfs-site.xml"
@@ -224,18 +222,96 @@ module.exports = [
     "filename": "hive-site.xml"
   },
   {
+    "name": "oozie.service.AuthorizationService.security.enabled",
+    "templateName": [],
+    "foreignKey": null,
+    "value": "true",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.service.HadoopAccessorService.kerberos.enabled",
+    "templateName": [],
+    "foreignKey": null,
+    "value": "true",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "local.realm",
+    "templateName": ["kerberos_domain"],
+    "foreignKey": null,
+    "value": "<templateName[0]>",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.service.HadoopAccessorService.keytab.file",
+    "templateName": ["oozie_keytab"],
+    "foreignKey": null,
+    "value": "<templateName[0]>",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.service.HadoopAccessorService.kerberos.principal",
+    "templateName": ["oozie_primary_name", "kerberos_domain"],
+    "foreignKey": null,
+    "value": "<templateName[0]>@<templateName[1]>",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.authentication.type",
+    "templateName": [],
+    "foreignKey": null,
+    "value": "kerberos",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.authentication.kerberos.principal",
+    "templateName": ["oozie_http_primary_name", "kerberos_domain"],
+    "foreignKey": null,
+    "value": "<templateName[0]>@<templateName[1]>",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.authentication.kerberos.keytab",
+    "templateName": ["oozie_http_keytab"],
+    "foreignKey": null,
+    "value": "<templateName[0]>",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.authentication.kerberos.name.rules",
+    "templateName": ["jobtracker_primary_name", "kerberos_domain", 
"mapred_user", "tasktracker_primary_name", "namenode_primary_name", 
"hdfs_user", "datanode_primary_name", "hbase_master_primary_name", 
"hbase_user", "regionserver_primary_name"],
+    "foreignKey": null,
+    "value": 
"RULE:[2:$1@$0](<templateName[0]>@.*<templateName[1]>)s/.*/<templateName[2]>/ 
RULE:[2:$1@$0](<templateName[3]>@.*<templateName[1]>)s/.*/<templateName[2]>/ 
RULE:[2:$1@$0](<templateName[4]>@.*<templateName[1]>)s/.*/<templateName[5]>/ 
RULE:[2:$1@$0](<templateName[6]>@.*<templateName[1]>)s/.*/<templateName[5]>/ 
RULE:[2:$1@$0](<templateName[7]>@.*<templateName[1]>)s/.*/<templateName[8]>/ 
RULE:[2:$1@$0](<templateName[9]>@.*<templateName[1]>)s/.*/<templateName[8]>/ 
DEFAULT",
+    "filename": "oozie-site.xml"
+  },
+  {
     "name": "templeton.kerberos.principal",
     "templateName": ["webhcat_http_primary_name", "kerberos_domain"],
     "foreignKey": null,
     "value": "<templateName[0]>@<templateName[1]>",
-    "filename": "hive-site.xml"
+    "filename": "webhcat-site.xml"
   },
   {
     "name": "templeton.kerberos.keytab",
     "templateName": ["webhcat_http_keytab"],
     "foreignKey": null,
     "value": "<templateName[0]>",
-    "filename": "hive-site.xml"
+    "filename": "webhcat-site.xml"
+  },
+  {
+    "name": "templeton.kerberos.secret",
+    "templateName": [""],
+    "foreignKey": null,
+    "value": "secret",
+    "filename": "webhcat-site.xml"
+  },
+  {
+    "name": "templeton.kerberos.properties",
+    "templateName": ["hive_user"],
+    "foreignKey": null,
+    "value": "hive.metastore.local=false, 
hive.metastore.uris=thrift://MetastoreHost_FQDN:9083, hive.q" +
+      "metastore.sasl.enabled=true,hive.metastore.execute.setugi= true, 
hive.exec.mode.local.auto=false, 
hive.metastore.kerberos.principal=<templateName[0]>/[email protected]",
+    "filename": "webhcat-site.xml"
   }
 ];
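Review bot: `templeton.kerberos.secret` is written to webhcat-site.xml with the fixed literal `"secret"`, so every cluster secured through this wizard would share the same publicly known value; if, as in Hadoop's HTTP authentication filter, this secret signs the authentication cookie, a known value means the signature no longer protects it. Generate a random per-cluster value or make it a required user-supplied property instead of a constant (its `"templateName": [""]` should also be `[]` like the other constant entries). In `templeton.kerberos.properties`, the concatenation `"… hive.q" + "metastore.sasl.enabled=true…"` produces the key `hive.qmetastore.sasl.enabled`, which looks like a typo for `hive.metastore.sasl.enabled`. That value also still contains the literal placeholder `MetastoreHost_FQDN` and what appears to be a fixed realm rather than `kerberos_domain` (that part of the line is obscured in this archive), so the generated file would need manual correction before WebHCat can reach a secured metastore.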
 

Modified: incubator/ambari/trunk/ambari-web/app/data/secure_properties.js
URL: 
http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-web/app/data/secure_properties.js?rev=1456293&r1=1456292&r2=1456293&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-web/app/data/secure_properties.js (original)
+++ incubator/ambari/trunk/ambari-web/app/data/secure_properties.js Thu Mar 14 
00:33:10 2013
@@ -139,24 +139,26 @@ module.exports =
       "serviceName": "HDFS",
       "category": "General"
     },
-    {
-      "id": "puppet var",
-      "name": "snamenode_primary_name",
-      "displayName": "primary name",
-      "value": "",
-      "defaultValue": "sn",
-      "description": "Primary name for SecondaryNameNode",
-      "displayType": "principal",
-      "isVisible": true,
-      "serviceName": "HDFS",
-      "category": "SNameNode"
-    },
+    /*
+     {
+     "id": "puppet var",
+     "name": "snamenode_primary_name",
+     "displayName": "primary name",
+     "value": "",
+     "defaultValue": "sn",
+     "description": "Primary name for SecondaryNameNode",
+     "displayType": "principal",
+     "isVisible": true,
+     "serviceName": "HDFS",
+     "category": "SNameNode"
+     },
+     */
     {
       "id": "puppet var",
       "name": "snamenode_keytab",
       "displayName": "Path to keytab file",
       "value": "",
-      "defaultValue": "/etc/security/keytabs/nn.service.keytab",
+      "defaultValue": "/etc/security/keytabs/sn.service.keytab",
       "description": "path to SecondaryNameNode keytab file",
       "displayType": "directory",
       "isVisible": true,
@@ -305,7 +307,7 @@ module.exports =
       "name": "hive_metastore__keytab",
       "displayName": "Path to Keytab file",
       "value": "",
-      "defaultValue": "/etc/security/keytabs",
+      "defaultValue": "/etc/security/keytabs/hive.service.keytab",
       "description": "keytab for Hive Metastore",
       "displayType": "directory",
       "isVisible": true,
@@ -317,6 +319,18 @@ module.exports =
     //OOZIE
     {
       "id": "puppet var",
+      "name": "oozie_server_name",
+      "displayName": "Oozie server host",
+      "value": "",
+      "defaultValue": "",
+      "description": "Oozie server host",
+      "displayType": "masterHosts",
+      "isVisible": false,
+      "serviceName": "OOZIE",
+      "category": "Oozie Server"
+    },
+    {
+      "id": "puppet var",
       "name": "oozie_primary_name",
       "displayName": "primary name",
       "value": "",
@@ -332,7 +346,7 @@ module.exports =
       "name": "oozie_keytab",
       "displayName": "Path to keytab file",
       "value": "",
-      "defaultValue": "/etc/security/keytabs",
+      "defaultValue": "/etc/security/keytabs/oozie.service.keytab",
       "description": "Keytab for Oozie server",
       "displayType": "directory",
       "isVisible": true,
@@ -357,7 +371,7 @@ module.exports =
       "name": "oozie_http_keytab",
       "displayName": "Path to HTTP Keytab file",
       "value": "",
-      "defaultValue": "/etc/security/keytabs",
+      "defaultValue": "/etc/security/keytabs/spnego.service.keytab",
       "description": "Keytab for http Oozie server",
       "displayType": "directory",
       "isVisible": true,
@@ -385,7 +399,7 @@ module.exports =
       "name": "webhcat_http_keytab",
       "displayName": "Path to HTTP Keytab file",
       "value": "",
-      "defaultValue": "/etc/security/keytabs",
+      "defaultValue": "/etc/security/keytabs/spnego.service.keytab",
       "description": "Keytab for http webHCat",
       "displayType": "directory",
       "isVisible": true,
@@ -394,6 +408,7 @@ module.exports =
     },
     //HUE
 
+
     //NAGIOS
     {
       "id": "puppet var",

