Author: jaimin
Date: Thu May 30 21:01:14 2013
New Revision: 1488012
URL: http://svn.apache.org/r1488012
Log:
AMBARI-2225. Security fixes with HBase service check. (jaimin)
Modified:
incubator/ambari/trunk/CHANGES.txt
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/hbase/service_check.pp
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/init.pp
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/params.pp
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/templates/hbase_grant_permissions.erb
Modified: incubator/ambari/trunk/CHANGES.txt
URL:
http://svn.apache.org/viewvc/incubator/ambari/trunk/CHANGES.txt?rev=1488012&r1=1488011&r2=1488012&view=diff
==============================================================================
--- incubator/ambari/trunk/CHANGES.txt (original)
+++ incubator/ambari/trunk/CHANGES.txt Thu May 30 21:01:14 2013
@@ -907,6 +907,8 @@ Trunk (unreleased changes):
BUG FIXES
+ AMBARI-2225. Security fixes with HBase service check. (jaimin)
+
AMBARI-2233. Ensure version values are used appropriately throughout
Ambari. (smohanty)
Modified:
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/hbase/service_check.pp
URL:
http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/hbase/service_check.pp?rev=1488012&r1=1488011&r2=1488012&view=diff
==============================================================================
---
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/hbase/service_check.pp
(original)
+++
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/hbase/service_check.pp
Thu May 30 21:01:14 2013
@@ -18,15 +18,18 @@
# under the License.
#
#
-class hdp-hbase::hbase::service_check()
+class hdp-hbase::hbase::service_check() inherits hdp-hbase::params
{
$smoke_test_user = $hdp::params::smokeuser
-
+ $security_enabled = $hdp::params::security_enabled
$output_file = "/apps/hbase/data/ambarismoketest"
$conf_dir = $hdp::params::hbase_conf_dir
-
+ $smoke_user_keytab =
"${hdp-hbase::params::keytab_path}/${smoke_test_user}.headless.keytab"
+ $hbase_user = $hdp-hbase::params::hbase_user
+ $hbase_keytab =
"${hdp-hbase::params::keytab_path}/${hbase_user}.headless.keytab"
$test_cmd = "fs -test -e ${output_file}"
$serviceCheckData = hdp_unique_id_and_date()
+ $kinit_cmd = "${hdp::params::kinit_path_local} -kt ${smoke_user_keytab}
${smoke_test_user};"
anchor { 'hdp-hbase::hbase::service_check::begin':}
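Review bot: `$hbase_keytab` is built from a fixed naming convention (`${keytab_path}/${hbase_user}.headless.keytab`) and the later kinit uses the bare `$hbase_user` as principal, whereas the block this commit removes from init.pp read `$hdp-hbase::params::hbase_keytab_path` and `hbase_master_principal`. On a cluster whose HBase keytab or principal does not follow that convention, or whose principal carries a non-default realm, the kinit would presumably fail and the cause would not be obvious from the manifest. I would route both values through `hdp_default(...)` with the convention as the default, as `$keytab_path` is in params.pp, and add a comment such as `# keytab and principal default to the headless convention; override via params on clusters that differ`. The class body continues outside this hunk.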
@@ -42,9 +45,16 @@ class hdp-hbase::hbase::service_check()
mode => '0755',
content => template('hdp-hbase/hbase-smoke.sh.erb'),
}
+ if ($security_enabled == true) {
+ $servicecheckcmd = "su - ${smoke_test_user} -c '$kinit_cmd hbase --config
$conf_dir shell $hbase_servicecheck_file'"
+ $smokeverifycmd = "su - ${smoke_test_user} -c '$kinit_cmd
/tmp/hbaseSmokeVerify.sh $conf_dir ${serviceCheckData}'"
+ } else {
+ $servicecheckcmd = "su - ${smoke_test_user} -c 'hbase --config $conf_dir
shell $hbase_servicecheck_file'"
+ $smokeverifycmd = "su - ${smoke_test_user} -c '/tmp/hbaseSmokeVerify.sh
$conf_dir ${serviceCheckData}'"
+ }
exec { $hbase_servicecheck_file:
- command => "su - ${smoke_test_user} -c 'hbase --config $conf_dir shell
$hbase_servicecheck_file'",
+ command => $servicecheckcmd,
tries => 3,
try_sleep => 5,
path => '/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin',
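Review bot: `$kinit_cmd` ends in `;`, so inside `su - ${smoke_test_user} -c '…'` the hbase shell and `/tmp/hbaseSmokeVerify.sh` still run when kinit fails, and with `tries => 3` the failure shows up as an HBase authentication error rather than a keytab problem. Ending the kinit string with `&&` instead of `;` makes the exec fail at the kinit step; `$kinit_cmd` is defined in the previous hunk, and `$hbase_kinit_cmd` in the last hunk of this file has the same pattern. Separately, `$conf_dir`, `$hbase_servicecheck_file` and the keytab path are interpolated unquoted into a single-quoted `su -c` string, so a value containing whitespace or a quote would change the command that runs. If these only ever come from trusted cluster configuration, a one-line comment above the `if` saying so would help the next reader. The `exec` resource that consumes `$servicecheckcmd` continues outside the hunk.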
@@ -52,7 +62,7 @@ class hdp-hbase::hbase::service_check()
}
exec { '/tmp/hbaseSmokeVerify.sh':
- command => "su - ${smoke_test_user} -c '/tmp/hbaseSmokeVerify.sh
$conf_dir ${serviceCheckData}'",
+ command => $smokeverifycmd,
tries => 3,
try_sleep => 5,
path => '/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin',
@@ -67,9 +77,30 @@ class hdp-hbase::hbase::service_check()
before => Anchor['hdp-hbase::hbase::service_check::end'] #TODO:
remove after testing
}
- Anchor['hdp-hbase::hbase::service_check::begin'] ->
File['/tmp/hbaseSmokeVerify.sh']
- File[$hbase_servicecheck_file] -> Exec[$hbase_servicecheck_file] ->
Exec['/tmp/hbaseSmokeVerify.sh']
- -> Anchor['hdp-hbase::hbase::service_check::end']
-
+ if ($security_enabled == true) {
+ $hbase_grant_premissions_file = '/tmp/hbase_grant_permissions.sh'
+ $hbase_kinit_cmd = "${hdp::params::kinit_path_local} -kt ${hbase_keytab}
${hbase_user};"
+ $grantprivelegecmd = "$hbase_kinit_cmd hbase shell
${hbase_grant_premissions_file}"
+
+ file { $hbase_grant_premissions_file:
+ owner => $hbase_user,
+ group => $hdp::params::user_group,
+ mode => '0644',
+ content => template('hdp-hbase/hbase_grant_permissions.erb')
+ }
+ hdp::exec { '${smokeuser}_grant_privileges' :
+ command => $grantprivelegecmd,
+ require => File[$hbase_grant_premissions_file],
+ user => $hbase_user
+ }
+ Anchor['hdp-hbase::hbase::service_check::begin'] ->
File['/tmp/hbaseSmokeVerify.sh']
+ File[$hbase_servicecheck_file] -> File[$hbase_grant_premissions_file]
->
+ Hdp::Exec['${smokeuser}_grant_privileges'] ->
Exec[$hbase_servicecheck_file] ->
+ Exec['/tmp/hbaseSmokeVerify.sh'] ->
Anchor['hdp-hbase::hbase::service_check::end']
+ } else {
+ Anchor['hdp-hbase::hbase::service_check::begin'] ->
File['/tmp/hbaseSmokeVerify.sh']
+ File[$hbase_servicecheck_file] -> Exec[$hbase_servicecheck_file] ->
Exec['/tmp/hbaseSmokeVerify.sh']
+ -> Anchor['hdp-hbase::hbase::service_check::end']
+ }
anchor{ 'hdp-hbase::hbase::service_check::end':}
}
\ No newline at end of file
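Review bot: The grant now runs from the service check with a ticket taken from the HBase user's keytab, so every host that runs this check needs `${hbase_user}.headless.keytab` present and readable by `$hbase_user`. If service checks can be scheduled on client hosts (not visible here), that spreads a presumably privileged HBase key beyond the master, where the removed init.pp block kept it. The grant is also re-issued on every check run rather than once at master start. I would either keep the grant on the master and leave only the smoke-user kinit here, or document the keytab-distribution requirement in a comment above `if ($security_enabled == true)`. Minor: the title `'${smokeuser}_grant_privileges'` is single-quoted, so it is the literal string and not the user's name; it matches the reference in the ordering chain, but `"${smoke_test_user}_grant_privileges"` is probably what was meant.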
Modified:
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/init.pp
URL:
http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/init.pp?rev=1488012&r1=1488011&r2=1488012&view=diff
==============================================================================
---
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/init.pp
(original)
+++
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/init.pp
Thu May 30 21:01:14 2013
@@ -29,6 +29,7 @@ class hdp-hbase(
$hdp::params::component_exists['hdp-hbase'] = true
$smokeuser = $hdp::params::smokeuser
+ $security_enabled = $hdp::params::security_enabled
#Configs generation
@@ -102,26 +103,6 @@ class hdp-hbase(
if ($security_enabled == true) {
if ($type == 'master' and $service_state == 'running') {
hdp-hbase::configfile { 'hbase_master_jaas.conf' : }
-
- $hbase_grant_premissions_file = '/tmp/hbase_grant_permissions.sh'
-
- file { $hbase_grant_premissions_file:
- owner => $hbase_user,
- group => $hdp::params::user_group,
- mode => '0644',
- content => template('hdp-hbase/hbase_grant_permissions.erb')
- }
- $hbase_principal = $hdp-hbase::params::hbase_master_principal
- $hbase_user_keytab = $hdp-hbase::params::hbase_keytab_path
- $kinit_cmd = "${hdp::params::kinit_path_local} -kt
${hbase_user_keytab} ${hbase_principal};"
- hdp::exec { '${smokeuser}_grant_privileges' :
- command => "su - ${hbase_user} -c '$kinit_cmd hbase --config
$conf_dir shell ${hbase_grant_premissions_file}'",
- require => File[$hbase_grant_premissions_file]
- }
-
- Hdp-hbase::Configfile<||> -> File[$hbase_grant_premissions_file] ->
- Hdp::Exec['${smokeuser}_grant_privileges'] -> Anchor['hdp-hbase::end']
-
} elsif ($type == 'regionserver' and $service_state == 'running') {
hdp-hbase::configfile { 'hbase_regionserver_jaas.conf' : }
} elsif ($type == 'client') {
Modified:
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/params.pp
URL:
http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/params.pp?rev=1488012&r1=1488011&r2=1488012&view=diff
==============================================================================
---
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/params.pp
(original)
+++
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/manifests/params.pp
Thu May 30 21:01:14 2013
@@ -83,6 +83,7 @@ class hdp-hbase::params() inherits hdp::
$regionserver_memstore_upperlimit =
hdp_default("hbase-site/regionserver.memstore.upperlimit","0.4")
+ $keytab_path = hdp_default("keytab_path","/etc/security/keytabs")
$hbase_client_jaas_config_file =
hdp_default("hbase_client_jaas_config_file",
"${conf_dir}/hbase_client_jaas.conf")
$hbase_master_jaas_config_file =
hdp_default("hbase_master_jaas_config_file",
"${conf_dir}/hbase_master_jaas.conf")
$hbase_regionserver_jaas_config_file =
hdp_default("hbase_regionserver_jaas_config_file",
"${conf_dir}/hbase_regionserver_jaas.conf")
Modified:
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/templates/hbase_grant_permissions.erb
URL:
http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/templates/hbase_grant_permissions.erb?rev=1488012&r1=1488011&r2=1488012&view=diff
==============================================================================
---
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/templates/hbase_grant_permissions.erb
(original)
+++
incubator/ambari/trunk/ambari-agent/src/main/puppet/modules/hdp-hbase/templates/hbase_grant_permissions.erb
Thu May 30 21:01:14 2013
@@ -17,4 +17,5 @@
# under the License.
#
#
-grant '<%=scope.function_hdp_template_var("::hdp::params::smokeuser")%>',
'<%=scope.function_hdp_template_var("::hdp-hbase::params::smokeuser_permissions")%>'
\ No newline at end of file
+grant '<%=scope.function_hdp_template_var("::hdp::params::smokeuser")%>',
'<%=scope.function_hdp_template_var("::hdp-hbase::params::smokeuser_permissions")%>'
+exit
\ No newline at end of file
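Review bot: The added `exit` ends the shell without an explicit status, so the `hdp::exec` that runs this script probably succeeds whether or not the `grant` above it took effect. I have not confirmed how this HBase version's shell reports a failed command when it is fed a script file. If the status is indeed not meaningful, a missing permission would only surface later as a failing smoke test under the smoke user. A follow-up `user_permission` check by the caller, or a comment in the template such as `# exit status does not reflect grant success; verified by the smoke test`, would make that easier to diagnose.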