AMBARI-18737 Perf: Allow Kerberizing the PERF stack (dsen)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/338c2c5b Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/338c2c5b Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/338c2c5b Branch: refs/heads/branch-feature-AMBARI-18901 Commit: 338c2c5be000fb6a681bc5c82f8c4cb20c192500 Parents: 9cc66e4 Author: Dmytro Sen <[email protected]> Authored: Thu Dec 8 13:55:33 2016 +0200 Committer: Dmytro Sen <[email protected]> Committed: Thu Dec 8 13:58:49 2016 +0200 ---------------------------------------------------------------------- .../libraries/script/dummy.py | 11 + .../PERF/1.0/configuration/cluster-env.xml | 27 +- .../resources/stacks/PERF/1.0/kerberos.json | 78 ++++ .../GRUMPY/configuration/grumpy-site.xml | 12 + .../PERF/1.0/services/GRUMPY/kerberos.json | 78 ++++ .../services/GRUMPY/package/scripts/dwarf.py | 4 + .../services/HAPPY/configuration/happy-site.xml | 12 + .../PERF/1.0/services/HAPPY/kerberos.json | 78 ++++ .../1.0/services/HAPPY/package/scripts/dwarf.py | 4 + .../HBASE/package/scripts/hbase_master.py | 4 + .../HBASE/package/scripts/hbase_regionserver.py | 4 + .../package/scripts/phoenix_queryserver.py | 4 + .../services/HDFS/package/scripts/datanode.py | 4 + .../HDFS/package/scripts/journalnode.py | 4 + .../services/HDFS/package/scripts/namenode.py | 4 + .../services/HDFS/package/scripts/nfsgateway.py | 4 + .../services/HDFS/package/scripts/snamenode.py | 4 + .../KERBEROS/configuration/kerberos-env.xml | 380 +++++++++++++++ .../KERBEROS/configuration/krb5-conf.xml | 109 +++++ .../PERF/1.0/services/KERBEROS/kerberos.json | 17 + .../PERF/1.0/services/KERBEROS/metainfo.xml | 123 +++++ .../KERBEROS/package/scripts/kerberos_client.py | 80 ++++ .../KERBEROS/package/scripts/kerberos_common.py | 468 +++++++++++++++++++ .../services/KERBEROS/package/scripts/params.py | 200 ++++++++ .../KERBEROS/package/scripts/service_check.py | 30 ++ .../KERBEROS/package/scripts/status_params.py | 32 
++ .../services/KERBEROS/package/scripts/utils.py | 105 +++++ .../KERBEROS/package/templates/krb5_conf.j2 | 54 +++ .../SLEEPY/configuration/sleepy-site.xml | 12 + .../PERF/1.0/services/SLEEPY/kerberos.json | 78 ++++ .../services/SLEEPY/package/scripts/dwarf.py | 4 + .../services/SNOW/configuration/snow-site.xml | 12 + .../stacks/PERF/1.0/services/SNOW/kerberos.json | 78 ++++ .../services/SNOW/package/scripts/snow_white.py | 4 + .../scripts/application_timeline_server.py | 4 + .../YARN/package/scripts/historyserver.py | 4 + .../YARN/package/scripts/nodemanager.py | 4 + .../YARN/package/scripts/resourcemanager.py | 4 + .../PERF/1.0/services/ZOOKEEPER/kerberos.json | 39 ++ .../package/scripts/zookeeper_server.py | 4 + 40 files changed, 2180 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-common/src/main/python/resource_management/libraries/script/dummy.py ---------------------------------------------------------------------- diff --git a/ambari-common/src/main/python/resource_management/libraries/script/dummy.py b/ambari-common/src/main/python/resource_management/libraries/script/dummy.py index 2a48de3..3dcece5 100644 --- a/ambari-common/src/main/python/resource_management/libraries/script/dummy.py +++ b/ambari-common/src/main/python/resource_management/libraries/script/dummy.py @@ -31,6 +31,9 @@ from ambari_commons.constants import AMBARI_SUDO_BINARY from resource_management.core.exceptions import ComponentIsNotRunning +from resource_management.libraries.functions.default import default +from resource_management.libraries.functions import get_kinit_path + class Dummy(Script): """ Dummy component to be used for performance testing since doesn't actually run a service. 
@@ -75,6 +78,14 @@ class Dummy(Script): print "Start" self.prepare() + if self.config['configurations']['cluster-env']['security_enabled'] : + print "Executing kinit... " + kinit_path_local = get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None)) + principal_replaced = self.config['configurations'][self.principal_conf_name][self.principal_name].replace("_HOST", self.host_name) + keytab_path_replaced = self.config['configurations'][self.keytab_conf_name][self.keytab_name].replace("_HOST", self.host_name) + Execute("%s -kt %s %s" % (kinit_path_local, keytab_path_replaced, principal_replaced), + user="root") + if not os.path.isfile(self.pid_file): print "Creating pid file: %s" % self.pid_file http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/configuration/cluster-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/configuration/cluster-env.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/configuration/cluster-env.xml index 7d6dac4..7df00ee 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/configuration/cluster-env.xml +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/configuration/cluster-env.xml 
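Review bot: The kinit command added to `start()` is assembled with `"%s -kt %s %s" % (...)` from a keytab path and principal read out of cluster configuration and then run with `user="root"`, so any whitespace or shell metacharacter in those values would be interpreted by a root shell. Passing the arguments as a sequence lets the resource layer quote them: `Execute((kinit_path_local, "-kt", keytab_path_replaced, principal_replaced), user="root")`. Because every component runs kinit as root and the call sets no separate cache, they all appear to share root's default credential cache, each start replacing the previous ticket; if that is intended for the PERF stack, a comment such as `# all dummy components kinit as root and share root's ticket cache` would make it explicit. The body of `start()` continues outside the hunk.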
@@ -71,5 +71,30 @@ <description>Security</description> <on-ambari-upgrade add="false"/> </property> - + <property> + <name>user_group</name> + <display-name>Hadoop Group</display-name> + <value>hadoop</value> + <property-type>GROUP</property-type> + <description>Hadoop user group.</description> + <value-attributes> + <type>user</type> + <visible>false</visible> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>smokeuser</name> + <display-name>Smoke User</display-name> + <value>ambari-qa</value> + <property-type>USER</property-type> + <description>User executing service checks</description> + <value-attributes> + <type>user</type> + <visible>false</visible> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/kerberos.json b/ambari-server/src/main/resources/stacks/PERF/1.0/kerberos.json new file mode 100644 index 0000000..a2a667b --- /dev/null +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/kerberos.json 
@@ -0,0 +1,78 @@ +{ + "properties": { + "realm": "${kerberos-env/realm}", + "keytab_dir": "/home/_HOST/etc/security/keytabs", + "additional_realms": "" + }, + "identities": [ + { + "name": "spnego", + "principal": { + "value": "HTTP/_HOST@${realm}", + "type": "service" + }, + "keytab": { + "file": "${keytab_dir}/spnego.service.keytab", + "owner": { + "name": "root", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "r" + } + } + }, + { + "name": "smokeuser", + "principal": { + "value": "${cluster-env/smokeuser}-${cluster_name|toLower()}@${realm}", + "type": "user", + "configuration": "cluster-env/smokeuser_principal_name", + "local_username": "${cluster-env/smokeuser}" + }, + "keytab": { + "file": "${keytab_dir}/smokeuser.headless.keytab", + "owner": { + "name": "${cluster-env/smokeuser}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "r" + }, + "configuration": "cluster-env/smokeuser_keytab" + } + } + ], + "services": [ + { + "name": "AMBARI", + "components": [ + { + "name": "AMBARI_SERVER", + "identities": [ + { + "name": "ambari-server", + "principal": { + "value": "ambari-server-${cluster_name|toLower()}@${realm}", + "type": "user", + "configuration": "cluster-env/ambari_principal_name" + }, + "keytab": { + "file": "/etc/security/keytabs/ambari.server.keytab", + "owner": { + "access": "r" + } + } + }, + { + "name" : "ambari-server_spnego", + "reference" : "/spnego" + } + ] + } + ] + } + ] +} http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/configuration/grumpy-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/configuration/grumpy-site.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/configuration/grumpy-site.xml index 7952789..3cf8ea1 100644 
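Review bot: `keytab_dir` is set to `/home/_HOST/etc/security/keytabs`, which places long-term credentials in a per-host tree under /home, while the ambari-server identity in the same file still uses `/etc/security/keytabs/ambari.server.keytab`. Nothing in this hunk shows who owns `/home/_HOST` or what mode the intermediate directories get, so it is worth confirming that the code writing the keytabs creates that tree root-owned and not traversable by unrelated accounts. The spnego and smokeuser keytabs are also group-readable by `${cluster-env/user_group}`, so every member of that group can authenticate as those principals. If that is accepted only because PERF is a test stack, the commit description is the place to say so, since JSON cannot carry a comment.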
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/configuration/grumpy-site.xml +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/configuration/grumpy-site.xml @@ -33,4 +33,16 @@ </value-attributes> <on-ambari-upgrade add="false"/> </property> + <property> + <name>grumpy_user</name> + <display-name>grumpy User</display-name> + <value>grumpy</value> + <property-type>USER</property-type> + <description>grumpy Username.</description> + <value-attributes> + <type>user</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/kerberos.json b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/kerberos.json new file mode 100644 index 0000000..3bf5fbd --- /dev/null +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/kerberos.json 
@@ -0,0 +1,78 @@ +{ + "services": [ + { + "name": "GRUMPY", + "identities": [ + { + "name": "/spnego" + }, + { + "name": "grumpy", + "principal": { + "value": "${grumpy-site/grumpy_user}-${cluster_name|toLower()}@${realm}", + "type" : "user", + "configuration": "grumpy-site/grumpy_principal_name", + "local_username": "${grumpy-site/grumpy_user}" + }, + "keytab": { + "file": "${keytab_dir}/grumpy.headless.keytab", + "owner": { + "name": "${grumpy-site/grumpy_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "r" + }, + "configuration": "grumpy-site/grumpy_user_keytab" + } + }, + { + "name": "/smokeuser" + } + ], + "configurations": [ + ], + "components": [ + { + "name": "GRUMPY", + "identities": [ + { + "name": "/HDFS/NAMENODE/hdfs" + }, + { + "name": "grumpy_grumpy", + "principal": { + "value": "grumpy/_HOST@${realm}", + "type" : "service", + "configuration": "grumpy-site/grumpy.grumpy.kerberos.principal", + "local_username": "${grumpy-site/grumpy_user}" + }, + "keytab": { + "file": "${keytab_dir}/grumpy.service.keytab", + "owner": { + "name": "${grumpy-site/grumpy_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "grumpy-site/grumpy.grumpy.keytab.file" + } + }, + { + "name": "/spnego", + "principal": { + "configuration": "grumpy-site/grumpy.security.authentication.spnego.kerberos.principal" + }, + "keytab": { + "configuration": "grumpy-site/grumpy.security.authentication.spnego.kerberos.keytab" + } + } + ] + } + ] + } + ] +} http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/package/scripts/dwarf.py ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/package/scripts/dwarf.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/package/scripts/dwarf.py index cf4206c..de2f4b4 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/package/scripts/dwarf.py +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/package/scripts/dwarf.py @@ -33,6 +33,10 @@ class Grumpy(Dummy): def __init__(self): super(Grumpy, self).__init__() self.component_name = "GRUMPY" + self.principal_conf_name = "grumpy-site" + self.principal_name = "grumpy.grumpy.kerberos.principal" + self.keytab_conf_name = "grumpy-site" + self.keytab_name = "grumpy.grumpy.keytab.file" if __name__ == "__main__": Grumpy().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/configuration/happy-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/configuration/happy-site.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/configuration/happy-site.xml index 67762a5..693046e 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/configuration/happy-site.xml +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/configuration/happy-site.xml 
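Review bot: The four attributes added to `Grumpy.__init__` (`principal_conf_name`, `principal_name`, `keytab_conf_name`, `keytab_name`) form an undocumented contract with `Dummy.start()`, which reads them whenever `security_enabled` is set. The dummy.py hunks in this commit show no defaults for them, so a `Dummy` subclass that was not updated would presumably fail with AttributeError on start in a kerberized cluster. Consider declaring them on `Dummy` with `None` defaults and a short comment, e.g. `# config type and property that hold this component's Kerberos principal / keytab path`, and skipping the kinit step when they are unset. The same four-line addition is repeated in the HAPPY, HBASE and HDFS script hunks that follow and, per the diffstat, in the SLEEPY, SNOW, YARN and ZOOKEEPER scripts.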
@@ -33,4 +33,16 @@ </value-attributes> <on-ambari-upgrade add="false"/> </property> + <property> + <name>happy_user</name> + <display-name>happy User</display-name> + <value>happy</value> + <property-type>USER</property-type> + <description>happy Username.</description> + <value-attributes> + <type>user</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/kerberos.json b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/kerberos.json new file mode 100644 index 0000000..ae84eaf --- /dev/null +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/kerberos.json 
@@ -0,0 +1,78 @@ +{ + "services": [ + { + "name": "HAPPY", + "identities": [ + { + "name": "/spnego" + }, + { + "name": "happy", + "principal": { + "value": "${happy-site/happy_user}-${cluster_name|toLower()}@${realm}", + "type" : "user", + "configuration": "happy-site/happy_principal_name", + "local_username": "${happy-site/happy_user}" + }, + "keytab": { + "file": "${keytab_dir}/happy.headless.keytab", + "owner": { + "name": "${happy-site/happy_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "r" + }, + "configuration": "happy-site/happy_user_keytab" + } + }, + { + "name": "/smokeuser" + } + ], + "configurations": [ + ], + "components": [ + { + "name": "HAPPY", + "identities": [ + { + "name": "/HDFS/NAMENODE/hdfs" + }, + { + "name": "happy_happy", + "principal": { + "value": "happy/_HOST@${realm}", + "type" : "service", + "configuration": "happy-site/happy.happy.kerberos.principal", + "local_username": "${happy-site/happy_user}" + }, + "keytab": { + "file": "${keytab_dir}/happy.service.keytab", + "owner": { + "name": "${happy-site/happy_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "happy-site/happy.happy.keytab.file" + } + }, + { + "name": "/spnego", + "principal": { + "configuration": "happy-site/happy.security.authentication.spnego.kerberos.principal" + }, + "keytab": { + "configuration": "happy-site/happy.security.authentication.spnego.kerberos.keytab" + } + } + ] + } + ] + } + ] +} http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/package/scripts/dwarf.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/package/scripts/dwarf.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/package/scripts/dwarf.py index b86c4c7..dc8198d 100644 
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/package/scripts/dwarf.py +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/package/scripts/dwarf.py @@ -33,6 +33,10 @@ class Happy(Dummy): def __init__(self): super(Happy, self).__init__() self.component_name = "HAPPY" + self.principal_conf_name = "happy-site" + self.principal_name = "happy.happy.kerberos.principal" + self.keytab_conf_name = "happy-site" + self.keytab_name = "happy.happy.keytab.file" if __name__ == "__main__": Happy().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_master.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_master.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_master.py index 7ea42ab..3761fcf 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_master.py +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_master.py @@ -33,6 +33,10 @@ class HBaseMaster(Dummy): def __init__(self): super(HBaseMaster, self).__init__() self.component_name = "HBASE_MASTER" + self.principal_conf_name = "hbase-site" + self.principal_name = "hbase.master.kerberos.principal" + self.keytab_conf_name = "hbase-site" + self.keytab_name = "hbase.master.keytab.file" def decommission(self, env): print "Decommission" http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_regionserver.py ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_regionserver.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_regionserver.py index a866715..101c36f 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_regionserver.py +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_regionserver.py @@ -33,6 +33,10 @@ class HBaseRegionServer(Dummy): def __init__(self): super(HBaseRegionServer, self).__init__() self.component_name = "HBASE_REGIONSERVER" + self.principal_conf_name = "hbase-site" + self.principal_name = "hbase.regionserver.kerberos.principal" + self.keytab_conf_name = "hbase-site" + self.keytab_name = "hbase.regionserver.keytab.file" def decommission(self, env): print "Decommission" http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/phoenix_queryserver.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/phoenix_queryserver.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/phoenix_queryserver.py index 9cf3cec..76a49d9 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/phoenix_queryserver.py +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/phoenix_queryserver.py 
@@ -33,6 +33,10 @@ class PhoenixQueryServer(Dummy): def __init__(self): super(PhoenixQueryServer, self).__init__() self.component_name = "PHOENIX_QUERY_SERVER" + self.principal_conf_name = "hbase-site" + self.principal_name = "phoenix.queryserver.kerberos.principal" + self.keytab_conf_name = "hbase-site" + self.keytab_name = "phoenix.queryserver.keytab.file" if __name__ == "__main__": PhoenixQueryServer().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/datanode.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/datanode.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/datanode.py index 36edc31..6fc338b 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/datanode.py +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/datanode.py @@ -33,6 +33,10 @@ class DataNode(Dummy): def __init__(self): super(DataNode, self).__init__() self.component_name = "DATANODE" + self.principal_conf_name = "hdfs-site" + self.principal_name = "dfs.datanode.kerberos.principal" + self.keytab_conf_name = "hdfs-site" + self.keytab_name = "dfs.datanode.keytab.file" if __name__ == "__main__": DataNode().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/journalnode.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/journalnode.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/journalnode.py index 1ad13b7..96be630 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/journalnode.py 
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/journalnode.py @@ -33,6 +33,10 @@ class JournalNode(Dummy): def __init__(self): super(JournalNode, self).__init__() self.component_name = "JOURNALNODE" + self.principal_conf_name = "hdfs-site" + self.principal_name = "dfs.journalnode.kerberos.principal" + self.keytab_conf_name = "hdfs-site" + self.keytab_name = "dfs.journalnode.keytab.file" if __name__ == "__main__": JournalNode().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/namenode.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/namenode.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/namenode.py index ded09cb..c3488e8 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/namenode.py +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/namenode.py @@ -34,6 +34,10 @@ class NameNode(Dummy): def __init__(self): super(NameNode, self).__init__() self.component_name = "NAMENODE" + self.principal_conf_name = "hdfs-site" + self.principal_name = "dfs.namenode.kerberos.principal" + self.keytab_conf_name = "hdfs-site" + self.keytab_name = "dfs.namenode.keytab.file" def rebalancehdfs(self, env): print "Rebalance HDFS" http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/nfsgateway.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/nfsgateway.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/nfsgateway.py index ab9855d..b750522 100644 
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/nfsgateway.py +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/nfsgateway.py @@ -33,6 +33,10 @@ class NFSGateway(Dummy): def __init__(self): super(NFSGateway, self).__init__() self.component_name = "NFS_GATEWAY" + self.principal_conf_name = "hdfs-site" + self.principal_name = "nfs.kerberos.principal" + self.keytab_conf_name = "hdfs-site" + self.keytab_name = "nfs.keytab.file" if __name__ == "__main__": NFSGateway().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/snamenode.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/snamenode.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/snamenode.py index 8815aa3..91ce7da 100644 --- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/snamenode.py +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/snamenode.py @@ -33,6 +33,10 @@ class SNameNode(Dummy): def __init__(self): super(SNameNode, self).__init__() self.component_name = "SECONDARY_NAMENODE" + self.principal_conf_name = "hdfs-site" + self.principal_name = "dfs.secondary.namenode.kerberos.principal" + self.keytab_conf_name = "hdfs-site" + self.keytab_name = "dfs.secondary.namenode.keytab.file" if __name__ == "__main__": SNameNode().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/kerberos-env.xml ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/kerberos-env.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/kerberos-env.xml new file mode 100644 index 0000000..7016437 --- /dev/null +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/kerberos-env.xml 
@@ -0,0 +1,380 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration supports_final="false" supports_adding_forbidden="true"> + <property require-input="true"> + <name>kdc_type</name> + <description> + The type of KDC being used. Either mit-kdc, ipa, or active-directory + </description> + <value>mit-kdc</value> + <display-name>KDC type</display-name> + <value-attributes> + <type>componentHost</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>manage_identities</name> + <description> + Indicates whether the Ambari user and service Kerberos identities (principals and keytab files) + should be managed (created, deleted, updated, etc...) by Ambari or managed manually. 
+ </description> + <value>true</value> + <display-name>Manage Kerberos Identities</display-name> + <value-attributes> + <visible>false</visible> + <overridable>false</overridable> + <type>boolean</type> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>manage_auth_to_local</name> + <description> + Indicates whether the hadoop auth_to_local rules should be managed by Ambari or managed manually. + </description> + <value>true</value> + <display-name>Manage Hadoop auth_to_local rules</display-name> + <value-attributes> + <visible>true</visible> + <overridable>false</overridable> + <type>boolean</type> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>install_packages</name> + <display-name>Install OS-specific Kerberos client package(s)</display-name> + <description> + Indicates whether Ambari should install the Kerberos client package(s) or not. If not, it is + expected that Kerberos utility programs (such as kadmin, kinit, klist, and kdestroy) are + compatible with MIT Kerberos 5 version 1.10.3 in command line options and behaviors. 
+ </description> + <value>true</value> + <value-attributes> + <type>boolean</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>ldap_url</name> + <display-name>LDAP url</display-name> + <description> + The URL to the Active Directory LDAP Interface + Example: ldaps://ad.example.com:636 + </description> + <value/> + <value-attributes> + <visible>false</visible> + <overridable>false</overridable> + <type>ldap_url</type> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>container_dn</name> + <display-name>Container DN</display-name> + <description> + The distinguished name (DN) of the container used store service principals + </description> + <value-attributes> + <visible>false</visible> + <overridable>false</overridable> + </value-attributes> + <value/> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>encryption_types</name> + <display-name>Encryption Types</display-name> + <description> + The supported list of session key encryption types that should be returned by the KDC. + </description> + <value>aes des3-cbc-sha1 rc4 des-cbc-md5</value> + <value-attributes> + <type>multiLine</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property require-input="true"> + <name>realm</name> + <description> + The default realm to use when creating service principals + </description> + <display-name>Realm name</display-name> + <value/> + <value-attributes> + <type>host</type> + <editable-only-at-install>true</editable-only-at-install> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>kdc_hosts</name> + <description> + A comma-delimited list of IP addresses or FQDNs declaring the KDC hosts. + Optionally a port number may be included in each entry by separating each host and port by a + colon (:). 
Example: kdc1.example.com:88, kdc2.example.com:88 + </description> + <display-name>KDC hosts</display-name> + <value/> + <value-attributes> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>admin_server_host</name> + <display-name>Kadmin host</display-name> + <description> + The IP address or FQDN for the KDC Kerberos administrative host. Optionally a port number may be included. + </description> + <value/> + <value-attributes> + <type>host</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>executable_search_paths</name> + <display-name>Executable Search Paths</display-name> + <description> + A comma-delimited list of search paths to use to find Kerberos utilities like kadmin, kinit and ipa. + </description> + <value>/usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin</value> + <value-attributes> + <overridable>false</overridable> + <type>multiLine</type> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>password_length</name> + <display-name>Password Length</display-name> + <description> + The length required length for generated passwords. 
+ </description> + <value>20</value> + <value-attributes> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>password_min_lowercase_letters</name> + <display-name>Password Minimum # Lowercase Letters</display-name> + <description> + The minimum number of lowercase letters (a-z) required in generated passwords + </description> + <value>1</value> + <value-attributes> + <type>int</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>password_min_uppercase_letters</name> + <display-name>Password Minimum # Uppercase Letters</display-name> + <description> + The minimum number of uppercase letters (A-Z) required in generated passwords + </description> + <value>1</value> + <value-attributes> + <type>int</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>password_min_digits</name> + <display-name>Password Minimum # Digits</display-name> + <description> + The minimum number of digits (0-9) required in generated passwords + </description> + <value>1</value> + <value-attributes> + <type>int</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>password_min_punctuation</name> + <display-name>Password Minimum # Punctuation Characters</display-name> + <description> + The minimum number of punctuation characters (?.!$%^*()-_+=~) required in generated passwords + </description> + <value>1</value> + <value-attributes> + <type>int</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>password_min_whitespace</name> + <display-name>Password Minimum # Whitespace Characters</display-name> + <description> + The minimum number of whitespace characters required in generated passwords + </description> + 
<value>0</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>service_check_principal_name</name>
+ <display-name>Test Kerberos Principal</display-name>
+ <description>
+ The principal name to use when executing the Kerberos service check
+ </description>
+ <value>${cluster_name|toLower()}-${short_date}</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>case_insensitive_username_rules</name>
+ <display-name>Enable case insensitive username rules</display-name>
+ <description>
+ Force principal names to resolve to lowercase local usernames in auth-to-local rules
+ </description>
+ <value>false</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>ad_create_attributes_template</name>
+ <display-name>Account Attribute Template</display-name>
+ <description>
+ A Velocity template to use to generate a JSON-formatted document containing the set of
+ attribute names and values needed to create a new Kerberos identity in the relevant
+ Active Directory.
+ Variables include:
+ principal_name, principal_primary, principal_instance, realm, realm_lowercase,
+ normalized_principal, principal digest, password, is_service, container_dn
+ </description>
+ <value>
+{
+ "objectClass": ["top", "person", "organizationalPerson", "user"],
+ "cn": "$principal_name",
+ #if( $is_service )
+ "servicePrincipalName": "$principal_name",
+ #end
+ "userPrincipalName": "$normalized_principal",
+ "unicodePwd": "$password",
+ "accountExpires": "0",
+ "userAccountControl": "66048"
+}
+ </value>
+ <value-attributes>
+ <type>content</type>
+ <empty-value-valid>true</empty-value-valid>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>create_ambari_principal</name>
+ <description>
+ Indicates whether Ambari should create the principal, keytab for itself, used by different views.
+ </description>
+ <value>true</value>
+ <display-name>Create Ambari Principal & Keytab</display-name>
+ <value-attributes>
+ <visible>true</visible>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>kdc_create_attributes</name>
+ <display-name>Principal Attributes</display-name>
+ <description>
+ The set of attributes to use when creating a new Kerberos identity in the relevant (MIT) KDC.
+ </description>
+ <value/>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>group</name>
+ <display-name>IPA Group</display-name>
+ <description>
+ The group in IPA user principals should be member of
+ </description>
+ <value>ambari-managed-principals</value>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <visible>false</visible>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>set_password_expiry</name>
+ <display-name>Set IPA principal password expiry</display-name>
+ <description>
+ Indicates whether Ambari should set the password expiry for the principals it creates. By default
+ IPA does not allow this. It requires write permission of the admin principal to the krbPasswordExpiry
+ attribute. If set IPA principal password expiry is not true it is assumed that a suitable password
+ policy is in place for the IPA Group principals are added to.
+ </description>
+ <value>false</value>
+ <value-attributes>
+ <type>boolean</type>
+ <overridable>false</overridable>
+ <visible>false</visible>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_chat_timeout</name>
+ <display-name>Set IPA kinit password chat timeout</display-name>
+ <description>
+ Indicates the timeout in seconds that Ambari should wait for a response during a password chat. This is
+ because it can take some time due to lookups before a response is there.
+ </description>
+ <value>5</value>
+ <value-attributes>
+ <visible>false</visible>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/krb5-conf.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/krb5-conf.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/krb5-conf.xml
new file mode 100644
index 0000000..c692b92
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/krb5-conf.xml
@@ -0,0 +1,109 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+ <property require-input="false">
+ <name>domains</name>
+ <display-name>Domains</display-name>
+ <description>
+ A comma-separated list of domain names used to map server host names to the Realm name (e.g. .example.com,example.com).
This is optional
+ </description>
+ <value/>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>manage_krb5_conf</name>
+ <display-name>Manage Kerberos client krb5.conf</display-name>
+ <description>
+ Indicates whether your krb5.conf file should be managed by the wizard or should you manage it yourself
+ </description>
+ <value>true</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>conf_dir</name>
+ <display-name>krb5-conf directory path</display-name>
+ <description>The krb5.conf configuration directory</description>
+ <value>/etc</value>
+ <value-attributes>
+ <type>directory</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>content</name>
+ <display-name>krb5-conf template</display-name>
+ <description>Customizable krb5.conf template (Jinja template engine)</description>
+ <value>
+[libdefaults]
+ renew_lifetime = 7d
+ forwardable = true
+ default_realm = {{realm}}
+ ticket_lifetime = 24h
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ default_ccache_name = /tmp/krb5cc_%{uid}
+ #default_tgs_enctypes = {{encryption_types}}
+ #default_tkt_enctypes = {{encryption_types}}
+{% if domains %}
+[domain_realm]
+{%- for domain in domains.split(',') %}
+ {{domain|trim()}} = {{realm}}
+{%- endfor %}
+{% endif %}
+[logging]
+ default = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ kdc = FILE:/var/log/krb5kdc.log
+
+[realms]
+ {{realm}} = {
+{%- if kdc_hosts > 0 -%}
+{%- set kdc_host_list = kdc_hosts.split(',') -%}
+{%- if kdc_host_list and kdc_host_list|length > 0 %}
+ admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
+{%- if kdc_host_list -%}
+{% for kdc_host in
kdc_host_list %}
+ kdc = {{kdc_host|trim()}}
+{%- endfor -%}
+{% endif %}
+{%- endif %}
+{%- endif %}
+ }
+
+{# Append additional realm declarations below #}
+ </value>
+ <value-attributes>
+ <type>content</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/kerberos.json b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/kerberos.json
new file mode 100644
index 0000000..6ab7610
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/kerberos.json
@@ -0,0 +1,17 @@
+{
+ "services": [
+ {
+ "name": "KERBEROS",
+ "identities": [
+ {
+ "name": "/smokeuser"
+ }
+ ],
+ "components": [
+ {
+ "name": "KERBEROS_CLIENT"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/metainfo.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/metainfo.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/metainfo.xml
new file mode 100644
index 0000000..3ec6340
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/metainfo.xml
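Review bot: In the `content` template of krb5-conf.xml, the `[realms]` guard `{%- if kdc_hosts > 0 -%}` compares a value that the next line treats as a string (`kdc_hosts.split(',')`) with an integer. On a Python 2 Jinja runtime that comparison does not depend on the string's contents, so an empty `kdc_hosts` would, as far as the template shows, still reach the loop and render `kdc =` with no host; on Python 3 the comparison would raise instead. A truthiness test states the intent: `{%- if kdc_hosts -%}`. The inner `{%- if kdc_host_list -%}` then repeats a condition already checked on the line above it and can be dropped.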
@@ -0,0 +1,123 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<metainfo>
+ <schemaVersion>2.0</schemaVersion>
+ <services>
+ <service>
+ <name>KERBEROS</name>
+ <displayName>Kerberos</displayName>
+ <comment>A computer network authentication protocol which works on
+ the basis of 'tickets' to allow nodes communicating over a
+ non-secure network to prove their identity to one another in a
+ secure manner.
+ </comment>
+ <version>1.10.3-10</version>
+
+ <components>
+ <component>
+ <name>KERBEROS_CLIENT</name>
+ <displayName>Kerberos Client</displayName>
+ <category>CLIENT</category>
+ <cardinality>ALL</cardinality>
+ <versionAdvertised>false</versionAdvertised>
+ <auto-deploy>
+ <enabled>true</enabled>
+ </auto-deploy>
+ <commandScript>
+ <script>scripts/kerberos_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1200</timeout>
+ </commandScript>
+ <customCommands>
+ <customCommand>
+ <name>SET_KEYTAB</name>
+ <commandScript>
+ <script>scripts/kerberos_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1000</timeout>
+ </commandScript>
+ </customCommand>
+ <customCommand>
+ <name>REMOVE_KEYTAB</name>
+ <commandScript>
+ <script>scripts/kerberos_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1000</timeout>
+ </commandScript>
+ </customCommand>
+ </customCommands>
+ <configFiles>
+ <configFile>
+ <type>env</type>
+ <fileName>krb5.conf</fileName>
+ <dictionaryName>krb5-conf</dictionaryName>
+ </configFile>
+ </configFiles>
+ </component>
+ </components>
+
+ <osSpecifics>
+ <osSpecific>
+ <osFamily>redhat7,amazon2015,redhat6</osFamily>
+ <packages>
+ <package>
+ <name>krb5-workstation</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ </packages>
+ </osSpecific>
+
+ <osSpecific>
+ <osFamily>debian7,ubuntu12,ubuntu14,ubuntu16</osFamily>
+ <packages>
+ <package>
+ <name>krb5-user</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ <package>
+ <name>krb5-config</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ </packages>
+ </osSpecific>
+
+ <osSpecific>
+ <osFamily>suse11,suse12</osFamily>
+ <packages>
+ <package>
+ <name>krb5-client</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ </packages>
+ </osSpecific>
+ </osSpecifics>
+
+ <commandScript>
+ <script>scripts/service_check.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>300</timeout>
+ </commandScript>
+
+ <configuration-dependencies>
+
<config-type>krb5-conf</config-type>
+ <config-type>kerberos-env</config-type>
+ </configuration-dependencies>
+ <restartRequiredAfterChange>true</restartRequiredAfterChange>
+ </service>
+ </services>
+</metainfo>
http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py
new file mode 100644
index 0000000..ddc8063
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py
@@ -0,0 +1,80 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from kerberos_common import *
+from resource_management.libraries.functions.security_commons import cached_kinit_executor
+from resource_management.core.exceptions import ClientComponentHasNoStatus
+
+class KerberosClient(KerberosScript):
+ def install(self, env):
+ install_packages = default('/configurations/kerberos-env/install_packages', "true")
+ if install_packages:
+ self.install_packages(env)
+ else:
+ print "Kerberos client packages are not being installed, manual installation is required."
+
+ self.configure(env)
+
+
+ def configure(self, env):
+ import params
+ env.set_params(params)
+ if params.manage_krb5_conf:
+ self.write_krb5_conf()
+ #delete krb cache to prevent using old krb tickets on fresh kerberos setup
+ self.clear_tmp_cache()
+
+ self.setup_jce()
+
+ def status(self, env):
+ raise ClientComponentHasNoStatus()
+
+ def security_status(self, env):
+ import status_params
+ if status_params.security_enabled:
+ if status_params.smoke_user and status_params.smoke_user_keytab:
+ try:
+ cached_kinit_executor(status_params.kinit_path_local,
+ status_params.smoke_user,
+ status_params.smoke_user_keytab,
+ status_params.smoke_user_principal,
+ status_params.hostname,
+ status_params.tmp_dir)
+ self.put_structured_out({"securityState": "SECURED_KERBEROS"})
+ except Exception as e:
+ self.put_structured_out({"securityState": "ERROR"})
+ self.put_structured_out({"securityStateErrorInfo": str(e)})
+ else:
+ self.put_structured_out({"securityState": "UNKNOWN"})
+ self.put_structured_out({"securityStateErrorInfo": "Missing smoke user credentials"})
+ else:
+ self.put_structured_out({"securityState": "UNSECURED"})
+
+ def set_keytab(self, env):
+ self.write_keytab_file()
+
+ def remove_keytab(self, env):
+ self.delete_keytab_file()
+
+ def download_install_jce(self, env):
+ self.setup_jce()
+
+
+if __name__ == "__main__":
+ KerberosClient().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_common.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_common.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_common.py
new file mode 100644
index 0000000..3c6c83e
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_common.py
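Review bot: In `KerberosClient.install`, `default('/configurations/kerberos-env/install_packages', "true")` falls back to the string `"true"`, and `if install_packages:` is true for any non-empty string, so a configured value of `"false"` would still install packages. The `else` branch is then reached only for an empty value or a real boolean false. If the property is delivered as a string (not visible from this hunk), compare it explicitly, e.g. `if str(install_packages).lower() == "true":`. Separately, `security_status` copies `str(e)` from a failed kinit into `securityStateErrorInfo`; it is worth confirming that this text cannot carry keytab paths or principal details to readers who should not see them.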
@@ -0,0 +1,468 @@ +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" + +import base64 +import getpass +import os +import string +import subprocess +import sys +import tempfile +from tempfile import gettempdir + +from resource_management import * +from utils import get_property_value +from ambari_commons.os_utils import remove_file +from ambari_agent import Constants + +class KerberosScript(Script): + KRB5_REALM_PROPERTIES = [ + 'kdc', + 'admin_server', + 'default_domain', + 'master_kdc' + ] + + KRB5_SECTION_NAMES = [ + 'libdefaults', + 'logging', + 'realms', + 'domain_realm', + 'capaths', + 'ca_paths', + 'appdefaults', + 'plugins' + ] + + @staticmethod + def create_random_password(): + import random + + chars = string.digits + string.ascii_letters + return ''.join(random.choice(chars) for x in range(13)) + + @staticmethod + def write_conf_section(output_file, section_name, section_data): + if section_name is not None: + output_file.write('[%s]\n' % section_name) + + if section_data is not None: + for key, value in section_data.iteritems(): + output_file.write(" %s = %s\n" % (key, value)) + + + @staticmethod + def _write_conf_realm(output_file, realm_name, realm_data): + """ Writes out realm details + + Example: + + EXAMPLE.COM = { + kdc = 
kerberos.example.com + admin_server = kerberos.example.com + } + + """ + if realm_name is not None: + output_file.write(" %s = {\n" % realm_name) + + if realm_data is not None: + for key, value in realm_data.iteritems(): + if key in KerberosScript.KRB5_REALM_PROPERTIES: + output_file.write(" %s = %s\n" % (key, value)) + + output_file.write(" }\n") + + @staticmethod + def write_conf_realms_section(output_file, section_name, realms_data): + if section_name is not None: + output_file.write('[%s]\n' % section_name) + + if realms_data is not None: + for realm, realm_data in realms_data.iteritems(): + KerberosScript._write_conf_realm(output_file, realm, realm_data) + output_file.write('\n') + + @staticmethod + def write_krb5_conf(): + import params + + Directory(params.krb5_conf_dir, + owner='root', + create_parents = True, + group='root', + mode=0755 + ) + + if (params.krb5_conf_template is None) or not params.krb5_conf_template.strip(): + content = Template('krb5_conf.j2') + else: + content = InlineTemplate(params.krb5_conf_template) + + File(params.krb5_conf_path, + content=content, + owner='root', + group='root', + mode=0644 + ) + + @staticmethod + def invoke_kadmin(query, admin_identity=None, default_realm=None): + """ + Executes the kadmin or kadmin.local command (depending on whether auth_identity is set or not + and returns command result code and standard out data. 
+ + :param query: the kadmin query to execute + :param admin_identity: the identity for the administrative user (optional) + :param default_realm: the default realm to assume + :return: return_code, out + """ + if (query is not None) and (len(query) > 0): + auth_principal = None + auth_keytab_file = None + + if admin_identity is not None: + auth_principal = get_property_value(admin_identity, 'principal') + + if auth_principal is None: + kadmin = 'kadmin.local' + credential = '' + else: + kadmin = 'kadmin -p "%s"' % auth_principal + + auth_password = get_property_value(admin_identity, 'password') + + if auth_password is None: + auth_keytab = get_property_value(admin_identity, 'keytab') + + if auth_keytab is not None: + (fd, auth_keytab_file) = tempfile.mkstemp() + keytab_file_path = keytab_file_path.replace("_HOST", params.hostname) + os.write(fd, base64.b64decode(auth_keytab)) + os.close(fd) + + credential = '-k -t %s' % auth_keytab_file + else: + credential = '-w "%s"' % auth_password + + if (default_realm is not None) and (len(default_realm) > 0): + realm = '-r %s' % default_realm + else: + realm = '' + + try: + command = '%s %s %s -q "%s"' % (kadmin, credential, realm, query.replace('"', '\\"')) + return shell.checked_call(command) + except: + raise + finally: + if auth_keytab_file is not None: + os.remove(auth_keytab_file) + + @staticmethod + def create_keytab_file(principal, path, auth_identity=None): + success = False + + if (principal is not None) and (len(principal) > 0): + if (auth_identity is None) or (len(auth_identity) == 0): + norandkey = '-norandkey' + else: + norandkey = '' + + if (path is not None) and (len(path) > 0): + keytab_file = '-k %s' % path + else: + keytab_file = '' + + try: + result_code, output = KerberosScript.invoke_kadmin( + 'ktadd %s %s %s' % (keytab_file, norandkey, principal), + auth_identity) + + success = (result_code == 0) + except: + raise Fail("Failed to create keytab for principal: %s (in %s)" % (principal, path)) + + return 
success + + @staticmethod + def create_keytab(principal, auth_identity=None): + keytab = None + + (fd, temp_path) = tempfile.mkstemp() + os.remove(temp_path) + + try: + if KerberosScript.create_keytab_file(principal, temp_path, auth_identity): + with open(temp_path, 'r') as f: + keytab = base64.b64encode(f.read()) + finally: + if os.path.isfile(temp_path): + os.remove(temp_path) + + return keytab + + @staticmethod + def principal_exists(identity, auth_identity=None): + exists = False + + if identity is not None: + principal = get_property_value(identity, 'principal') + + if (principal is not None) and (len(principal) > 0): + try: + result_code, output = KerberosScript.invoke_kadmin('getprinc %s' % principal, + auth_identity) + exists = (output is not None) and (("Principal: %s" % principal) in output) + except: + raise Fail("Failed to determine if principal exists: %s" % principal) + + return exists + + @staticmethod + def change_principal_password(identity, auth_identity=None): + success = False + + if identity is not None: + principal = get_property_value(identity, 'principal') + + if (principal is not None) and (len(principal) > 0): + password = get_property_value(identity, 'password') + + if password is None: + credentials = '-randkey' + else: + credentials = '-pw "%s"' % password + + try: + result_code, output = KerberosScript.invoke_kadmin( + 'change_password %s %s' % (credentials, principal), + auth_identity) + + success = (result_code == 0) + except: + raise Fail("Failed to create principal: %s" % principal) + + return success + + @staticmethod + def create_principal(identity, auth_identity=None): + success = False + + if identity is not None: + principal = get_property_value(identity, 'principal') + + if (principal is not None) and (len(principal) > 0): + password = get_property_value(identity, 'password') + + if password is None: + credentials = '-randkey' + else: + credentials = '-pw "%s"' % password + + try: + result_code, out = 
KerberosScript.invoke_kadmin( + 'addprinc %s %s' % (credentials, principal), + auth_identity) + + success = (result_code == 0) + except: + raise Fail("Failed to create principal: %s" % principal) + + return success + + @staticmethod + def clear_tmp_cache(): + tmp_dir = Constants.AGENT_TMP_DIR + if tmp_dir is None: + tmp_dir = gettempdir() + curl_krb_cache_path = os.path.join(tmp_dir, "curl_krb_cache") + Directory(curl_krb_cache_path, action="delete") + + @staticmethod + def create_principals(identities, auth_identity=None): + if identities is not None: + for identity in identities: + KerberosScript.create_principal(identity, auth_identity) + + @staticmethod + def create_or_update_administrator_identity(): + import params + + if params.realm is not None: + admin_identity = params.get_property_value(params.realm, 'admin_identity') + + if KerberosScript.principal_exists(admin_identity): + KerberosScript.change_principal_password(admin_identity) + else: + KerberosScript.create_principal(admin_identity) + + @staticmethod + def test_kinit(identity, user="root"): + principal = get_property_value(identity, 'principal') + kinit_path_local = functions.get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None)) + kdestroy_path_local = functions.get_kdestroy_path(default('/configurations/kerberos-env/executable_search_paths', None)) + + if principal is not None: + keytab_file = get_property_value(identity, 'keytab_file') + keytab = get_property_value(identity, 'keytab') + password = get_property_value(identity, 'password') + + # If a test keytab file is available, simply use it + if (keytab_file is not None) and (os.path.isfile(keytab_file)): + keytab_file = keytab_file.replace("_HOST", params.hostname) + command = '%s -k -t %s %s' % (kinit_path_local, keytab_file, principal) + Execute(command, + user = user, + ) + return shell.checked_call(kdestroy_path_local) + + # If base64-encoded test keytab data is available; then decode it, write it to a 
temporary file + # use it, and then remove the temporary file + elif keytab is not None: + (fd, test_keytab_file) = tempfile.mkstemp() + os.write(fd, base64.b64decode(keytab)) + os.close(fd) + + try: + command = '%s -k -t %s %s' % (kinit_path_local, test_keytab_file, principal) + Execute(command, + user = user, + ) + return shell.checked_call(kdestroy_path_local) + except: + raise + finally: + if test_keytab_file is not None: + os.remove(test_keytab_file) + + # If no keytab data is available and a password was supplied, simply use it. + elif password is not None: + process = subprocess.Popen([kinit_path_local, principal], stdin=subprocess.PIPE) + stdout, stderr = process.communicate(password) + if process.returncode: + err_msg = Logger.filter_text("Execution of kinit returned %d. %s" % (process.returncode, stderr)) + raise Fail(err_msg) + else: + return shell.checked_call(kdestroy_path_local) + else: + return 0, '' + else: + return 0, '' + + + def write_keytab_file(self): + import params + import stat + + if params.kerberos_command_params is not None: + for item in params.kerberos_command_params: + keytab_content_base64 = get_property_value(item, 'keytab_content_base64') + if (keytab_content_base64 is not None) and (len(keytab_content_base64) > 0): + keytab_file_path = get_property_value(item, 'keytab_file_path') + if (keytab_file_path is not None) and (len(keytab_file_path) > 0): + keytab_file_path = keytab_file_path.replace("_HOST", params.hostname) + head, tail = os.path.split(keytab_file_path) + if head: + Directory(head, create_parents = True, mode=0755, owner="root", group="root") + + owner = "root" + group = "root" + mode = 0 + + mode |= stat.S_IREAD | stat.S_IWRITE + mode |= stat.S_IRGRP | stat.S_IWGRP + + keytab_content = base64.b64decode(keytab_content_base64) + + # to hide content in command output + def make_lambda(data): + return lambda: data + + File(keytab_file_path, + content=make_lambda(keytab_content), + mode=mode, + owner=owner, + group=group) + 
+ principal = get_property_value(item, 'principal') + if principal is not None: + curr_content = Script.structuredOut + + if "keytabs" not in curr_content: + curr_content['keytabs'] = {} + + curr_content['keytabs'][principal.replace("_HOST", params.hostname)] = keytab_file_path + + self.put_structured_out(curr_content) + + def delete_keytab_file(self): + import params + + if params.kerberos_command_params is not None: + for item in params.kerberos_command_params: + keytab_file_path = get_property_value(item, 'keytab_file_path') + if (keytab_file_path is not None) and (len(keytab_file_path) > 0): + keytab_file_path = keytab_file_path.replace("_HOST", params.hostname) + # Delete the keytab file + File(keytab_file_path, action="delete") + + principal = get_property_value(item, 'principal') + if principal is not None: + curr_content = Script.structuredOut + + if "keytabs" not in curr_content: + curr_content['keytabs'] = {} + + curr_content['keytabs'][principal.replace("_HOST", params.hostname)] = '_REMOVED_' + + self.put_structured_out(curr_content) + + def setup_jce(self): + import params + + if not params.jdk_name: + return + jce_curl_target = None + if params.jce_policy_zip is not None: + jce_curl_target = format("{artifact_dir}/{jce_policy_zip}") + Directory(params.artifact_dir, + create_parents = True, + ) + File(jce_curl_target, + content = DownloadSource(format("{jce_location}/{jce_policy_zip}")), + ) + elif params.security_enabled: + # Something weird is happening + raise Fail("Security is enabled, but JCE policy zip is not specified.") + + # The extraction will occur only after the security flag is set + if params.security_enabled: + security_dir = format("{java_home}/jre/lib/security") + + File([format("{security_dir}/US_export_policy.jar"), format("{security_dir}/local_policy.jar")], + action = "delete", + ) + + extract_cmd = ("unzip", "-o", "-j", "-q", jce_curl_target, "-d", security_dir) + Execute(extract_cmd, + only_if = format("test -e {security_dir} && 
test -f {jce_curl_target}"),
+ path = ['/bin/','/usr/bin'],
+ sudo = True
+ )
http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/params.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/params.py
new file mode 100644
index 0000000..3533b35
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/params.py
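Review bot: In `invoke_kadmin` (kerberos_common.py), the admin password is placed in a shell command string as `-w "%s"`, so it appears in the process list and, assuming `shell.checked_call` hands the string to a shell, any `"`, `$` or backtick in the password, principal or realm is interpreted; only the query has `"` escaped. Each interpolated value should be quoted (for example with `pipes.quote`), and the keytab branch preferred over `-w` where the setup allows it. That keytab branch cannot run as written: `keytab_file_path = keytab_file_path.replace("_HOST", params.hostname)` reads a local that was never assigned and `params` is not imported in the function, so it raises right after `mkstemp()` and, because the `try/finally` has not started yet, leaves the temp file behind; the line should be removed, and `test_kinit` uses the same un-imported `params.hostname`. `create_keytab` also deletes the `mkstemp()` path without closing `fd` and then lets kadmin recreate that name, which reopens the race that `mkstemp` exists to prevent. Finally, `create_random_password` draws from `random.choice`, which is not a cryptographic source; `random.SystemRandom().choice(chars)` is the drop-in replacement.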
@@ -0,0 +1,200 @@ +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" + +from resource_management import * +from utils import get_property_value, get_unstructured_data +from ambari_commons.os_check import OSCheck +from resource_management.libraries.functions.expect import expect + +krb5_conf_dir = '/etc' +krb5_conf_file = 'krb5.conf' +krb5_conf_path = krb5_conf_dir + '/' + krb5_conf_file + +if OSCheck.is_suse_family(): + kdc_conf_dir = '/var/lib/kerberos/krb5kdc' +elif OSCheck.is_ubuntu_family(): + kdc_conf_dir = '/etc/krb5kdc' +else: + kdc_conf_dir = '/var/kerberos/krb5kdc' +kdc_conf_file = 'kdc.conf' +kdc_conf_path = kdc_conf_dir + '/' + kdc_conf_file + +kadm5_acl_dir = kdc_conf_dir # Typically kadm5.acl and kdc.conf exist in the same directory +kadm5_acl_file = 'kadm5.acl' +kadm5_acl_path = kadm5_acl_dir + '/' + kadm5_acl_file + +config = Script.get_config() +tmp_dir = Script.get_tmp_dir() + +configurations = None +keytab_details = None +default_group = None +kdc_server_host = None +cluster_host_info = None + +hostname = config['hostname'] + +kdb5_util_path = 'kdb5_util' + +kdamin_pid_path = '/var/run/kadmind.pid' +krb5kdc_pid_path = '/var/run/krb5kdc.pid' + +smoke_test_principal = None +smoke_test_keytab_file = None + +smoke_user = 'ambari-qa' + 
+manage_identities = 'true' + +artifact_dir = format("{tmp_dir}/AMBARI-artifacts/") +jce_policy_zip = default("/hostLevelParams/jce_name", None) # None when jdk is already installed by user +jce_location = config['hostLevelParams']['jdk_location'] +jdk_name = default("/hostLevelParams/jdk_name", None) +java_home = config['hostLevelParams']['java_home'] +java_version = expect("/hostLevelParams/java_version", int) + +security_enabled = config['configurations']['cluster-env']['security_enabled'] + +if config is not None: + kerberos_command_params = get_property_value(config, 'kerberosCommandParams') + + cluster_host_info = get_property_value(config, 'clusterHostInfo') + if cluster_host_info is not None: + kdc_server_hosts = get_property_value(cluster_host_info, 'kdc_server_hosts') + + if (kdc_server_hosts is not None) and (len(kdc_server_hosts) > 0): + kdc_server_host = kdc_server_hosts[0] + + configurations = get_property_value(config, 'configurations') + if configurations is not None: + cluster_env = get_property_value(configurations, 'cluster-env') + + if cluster_env is not None: + smoke_test_principal = get_property_value(cluster_env, 'smokeuser_principal_name', None, True, None) + smoke_test_keytab_file = get_property_value(cluster_env, 'smokeuser_keytab', None, True, None) + smoke_user = get_property_value(cluster_env, 'smokeuser', smoke_user, True, smoke_user) + + default_group = get_property_value(cluster_env, 'user_group') + + if default_group is None: + default_group = get_property_value(cluster_env, 'user-group') + + # ############################################################################################## + # Get krb5.conf template data + # ############################################################################################## + realm = 'EXAMPLE.COM' + domains = '' + kdc_hosts = 'localhost' + admin_server_host = None + admin_principal = None + admin_password = None + admin_keytab = None + test_principal = None + test_password = None + 
test_keytab = None + test_keytab_file = None + encryption_types = None + manage_krb5_conf = "true" + krb5_conf_template = None + + krb5_conf_data = get_property_value(configurations, 'krb5-conf') + + kerberos_env = get_property_value(configurations, "kerberos-env") + + if kerberos_env is not None: + manage_identities = get_property_value(kerberos_env, "manage_identities", "true", True, "true") + encryption_types = get_property_value(kerberos_env, "encryption_types", None, True, None) + realm = get_property_value(kerberos_env, "realm", None, True, None) + kdc_hosts = get_property_value(kerberos_env, 'kdc_hosts', kdc_hosts) + admin_server_host = get_property_value(kerberos_env, 'admin_server_host', admin_server_host) + + if krb5_conf_data is not None: + realm = get_property_value(krb5_conf_data, 'realm', realm) + domains = get_property_value(krb5_conf_data, 'domains', domains) + + admin_principal = get_property_value(krb5_conf_data, 'admin_principal', admin_principal, True, None) + admin_password = get_property_value(krb5_conf_data, 'admin_password', admin_password, True, None) + admin_keytab = get_property_value(krb5_conf_data, 'admin_keytab', admin_keytab, True, None) + + test_principal = get_property_value(krb5_conf_data, 'test_principal', test_principal, True, None) + test_password = get_property_value(krb5_conf_data, 'test_password', test_password, True, None) + test_keytab = get_property_value(krb5_conf_data, 'test_keytab', test_keytab, True, None) + test_keytab_file = get_property_value(krb5_conf_data, 'test_keytab_file', test_keytab_file, True, None) + + krb5_conf_template = get_property_value(krb5_conf_data, 'content', krb5_conf_template) + krb5_conf_dir = get_property_value(krb5_conf_data, 'conf_dir', krb5_conf_dir) + krb5_conf_file = get_property_value(krb5_conf_data, 'conf_file', krb5_conf_file) + krb5_conf_path = krb5_conf_dir + '/' + krb5_conf_file + + manage_krb5_conf = get_property_value(krb5_conf_data, 'manage_krb5_conf', "true") + + # For backward 
compatibility, ensure that kdc_host exists. This may be needed if the krb5.conf + # template in krb5-conf/content had not be updated during the Ambari upgrade to 2.4.0 - which + # will happen if the template was altered from its stack-default value. + kdc_host_parts = kdc_hosts.split(',') + if kdc_host_parts: + kdc_host = kdc_host_parts[0] + else: + kdc_host = kdc_hosts + + # ############################################################################################## + # Get kdc.conf template data + # ############################################################################################## + kdcdefaults_kdc_ports = "88" + kdcdefaults_kdc_tcp_ports = "88" + + kdc_conf_template = None + + kdc_conf_data = get_property_value(configurations, 'kdc-conf') + + if kdc_conf_data is not None: + kdcdefaults_kdc_ports = get_property_value(kdc_conf_data, 'kdcdefaults_kdc_ports', kdcdefaults_kdc_ports) + kdcdefaults_kdc_tcp_ports = get_property_value(kdc_conf_data, 'kdcdefaults_kdc_tcp_ports', kdcdefaults_kdc_tcp_ports) + + kdc_conf_template = get_property_value(kdc_conf_data, 'content', kdc_conf_template) + kdc_conf_dir = get_property_value(kdc_conf_data, 'conf_dir', kdc_conf_dir) + kdc_conf_file = get_property_value(kdc_conf_data, 'conf_file', kdc_conf_file) + kdc_conf_path = kdc_conf_dir + '/' + kdc_conf_file + + # ############################################################################################## + # Get kadm5.acl template data + # ############################################################################################## + kdcdefaults_kdc_ports = '88' + kdcdefaults_kdc_tcp_ports = '88' + + kadm5_acl_template = None + + kadm5_acl_data = get_property_value(configurations, 'kadm5-acl') + + if kadm5_acl_data is not None: + kadm5_acl_template = get_property_value(kadm5_acl_data, 'content', kadm5_acl_template) + kadm5_acl_dir = get_property_value(kadm5_acl_data, 'conf_dir', kadm5_acl_dir) + kadm5_acl_file = get_property_value(kadm5_acl_data, 'conf_file', 
kadm5_acl_file) + kadm5_acl_path = kadm5_acl_dir + '/' + kadm5_acl_file + + # ################################################################################################ + # Get commandParams + # ################################################################################################ + command_params = get_property_value(config, 'commandParams') + if command_params is not None: + keytab_details = get_unstructured_data(command_params, 'keytab') + + if manage_identities: + smoke_test_principal = get_property_value(command_params, 'principal_name', smoke_test_principal) + smoke_test_keytab_file = get_property_value(command_params, 'keytab_file', smoke_test_keytab_file) http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/service_check.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/service_check.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/service_check.py new file mode 100644 index 0000000..555a93c --- /dev/null +++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/service_check.py 
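Review bot: The closing `if manage_identities:` tests a string, so it is true for "false" as well as "true". The value starts as `'true'` and is re-read from kerberos-env with a `"true"` default, which suggests get_property_value returns the configured text (utils is not shown here, so confirm). With identity management switched off, the smoke-test principal and keytab would still be overridden from commandParams; compare explicitly, e.g. `if str(manage_identities).lower() == 'true':`. Separately, `if config is not None:` can never be false where it sits, because `config['hostname']` and `config['configurations']['cluster-env']['security_enabled']` are indexed above it; move the guard up or drop it.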
@@ -0,0 +1,30 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Ambari Agent
+
+"""
+
+from resource_management.libraries.script.script import Script
+
+class ServiceCheck(Script):
+
+ def service_check(self, env):
+ print "Service Check"
+
+if __name__ == "__main__":
+ ServiceCheck().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/338c2c5b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/status_params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/status_params.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/status_params.py
new file mode 100644
index 0000000..bbae4a3
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/status_params.py
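Review bot: `service_check` only prints a fixed string, so the KERBEROS service check reports success whether or not Kerberos works on the host, and nothing in the file says so. That is presumably intended for the PERF stack, but a docstring on the method would keep an operator from reading a passing check as validation, e.g. `"""No-op stub for the PERF stack: reports success without contacting a KDC or testing a keytab."""`. The `Ambari Agent` line in the module header could carry the same remark.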
@@ -0,0 +1,32 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management import *
+
+config = Script.get_config()
+tmp_dir = Script.get_tmp_dir()
+
+hostname = config['hostname']
+kinit_path_local = functions.get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None))
+
+security_enabled = config['configurations']['cluster-env']['security_enabled']
+
+smoke_user_keytab = config['configurations']['cluster-env']['smokeuser_keytab']
+smoke_user = config['configurations']['cluster-env']['smokeuser']
+smoke_user_principal = config['configurations']['cluster-env']['smokeuser_principal_name']
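Review bot: `smoke_user_keytab`, `smoke_user` and `smoke_user_principal` are read by direct indexing, so a cluster-env that lacks any of them raises KeyError as soon as this module is imported. params.py in this same commit reads those keys through get_property_value with a fallback. The `default()` helper already used for `kinit_path_local` gives the same tolerance here, e.g. `smoke_user_keytab = default('/configurations/cluster-env/smokeuser_keytab', None)`, and likewise for the other two. If the cluster-env.xml change in this commit guarantees the keys, a one-line comment saying so would do instead.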
