[50/50] [abbrv] ambari git commit: AMBARI-20349. When SPNEGO authentication is enabled for Hadoop in a cluster with NN HA, PXF Process alert fails (rlevas)

Thu, 09 Mar 2017 08:39:53 -0800 

AMBARI-20349. When SPNEGO authentication is enabled for Hadoop in a cluster 
with NN HA, PXF Process alert fails (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/245fd5cf
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/245fd5cf
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/245fd5cf

Branch: refs/heads/branch-dev-logsearch
Commit: 245fd5cf3689097fdcdde6a75c39de9d38e0bde8
Parents: 221ad28
Author: Robert Levas <[email protected]>
Authored: Thu Mar 9 10:25:53 2017 -0500
Committer: Robert Levas <[email protected]>
Committed: Thu Mar 9 10:25:53 2017 -0500

----------------------------------------------------------------------
 .../PXF/3.0.0/package/alerts/api_status.py      | 36 ++++++++++++++------
 1 file changed, 25 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/245fd5cf/ambari-server/src/main/resources/common-services/PXF/3.0.0/package/alerts/api_status.py
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/resources/common-services/PXF/3.0.0/package/alerts/api_status.py
 
b/ambari-server/src/main/resources/common-services/PXF/3.0.0/package/alerts/api_status.py
index d0ed0a4..dcdb372 100644
--- 
a/ambari-server/src/main/resources/common-services/PXF/3.0.0/package/alerts/api_status.py
+++ 
b/ambari-server/src/main/resources/common-services/PXF/3.0.0/package/alerts/api_status.py
@@ -24,15 +24,17 @@ import socket
 import urllib2
 import urllib
 
+from resource_management.core import shell
 from resource_management.libraries.functions.curl_krb_request import 
curl_krb_request
+from resource_management.libraries.functions.get_kinit_path import 
get_kinit_path
 from resource_management.libraries.functions.namenode_ha_utils import 
get_active_namenode
 from resource_management.libraries.script.config_dictionary import 
ConfigDictionary
 from resource_management.core.environment import Environment
 
 CLUSTER_ENV_SECURITY = '{{cluster-env/security_enabled}}'
-HADOOP_ENV_HDFS_USER = '{{hadoop-env/hdfs_user}}'
-HADOOP_ENV_HDFS_USER_KEYTAB = '{{hadoop-env/hdfs_user_keytab}}'
-HADOOP_ENV_HDFS_PRINCIPAL_NAME = '{{hadoop-env/hdfs_principal_name}}'
+ACTING_USER = 'pxf'
+KEYTAB_FILE = '{{pxf-site/pxf.service.kerberos.keytab}}'
+PRINCIPAL_NAME = '{{pxf-site/pxf.service.kerberos.principal}}'
 HDFS_SITE = '{{hdfs-site}}'
 
 
@@ -58,9 +60,9 @@ commonPXFHeaders = {
 
 def get_tokens():
   return (CLUSTER_ENV_SECURITY,
-          HADOOP_ENV_HDFS_USER,
-          HADOOP_ENV_HDFS_USER_KEYTAB,
-          HADOOP_ENV_HDFS_PRINCIPAL_NAME,
+          ACTING_USER,
+          KEYTAB_FILE,
+          PRINCIPAL_NAME,
           HDFS_SITE)
 
 def _get_delegation_token(namenode_address, user, keytab, principal, 
kinit_path):
@@ -130,21 +132,33 @@ def _get_pxf_protocol_version(base_url):
 
   raise Exception("version could not be found in response " + response)
 
+
+def _ensure_kerberos_authentication(user, principal, keytab_file, kinit_path):
+  kinit_path_local = get_kinit_path(kinit_path)
+  shell.checked_call("{0} -kt {1} {2} > /dev/null".format(kinit_path_local, 
keytab_file, principal),
+                     user=user)
+
 def execute(configurations={}, parameters={}, host_name=None):
   BASE_URL = "http://{0}:{1}/pxf/".format(host_name, PXF_PORT)
   try:
     # Get delegation token if security is enabled
     if CLUSTER_ENV_SECURITY in configurations and 
configurations[CLUSTER_ENV_SECURITY].lower() == "true":
+      resolved_principal = configurations[PRINCIPAL_NAME]
+      if resolved_principal is not None:
+        resolved_principal = resolved_principal.replace('_HOST', host_name)
+
       if 'dfs.nameservices' in configurations[HDFS_SITE]:
-        namenode_address = 
get_active_namenode(ConfigDictionary(configurations[HDFS_SITE]), 
configurations[CLUSTER_ENV_SECURITY], configurations[HADOOP_ENV_HDFS_USER])[1]
+        if configurations[CLUSTER_ENV_SECURITY]:
+          _ensure_kerberos_authentication(configurations[ACTING_USER], 
resolved_principal, configurations[KEYTAB_FILE], None)
+        namenode_address = 
get_active_namenode(ConfigDictionary(configurations[HDFS_SITE]), 
configurations[CLUSTER_ENV_SECURITY], configurations[ACTING_USER])[1]
       else:
         namenode_address = 
configurations[HDFS_SITE]['dfs.namenode.http-address']
 
       token = _get_delegation_token(namenode_address,
-                                     configurations[HADOOP_ENV_HDFS_USER],
-                                     
configurations[HADOOP_ENV_HDFS_USER_KEYTAB],
-                                     
configurations[HADOOP_ENV_HDFS_PRINCIPAL_NAME],
-                                     None)
+                                    configurations[ACTING_USER],
+                                    configurations[KEYTAB_FILE],
+                                    resolved_principal,
+                                    None)
       commonPXFHeaders.update({"X-GP-TOKEN": token})
 
     if _get_pxf_protocol_version(BASE_URL).startswith("v"):

Reply via email to