Repository: ambari Updated Branches: refs/heads/branch-2.5 ac01c2773 -> 09944fa58
AMBARI-21230. Add Kerberos HTTP SPNEGO authentication support to Accumulo (Qin Liu via rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/09944fa5 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/09944fa5 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/09944fa5 Branch: refs/heads/branch-2.5 Commit: 09944fa5884f84fc8d0552b75d7e80f235f76c0e Parents: ac01c27 Author: Qin Liu <[email protected]> Authored: Tue Jun 13 16:41:28 2017 +0200 Committer: Robert Levas <[email protected]> Committed: Mon Jun 19 12:37:43 2017 -0400 ---------------------------------------------------------------------- .../timeline/AbstractTimelineMetricsSink.java | 54 ++++++++++---------- .../1.6.1.2.2.0/configuration/accumulo-env.xml | 5 ++ .../package/scripts/accumulo_configuration.py | 3 ++ .../1.6.1.2.2.0/package/scripts/params.py | 5 +- .../package/templates/accumulo_jaas.conf.j2 | 29 +++++++++++ 5 files changed, 67 insertions(+), 29 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/09944fa5/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java ---------------------------------------------------------------------- diff --git a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java index 249d96b..b8cba25 100644 --- a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java +++ b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java 
@@ -172,23 +172,7 @@ public abstract class AbstractTimelineMetricsSink { connection.setRequestProperty(COOKIE, appCookie); } - connection.setRequestMethod("POST"); - connection.setRequestProperty("Content-Type", "application/json"); - connection.setRequestProperty("Connection", "Keep-Alive"); - connection.setConnectTimeout(timeout); - connection.setReadTimeout(timeout); - connection.setDoOutput(true); - - if (jsonData != null) { - try (OutputStream os = connection.getOutputStream()) { - os.write(jsonData.getBytes("UTF-8")); - } - } - - int statusCode = connection.getResponseCode(); - if (LOG.isDebugEnabled()) { - LOG.debug("emitMetricsJson: statusCode = " + statusCode); - } + int statusCode = emitMetricsJson(connection, timeout, jsonData); if (statusCode == HttpStatus.SC_UNAUTHORIZED ) { String wwwAuthHeader = connection.getHeaderField(WWW_AUTHENTICATE); @@ -198,18 +182,11 @@ public abstract class AbstractTimelineMetricsSink { if (wwwAuthHeader != null && wwwAuthHeader.trim().startsWith(NEGOTIATE)) { appCookie = appCookieManager.getAppCookie(connectUrl, true); if (appCookie != null) { + cleanupInputStream(connection.getInputStream()); + connection = connectUrl.startsWith("https") ? + getSSLConnection(connectUrl) : getConnection(connectUrl); connection.setRequestProperty(COOKIE, appCookie); - - if (jsonData != null) { - try (OutputStream os = connection.getOutputStream()) { - os.write(jsonData.getBytes("UTF-8")); - } - } - - statusCode = connection.getResponseCode(); - if (LOG.isDebugEnabled()) { - LOG.debug("emitMetricsJson: statusCode2 = " + statusCode); - } + statusCode = emitMetricsJson(connection, timeout, jsonData); } } else { // no supported authentication type found 
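Review bot: In the second hunk (`@@ -198,18 +182,11 @@`), `cleanupInputStream(connection.getInputStream());` is called on a connection that has just answered 401, and `HttpURLConnection.getInputStream()` throws an `IOException` for a 4xx status rather than returning the body. Unless that exception is handled right around the call (the enclosing method's try/catch lies outside the hunk), the cookie retry that follows is never reached. Draining the error body keeps the retry path alive: `cleanupInputStream(connection.getErrorStream());`, provided `cleanupInputStream` tolerates a null stream, which is not visible here. The `connectUrl.startsWith("https")` test would also read more safely as a comparison against the parsed URL scheme.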
@@ -259,6 +236,27 @@ public abstract class AbstractTimelineMetricsSink { } } + private int emitMetricsJson(HttpURLConnection connection, int timeout, String jsonData) throws IOException { + connection.setRequestMethod("POST"); + connection.setRequestProperty("Content-Type", "application/json"); + connection.setRequestProperty("Connection", "Keep-Alive"); + connection.setConnectTimeout(timeout); + connection.setReadTimeout(timeout); + connection.setDoOutput(true); + + if (jsonData != null) { + try (OutputStream os = connection.getOutputStream()) { + os.write(jsonData.getBytes("UTF-8")); + } + } + + int statusCode = connection.getResponseCode(); + if (LOG.isDebugEnabled()) { + LOG.debug("emitMetricsJson: statusCode = " + statusCode); + } + return statusCode; + } + protected String getCurrentCollectorHost() { String collectorHost; // Get cached target http://git-wip-us.apache.org/repos/asf/ambari/blob/09944fa5/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml index 1e5eb54..e4aa21e 100644 --- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml +++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml 
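Review bot: The new private helper `emitMetricsJson(HttpURLConnection, int, String)` logs the same `"emitMetricsJson: statusCode = "` line for the first POST and for the post-401 retry, where the removed code used `statusCode2` for the retry. In a debug log of a failing SPNEGO exchange the two attempts can no longer be told apart. The helper also has no Javadoc; a short one should say that it configures the request and must be given a connection that has not been connected yet, and that it returns the HTTP status code. Passing a caller-supplied label into the debug line would restore the distinction.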
@@ -233,6 +233,11 @@ export ACCUMULO_MONITOR_OPTS="-Xmx{{accumulo_monitor_heapsize}}m -Xms{{accumulo_
 export ACCUMULO_GC_OPTS="-Xmx{{accumulo_gc_heapsize}}m -Xms{{accumulo_gc_heapsize}}m"
 export ACCUMULO_GENERAL_OPTS="-XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -Djava.net.preferIPv4Stack=true ${ACCUMULO_GENERAL_OPTS}"
 export ACCUMULO_OTHER_OPTS="-Xmx{{accumulo_other_heapsize}}m -Xms{{accumulo_other_heapsize}}m ${ACCUMULO_OTHER_OPTS}"
+{% if security_enabled %}
+export ACCUMULO_TSERVER_OPTS="${ACCUMULO_TSERVER_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false"
+export ACCUMULO_MASTER_OPTS="${ACCUMULO_MASTER_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false"
+export ACCUMULO_GC_OPTS="${ACCUMULO_GC_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false"
+{% endif %}
 export ACCUMULO_MONITOR_BIND_ALL={{monitor_bind_str}}
 # what do when the JVM runs out of heap memory
 export ACCUMULO_KILL_CMD='kill -9 %p'
http://git-wip-us.apache.org/repos/asf/ambari/blob/09944fa5/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
index 25275f8..2629a2a 100644
--- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
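Review bot: The three added exports set `-Djavax.security.auth.useSubjectCredsOnly=false` with no comment, and that property applies to the whole daemon JVM, not just to one client inside it. It lets GSS obtain credentials through the JAAS login entry instead of requiring them on the current Subject, so the reason deserves a line above `{% if security_enabled %}`, for example `# JAAS keytab login so GSS/SPNEGO clients in these daemons can authenticate (see accumulo_jaas.conf)`. Only the TSERVER, MASTER and GC options are extended. If the monitor or the processes started with `ACCUMULO_OTHER_OPTS` also need to authenticate this way, which cannot be told from this hunk, they would need the same two options.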
@@ -107,6 +107,9 @@ def setup_conf_dir(name=None): # 'master' or 'tserver' or 'monitor' or 'gc' or ' content=InlineTemplate(params.server_env_sh_template) ) + if params.security_enabled: + accumulo_TemplateConfig("accumulo_jaas.conf", dest_conf_dir) + # create client.conf file configs = {} if 'client' in params.config['configurations']: http://git-wip-us.apache.org/repos/asf/ambari/blob/09944fa5/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py index 150b0a8..a3e9a0b 100644 --- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py @@ -163,6 +163,7 @@ master_hosts = default('/clusterHostInfo/accumulo_master_hosts', []) monitor_hosts = default('/clusterHostInfo/accumulo_monitor_hosts', []) gc_hosts = default('/clusterHostInfo/accumulo_gc_hosts', []) tracer_hosts = default('/clusterHostInfo/accumulo_tracer_hosts', []) +hostname = status_params.hostname # security properties accumulo_user_keytab = config['configurations']['accumulo-env']['accumulo_user_keytab'] 
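Review bot: `accumulo_TemplateConfig("accumulo_jaas.conf", dest_conf_dir)` writes the JAAS file into `dest_conf_dir`, while the second params.py hunk of this commit builds `accumulo_jaas_file` from `server_conf_dir`, and that is the path handed to `-Djava.security.auth.login.config`. If `setup_conf_dir` can reach this line with a `dest_conf_dir` other than the server configuration directory (the surrounding branch is outside the hunk), the JVM option would name a file that was not written there. A comment such as `# must match params.accumulo_jaas_file, which accumulo-env passes to the JVM` would document the coupling, or the call could be guarded on the two directories being equal. The owner and mode of the rendered file are decided inside `accumulo_TemplateConfig`, which is not shown.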
@@ -173,11 +174,13 @@ kinit_path_local = status_params.kinit_path_local if security_enabled: bare_accumulo_principal = get_bare_principal(config['configurations']['accumulo-site']['general.kerberos.principal']) kinit_cmd = format("{kinit_path_local} -kt {accumulo_user_keytab} {accumulo_principal_name};") + general_kerberos_keytab = config['configurations']['accumulo-site']['general.kerberos.keytab'] + general_kerberos_principal = config['configurations']['accumulo-site']['general.kerberos.principal'].replace('_HOST', hostname.lower()) + accumulo_jaas_file = format("{server_conf_dir}/accumulo_jaas.conf") else: kinit_cmd = "" #for create_hdfs_directory -hostname = status_params.hostname hdfs_user_keytab = config['configurations']['hadoop-env']['hdfs_user_keytab'] hdfs_user = config['configurations']['hadoop-env']['hdfs_user'] hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name'] http://git-wip-us.apache.org/repos/asf/ambari/blob/09944fa5/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2 new file mode 100644 index 0000000..1ac5cea --- /dev/null +++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2 
@@ -0,0 +1,29 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+
+com.sun.security.jgss.krb5.initiate {
+com.sun.security.auth.module.Krb5LoginModule required
+renewTGT=false
+doNotPrompt=true
+useKeyTab=true
+storeKey=true
+useTicketCache=false
+debug=true
+keyTab="{{general_kerberos_keytab}}"
+principal="{{general_kerberos_principal}}";
+};
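Review bot: `debug=true` is hard-coded in the `Krb5LoginModule` entry, so every daemon started with this JAAS file writes Kerberos login debug output, including the principal name and keytab path, to its standard output on each login. That helps while bringing SPNEGO up but is a noisy and mildly revealing shipped default; `debug=false`, or a template variable that defaults to false, would be the safer choice. `storeKey=true` is also worth a second look for an initiate-only entry, since it keeps the long-term key in the Subject's private credentials for the life of the login.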
