This is an automated email from the ASF dual-hosted git repository.
guyuqi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bigtop.git
The following commit(s) were added to refs/heads/master by this push:
new 526767be BIGTOP-3789: Decouple Kerberos services from Ambari Core
(#991)
526767be is described below
commit 526767bedd88b11f346f500b02a5758ce9c8c903
Author: Yuqi Gu <[email protected]>
AuthorDate: Wed Aug 31 12:33:38 2022 +0800
BIGTOP-3789: Decouple Kerberos services from Ambari Core (#991)
Upgrade Kerberos service from 1.10.3-10 to 1.10.3-30.
It also fixes the deployment issues reported at:
https://github.com/apache/bigtop/pull/989#issuecomment-1229959105
Change-Id: I61347c98f47ab109449d52ae84ef7a4352033d8b
Signed-off-by: Yuqi Gu <[email protected]>
---
.../KERBEROS/configuration/kerberos-env.xml | 406 +++++++++++++++++++++
.../services/KERBEROS/configuration/krb5-conf.xml | 85 +++++
.../BGTP/1.0/services/KERBEROS/kerberos.json | 18 +
.../stacks/BGTP/1.0/services/KERBEROS/metainfo.xml | 107 +++++-
.../KERBEROS/package/scripts/kerberos_client.py | 91 +++++
.../services/KERBEROS/package/scripts/params.py | 206 +++++++++++
.../KERBEROS/package/scripts/service_check.py | 86 +++++
.../KERBEROS/package/scripts/status_params.py | 34 ++
.../1.0/services/KERBEROS/properties/krb5_conf.j2 | 63 ++++
9 files changed, 1095 insertions(+), 1 deletion(-)
diff --git
a/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/configuration/kerberos-env.xml
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/configuration/kerberos-env.xml
new file mode 100644
index 00000000..d00e5979
--- /dev/null
+++
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/configuration/kerberos-env.xml
@@ -0,0 +1,406 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="false" supports_adding_forbidden="true">
+ <property require-input="true">
+ <name>kdc_type</name>
+ <description>
+ The type of KDC being used. Either mit-kdc, ipa, or active-directory
+ </description>
+ <value>mit-kdc</value>
+ <display-name>KDC type</display-name>
+ <value-attributes>
+ <type>componentHost</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property require-input="false">
+ <name>kadmin_principal_name</name>
+ <value>kadmin/${admin_server_host|stripPort()}</value>
+ <description>
+ The principal name of kAdmin service principal
+ </description>
+ <display-name>kAdmin Service Principal Name</display-name>
+ <on-ambari-upgrade add="true" delete="false" update="false"/>
+ <on-stack-upgrade merge="true"/>
+ <value-attributes>
+ <visible>true</visible>
+ <overridable>false</overridable>
+ <keystore>false</keystore>
+ </value-attributes>
+ </property>
+ <property>
+ <name>manage_identities</name>
+ <description>
+ Indicates whether the Ambari user and service Kerberos identities
(principals and keytab files)
+ should be managed (created, deleted, updated, etc...) by Ambari or
managed manually.
+ </description>
+ <value>true</value>
+ <display-name>Manage Kerberos Identities</display-name>
+ <value-attributes>
+ <visible>false</visible>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>manage_auth_to_local</name>
+ <description>
+ Indicates whether the hadoop auth_to_local rules should be managed by
Ambari or managed manually.
+ </description>
+ <value>true</value>
+ <display-name>Manage Hadoop auth_to_local rules</display-name>
+ <value-attributes>
+ <visible>true</visible>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>install_packages</name>
+ <display-name>Install OS-specific Kerberos client package(s)</display-name>
+ <description>
+ Indicates whether Ambari should install the Kerberos client package(s)
or not. If not, it is
+ expected that Kerberos utility programs (such as kadmin, kinit, klist,
and kdestroy) are
+ compatible with MIT Kerberos 5 version 1.10.3 in command line options
and behaviors.
+ </description>
+ <value>true</value>
+ <value-attributes>
+ <type>boolean</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>ldap_url</name>
+ <display-name>LDAP url</display-name>
+ <description>
+ The URL to the Active Directory LDAP Interface
+ Example: ldaps://ad.example.com:636
+ </description>
+ <value/>
+ <value-attributes>
+ <visible>false</visible>
+ <overridable>false</overridable>
+ <type>ldap_url</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>container_dn</name>
+ <display-name>Container DN</display-name>
+ <description>
+ The distinguished name (DN) of the container used store service
principals
+ </description>
+ <value-attributes>
+ <visible>false</visible>
+ <overridable>false</overridable>
+ </value-attributes>
+ <value/>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>encryption_types</name>
+ <display-name>Encryption Types</display-name>
+ <description>
+ The supported list of session key encryption types that should be
returned by the KDC.
+ </description>
+ <value>aes des3-cbc-sha1 rc4 des-cbc-md5</value>
+ <value-attributes>
+ <type>multiLine</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property require-input="true">
+ <name>realm</name>
+ <description>
+ The default realm to use when creating service principals
+ </description>
+ <display-name>Realm name</display-name>
+ <value/>
+ <value-attributes>
+ <type>host</type>
+ <editable-only-at-install>true</editable-only-at-install>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>kdc_hosts</name>
+ <description>
+ A comma-delimited list of IP addresses or FQDNs declaring the KDC hosts.
+ Optionally a port number may be included in each entry by separating
each host and port by a
+ colon (:). Example: kdc1.example.com:88, kdc2.example.com:88
+ </description>
+ <display-name>KDC hosts</display-name>
+ <value/>
+ <value-attributes>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>master_kdc</name>
+ <description>
+ The IP address or FQDN of the master KDC host in a master-slave KDC
deployment.
+ Optionally a port number may be included.
+ Example: kdc1.example.com:88
+ </description>
+ <display-name>Master KDC host</display-name>
+ <value/>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>admin_server_host</name>
+ <display-name>Kadmin host</display-name>
+ <description>
+ The FQDN for the KDC Kerberos administrative host. Optionally a port
number may be included.
+ </description>
+ <value/>
+ <value-attributes>
+ <type>host</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>executable_search_paths</name>
+ <display-name>Executable Search Paths</display-name>
+ <description>
+ A comma-delimited list of search paths to use to find Kerberos utilities
like kadmin, kinit and ipa.
+ </description>
+ <value>/usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin,
/usr/lib/mit/sbin</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>multiLine</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_length</name>
+ <display-name>Password Length</display-name>
+ <description>
+ The length required length for generated passwords.
+ </description>
+ <value>20</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_min_lowercase_letters</name>
+ <display-name>Password Minimum # Lowercase Letters</display-name>
+ <description>
+ The minimum number of lowercase letters (a-z) required in generated
passwords
+ </description>
+ <value>1</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_min_uppercase_letters</name>
+ <display-name>Password Minimum # Uppercase Letters</display-name>
+ <description>
+ The minimum number of uppercase letters (A-Z) required in generated
passwords
+ </description>
+ <value>1</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_min_digits</name>
+ <display-name>Password Minimum # Digits</display-name>
+ <description>
+ The minimum number of digits (0-9) required in generated passwords
+ </description>
+ <value>1</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_min_punctuation</name>
+ <display-name>Password Minimum # Punctuation Characters</display-name>
+ <description>
+ The minimum number of punctuation characters (?.!$%^*()-_+=~) required
in generated passwords
+ </description>
+ <value>1</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_min_whitespace</name>
+ <display-name>Password Minimum # Whitespace Characters</display-name>
+ <description>
+ The minimum number of whitespace characters required in generated
passwords
+ </description>
+ <value>0</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>service_check_principal_name</name>
+ <display-name>Test Kerberos Principal</display-name>
+ <description>
+ The principal name to use when executing the Kerberos service check
+ </description>
+ <property-type>KERBEROS_PRINCIPAL</property-type>
+ <value>${cluster_name|toLower()}-${short_date}</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>case_insensitive_username_rules</name>
+ <display-name>Enable case insensitive username rules</display-name>
+ <description>
+ Force principal names to resolve to lowercase local usernames in
auth-to-local rules
+ </description>
+ <value>false</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>ad_create_attributes_template</name>
+ <display-name>Account Attribute Template</display-name>
+ <description>
+ A Velocity template to use to generate a JSON-formatted document
containing the set of
+ attribute names and values needed to create a new Kerberos identity in
the relevant
+ Active Directory.
+ Variables include:
+ principal_name, principal_primary, principal_instance, realm,
realm_lowercase,
+ normalized_principal, principal digest, password, is_service,
container_dn
+ </description>
+ <value>
+{
+ "objectClass": ["top", "person", "organizationalPerson", "user"],
+ "cn": "$principal_name",
+ #if( $is_service )
+ "servicePrincipalName": "$principal_name",
+ #end
+ "userPrincipalName": "$normalized_principal",
+ "unicodePwd": "$password",
+ "accountExpires": "0",
+ "userAccountControl": "66048"
+}
+ </value>
+ <value-attributes>
+ <type>content</type>
+ <empty-value-valid>true</empty-value-valid>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>create_ambari_principal</name>
+ <description>
+ Indicates whether Ambari should create the principal, keytab for itself,
used by different views.
+ </description>
+ <value>true</value>
+ <display-name>Create Ambari Principal & Keytab</display-name>
+ <value-attributes>
+ <visible>true</visible>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>kdc_create_attributes</name>
+ <display-name>Principal Attributes</display-name>
+ <description>
+ The set of attributes to use when creating a new Kerberos identity in
the relevant (MIT) KDC.
+ </description>
+ <value/>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>ipa_user_group</name>
+ <display-name>IPA User Group</display-name>
+ <description>
+ The group in IPA user principals should be member of
+ </description>
+ <value/>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <visible>false</visible>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>preconfigure_services</name>
+ <display-name>Pre-configure services</display-name>
+ <description>
+ Indicates whether to pre-configure services or not. If pre-configuring
services, indicates
+ whether to pre-configure all or those explicitly flagged to be
pre-configured. Possible values
+ are DEFAULT, NONE, or ALL
+ </description>
+ <value>DEFAULT</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>value-list</type>
+ <selection-cardinality>1</selection-cardinality>
+ <entries>
+ <entry>
+ <value>NONE</value>
+ </entry>
+ <entry>
+ <value>DEFAULT</value>
+ </entry>
+ <entry>
+ <value>ALL</value>
+ </entry>
+ </entries>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+</configuration>
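Review bot: The `encryption_types` default `<value>aes des3-cbc-sha1 rc4 des-cbc-md5</value>` advertises single-DES and RC4 session keys; MIT krb5 disables single-DES by default (it needs `allow_weak_crypto`) and treats des3/rc4 as deprecated, so shipping them in the stack default invites a downgrade to a broken cipher on every new cluster. Unless pre-existing principals require them, the default should be `<value>aes</value>`, and the description should state that des/des3/rc4 entries exist only for compatibility with legacy principals. Separately, `<display-name>Create Ambari Principal & Keytab</display-name>` contains a bare `&`, which is not well-formed XML and would make the whole config type unparseable; it should be `Create Ambari Principal &amp; Keytab` (this may be an artifact of how the patch was rendered, so confirm against the committed file). The `password_length` description `The length required length for generated passwords.` should read `The required length for generated passwords.`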
diff --git
a/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/configuration/krb5-conf.xml
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/configuration/krb5-conf.xml
new file mode 100644
index 00000000..c90cf869
--- /dev/null
+++
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/configuration/krb5-conf.xml
@@ -0,0 +1,85 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+ <property require-input="false">
+ <name>domains</name>
+ <display-name>Domains</display-name>
+ <description>
+ A comma-separated list of domain names used to map server host names to
the Realm name (e.g. .example.com,example.com). This is optional
+ </description>
+ <value/>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>manage_krb5_conf</name>
+ <display-name>Manage Kerberos client krb5.conf</display-name>
+ <description>
+ Indicates whether your krb5.conf file should be managed by the wizard or
should you manage it yourself
+ </description>
+ <value>true</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>conf_dir</name>
+ <display-name>krb5-conf directory path</display-name>
+ <description>The krb5.conf configuration directory</description>
+ <value>/etc</value>
+ <value-attributes>
+ <type>directory</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>content</name>
+ <display-name>krb5-conf template</display-name>
+ <description>Customizable krb5.conf template (Jinja template
engine)</description>
+ <property-type>VALUE_FROM_PROPERTY_FILE</property-type>
+ <value/>
+ <value-attributes>
+ <type>content</type>
+ <overridable>false</overridable>
+ <property-file-name>krb5_conf.j2</property-file-name>
+ <property-file-type>text</property-file-type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>force_tcp</name>
+ <display-name>Force TCP</display-name>
+ <description>Indicates whether to use TCP (instead of UDP) when
communicating with Kerberos</description>
+ <value>false</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+</configuration>
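Review bot: params.py in this same commit reads `admin_principal`, `admin_password`, `admin_keytab`, `test_principal`, `test_password`, `test_keytab`, `test_keytab_file` and `conf_file` from the `krb5-conf` config type, but none of those properties is declared in this file, so every one of those lookups falls through to its default. If they are meant to be user-settable they should be declared here, with `<property-type>PASSWORD</property-type>` on `admin_password` and `test_password` so the UI masks them rather than showing them as plain text; if not, the dead lookups in params.py should be removed. The `manage_krb5_conf` description `Indicates whether your krb5.conf file should be managed by the wizard or should you manage it yourself` would read better as `Indicates whether krb5.conf is written by Ambari (true) or maintained manually (false)`.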
diff --git
a/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/kerberos.json
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/kerberos.json
new file mode 100644
index 00000000..e5860cf1
--- /dev/null
+++
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/kerberos.json
@@ -0,0 +1,18 @@
+{
+ "services": [
+ {
+ "name": "KERBEROS",
+ "identities": [
+ {
+ "name": "kerberos_smokeuser",
+ "reference": "/smokeuser"
+ }
+ ],
+ "components": [
+ {
+ "name": "KERBEROS_CLIENT"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git
a/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/metainfo.xml
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/metainfo.xml
index 25cfcc6c..d35254ff 100644
---
a/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/metainfo.xml
+++
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/metainfo.xml
@@ -20,7 +20,112 @@
<services>
<service>
<name>KERBEROS</name>
- <extends>common-services/KERBEROS/1.10.3-10</extends>
+ <displayName>Kerberos</displayName>
+ <comment>A computer network authentication protocol which works on
+ the basis of 'tickets' to allow nodes communicating over a
+ non-secure network to prove their identity to one another in a
+ secure manner.
+ </comment>
+ <version>1.10.3-30</version>
+
+ <components>
+ <component>
+ <name>KERBEROS_CLIENT</name>
+ <displayName>Kerberos Client</displayName>
+ <category>CLIENT</category>
+ <cardinality>ALL</cardinality>
+ <versionAdvertised>false</versionAdvertised>
+ <auto-deploy>
+ <enabled>true</enabled>
+ </auto-deploy>
+ <commandScript>
+ <script>scripts/kerberos_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1200</timeout>
+ </commandScript>
+ <customCommands>
+ <customCommand>
+ <name>SET_KEYTAB</name>
+ <commandScript>
+ <script>scripts/kerberos_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1000</timeout>
+ </commandScript>
+ </customCommand>
+ <customCommand>
+ <name>REMOVE_KEYTAB</name>
+ <commandScript>
+ <script>scripts/kerberos_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1000</timeout>
+ </commandScript>
+ </customCommand>
+ <customCommand>
+ <name>CHECK_KEYTABS</name>
+ <commandScript>
+ <script>scripts/kerberos_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1000</timeout>
+ </commandScript>
+ </customCommand>
+ </customCommands>
+ <configFiles>
+ <configFile>
+ <type>env</type>
+ <fileName>krb5.conf</fileName>
+ <dictionaryName>krb5-conf</dictionaryName>
+ </configFile>
+ </configFiles>
+ </component>
+ </components>
+
+ <osSpecifics>
+ <osSpecific>
+ <osFamily>redhat7,amazonlinux2,redhat6</osFamily>
+ <packages>
+ <package>
+ <name>krb5-workstation</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ </packages>
+ </osSpecific>
+
+ <osSpecific>
+ <osFamily>debian7,ubuntu12,ubuntu14,ubuntu16</osFamily>
+ <packages>
+ <package>
+ <name>krb5-user</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ <package>
+ <name>krb5-config</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ </packages>
+ </osSpecific>
+
+ <osSpecific>
+ <osFamily>suse11,suse12</osFamily>
+ <packages>
+ <package>
+ <name>krb5-client</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ </packages>
+ </osSpecific>
+ </osSpecifics>
+
+ <commandScript>
+ <script>scripts/service_check.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>300</timeout>
+ </commandScript>
+
+ <configuration-dependencies>
+ <config-type>krb5-conf</config-type>
+ <config-type>kerberos-env</config-type>
+ </configuration-dependencies>
+ <restartRequiredAfterChange>true</restartRequiredAfterChange>
</service>
</services>
</metainfo>
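Review bot: The `osFamily` lists `<osFamily>redhat7,amazonlinux2,redhat6</osFamily>`, `<osFamily>debian7,ubuntu12,ubuntu14,ubuntu16</osFamily>` and `<osFamily>suse11,suse12</osFamily>` consist mostly of end-of-life releases and should be checked against the families the other BGTP 1.0 services in this stack declare; on a host whose family matches none of them no Kerberos client package is installed, while `kerberos_client.py` still proceeds from `install` to `configure` and writes a krb5.conf for utilities that are not there. A short `<comment>` on the `<osSpecifics>` block naming the families the stack is actually tested on would make the omission visible to the next maintainer.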
diff --git
a/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/kerberos_client.py
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/kerberos_client.py
new file mode 100644
index 00000000..202d48ab
--- /dev/null
+++
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/kerberos_client.py
@@ -0,0 +1,91 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.core.exceptions import ClientComponentHasNoStatus
+from resource_management.libraries.script.script import Script
+from resource_management.libraries.functions import default
+from ambari_commons.kerberos.kerberos_common import write_krb5_conf,
clear_tmp_cache, write_keytab_file, \
+ delete_keytab_file, find_missing_keytabs
+
+
+class KerberosClient(Script):
+ def install(self, env):
+ install_packages =
default('/configurations/kerberos-env/install_packages', "true")
+ if install_packages:
+ self.install_packages(env)
+ else:
+ print "Kerberos client packages are not being installed, manual
installation is required."
+
+ self.configure(env)
+
+ def configure(self, env, upgrade_type=None, config_dir=None):
+ import params
+ env.set_params(params)
+ if params.manage_krb5_conf:
+ write_krb5_conf(params)
+ # delete krb cache to prevent using old krb tickets on fresh kerberos setup
+ clear_tmp_cache()
+
+ def status(self, env):
+ raise ClientComponentHasNoStatus()
+
+ def set_keytab(self, env):
+ import params
+
+ def output_hook(principal, keytab_file_path):
+ if principal is not None:
+ curr_content = Script.structuredOut
+
+ if "keytabs" not in curr_content:
+ curr_content['keytabs'] = {}
+
+ curr_content['keytabs'][principal.replace("_HOST", params.hostname)] =
keytab_file_path
+
+ self.put_structured_out(curr_content)
+
+ write_keytab_file(params, output_hook)
+
+ def remove_keytab(self, env):
+ import params
+
+ def output_hook(principal, keytab_file_path):
+ if principal is not None:
+ curr_content = Script.structuredOut
+
+ if "removedKeytabs" not in curr_content:
+ curr_content['removedKeytabs'] = {}
+ curr_content['removedKeytabs'][principal.replace("_HOST",
params.hostname)] = keytab_file_path
+
+ self.put_structured_out(curr_content)
+
+ delete_keytab_file(params, output_hook)
+
+ def check_keytabs(self, env):
+ import params
+
+ def output_hook(missing_keytabs):
+ curr_content = Script.structuredOut
+ curr_content['missing_keytabs'] = missing_keytabs
+ self.put_structured_out(curr_content)
+
+ find_missing_keytabs(params, output_hook)
+
+
+if __name__ == "__main__":
+ KerberosClient().execute()
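Review bot: `install_packages = default('/configurations/kerberos-env/install_packages', "true")` yields the raw config string, so `if install_packages:` is true for the string "false" as well and the client packages are installed regardless of the setting; compare the normalized value instead, `if str(install_packages).lower() == "true":`. The same pattern appears at `if params.manage_krb5_conf:` in `configure`, where params.py in this commit assigns the string default "true" — unless `get_property_value` converts booleans (not visible here), disabling krb5.conf management would still overwrite the file, so `if str(params.manage_krb5_conf).lower() == "true":` is the safer test. The `print` statement is Python 2 syntax, consistent with the rest of the mpack scripts, but the module will not import under a Python 3 agent.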
diff --git
a/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/params.py
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/params.py
new file mode 100644
index 00000000..a65adf07
--- /dev/null
+++
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/params.py
@@ -0,0 +1,206 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from ambari_commons.kerberos.utils import get_property_value,
get_unstructured_data
+from ambari_commons.os_check import OSCheck
+from resource_management.libraries.functions.default import default
+from resource_management.libraries.functions.expect import expect
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.script.script import Script
+
+krb5_conf_dir = '/etc'
+krb5_conf_file = 'krb5.conf'
+krb5_conf_path = krb5_conf_dir + '/' + krb5_conf_file
+
+if OSCheck.is_suse_family():
+ kdc_conf_dir = '/var/lib/kerberos/krb5kdc'
+elif OSCheck.is_ubuntu_family():
+ kdc_conf_dir = '/etc/krb5kdc'
+else:
+ kdc_conf_dir = '/var/kerberos/krb5kdc'
+kdc_conf_file = 'kdc.conf'
+kdc_conf_path = kdc_conf_dir + '/' + kdc_conf_file
+
+kadm5_acl_dir = kdc_conf_dir # Typically kadm5.acl and kdc.conf exist in the
same directory
+kadm5_acl_file = 'kadm5.acl'
+kadm5_acl_path = kadm5_acl_dir + '/' + kadm5_acl_file
+
+config = Script.get_config()
+tmp_dir = Script.get_tmp_dir()
+
+configurations = None
+keytab_details = None
+default_group = None
+kdc_server_host = None
+cluster_host_info = None
+
+hostname = config['agentLevelParams']['hostname']
+
+kdb5_util_path = 'kdb5_util'
+
+kdamin_pid_path = '/var/run/kadmind.pid'
+krb5kdc_pid_path = '/var/run/krb5kdc.pid'
+
+smoke_test_principal = None
+smoke_test_keytab_file = None
+
+smoke_user = 'ambari-qa'
+
+manage_identities = 'true'
+
+artifact_dir = format("{tmp_dir}/AMBARI-artifacts/")
+jce_policy_zip = default("/ambariLevelParams/jce_name", None) # None when jdk
is already installed by user
+jce_location = config['ambariLevelParams']['jdk_location']
+jdk_name = default("/ambariLevelParams/jdk_name", None)
+java_home = config['ambariLevelParams']['java_home']
+java_version = expect("/ambariLevelParams/java_version", int)
+
+security_enabled = config['configurations']['cluster-env']['security_enabled']
+
+if config is not None:
+ kerberos_command_params = get_property_value(config, 'kerberosCommandParams')
+
+ cluster_host_info = get_property_value(config, 'clusterHostInfo')
+ if cluster_host_info is not None:
+ kdc_server_hosts = get_property_value(cluster_host_info,
'kdc_server_hosts')
+
+ if (kdc_server_hosts is not None) and (len(kdc_server_hosts) > 0):
+ kdc_server_host = kdc_server_hosts[0]
+
+ configurations = get_property_value(config, 'configurations')
+ if configurations is not None:
+ cluster_env = get_property_value(configurations, 'cluster-env')
+
+ if cluster_env is not None:
+ smoke_test_principal = get_property_value(cluster_env,
'smokeuser_principal_name', None, True, None)
+ smoke_test_keytab_file = get_property_value(cluster_env,
'smokeuser_keytab', None, True, None)
+ smoke_user = get_property_value(cluster_env, 'smokeuser', smoke_user,
True, smoke_user)
+
+ default_group = get_property_value(cluster_env, 'user_group')
+
+ if default_group is None:
+ default_group = get_property_value(cluster_env, 'user-group')
+
+ #
##############################################################################################
+ # Get krb5.conf template data
+ #
##############################################################################################
+ realm = 'EXAMPLE.COM'
+ domains = ''
+ kdc_hosts = 'localhost'
+ master_kdc = None
+ admin_server_host = None
+ admin_principal = None
+ admin_password = None
+ admin_keytab = None
+ test_principal = None
+ test_password = None
+ test_keytab = None
+ test_keytab_file = None
+ encryption_types = None
+ manage_krb5_conf = "true"
+ force_tcp = "false"
+ krb5_conf_template = None
+
+ krb5_conf_data = get_property_value(configurations, 'krb5-conf')
+
+ kerberos_env = get_property_value(configurations, "kerberos-env")
+
+ if kerberos_env is not None:
+ manage_identities = get_property_value(kerberos_env,
"manage_identities", "true", True, "true")
+ encryption_types = get_property_value(kerberos_env, "encryption_types",
None, True, None)
+ realm = get_property_value(kerberos_env, "realm", None, True, None)
+ kdc_hosts = get_property_value(kerberos_env, 'kdc_hosts', kdc_hosts)
+ master_kdc = get_property_value(kerberos_env, 'master_kdc')
+ admin_server_host = get_property_value(kerberos_env,
'admin_server_host', admin_server_host)
+
+ if krb5_conf_data is not None:
+ realm = get_property_value(krb5_conf_data, 'realm', realm)
+ domains = get_property_value(krb5_conf_data, 'domains', domains)
+
+ admin_principal = get_property_value(krb5_conf_data, 'admin_principal',
admin_principal, True, None)
+ admin_password = get_property_value(krb5_conf_data, 'admin_password',
admin_password, True, None)
+ admin_keytab = get_property_value(krb5_conf_data, 'admin_keytab',
admin_keytab, True, None)
+
+ test_principal = get_property_value(krb5_conf_data, 'test_principal',
test_principal, True, None)
+ test_password = get_property_value(krb5_conf_data, 'test_password',
test_password, True, None)
+ test_keytab = get_property_value(krb5_conf_data, 'test_keytab',
test_keytab, True, None)
+ test_keytab_file = get_property_value(krb5_conf_data,
'test_keytab_file', test_keytab_file, True, None)
+
+ krb5_conf_template = get_property_value(krb5_conf_data, 'content',
krb5_conf_template)
+ krb5_conf_dir = get_property_value(krb5_conf_data, 'conf_dir',
krb5_conf_dir)
+ krb5_conf_file = get_property_value(krb5_conf_data, 'conf_file',
krb5_conf_file)
+ krb5_conf_path = krb5_conf_dir + '/' + krb5_conf_file
+
+ manage_krb5_conf = get_property_value(krb5_conf_data,
'manage_krb5_conf', "true")
+ force_tcp = get_property_value(krb5_conf_data, 'force_tcp', "false")
+
+ # For backward compatibility, ensure that kdc_host exists. This may be
needed if the krb5.conf
+ # template in krb5-conf/content had not be updated during the Ambari
upgrade to 2.4.0 - which
+ # will happen if the template was altered from its stack-default value.
+ kdc_host_parts = kdc_hosts.split(',')
+ if kdc_host_parts:
+ kdc_host = kdc_host_parts[0]
+ else:
+ kdc_host = kdc_hosts
+
+ #
##############################################################################################
+ # Get kdc.conf template data
+ #
##############################################################################################
+ kdcdefaults_kdc_ports = "88"
+ kdcdefaults_kdc_tcp_ports = "88"
+
+ kdc_conf_template = None
+
+ kdc_conf_data = get_property_value(configurations, 'kdc-conf')
+
+ if kdc_conf_data is not None:
+ kdcdefaults_kdc_ports = get_property_value(kdc_conf_data,
'kdcdefaults_kdc_ports', kdcdefaults_kdc_ports)
+ kdcdefaults_kdc_tcp_ports = get_property_value(kdc_conf_data,
'kdcdefaults_kdc_tcp_ports', kdcdefaults_kdc_tcp_ports)
+
+ kdc_conf_template = get_property_value(kdc_conf_data, 'content',
kdc_conf_template)
+ kdc_conf_dir = get_property_value(kdc_conf_data, 'conf_dir',
kdc_conf_dir)
+ kdc_conf_file = get_property_value(kdc_conf_data, 'conf_file',
kdc_conf_file)
+ kdc_conf_path = kdc_conf_dir + '/' + kdc_conf_file
+
+ #
##############################################################################################
+ # Get kadm5.acl template data
+ #
##############################################################################################
+ kdcdefaults_kdc_ports = '88'
+ kdcdefaults_kdc_tcp_ports = '88'
+
+ kadm5_acl_template = None
+
+ kadm5_acl_data = get_property_value(configurations, 'kadm5-acl')
+
+ if kadm5_acl_data is not None:
+ kadm5_acl_template = get_property_value(kadm5_acl_data, 'content',
kadm5_acl_template)
+ kadm5_acl_dir = get_property_value(kadm5_acl_data, 'conf_dir',
kadm5_acl_dir)
+ kadm5_acl_file = get_property_value(kadm5_acl_data, 'conf_file',
kadm5_acl_file)
+ kadm5_acl_path = kadm5_acl_dir + '/' + kadm5_acl_file
+
+ #
################################################################################################
+ # Get commandParams
+ #
################################################################################################
+ command_params = get_property_value(config, 'commandParams')
+ if command_params is not None:
+ keytab_details = get_unstructured_data(command_params, 'keytab')
+
+ if manage_identities:
+ smoke_test_principal = get_property_value(command_params,
'principal_name', smoke_test_principal)
+ smoke_test_keytab_file = get_property_value(command_params,
'keytab_file', smoke_test_keytab_file)
diff --git
a/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/service_check.py
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/service_check.py
new file mode 100644
index 00000000..d446ba01
--- /dev/null
+++
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/service_check.py
@@ -0,0 +1,86 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Ambari Agent
+
+"""
+
+import hashlib
+import os
+
+from resource_management.core.exceptions import Fail
+from resource_management.core.logger import Logger
+from resource_management.core.resources.system import Execute, File
+from resource_management.libraries import functions
+from resource_management.libraries.functions import default
+from resource_management.libraries.script.script import Script
+
+# The hash algorithm to use to generate digests/hashes
+HASH_ALGORITHM = hashlib.sha224
+
+class KerberosServiceCheck(Script):
+ def service_check(self, env):
+ import params
+
+ # If Ambari IS managing Kerberos identities
(kerberos-env/manage_identities = true), it is
+ # expected that a (smoke) test principal and its associated keytab file is
available for use
+ # ** If not available, this service check will fail
+ # ** If available, this service check will execute
+ #
+ # If Ambari IS NOT managing Kerberos identities
(kerberos-env/manage_identities = false), the
+ # smoke test principal and its associated keytab file may not be available
+ # ** If not available, this service check will execute
+ # ** If available, this service check will execute
+
+ if ((params.smoke_test_principal is not None) and
+ (params.smoke_test_keytab_file is not None) and
+ os.path.isfile(params.smoke_test_keytab_file)):
+ print "Performing kinit using %s" % params.smoke_test_principal
+
+ ccache_file_name =
HASH_ALGORITHM("{0}|{1}".format(params.smoke_test_principal,
params.smoke_test_keytab_file)).hexdigest()
+ ccache_file_path =
"{0}{1}kerberos_service_check_cc_{2}".format(params.tmp_dir, os.sep,
ccache_file_name)
+
+ kinit_path_local =
functions.get_kinit_path(default('/configurations/kerberos-env/executable_search_paths',
None))
+ kinit_command = "{0} -c {1} -kt {2} {3}".format(kinit_path_local,
ccache_file_path, params.smoke_test_keytab_file,
+
params.smoke_test_principal)
+
+ try:
+ # kinit
+ Execute(kinit_command,
+ user=params.smoke_user,
+ wait_for_finish=True,
+ tries=9,
+ try_sleep=15
+ )
+ finally:
+ File(ccache_file_path,
+ # Since kinit might fail to write to the cache file for various
reasons, an existence check should be done before cleanup
+ action="delete",
+ )
+ elif params.manage_identities:
+ err_msg = Logger.filter_text("Failed to execute kinit test due to
principal or keytab not found or available")
+ raise Fail(err_msg)
+ else:
+ # Ambari is not managing identities so if the smoke user does not exist,
indicate why....
+ print "Skipping this service check since Ambari is not managing Kerberos
identities and the smoke user " \
+ "credentials are not available. To execute this service check, the
smoke user principal name " \
+ "and keytab file location must be set in the cluster_env and the
smoke user's keytab file must" \
+ "exist in the configured location."
+
+
+if __name__ == "__main__":
+ KerberosServiceCheck().execute()
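Review bot: `elif params.manage_identities:` tests the value by truthiness, but the params.py added in this commit assigns `manage_identities` whatever `get_property_value(kerberos_env, "manage_identities", "true", True, "true")` returns; if that is the raw configuration string (the helper's implementation is not in this diff), a configured `"false"` is non-empty and therefore truthy, so a cluster that is not managing identities would reach `raise Fail(err_msg)` instead of the skip branch. The same truthiness test appears in params.py at `if manage_identities:` in the commandParams section. Comparing against the literal here, `elif params.manage_identities == "true":`, or converting once in params.py with `manage_identities = "true" == get_property_value(...)`, would make the intent explicit. The comment inside the `finally` block says an existence check should be done before cleanup, yet none is present; either `File(..., action="delete")` tolerates a missing file and the comment should say so, or an `os.path.isfile(ccache_file_path)` guard is missing.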
diff --git
a/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/status_params.py
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/status_params.py
new file mode 100644
index 00000000..cfec53d1
--- /dev/null
+++
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/package/scripts/status_params.py
@@ -0,0 +1,34 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.libraries.script.script import Script
+from resource_management.libraries import functions
+from resource_management.libraries.functions import default
+
+config = Script.get_config()
+tmp_dir = Script.get_tmp_dir()
+
+hostname = config['agentLevelParams']['hostname']
+kinit_path_local =
functions.get_kinit_path(default('/configurations/kerberos-env/executable_search_paths',
None))
+
+security_enabled = config['configurations']['cluster-env']['security_enabled']
+
+smoke_user_keytab = config['configurations']['cluster-env']['smokeuser_keytab']
+smoke_user = config['configurations']['cluster-env']['smokeuser']
+smoke_user_principal =
config['configurations']['cluster-env']['smokeuser_principal_name']
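Review bot: The `smoke_user_keytab`, `smoke_user` and `smoke_user_principal` lookups index `config['configurations']['cluster-env']` directly, so a cluster-env that lacks `smokeuser_keytab` or `smokeuser_principal_name` raises KeyError at import time, whereas the params.py added in the same commit reads the same three properties through `get_property_value` with `None` defaults. Since service_check.py treats a missing principal or keytab as a legitimate state when identities are not managed, this module should be equally tolerant, e.g. `smoke_user_keytab = default('/configurations/cluster-env/smokeuser_keytab', None)` using the `default` helper it already imports for `kinit_path_local`.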
diff --git
a/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/properties/krb5_conf.j2
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/properties/krb5_conf.j2
new file mode 100644
index 00000000..d201c33c
--- /dev/null
+++
b/bigtop-packages/src/common/bigtop-ambari-mpack/bgtp-ambari-mpack/src/main/resources/stacks/BGTP/1.0/services/KERBEROS/properties/krb5_conf.j2
@@ -0,0 +1,63 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+[libdefaults]
+ #renew_lifetime = 7d
+ forwardable = true
+ default_realm = {{realm}}
+ ticket_lifetime = 24h
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ default_ccache_name = /tmp/krb5cc_%{uid}
+ #default_tgs_enctypes = {{encryption_types}}
+ #default_tkt_enctypes = {{encryption_types}}
+ {%- if force_tcp %}
+ udp_preference_limit = 1
+ {%- endif -%}
+{% if domains %}
+[domain_realm]
+{%- for domain in domains.split(',') %}
+ {{domain|trim()}} = {{realm}}
+{%- endfor %}
+{% endif %}
+[logging]
+ default = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ kdc = FILE:/var/log/krb5kdc.log
+
+[realms]
+ {{realm}} = {
+{%- if master_kdc %}
+ master_kdc = {{master_kdc|trim()}}
+{%- endif -%}
+{%- if kdc_hosts > 0 -%}
+{%- set kdc_host_list = kdc_hosts.split(',') -%}
+{%- if kdc_host_list and kdc_host_list|length > 0 %}
+ admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
+{%- if kdc_host_list -%}
+{%- if master_kdc and (master_kdc not in kdc_host_list) %}
+ kdc = {{master_kdc|trim()}}
+{%- endif -%}
+{% for kdc_host in kdc_host_list %}
+ kdc = {{kdc_host|trim()}}
+{%- endfor -%}
+{% endif %}
+{%- endif %}
+{%- endif %}
+ }
+
+{# Append additional realm declarations below #}
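Review bot: `{%- if kdc_hosts > 0 -%}` compares the `kdc_hosts` string against an integer; under Python 2 that comparison is always true for a non-empty string and under Python 3 Jinja raises TypeError while rendering, so the `[realms]` block would not be generated at all. The intended emptiness test is `{%- if kdc_hosts -%}` (the `kdc_host_list|length > 0` check two lines below already covers the split result). Similarly, `{%- if force_tcp %}` in `[libdefaults]` is a truthiness test, but params.py in this commit defaults `force_tcp` to the string `"false"`; unless the value is converted before the template is rendered (not visible in this diff), a non-empty `"false"` is truthy and `udp_preference_limit = 1` is emitted unconditionally, so `{%- if force_tcp == "true" %}` (or a boolean conversion in params.py) would be safer.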