Robert Levas created AMBARI-8343:
------------------------------------
Summary: Components should indicate Kerberos State (via
ambari-agent)
Key: AMBARI-8343
URL: https://issues.apache.org/jira/browse/AMBARI-8343
Project: Ambari
Issue Type: New Feature
Components: ambari-agent
Affects Versions: 2.0.0
Reporter: Robert Levas
Assignee: Robert Levas
Priority: Critical
Fix For: 2.0.0
In order to properly handle the automated installation or removal of Kerberos
from the cluster, Ambari needs to know whether each component on the hosts of
the cluster is properly Kerberized or not. This information may be compared
with data on the Ambari server to help determine what steps should be taken to
ensure the cluster is in the correct Kerbrerized state.
To do this, the current and desired component Kerbrerization state is
maintained in the Ambari database. The Ambari server will update the desired
state details according to whether the cluster is to be Kerberized or not and
whether the relevant service has enough metadata to be Kerberized. If the
desired and actual Kerberization state details do not match, the Ambari server
will take the necessary steps to work towards synchronization.
In order for a component to indicate its Kerberization status, a new property
needs to be returned in the {{STATUS_COMMAND}} response message (from the
Ambari agent). This property should be named ‘kerberosState’ and should have
one of the following values:
{{ON}} - indicates Kerberos is configured and working properly
{{OFF}} - indicates Kerberos is not configured and working properly
{{ERROR}} - indicates that Kerberos is configured but is not working properly
{{UNKNOWN}} - indicates that the state cannot be determined
To properly set this state value, a call needs to be executed per component
querying for its specific state. Due to the differences on how each component
is configured for Kerberos and how it may be determined if Kerberos is setup
and working properly, it is necessary for each component to have its own logic
for determining this state. Therefore the ambari-agent process will need to
call into the component’s configured (lifecycle) script and wait for its
response - not unlike how it determines whether the component is up and running.
After the infrastructure is in place, each service definition needs to be
updated to implement the new Kerberos status check function. The function
should perform the following steps:
* Determine if Kerberos is enabled for disabled
** If disabled, return “OFF”
** If enabled, perform tests (kinit?, ping KDC?) to determine if the
configuration appears to be working
*** If working, return “ON”
*** If not working, return “ERROR”
If no function is available, the Ambari agent should return “UNKNOWN”.
On the Ambari server, the {{org.apache.ambari.server.agent.HeartBeatHandler}}
class needs to be updated to set the Kerberos state of the relevant component,
as indicated from the {{STATUS_COMMAND}} response. This should be done
{{org.apache.ambari.server.agent.HeartBeatHandler#processStatusReports}}
method, by calling the relavant ServiceComponentHost’s setKerberosState method.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
