[
https://issues.apache.org/jira/browse/AMBARI-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Levas updated AMBARI-8343:
---------------------------------
Summary: Components should indicate Security State (via ambari-agent)
(was: Components should indicate Kerberos State (via ambari-agent))
> Components should indicate Security State (via ambari-agent)
> ------------------------------------------------------------
>
> Key: AMBARI-8343
> URL: https://issues.apache.org/jira/browse/AMBARI-8343
> Project: Ambari
> Issue Type: New Feature
> Components: ambari-agent
> Affects Versions: 2.0.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Critical
> Labels: kerberos, states
> Fix For: 2.0.0
>
>
> In order to properly handle the automated installation or removal of Kerberos
> from the cluster, Ambari needs to know whether each component on the hosts of
> the cluster is properly Kerberized or not. This information may be compared
> with data on the Ambari server to help determine what steps should be taken
> to ensure the cluster is in the correct Kerberized state.
> To do this, the current and desired component Kerberization state is
> maintained in the Ambari database. The Ambari server will update the desired
> state details according to whether the cluster is to be Kerberized or not and
> whether the relevant service has enough metadata to be Kerberized. If the
> desired and actual Kerberization state details do not match, the Ambari
> server will take the necessary steps to work towards synchronization.
> In order for a component to indicate its Kerberization status, a new property
> needs to be returned in the {{STATUS_COMMAND}} response message (from the
> Ambari agent). This property should be named ‘kerberosState’ and should have
> one of the following values:
> {{ON}} - indicates Kerberos is configured and working properly
> {{OFF}} - indicates Kerberos is not configured and working properly
> {{ERROR}} - indicates that Kerberos is configured but is not working properly
> {{UNKNOWN}} - indicates that the state cannot be determined
> To properly set this state value, a call needs to be executed per component
> querying for its specific state. Due to the differences on how each
> component is configured for Kerberos and how it may be determined if Kerberos
> is set up and working properly, it is necessary for each component to have its
> own logic for determining this state. Therefore the ambari-agent process will
> need to call into the component’s configured (lifecycle) script and wait for
> its response - not unlike how it determines whether the component is up and
> running.
> After the infrastructure is in place, each service definition needs to be
> updated to implement the new Kerberos status check function. The function
> should perform the following steps:
> * Determine if Kerberos is enabled or disabled
> ** If disabled, return “OFF”
> ** If enabled, perform tests (kinit?, ping KDC?) to determine if the
> configuration appears to be working
> *** If working, return “ON”
> *** If not working, return “ERROR”
> If no function is available, the Ambari agent should return “UNKNOWN”.
> On the Ambari server, the {{org.apache.ambari.server.agent.HeartBeatHandler}}
> class needs to be updated to set the Kerberos state of the relevant
> component, as indicated from the {{STATUS_COMMAND}} response. This should be
> done in the {{org.apache.ambari.server.agent.HeartBeatHandler#processStatusReports}}
> method, by calling the relevant ServiceComponentHost’s setKerberosState
> method.
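The status check and the agent-side fallback described in the issue, sketched as an added example; this is not code from the issue or from Ambari. The class and function names, the config keys, the `componentName` field, and the handling of a check that raises are assumptions; only the `kerberosState` property and its four values come from the issue.

```python
import os
import subprocess
import tempfile

STATES = {"ON", "OFF", "ERROR", "UNKNOWN"}  # values listed in the issue


def kinit_probe(keytab, principal, timeout=10):
    """True if a ticket can be obtained from the keytab (MIT kinit)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Throwaway credential cache, so the service's own cache is untouched.
        cmd = ["kinit", "-c", os.path.join(tmp, "cc"), "-k", "-t", keytab, principal]
        try:
            done = subprocess.run(cmd, capture_output=True, timeout=timeout)
        except (OSError, subprocess.TimeoutExpired):
            return False
        return done.returncode == 0


class ExampleComponent:
    """Hypothetical component lifecycle script with the new status check."""

    def __init__(self, config, probe=kinit_probe):
        self.config, self.probe = config, probe

    def kerberos_status(self):
        if not self.config.get("security_enabled"):  # assumed config key
            return "OFF"
        keytab, principal = self.config.get("keytab"), self.config.get("principal")
        if not keytab or not principal:
            return "ERROR"  # enabled, but nothing to authenticate with
        return "ON" if self.probe(keytab, principal) else "ERROR"


def kerberos_state(script):
    """Agent side: call the script's check if it has one."""
    check = getattr(script, "kerberos_status", None)
    if not callable(check):
        return "UNKNOWN"  # no function available
    try:
        state = check()
    except Exception:
        return "UNKNOWN"  # assumption: a crashing check leaves the state undetermined
    return state if state in STATES else "UNKNOWN"


def status_response(component_name, script):
    """Constructed response fragment; only kerberosState is from the issue."""
    return {"componentName": component_name, "kerberosState": kerberos_state(script)}
```

The probe is injected so the check can be exercised without a KDC; the default runs `kinit` against a temporary credential cache.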