Repository: ambari Updated Branches: refs/heads/trunk e90be740a -> 1de321597
AMBARI-9468. Support secure HDFS with AMS in distributed mode service (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/1de32159 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/1de32159 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/1de32159 Branch: refs/heads/trunk Commit: 1de3215971fcf0c580af377c64c8f81eddf74070 Parents: e90be74 Author: Robert Levas <rle...@hortonworks.com> Authored: Sun Feb 8 06:35:31 2015 -0500 Committer: Robert Levas <rle...@hortonworks.com> Committed: Sun Feb 8 06:35:31 2015 -0500 ---------------------------------------------------------------------- .../AMS/0.1.0/configuration/ams-env.xml | 6 + .../AMS/0.1.0/configuration/ams-hbase-env.xml | 13 +- .../configuration/ams-hbase-security-site.xml | 77 ++++++++++++ .../AMS/0.1.0/configuration/ams-hbase-site.xml | 4 +- .../common-services/AMS/0.1.0/kerberos.json | 122 +++++++++++++++++++ .../common-services/AMS/0.1.0/metainfo.xml | 1 + .../AMS/0.1.0/package/scripts/ams.py | 20 ++- .../AMS/0.1.0/package/scripts/hbase.py | 18 ++- .../0.1.0/package/scripts/metric_collector.py | 64 ++++++++++ .../AMS/0.1.0/package/scripts/params.py | 34 ++++-- .../AMS/0.1.0/package/scripts/params_linux.py | 4 +- .../AMS/0.1.0/package/scripts/status_params.py | 13 +- .../templates/ams_collector_jaas.conf.j2 | 26 ++++ .../templates/ams_zookeeper_jaas.conf.j2 | 26 ++++ 14 files changed, 401 insertions(+), 27 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-env.xml b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-env.xml index 8e09cc5..4bb82e7 100644 
--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-env.xml +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-env.xml @@ -68,6 +68,12 @@ export AMS_MONITOR_PID_DIR={{ams_monitor_pid_dir}} # AMS HBase pid directory export AMS_HBASE_PID_DIR={{hbase_pid_dir}} + +export AMS_COLLECTOR_OPTS= +{% if security_enabled %} +export AMS_COLLECTOR_OPTS="-Djava.security.auth.login.config={{ams_collector_jaas_config_file}}" +{% endif %} + </value> </property> http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-env.xml b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-env.xml index cc84f62..4b23d2f 100644 --- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-env.xml +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-env.xml 
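Review bot: The added `export AMS_COLLECTOR_OPTS=` clears the variable unconditionally and the secured branch then assigns rather than appends, so any collector JVM options already present in the environment are discarded. The HBase settings in ams-hbase-env.xml append to the existing value instead, and the same form would fit here: `export AMS_COLLECTOR_OPTS="$AMS_COLLECTOR_OPTS -Djava.security.auth.login.config={{ams_collector_jaas_config_file}}"` inside the `{% if security_enabled %}` block, with the blank export dropped. A one-line comment above it, such as `# JAAS login configuration for the collector when Kerberos is enabled`, would match the commented style of the surrounding exports.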
@@ -120,18 +120,17 @@ export HBASE_MANAGES_ZK=false export HBASE_OPTS="$HBASE_OPTS -Djava.security.auth.login.config={{client_jaas_config_file}}" export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Djava.security.auth.login.config={{master_jaas_config_file}}" export HBASE_REGIONSERVER_OPTS="$HBASE_REGIONSERVER_OPTS -Djava.security.auth.login.config={{regionserver_jaas_config_file}}" +export HBASE_ZOOKEEPER_OPTS="$HBASE_ZOOKEEPER_OPTS -Djava.security.auth.login.config={{ams_zookeeper_jaas_config_file}}" {% endif %} -#Specify native libraries of installed Hadoop paltform -#_HADOOP_IN_PATH=$(PATH="${HADOOP_HOME:-${HADOOP_PREFIX}}/bin:$PATH" which hadoop 2>/dev/null) -#_HADOOP_CLASSPATH="/usr/lib/ams-hbase/lib/*" -#_HADOOP_JAVA_LIBRARY_PATH=$(HADOOP_CLASSPATH="$_HADOOP_CLASSPATH" ${_HADOOP_IN_PATH} org.apache.hadoop.hbase.util.GetJavaProperty java.library.path) -#use embedded native libs +# use embedded native libs _HADOOP_NATIVE_LIB="/usr/lib/ams-hbase/lib/hadoop-native/" export HBASE_OPTS="$HBASE_OPTS -Djava.library.path=${_HADOOP_NATIVE_LIB}" -#"Unsetting" HADOOP_HOME to avoid importing HADOOP installed cluster related configs like: /usr/hdp/2.2.0.0-2041/hadoop/conf/ -export HADOOP_HOME=`pwd` +{% if disable_hadoop_environment %} +# Unset HADOOP_HOME to avoid importing HADOOP installed cluster related configs like: /usr/hdp/2.2.0.0-2041/hadoop/conf/ +export HADOOP_HOME=`pwd` 138 export HADOOP_HOME=`pwd` +{% endif %} </value> </property> http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-security-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-security-site.xml b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-security-site.xml new file mode 100644 index 0000000..281a8d1 --- /dev/null 
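Review bot: Inside the new `{% if disable_hadoop_environment %}` block, `HADOOP_HOME` is still set to the output of `pwd` rather than unset as the comment says, so which Hadoop configuration directory is consulted depends on the directory the daemon happens to be started from. Pointing it at a fixed directory owned by the service account would make the result independent of the launch location and of whatever that directory contains. The added line as shown also carries the trailing text `138 export HADOOP_HOME=...` after the assignment; if that is really in the file and not an artifact of this listing, `export` would receive `138` as an extra argument and the stray text should be removed.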
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-security-site.xml 
@@ -0,0 +1,77 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration> + <property> + <name>ams.zookeeper.keytab</name> + </property> + <property> + <name>ams.zookeeper.principal</name> + </property> + <property> + <name>hadoop.security.authentication</name> + </property> + <property> + <name>hbase.coprocessor.master.classes</name> + </property> + <property> + <name>hbase.coprocessor.region.classes</name> + </property> + <property> + <name>hbase.master.kerberos.principal</name> + </property> + <property> + <name>hbase.master.keytab.file</name> + </property> + <property> + <name>hbase.myclient.keytab</name> + </property> + <property> + <name>hbase.myclient.principal</name> + </property> + <property> + <name>hbase.regionserver.kerberos.principal</name> + </property> + <property> + <name>hbase.regionserver.keytab.file</name> + </property> + <property> + <name>hbase.security.authentication</name> + </property> + <property> + <name>hbase.security.authorization</name> + </property> + <property> + <name>hbase.zookeeper.property.authProvider.1</name> + </property> + <property> + 
<name>hbase.zookeeper.property.jaasLoginRenew</name> + </property> + <property> + <name>hbase.zookeeper.property.kerberos.removeHostFromPrincipal</name> + </property> + <property> + <name>hbase.zookeeper.property.kerberos.removeRealmFromPrincipal</name> + </property> + <property> + <name>zookeeper.znode.parent</name> + </property> +</configuration> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-site.xml b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-site.xml index 8de4f30..b8c96ca 100644 --- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-site.xml +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-site.xml @@ -48,7 +48,7 @@ </property> <property> <name>hbase.cluster.distributed</name> - <value>false</value> + <value>{{hbase_cluster_distributed}}</value> <description> The mode the cluster will be in. Possible values are false for standalone mode and true for distributed mode. If false, startup will run @@ -64,7 +64,7 @@ </property> <property> <name>hbase.zookeeper.quorum</name> - <value>localhost</value> + <value>{{zookeeper_quorum_hosts}}</value> <description>Comma separated list of servers in the ZooKeeper Quorum. For example, "host1.mydomain.com,host2.mydomain.com,host3.mydomain.com". By default this is set to localhost for local and pseudo-distributed modes http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/kerberos.json ---------------------------------------------------------------------- 
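Review bot: Every property in the new ams-hbase-security-site.xml is declared with a `<name>` only, with no `<value>` and no `<description>`, so the file does not say where the values come from or which ones an operator is expected to change. The values appear to be filled in from the `ams-hbase-security-site` entries in kerberos.json; a header comment such as `<!-- Values are supplied by the AMS Kerberos descriptor when security is enabled -->` and a `<description>` on the keytab and principal properties would record that. In the ams-hbase-site.xml hunks that follow, the `hbase.zookeeper.quorum` description still says the default is localhost although the value is now `{{zookeeper_quorum_hosts}}`.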
diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/kerberos.json b/ambari-server/src/main/resources/common-services/AMS/0.1.0/kerberos.json new file mode 100644 index 0000000..7b92469 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/kerberos.json 
@@ -0,0 +1,122 @@ +{ + "services": [ + { + "name": "AMS", + "identities": [ + { + "name": "/spnego" + }, + { + "name": "/hdfs" + } + ], + "components": [ + { + "name": "METRIC_COLLECTOR", + "identities": [ + { + "name": "ams_hbase_master_hbase", + "principal": { + "value": "amshbase/_HOST@${realm}", + "type": "service", + "configuration": "ams-hbase-security-site/hbase.master.kerberos.principal", + "local_username": "${ams-hbase-env/hbase_user}" + }, + "keytab": { + "file": "${keytab_dir}/ams-hbase.master.keytab", + "owner": { + "name": "${ams-hbase-env/hbase_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "ams-hbase-security-site/hbase.master.keytab.file" + } + }, + { + "name": "ams_hbase_regionserver_hbase", + "principal": { + "value": "amshbase/_HOST@${realm}", + "type": "service", + "configuration": "ams-hbase-security-site/hbase.regionserver.kerberos.principal", + "local_username": "${ams-hbase-env/hbase_user}" + }, + "keytab": { + "file": "${keytab_dir}/ams-hbase.regionserver.keytab", + "owner": { + "name": "${ams-hbase-env/hbase_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "ams-hbase-security-site/hbase.regionserver.keytab.file" + } + }, + { + "name": "ams_collector", + "principal": { + "value": "amshbase/_HOST@${realm}", + "type": "service", + "configuration": "ams-hbase-security-site/hbase.myclient.principal", + "local_username": "${ams-hbase-env/hbase_user}" + }, + "keytab": { + "file": "${keytab_dir}/ams.collector.keytab", + "owner": { + "name": "${ams-hbase-env/hbase_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "ams-hbase-security-site/hbase.myclient.keytab" + } + }, + { + "name": "ams_zookeeper", + "principal": { + "value": "zookeeper/_HOST@${realm}", + "type": "service", + "configuration": 
"ams-hbase-security-site/ams.zookeeper.principal", + "local_username": "${ams-hbase-env/hbase_user}" + }, + "keytab": { + "file": "${keytab_dir}/zk.service.ams.keytab", + "owner": { + "name": "${ams-hbase-env/hbase_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "ams-hbase-security-site/ams.zookeeper.keytab" + } + } + ], + "configurations": [ + { + "ams-hbase-security-site": { + "hbase.security.authentication": "kerberos", + "hbase.security.authorization": "true", + "hadoop.security.authentication": "kerberos", + "hbase.coprocessor.master.classes": "org.apache.hadoop.hbase.security.access.AccessController", + "hbase.coprocessor.region.classes": "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController", + "zookeeper.znode.parent": "/ams-hbase-secure", + "hbase.zookeeper.property.kerberos.removeHostFromPrincipal": "true", + "hbase.zookeeper.property.kerberos.removeRealmFromPrincipal": "true", + "hbase.zookeeper.property.authProvider.1": "org.apache.zookeeper.server.auth.SASLAuthenticationProvider", + "hbase.zookeeper.property.jaasLoginRenew": "3600000" + } + } + ] + } + ] + } + ] +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/metainfo.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/metainfo.xml b/ambari-server/src/main/resources/common-services/AMS/0.1.0/metainfo.xml index 77f57cd..27b3376 100644 --- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/metainfo.xml +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/metainfo.xml 
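Review bot: The `ams_zookeeper` identity uses the principal `zookeeper/_HOST@${realm}` and stores its key in `${keytab_dir}/zk.service.ams.keytab`, readable by `${ams-hbase-env/hbase_user}`. If the cluster's own ZooKeeper service uses the same principal name on that host, the AMS account ends up holding another component's service key; a dedicated primary (for example `amszk/_HOST@${realm}`, a name constructed here for illustration) would keep the two identities apart. The master, regionserver and collector identities also share `amshbase/_HOST@${realm}` across three keytab files, which should be checked against how the KDC handles repeated key export for one principal. With `removeHostFromPrincipal` and `removeRealmFromPrincipal` both `true`, ZooKeeper ACL identities depend on the primary alone, which is worth stating in the service documentation where cross-realm trust is in use.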
@@ -125,6 +125,7 @@ <config-type>ams-log4j</config-type> <config-type>ams-hbase-policy</config-type> <config-type>ams-hbase-site</config-type> + <config-type>ams-hbase-security-site</config-type> <config-type>ams-hbase-env</config-type> <config-type>ams-hbase-log4j</config-type> </configuration-dependencies> http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/ams.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/ams.py b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/ams.py index 20c4223..7d46753 100644 --- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/ams.py +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/ams.py @@ -18,6 +18,7 @@ limitations under the License. """ +import os from resource_management import * from ambari_commons import OSConst from service_mapping import * @@ -49,9 +50,14 @@ def ams(name=None): owner=params.ams_user, ) + merged_ams_hbase_site = {} + merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-site']) + if params.security_enabled: + merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-security-site']) + XmlConfig( "hbase-site.xml", conf_dir = params.ams_collector_conf_dir, - configurations = params.config['configurations']['ams-hbase-site'], + configurations = merged_ams_hbase_site, configuration_attributes=params.config['configuration_attributes']['ams-hbase-site'], owner = params.ams_user, ) 
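Review bot: The four lines that build `merged_ams_hbase_site` in `ams()` are repeated verbatim in the second ams.py hunk (`@@ -130,14 +136,24 @@`) and in hbase.py (`@@ -114,9 +114,14 @@`), so a later change to the merge order or to the security condition has to be made in three places. Building the dictionary once in params.py and passing `configurations = params.merged_ams_hbase_site` (name constructed for illustration) would keep the copies from drifting. `configuration_attributes` is still taken from `ams-hbase-site` only, so attributes defined for `ams-hbase-security-site` are not applied; a comment such as `# security-site attributes are intentionally not merged` would say so if that is intended. `ams()` starts and ends outside the hunk.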
@@ -130,14 +136,24 @@ def ams(name=None): group=params.user_group ) + merged_ams_hbase_site = {} + merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-site']) + if params.security_enabled: + merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-security-site']) + XmlConfig( "hbase-site.xml", conf_dir = params.ams_collector_conf_dir, - configurations = params.config['configurations']['ams-hbase-site'], + configurations = merged_ams_hbase_site, configuration_attributes=params.config['configuration_attributes']['ams-hbase-site'], owner = params.ams_user, group = params.user_group ) + if params.security_enabled: + TemplateConfig(os.path.join(params.hbase_conf_dir, "ams_collector_jaas.conf"), + owner = params.ams_user, + template_tag = None) + if (params.log4j_props != None): File(format("{params.ams_collector_conf_dir}/log4j.properties"), mode=0644, http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/hbase.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/hbase.py b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/hbase.py index 0ccddde..b3bca89 100644 --- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/hbase.py +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/hbase.py 
@@ -114,9 +114,14 @@ def hbase(name=None # 'master' or 'regionserver' or 'client' recursive = True ) + merged_ams_hbase_site = {} + merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-site']) + if params.security_enabled: + merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-security-site']) + XmlConfig("hbase-site.xml", conf_dir = params.hbase_conf_dir, - configurations = params.config['configurations']['ams-hbase-site'], + configurations = merged_ams_hbase_site, configuration_attributes=params.config['configuration_attributes']['ams-hbase-site'], owner = params.hbase_user, group = params.user_group @@ -157,7 +162,9 @@ def hbase(name=None # 'master' or 'regionserver' or 'client' if params.security_enabled: hbase_TemplateConfig( format("hbase_{name}_jaas.conf"), user=params.hbase_user) - + hbase_TemplateConfig( format("hbase_client_jaas.conf"), user=params.hbase_user) + hbase_TemplateConfig( format("ams_zookeeper_jaas.conf"), user=params.hbase_user) + if name in ["master","regionserver"]: if params.is_hbase_distributed: @@ -167,6 +174,13 @@ def hbase(name=None # 'master' or 'regionserver' or 'client' owner=params.hbase_user, mode=0775 ) + + params.HdfsDirectory(params.hbase_staging_dir, + action="create_delayed", + owner=params.hbase_user, + mode=0711 + ) + params.HdfsDirectory(None, action="create") else: http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/metric_collector.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/metric_collector.py b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/metric_collector.py index addfc33..2a2e181 100644 --- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/metric_collector.py 
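Review bot: In the `if params.security_enabled:` block of the `@@ -157,7 +162,9 @@` hunk, `ams_zookeeper_jaas.conf` is rendered for every value of `name`, including `client`, so a role that only needs client credentials also receives the ZooKeeper server login configuration. If that is not intended, the line can be guarded with `if name in ["master","regionserver"]:`. When `name` is `client` the existing `hbase_{name}_jaas.conf` call already writes `hbase_client_jaas.conf`, so the added call repeats it. The `format(...)` wrappers around the two constant file names do nothing and can be dropped, e.g. `hbase_TemplateConfig("hbase_client_jaas.conf", user=params.hbase_user)`.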
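Review bot: `params.hbase_staging_dir` is used by the `HdfsDirectory` call added in the `@@ -167,6 +174,13 @@` hunk, but none of the params.py hunks in this commit define it, so it should be confirmed that the name already exists; otherwise master and regionserver start-up would fail in distributed mode. A short comment on the mode, such as `# staging dir: only the owner may list it, others may traverse`, would explain why `0711` differs from the `0775` used for the directory just above. The enclosing `hbase()` function starts and ends outside the hunk.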
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/metric_collector.py @@ -19,6 +19,9 @@ limitations under the License. """ from resource_management import * +from resource_management.libraries.functions.security_commons import build_expectations, \ + cached_kinit_executor, get_params_from_filesystem, validate_security_config_properties, \ + FILE_TYPE_XML from ams import ams from ams_service import ams_service from hbase import hbase 
@@ -56,5 +59,66 @@ class AmsCollector(Script): check_service_status(name='collector') + def security_status(self, env): + import status_params + + env.set_params(status_params) + props_value_check = {"hbase.security.authentication": "kerberos", + "hbase.security.authorization": "true"} + + props_empty_check = ["hbase.zookeeper.property.authProvider.1", + "hbase.master.keytab.file", + "hbase.master.kerberos.principal", + "hbase.regionserver.keytab.file", + "hbase.regionserver.kerberos.principal" + ] + props_read_check = ['hbase.master.keytab.file', 'hbase.regionserver.keytab.file'] + ams_hbase_site_expectations = build_expectations('hbase-site', props_value_check, + props_empty_check, + props_read_check) + + expectations = {} + expectations.update(ams_hbase_site_expectations) + + security_params = get_params_from_filesystem(status_params.ams_hbase_conf_dir, + {'hbase-site.xml': FILE_TYPE_XML}) + + is_hbase_distributed = security_params['hbase-site']['hbase.rootdir'].startswith('hdfs://') + # for embedded mode, when HBase is backed by file, security state is SECURED_KERBEROS by definition when cluster is secured + if status_params.security_enabled and not is_hbase_distributed: + self.put_structured_out({"securityState": "SECURED_KERBEROS"}) + return + + result_issues = validate_security_config_properties(security_params, expectations) + + if not result_issues: # If all validations passed successfully + try: + # Double check the dict before calling execute + if ('hbase-site' not in security_params or + 'hbase.master.keytab.file' not in security_params['hbase-site'] or + 'hbase.master.kerberos.principal' not in security_params['hbase-site']): + self.put_structured_out({"securityState": "UNSECURED"}) + self.put_structured_out( + {"securityIssuesFound": "Keytab file or principal are not set property."}) + return + + cached_kinit_executor(status_params.kinit_path_local, + status_params.hbase_user, + security_params['hbase-site']['hbase.master.keytab.file'], + 
security_params['hbase-site']['hbase.master.kerberos.principal'], + status_params.hostname, + status_params.tmp_dir) + self.put_structured_out({"securityState": "SECURED_KERBEROS"}) + except Exception as e: + self.put_structured_out({"securityState": "ERROR"}) + self.put_structured_out({"securityStateErrorInfo": str(e)}) + else: + issues = [] + for cf in result_issues: + issues.append("Configuration file %s did not pass the validation. Reason: %s" % ( + cf, result_issues[cf])) + self.put_structured_out({"securityIssuesFound": ". ".join(issues)}) + self.put_structured_out({"securityState": "UNSECURED"}) + if __name__ == "__main__": AmsCollector().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params.py index c596ddf..eb064f5 100644 --- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params.py 
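Review bot: In `security_status`, `security_params['hbase-site']['hbase.rootdir']` is read before the "Double check the dict" guard and outside the `try`, so a missing or incomplete hbase-site.xml raises `KeyError` instead of producing a reported state. Reading it defensively, `is_hbase_distributed = security_params.get('hbase-site', {}).get('hbase.rootdir', '').startswith('hdfs://')`, would let the later validation report the problem. The embedded-mode shortcut returns `SECURED_KERBEROS` without validating any property or keytab, so the reported state claims more than was checked; the method docstring or the structured output should say that nothing was verified in that case. The message `Keytab file or principal are not set property.` should end in `properly`.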
@@ -65,7 +65,9 @@ hbase_root_dir = config['configurations']['ams-hbase-site']['hbase.rootdir'] is_hbase_distributed = hbase_root_dir.startswith('hdfs://') # security is disabled for embedded mode, when HBase is backed by file -security_enabled = False if not is_hbase_distributed else config['configurations']['cluster-env']['security_enabled'] +security_enabled = False if not is_hbase_distributed else config['configurations']['cluster-env']['security_enabled'] +# if cluster is secured and embedded we have to disable haddop env +disable_hadoop_environment = config['configurations']['cluster-env']['security_enabled'] and not is_hbase_distributed # this is "hadoop-metrics.properties" for 1.x stacks metric_prop_file_name = "hadoop-metrics2-hbase.properties" @@ -83,6 +85,9 @@ regionserver_xmn_size = calc_xmn_from_xms(regionserver_heapsize, regionserver_xm # For embedded mode hbase_heapsize = master_heapsize +zookeeper_quorum_hosts = ','.join(ams_collector_hosts) if is_hbase_distributed else 'localhost' +hbase_cluster_distributed = 'true' if is_hbase_distributed else 'false' + ams_checkpoint_dir = config['configurations']['ams-site']['timeline.metrics.aggregator.checkpoint.dir'] hbase_pid_dir = status_params.hbase_pid_dir hbase_tmp_dir = config['configurations']['ams-hbase-site']['hbase.tmp.dir'] 
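Review bot: Both the forced `security_enabled = False` and the new `disable_hadoop_environment` are decided by `hbase_root_dir.startswith('hdfs://')`, so a root directory given with another distributed-filesystem scheme, or with no scheme at all, is classified as embedded and the service comes up without Kerberos on a secured cluster. A comment stating that only `hdfs://` URIs count as distributed, or a broader check, would make that decision explicit. The added comment has a typo (`haddop`); `# if the cluster is secured and HBase is embedded, the Hadoop environment has to be disabled` reads better. In the second hunk, `zookeeper_quorum_hosts` relies on `ams_collector_hosts`, which is defined outside the visible lines.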
@@ -102,21 +107,30 @@ service_check_data = functions.get_unique_id_and_date() user_group = config['configurations']['cluster-env']["user_group"] hadoop_user = "hadoop" +kinit_cmd = "" + if security_enabled: _hostname_lowercase = config['hostname'].lower() - master_jaas_princ = default('/configurations/ams-hbase-site/hbase.master.kerberos.principal', 'hbase/_h...@example.com').replace('_HOST',_hostname_lowercase) - regionserver_jaas_princ = default('/configurations/ams-hbase-site/hbase.regionserver.kerberos.principal', 'hbase/_h...@example.com').replace('_HOST',_hostname_lowercase) - master_keytab_path = config['configurations']['ams-hbase-site']['hbase.master.keytab.file'] - regionserver_keytab_path = config['configurations']['ams-hbase-site']['hbase.regionserver.keytab.file'] + client_jaas_config_file = format("{hbase_conf_dir}/hbase_client_jaas.conf") smoke_user_keytab = config['configurations']['cluster-env']['smokeuser_keytab'] hbase_user_keytab = config['configurations']['ams-hbase-env']['hbase_user_keytab'] - kinit_path_local = functions.get_kinit_path(["/usr/bin", "/usr/kerberos/bin", "/usr/sbin"]) -if security_enabled: - kinit_cmd = format("{kinit_path_local} -kt {hbase_user_keytab} {hbase_user};") -else: - kinit_cmd = "" + ams_collector_jaas_config_file = format("{hbase_conf_dir}/ams_collector_jaas.conf") + ams_collector_keytab_path = config['configurations']['ams-hbase-security-site']['hbase.myclient.keytab'] + ams_collector_jaas_princ = config['configurations']['ams-hbase-security-site']['hbase.myclient.principal'].replace('_HOST',_hostname_lowercase) + + ams_zookeeper_jaas_config_file = format("{hbase_conf_dir}/ams_zookeeper_jaas.conf") + ams_zookeeper_keytab = config['configurations']['ams-hbase-security-site']['ams.zookeeper.keytab'] + ams_zookeeper_principal_name = config['configurations']['ams-hbase-security-site']['ams.zookeeper.principal'].replace('_HOST',_hostname_lowercase) + + master_jaas_config_file = 
format("{hbase_conf_dir}/hbase_master_jaas.conf") + master_keytab_path = config['configurations']['ams-hbase-security-site']['hbase.master.keytab.file'] + master_jaas_princ = config['configurations']['ams-hbase-security-site']['hbase.master.kerberos.principal'].replace('_HOST',_hostname_lowercase) + + regionserver_jaas_config_file = format("{hbase_conf_dir}/hbase_regionserver_jaas.conf") + regionserver_keytab_path = config['configurations']['ams-hbase-security-site']['hbase.regionserver.keytab.file'] + regionserver_jaas_princ = config['configurations']['ams-hbase-security-site']['hbase.regionserver.kerberos.principal'].replace('_HOST',_hostname_lowercase) #log4j.properties if (('ams-hbase-log4j' in config['configurations']) and ('content' in config['configurations']['ams-hbase-log4j'])): http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params_linux.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params_linux.py index c67f75c..44d90b7 100644 --- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params_linux.py +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params_linux.py 
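Review bot: After this hunk `kinit_cmd` is always the empty string and `kinit_path_local` is no longer assigned in params.py, because the `if security_enabled:` branch that built the kinit command was removed. Any user of `params.kinit_cmd` or `params.kinit_path_local` outside this diff would then run without a ticket or fail on a secured cluster, unless those names reach params through an import from status_params; that should be confirmed. The principal lookups also changed from `default(...)` with a fallback to direct indexing of `config['configurations']['ams-hbase-security-site']`, which raises `KeyError` when that configuration type has not been delivered to the host yet.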
@@ -20,12 +20,12 @@ limitations under the License. from resource_management import * from ambari_commons import OSCheck -import status_params + config = Script.get_config() ams_collector_conf_dir = "/etc/ambari-metrics-collector/conf" ams_monitor_conf_dir = "/etc/ambari-metrics-monitor/conf/" -ams_user = status_params.ams_user +ams_user = config['configurations']['ams-env']['ams_user'] #RPM versioning support rpm_version = default("/configurations/hadoop-env/rpm_version", None) http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/status_params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/status_params.py b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/status_params.py index a19034c..947c992 100644 --- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/status_params.py +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/status_params.py 
@@ -20,11 +20,20 @@ limitations under the License. from resource_management import * -config = Script.get_config() +from ambari_commons import OSCheck +if OSCheck.is_windows_family(): + from params_windows import * +else: + from params_linux import * hbase_pid_dir = config['configurations']['ams-hbase-env']['hbase_pid_dir'] -ams_user = config['configurations']['ams-env']['ams_user'] hbase_user = ams_user ams_collector_pid_dir = config['configurations']['ams-env']['ams_collector_pid_dir'] ams_monitor_pid_dir = config['configurations']['ams-env']['ams_monitor_pid_dir'] +security_enabled = config['configurations']['cluster-env']['security_enabled'] +ams_hbase_conf_dir = format("{hbase_conf_dir}") + +kinit_path_local = functions.get_kinit_path(["/usr/bin", "/usr/kerberos/bin", "/usr/sbin"]) +hostname = config['hostname'] +tmp_dir = Script.get_tmp_dir() http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_collector_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_collector_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_collector_jaas.conf.j2 new file mode 100644 index 0000000..9ce7cd7 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_collector_jaas.conf.j2 
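Review bot: `security_enabled` defined here is the raw `cluster-env` flag, while the variable of the same name in params.py is forced to `False` for embedded mode, so the name has two meanings depending on which module a script imports. A comment on this line, such as `# cluster-wide flag; params.security_enabled is additionally False in embedded mode`, or a distinct name, would prevent a wrong check later. `ams_hbase_conf_dir = format("{hbase_conf_dir}")` wraps a single variable and can be `ams_hbase_conf_dir = hbase_conf_dir`, assuming the star import from params_linux provides `hbase_conf_dir`. Status commands may run with a reduced configuration, so it should be confirmed that `cluster-env` is always present when this module is loaded.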
@@ -0,0 +1,26 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} + +Client { +com.sun.security.auth.module.Krb5LoginModule required +useKeyTab=true +storeKey=true +useTicketCache=false +keyTab="{{ams_collector_keytab_path}}" +principal="{{ams_collector_jaas_princ}}"; +}; \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/1de32159/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_zookeeper_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_zookeeper_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_zookeeper_jaas.conf.j2 new file mode 100644 index 0000000..f1750b9 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_zookeeper_jaas.conf.j2 
@@ -0,0 +1,26 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+
+Server {
+com.sun.security.auth.module.Krb5LoginModule required
+useKeyTab=true
+storeKey=true
+useTicketCache=false
+keyTab="{{ams_zookeeper_keytab}}"
+principal="{{ams_zookeeper_principal_name}}";
+};
\ No newline at end of file