http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KERBEROS/package/templates/kdc_conf.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KERBEROS/package/templates/kdc_conf.j2 b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KERBEROS/package/templates/kdc_conf.j2
new file mode 100755
index 0000000..f78adc7
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KERBEROS/package/templates/kdc_conf.j2
@@ -0,0 +1,30 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+[kdcdefaults]
+ kdc_ports = {{kdcdefaults_kdc_ports}}
+ kdc_tcp_ports = {{kdcdefaults_kdc_tcp_ports}}
+
+[realms]
+ {{realm}} = {
+ acl_file = {{kadm5_acl_path}}
+ dict_file = /usr/share/dict/words
+ admin_keytab = {{kadm5_acl_dir}}/kadm5.keytab
+ supported_enctypes = {{encryption_types}}
+ }
+
+{# Append additional realm declarations should be placed below #}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KERBEROS/package/templates/krb5_conf.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KERBEROS/package/templates/krb5_conf.j2 b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KERBEROS/package/templates/krb5_conf.j2
new file mode 100755
index 0000000..733d38a
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KERBEROS/package/templates/krb5_conf.j2
@@ -0,0 +1,55 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+[libdefaults]
+ renew_lifetime = 7d
+ forwardable = true
+ default_realm = {{realm|upper()}}
+ ticket_lifetime = 24h
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ #default_tgs_enctypes = {{encryption_types}}
+ #default_tkt_enctypes = {{encryption_types}}
+
+{% if domains %}
+[domain_realm]
+{% for domain in domains.split(',') %}
+ {{domain}} = {{realm|upper()}}
+{% endfor %}
+{% endif %}
+
+[logging]
+ default = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ kdc = FILE:/var/log/krb5kdc.log
+
+[realms]
+ {{realm}} = {
+{%- if kdc_hosts > 0 -%}
+{%- set kdc_host_list = kdc_hosts.split(',') -%}
+{%- if kdc_host_list and kdc_host_list|length > 0 %}
+ admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
+{%- if kdc_host_list -%}
+{% for kdc_host in kdc_host_list %}
+ kdc = {{kdc_host|trim()}}
+{%- endfor -%}
+{% endif %}
+{%- endif %}
+{%- endif %}
+ }
+
+{# Append additional realm declarations below #}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/alerts.json
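Review bot: In krb5_conf.j2, `default_realm` and the `[domain_realm]` entries render `{{realm|upper()}}`, but the `[realms]` stanza header renders `{{realm}}` unchanged, as does the `[realms]` stanza in kdc_conf.j2 from the same commit. Kerberos realm names are case-sensitive, so a realm value supplied in lower or mixed case would yield a default realm with no matching `[realms]` entry; use `{{realm|upper()}} = {` in the stanza as well, or normalise the value once before rendering. Separately, `{%- if kdc_hosts > 0 -%}` compares what the next line treats as a comma-separated string with an integer; a plain truthiness test, `{%- if kdc_hosts -%}`, states the intent and does not rely on Python 2 mixed-type comparison.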
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/alerts.json b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/alerts.json
new file mode 100755
index 0000000..4986e04
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/alerts.json
@@ -0,0 +1,32 @@
+{
+ "KNOX": {
+ "service": [],
+ "KNOX_GATEWAY": [
+ {
+ "name": "knox_gateway_process",
+ "label": "Knox Gateway Process",
+ "description": "This host-level alert is triggered if the Knox Gateway cannot be determined to be up.",
+ "interval": 1,
+ "scope": "HOST",
+ "source": {
+ "type": "PORT",
+ "uri": "{{gateway-site/gateway.port}}",
+ "default_port": 8443,
+ "reporting": {
+ "ok": {
+ "text": "TCP OK - {0:.3f}s response on port {1}"
+ },
+ "warning": {
+ "text": "TCP OK - {0:.3f}s response on port {1}",
+ "value": 1.5
+ },
+ "critical": {
+ "text": "Connection failed: {0} to {1}:{2}",
+ "value": 5.0
+ }
+ }
+ }
+ }
+ ]
+ }
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/gateway-log4j.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/gateway-log4j.xml b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/gateway-log4j.xml
new file mode 100755
index 0000000..370f786
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/gateway-log4j.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+
+<configuration supports_final="false">
+
+ <property>
+ <name>content</name>
+ <value>
+
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+ app.log.dir=${launcher.dir}/../logs
+ app.log.file=${launcher.name}.log
+ app.audit.file=${launcher.name}-audit.log
+
+ log4j.rootLogger=ERROR, drfa
+
+ log4j.logger.org.apache.hadoop.gateway=INFO
+ #log4j.logger.org.apache.hadoop.gateway=DEBUG
+
+ #log4j.logger.org.eclipse.jetty=DEBUG
+ #log4j.logger.org.apache.shiro=DEBUG
+ #log4j.logger.org.apache.http=DEBUG
+ #log4j.logger.org.apache.http.client=DEBUG
+ #log4j.logger.org.apache.http.headers=DEBUG
+ #log4j.logger.org.apache.http.wire=DEBUG
+
+ log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+ log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+ log4j.appender.stdout.layout.ConversionPattern=%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n
+
+ log4j.appender.drfa=org.apache.log4j.DailyRollingFileAppender
+ log4j.appender.drfa.File=${app.log.dir}/${app.log.file}
+ log4j.appender.drfa.DatePattern=.yyyy-MM-dd
+ log4j.appender.drfa.layout=org.apache.log4j.PatternLayout
+ log4j.appender.drfa.layout.ConversionPattern=%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n
+
+ log4j.logger.audit=INFO, auditfile
+ log4j.appender.auditfile=org.apache.log4j.DailyRollingFileAppender
+ log4j.appender.auditfile.File=${app.log.dir}/${app.audit.file}
+ log4j.appender.auditfile.Append = true
+ log4j.appender.auditfile.DatePattern = '.'yyyy-MM-dd
+ log4j.appender.auditfile.layout = org.apache.hadoop.gateway.audit.log4j.layout.AuditLayout
+
+ </value>
+ <description>
+ content for log4j.properties file for Knox.
+ </description>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/gateway-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/gateway-site.xml b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/gateway-site.xml
new file mode 100755
index 0000000..0e81d0a
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/gateway-site.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+<!-- The default settings for Knox. -->
+<!-- Edit gateway-site.xml to change settings for your local -->
+<!-- install. -->
+
+<configuration supports_final="false">
+
+ <property>
+ <name>gateway.port</name>
+ <value>8443</value>
+ <description>The HTTP port for the Gateway.</description>
+ </property>
+
+ <property>
+ <name>gateway.path</name>
+ <value>gateway</value>
+ <description>The default context path for the gateway.</description>
+ </property>
+
+ <property>
+ <name>gateway.gateway.conf.dir</name>
+ <value>deployments</value>
+ <description>The directory within GATEWAY_HOME that contains gateway topology files and deployments.</description>
+ </property>
+
+ <property>
+ <name>gateway.hadoop.kerberos.secured</name>
+ <value>false</value>
+ <description>Boolean flag indicating whether the Hadoop cluster protected by Gateway is secured with Kerberos</description>
+ </property>
+
+ <property>
+ <name>java.security.krb5.conf</name>
+ <value>/etc/knox/conf/krb5.conf</value>
+ <description>Absolute path to krb5.conf file</description>
+ </property>
+
+ <property>
+ <name>java.security.auth.login.config</name>
+ <value>/etc/knox/conf/krb5JAASLogin.conf</value>
+ <description>Absolute path to JASS login config file</description>
+ </property>
+
+ <property>
+ <name>sun.security.krb5.debug</name>
+ <value>true</value>
+ <description>Boolean flag indicating whether to enable debug messages for krb5 authentication</description>
+ </property>
+
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/knox-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/knox-env.xml b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/knox-env.xml
new file mode 100755
index 0000000..40504f6
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/knox-env.xml
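Review bot: In gateway-site.xml, `sun.security.krb5.debug` defaults to `true`, so every gateway installed from this stack starts with JDK Kerberos debug tracing enabled, and the kerberos.json descriptor in this commit does not reset it when it sets `gateway.hadoop.kerberos.secured`. That tracing writes principal names and ticket-exchange detail to the process output, which is better kept out of routine logs; default it to `<value>false</value>` and let operators switch it on while troubleshooting. Two descriptions also need correcting: `gateway.port` is described as "The HTTP port" although the default is 8443, and "JASS login config file" should read "JAAS".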
@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+
+<configuration supports_final="true">
+ <!-- knox-env.sh -->
+
+ <property require-input="true">
+ <name>knox_master_secret</name>
+ <display-name>Knox Master Secret</display-name>
+ <value></value>
+ <property-type>PASSWORD</property-type>
+ <description>password to use as the master secret</description>
+ <value-attributes>
+ <editable-only-at-install>true</editable-only-at-install>
+ <overridable>false</overridable>
+ </value-attributes>
+ </property>
+
+ <property>
+ <name>knox_user</name>
+ <value>knox</value>
+ <property-type>USER</property-type>
+ <description>Knox Username.</description>
+ </property>
+
+ <property>
+ <name>knox_group</name>
+ <value>knox</value>
+ <property-type>GROUP</property-type>
+ <description>Knox Group.</description>
+ </property>
+
+ <property>
+ <name>knox_pid_dir</name>
+ <display-name>Knox PID dir</display-name>
+ <value>/var/run/knox</value>
+ <description>Knox PID dir.</description>
+ <value-attributes>
+ <type>directory</type>
+ <editable-only-at-install>true</editable-only-at-install>
+ <overridable>false</overridable>
+ </value-attributes>
+ </property>
+
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/ldap-log4j.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/ldap-log4j.xml b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/ldap-log4j.xml
new file mode 100755
index 0000000..a0cf658
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/ldap-log4j.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+
+<configuration supports_final="false">
+
+ <property>
+ <name>content</name>
+ <value>
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+ app.log.dir=${launcher.dir}/../logs
+ app.log.file=${launcher.name}.log
+
+ log4j.rootLogger=ERROR, drfa
+ log4j.logger.org.apache.directory.server.ldap.LdapServer=INFO
+ log4j.logger.org.apache.directory=WARN
+
+ log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+ log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+ log4j.appender.stdout.layout.ConversionPattern=%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n
+
+ log4j.appender.drfa=org.apache.log4j.DailyRollingFileAppender
+ log4j.appender.drfa.File=${app.log.dir}/${app.log.file}
+ log4j.appender.drfa.DatePattern=.yyyy-MM-dd
+ log4j.appender.drfa.layout=org.apache.log4j.PatternLayout
+ log4j.appender.drfa.layout.ConversionPattern=%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n
+
+ </value>
+ <description>
+ content for log4j.properties file for the demo LDAP that comes with Knox.
+ </description>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/topology.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/topology.xml b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/topology.xml
new file mode 100755
index 0000000..162fffc
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/topology.xml
@@ -0,0 +1,157 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+
+<configuration supports_final="false" supports_adding_forbidden="true">
+ <!-- topology file -->
+
+ <property>
+ <name>content</name>
+ <value>
+ <topology>
+
+ <gateway>
+
+ <provider>
+ <role>authentication</role>
+ <name>ShiroProvider</name>
+ <enabled>true</enabled>
+ <param>
+ <name>sessionTimeout</name>
+ <value>30</value>
+ </param>
+ <param>
+ <name>main.ldapRealm</name>
+ <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.userDnTemplate</name>
+ <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.url</name>
+ <value>ldap://{{knox_host_name}}:33389</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+ <value>simple</value>
+ </param>
+ <param>
+ <name>urls./**</name>
+ <value>authcBasic</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Default</name>
+ <enabled>true</enabled>
+ </provider>
+
+ </gateway>
+
+ <service>
+ <role>NAMENODE</role>
+ <url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url>
+ </service>
+
+ <service>
+ <role>JOBTRACKER</role>
+ <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
+ </service>
+
+ <service>
+ <role>WEBHDFS</role>
+ <url>http://{{namenode_host}}:{{namenode_http_port}}/webhdfs</url>
+ </service>
+
+ <service>
+ <role>WEBHCAT</role>
+ <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
+ </service>
+
+ <service>
+ <role>OOZIE</role>
+ <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
+ </service>
+
+ <service>
+ <role>WEBHBASE</role>
+ <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
+ </service>
+
+ <service>
+ <role>HIVE</role>
+ <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
+ </service>
+
+ <service>
+ <role>RESOURCEMANAGER</role>
+ <url>http://{{rm_host}}:{{rm_port}}/ws</url>
+ </service>
+
+ <service>
+ <role>HDFSUI</role>
+ <url>http://{{namenode_host}}:{{namenode_http_port}}</url>
+ </service>
+
+ <service>
+ <role>HBASEUI</role>
+ <url>http://{{hbase_master_host}}:{{hbase_master_ui_port}}</url>
+ </service>
+
+ <service>
+ <role>SOLR</role>
+ <url>http://{{solr_host}}:{{solr_port}}/solr</url>
+ </service>
+
+
+ <service>
+ <role>SPARKUI</role>
+ <url>http://{{spark_historyserver_host}}:{{spark_historyserver_ui_port}}</url>
+ </service>
+
+ <service>
+ <role>OOZIEUI</role>
+ <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
+ </service>
+
+ <service>
+ <role>YARNUI</role>
+ <url>http://{{rm_host}}:{{rm_port}}</url>
+ </service>
+
+ <service>
+ <role>JOBSTORYUI</role>
+ <url>http://{{mr_historyserver_address}}</url>
+ </service>
+
+ </topology>
+ </value>
+ <description>
+ The configuration specifies the Hadoop cluster services Knox will provide access to.
+ </description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <show-property-name>false</show-property-name>
+ </value-attributes>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/users-ldif.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/users-ldif.xml b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/users-ldif.xml
new file mode 100755
index 0000000..6f6fa54
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/configuration/users-ldif.xml
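Review bot: The default topology in topology.xml binds users against `ldap://{{knox_host_name}}:33389` with `authenticationMechanism` set to `simple` and `authcBasic` on `urls./**`, so Basic-auth passwords are forwarded to the directory over unencrypted LDAP. The `userDnTemplate` matches the `dc=hadoop,dc=apache,dc=org` tree in users-ldif.xml, which suggests the default is wired to the demo LDAP, yet nothing in the property says so. The `<gateway>` block also holds only authentication and identity-assertion providers, with no authorization provider, so any account that can bind reaches every listed service. The description should state this, e.g. `Default topology targets the demo LDAP over ldap:// with simple bind; replace the ldapRealm settings with a site directory over ldaps:// and add an authorization provider before production use.`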
@@ -0,0 +1,138 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+
+<configuration supports_final="false" supports_adding_forbidden="true">
+
+ <property>
+ <name>content</name>
+ <value>
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+
+# Please replace with site specific values
+dn: dc=hadoop,dc=apache,dc=org
+objectclass: organization
+objectclass: dcObject
+o: Hadoop
+dc: hadoop
+
+# Entry for a sample people container
+# Please replace with site specific values
+dn: ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: people
+
+# Entry for a sample end user
+# Please replace with site specific values
+dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Guest
+sn: User
+uid: guest
+userPassword:guest-password
+
+# entry for sample user admin
+dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Admin
+sn: Admin
+uid: admin
+userPassword:admin-password
+
+# entry for sample user sam
+dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: sam
+sn: sam
+uid: sam
+userPassword:sam-password
+
+# entry for sample user tom
+dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: tom
+sn: tom
+uid: tom
+userPassword:tom-password
+
+# create FIRST Level groups branch
+dn: ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: groups
+description: generic groups branch
+
+# create the analyst group under groups
+dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass: groupofnames
+cn: analyst
+description:analyst group
+member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
+
+
+# create the scientist group under groups
+dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass: groupofnames
+cn: scientist
+description: scientist group
+member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+
+ </value>
+ <description>
+ content for users-ldif file for the demo LDAP that comes with Knox.
+ </description>
+ <value-attributes>
+ <show-property-name>false</show-property-name>
+ </value-attributes>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/kerberos.json b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/kerberos.json
new file mode 100755
index 0000000..5efd581
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/kerberos.json
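Review bot: The LDIF content in users-ldif.xml ships four accounts with predictable `userPassword` values (guest, admin, sam and tom), and only the first three entries carry the "Please replace with site specific values" comment; the admin, sam and tom entries have none. Because the default topology.xml in this commit uses the same `dc=hadoop,dc=apache,dc=org` tree for its `userDnTemplate`, these would become working gateway logins wherever the demo LDAP is running. Say so in the property description, for example `Demo-only users with published passwords; replace these entries before running the demo LDAP on a reachable gateway.`, and repeat the replace-me comment on every user entry.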
@@ -0,0 +1,62 @@
+{
+ "services": [
+ {
+ "name": "KNOX",
+ "components": [
+ {
+ "name": "KNOX_GATEWAY",
+ "identities": [
+ {
+ "name": "knox_principal",
+ "principal": {
+ "value": "${knox-env/knox_user}/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "knox-env/knox_principal_name",
+ "local_username": "${knox-env/knox_user}"
+
+ },
+ "keytab": {
+ "file": "${keytab_dir}/knox.service.keytab",
+ "owner": {
+ "name": "${knox-env/knox_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "knox-env/knox_keytab_path"
+ }
+ }
+ ],
+ "configurations": [
+ {
+ "gateway-site": {
+ "gateway.hadoop.kerberos.secured": "true",
+ "java.security.krb5.conf": "/etc/krb5.conf"
+ }
+ },
+ {
+ "core-site": {
+ "hadoop.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "hadoop.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ },
+ {
+ "webhcat-site": {
+ "webhcat.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "webhcat.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ },
+ {
+ "oozie-site": {
+ "oozie.service.ProxyUserService.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "oozie.service.ProxyUserService.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/metainfo.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/metainfo.xml b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/metainfo.xml
new file mode 100755
index 0000000..6093bfe
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/metainfo.xml
@@ -0,0 +1,88 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<metainfo> + <schemaVersion>2.0</schemaVersion> + <services> + <service> + <name>KNOX</name> + <displayName>Knox</displayName> + <comment>Provides a single point of authentication and access for Apache Hadoop services in a cluster</comment> + <version>0.6.0</version> + <components> + <component> + <name>KNOX_GATEWAY</name> + <displayName>Knox Gateway</displayName> + <category>MASTER</category> + <cardinality>1+</cardinality> + <versionAdvertised>true</versionAdvertised> + <commandScript> + <script>scripts/knox_gateway.py</script> + <scriptType>PYTHON</scriptType> + <timeout>600</timeout> + </commandScript> + <customCommands> + <customCommand> + <name>STARTDEMOLDAP</name> + <commandScript> + <script>scripts/demo_ldap.py</script> + <scriptType>PYTHON</scriptType> + <timeout>600</timeout> + </commandScript> + </customCommand> + <customCommand> + <name>STOPDEMOLDAP</name> + <commandScript> + <script>scripts/demo_ldap.py</script> + <scriptType>PYTHON</scriptType> + <timeout>600</timeout> + </commandScript> + </customCommand> + </customCommands> + </component> + </components> + <osSpecifics> + <osSpecific> + <osFamily>redhat6,suse11</osFamily> + <packages> + 
<package> + <name>knox-0.5.0*</name> + </package> + </packages> + </osSpecific> + <osSpecific> + <osFamily>ubuntu12</osFamily> + <packages> + <package> + <name>knox-0.5.0*</name> + </package> + </packages> + </osSpecific> + </osSpecifics> + <commandScript> + <script>scripts/service_check.py</script> + <scriptType>PYTHON</scriptType> + <timeout>300</timeout> + </commandScript> + <configuration-dependencies> + <config-type>gateway-site</config-type> + <config-type>gateway-log4j</config-type> + <config-type>topology</config-type> + </configuration-dependencies> + </service> + </services> +</metainfo> http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/files/validateKnoxStatus.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/files/validateKnoxStatus.py b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/files/validateKnoxStatus.py new file mode 100755 index 0000000..0d3b14d --- /dev/null +++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/files/validateKnoxStatus.py 
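Review bot: The `<version>` element declares Knox 0.6.0, but both `<osSpecific>` package lists install `knox-0.5.0*`, so the version Ambari reports may not match what is installed on the hosts. If 0.6.0 is the intended release, the package entries should presumably read `<name>knox-0.6.0*</name>` or use a less tightly pinned glob; if 0.5.0 is what ships, `<version>` should say so. For a component that fronts authentication for the cluster, an accurate version matters when deployed hosts are checked against advisories.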
@@ -0,0 +1,42 @@ +#!/usr/bin/env python +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" +import optparse +import socket + +# +# Main. +# +def main(): + parser = optparse.OptionParser(usage="usage: %prog [options]") + parser.add_option("-p", "--port", dest="port", help="Port for Knox process") + parser.add_option("-n", "--hostname", dest="hostname", help="Hostname of Knox Gateway component") + + (options, args) = parser.parse_args() + timeout_seconds = 5 + try: + s = socket.create_connection((options.hostname, int(options.port)),timeout=timeout_seconds) + print "Successfully connected to %s on port %s" % (options.hostname, options.port) + s.close() + except socket.error, e: + print "Connection to %s on port %s failed: %s" % (options.hostname, options.port, e) + exit(1) + +if __name__ == "__main__": + main() http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox.py ---------------------------------------------------------------------- 
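Review bot: `main()` never checks that `-p` and `-n` were supplied, so a missing or non-numeric port makes `int(options.port)` raise `TypeError` or `ValueError`, which `except socket.error` does not catch; the script then dies with a traceback instead of the intended failure message. Add `if not options.hostname or not options.port: parser.error("hostname and port are required")` right after `parse_args()`. `s.close()` is skipped if the `print` before it fails, so closing in a `finally` would be tidier. The bare `exit(1)` depends on the `site` builtin; `sys.exit(1)` with `import sys` is the conventional form.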
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox.py b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox.py new file mode 100755 index 0000000..a98af31 --- /dev/null +++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox.py 
@@ -0,0 +1,134 @@ +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" + +import os +from resource_management import * + + +from resource_management.libraries.script.script import Script +from resource_management.libraries.resources.xml_config import XmlConfig +from resource_management.core.resources.service import ServiceConfig +from resource_management.libraries.functions.format import format +from resource_management.libraries.resources.template_config import TemplateConfig +from resource_management.core.resources.system import File, Execute, Directory +from resource_management.core.shell import as_user +from resource_management.core.source import InlineTemplate + + +from resource_management.core.logger import Logger + +#@OsFamilyFuncImpl(os_family=OSConst.WINSRV_FAMILY) +#def knox(): +# import params +# +# XmlConfig("gateway-site.xml", +# conf_dir=params.knox_conf_dir, +# configurations=params.config['configurations']['gateway-site'], +# configuration_attributes=params.config['configuration_attributes']['gateway-site'], +# owner=params.knox_user +# ) +# +# # Manually overriding service logon user & password set by the installation package +# ServiceConfig(params.knox_gateway_win_service_name, +# action="change_user", +# username = params.knox_user, +# 
password = Script.get_password(params.knox_user)) +# +# File(os.path.join(params.knox_conf_dir, "gateway-log4j.properties"), +# owner=params.knox_user, +# content=params.gateway_log4j +# ) +# +# File(os.path.join(params.knox_conf_dir, "topologies", "default.xml"), +# group=params.knox_group, +# owner=params.knox_user, +# content=InlineTemplate(params.topology_template) +# ) +# +# if params.security_enabled: +# TemplateConfig( os.path.join(params.knox_conf_dir, "krb5JAASLogin.conf"), +# owner = params.knox_user, +# template_tag = None +# ) +# +# if not os.path.isfile(params.knox_master_secret_path): +# cmd = format('cmd /C {knox_client_bin} create-master --master {knox_master_secret!p}') +# Execute(cmd) +# cmd = format('cmd /C {knox_client_bin} create-cert --hostname {knox_host_name_in_cluster}') +# Execute(cmd) +# +#@OsFamilyFuncImpl(os_family=OsFamilyImpl.DEFAULT) +def knox(): + import params + + Directory([params.knox_data_dir, params.knox_logs_dir, params.knox_pid_dir, params.knox_conf_dir, os.path.join(params.knox_conf_dir, "topologies")], + owner = params.knox_user, + group = params.knox_group, + create_parents = True, + cd_access = "a", + mode = 0755, + recursive_ownership = True, + recursion_follow_links = True, + ) + + + XmlConfig("gateway-site.xml", + conf_dir=params.knox_conf_dir, + configurations=params.config['configurations']['gateway-site'], + configuration_attributes=params.config['configuration_attributes']['gateway-site'], + owner=params.knox_user, + group=params.knox_group, + ) + + File(format("{params.knox_conf_dir}/gateway-log4j.properties"), + mode=0644, + group=params.knox_group, + owner=params.knox_user, + content=params.gateway_log4j + ) + + File(format("{params.knox_conf_dir}/topologies/default.xml"), + group=params.knox_group, + owner=params.knox_user, + content=InlineTemplate(params.topology_template) + ) + if params.security_enabled: + TemplateConfig( format("{knox_conf_dir}/krb5JAASLogin.conf"), + owner = params.knox_user, + 
template_tag = None + ) + + + cmd = format('{knox_client_bin} create-master --master {knox_master_secret!p}') + master_secret_exist = as_user(format('test -f {knox_master_secret_path}'), params.knox_user) + + Execute(cmd, + user=params.knox_user, + environment={'JAVA_HOME': params.java_home}, + not_if=master_secret_exist, + ) + + cmd = format('{knox_client_bin} create-cert --hostname {knox_host_name_in_cluster}') + cert_store_exist = as_user(format('test -f {knox_cert_store_path}'), params.knox_user) + + Execute(cmd, + user=params.knox_user, + environment={'JAVA_HOME': params.java_home}, + not_if=cert_store_exist, + ) http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox_gateway.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox_gateway.py b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox_gateway.py new file mode 100755 index 0000000..6cc97ac --- /dev/null +++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox_gateway.py 
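Review bot: The `create-master` command near the end of `knox()` puts the Knox master secret on the command line (`--master {knox_master_secret!p}`); the `!p` conversion presumably masks it in Ambari's own log output, but the value is still an argv entry that other local users can read from the process list while `knoxcli.sh` runs. If the packaged `knoxcli.sh` can take the secret from its prompt or stdin, feed it that way instead of `--master`. In the same function the `File` for `topologies/default.xml` sets no `mode`, unlike `gateway-log4j.properties`; a topology can carry LDAP bind settings, so give it an explicit restrictive mode such as `mode=0640`. The `Directory(...)` call also applies `mode = 0755` with `cd_access = "a"` to `knox_data_dir`, which per params.py holds `security/master` and the keystores, so that tree deserves a tighter mode than the log and pid directories.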
@@ -0,0 +1,290 @@ +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" + +from resource_management import * +from resource_management.libraries.functions import conf_select +import os +import tarfile + + + +from resource_management.libraries.functions import stack_select + +from resource_management.libraries.functions.security_commons import build_expectations, \ + cached_kinit_executor, validate_security_config_properties, get_params_from_filesystem, \ + FILE_TYPE_XML +import sys + + +#if OSCheck.is_windows_family(): +# from resource_management.libraries.functions.windows_service_utils import check_windows_service_status + +import upgrade +from knox import knox +from knox_ldap import ldap + +#from setup_ranger_knox import setup_ranger_knox + +class KnoxGateway(Script): + + + def get_component_name(self): + return "knox-server" + + def install(self, env): + self.install_packages(env) + import params + env.set_params(params) + + File(format('{knox_conf_dir}/topologies/sandbox.xml'), + action = "delete", + ) + + def configure(self, env, upgrade_type=None): + import params + env.set_params(params) + knox() + ldap() + + + +#@OsFamilyImpl(os_family=OSConst.WINSRV_FAMILY) +#class KnoxGatewayWindows(KnoxGateway): +# def start(self, env): +# import params +# 
env.set_params(params) +# self.configure(env) +# # setup_ranger_knox(env) +# Service(params.knox_gateway_win_service_name, action="start") +# +# def stop(self, env): +# import params +# env.set_params(params) +# Service(params.knox_gateway_win_service_name, action="stop") +# +# def status(self, env): +# import status_params +# env.set_params(status_params) +# check_windows_service_status(status_params.knox_gateway_win_service_name) +# +# def startdemoldap(self, env): +# import params +# env.set_params(params) +# self.configureldap(env) +# Service(params.knox_ldap_win_service_name, action="start") +# +# def stopdemoldap(self, env): +# import params +# env.set_params(params) +# Service(params.knox_ldap_win_service_name, action="stop") + + + +#@OsFamilyImpl(os_family=OsFamilyImpl.DEFAULT) +#class KnoxGatewayDefault(KnoxGateway): +# def get_component_name(self): +# return {"HDP": "knox-server"} + + def pre_upgrade_restart(self, env, upgrade_type=None): + import params + env.set_params(params) + if params.version and compare_versions(format_stack_version(params.version), '4.0.0.0') >= 0: + + absolute_backup_dir = None + if params.upgrade_direction and params.upgrade_direction == Direction.UPGRADE: + Logger.info("Backing up directories. Initial conf folder: %s" % os.path.realpath(params.knox_conf_dir)) + + # This will backup the contents of the conf directory into /tmp/knox-upgrade-backup/knox-conf-backup.tar + absolute_backup_dir = upgrade.backup_data() + + # conf-select will change the symlink to the conf folder. 
+ conf_select.select(params.stack_name, "knox", params.version) + stack_select.select("knox-server", params.version) + + # Extract the tar of the old conf folder into the new conf directory + if absolute_backup_dir is not None and params.upgrade_direction and params.upgrade_direction == Direction.UPGRADE: + conf_tar_source_path = os.path.join(absolute_backup_dir, upgrade.BACKUP_CONF_ARCHIVE) + data_tar_source_path = os.path.join(absolute_backup_dir, upgrade.BACKUP_DATA_ARCHIVE) + if os.path.exists(conf_tar_source_path): + extract_dir = os.path.realpath(params.knox_conf_dir) + conf_tar_dest_path = os.path.join(extract_dir, upgrade.BACKUP_CONF_ARCHIVE) + Logger.info("Copying %s into %s file." % (upgrade.BACKUP_CONF_ARCHIVE, conf_tar_dest_path)) + Execute(('cp', conf_tar_source_path, conf_tar_dest_path), + sudo = True, + ) + + tar_archive.untar_archive(conf_tar_source_path, extract_dir) + + File(conf_tar_dest_path, + action = "delete", + ) + extract_dir = os.path.realpath(params.knox_data_dir+"-"+params.version+"/security") + if not os.path.exists(extract_dir): + Directory(extract_dir, + owner = params.knox_user, + group = params.knox_group, + create_parents = True + ) + data_tar_dest_path = os.path.join(extract_dir, upgrade.BACKUP_DATA_ARCHIVE) + Logger.info("Copying %s into %s file." 
% (upgrade.BACKUP_DATA_ARCHIVE, data_tar_dest_path + "/security")) + Execute(('cp', data_tar_source_path, data_tar_dest_path ), + sudo = True, + ) + + tar_archive.untar_archive(data_tar_source_path, extract_dir) + + File(data_tar_dest_path, + action = "delete", + ) + + populate_topology_template = format('cp /usr/iop/{version}/etc/knox/conf.dist/topologies/* {knox_conf_dir}/topologies') + Logger.info("Prepare to populate topologies template via command: {0}".format(populate_topology_template)) + Execute(populate_topology_template) + + def start(self, env, upgrade_type=None): + import params + env.set_params(params) + self.configure(env) + daemon_cmd = format('{knox_bin} start') + populate_topology = format('cd {knox_conf_dir}/topologies/; {sudo} ambari-python-wrap ./generate_template.py; {sudo} chmod 777 *.xml') + no_op_test = format('ls {knox_pid_file} >/dev/null 2>&1 && ps -p `cat {knox_pid_file}` >/dev/null 2>&1') + #setup_ranger_knox(upgrade_type=upgrade_type) + # Used to setup symlink, needed to update the knox managed symlink, in case of custom locations + if os.path.islink(params.knox_managed_pid_symlink) and os.path.realpath(params.knox_managed_pid_symlink) != params.knox_pid_dir: + os.unlink(params.knox_managed_pid_symlink) + os.symlink(params.knox_pid_dir, params.knox_managed_pid_symlink) + + Execute(populate_topology) + Execute(daemon_cmd, + user=params.knox_user, + environment={'JAVA_HOME': params.java_home}, + not_if=no_op_test + ) + + def stop(self, env, upgrade_type=None): + import params + env.set_params(params) + self.configure(env) + daemon_cmd = format('{knox_bin} stop') + Execute(daemon_cmd, + environment={'JAVA_HOME': params.java_home}, + user=params.knox_user, + ) + File(params.knox_pid_file, + action="delete", + ) + + def status(self, env): + import status_params + env.set_params(status_params) + check_process_status(status_params.knox_pid_file) + + + def configureldap(self, env): + import params + env.set_params(params) + ldap() + + def 
startdemoldap(self, env): + import params + env.set_params(params) + self.configureldap(env) + daemon_cmd = format('{ldap_bin} start') + no_op_test = format('ls {ldap_pid_file} >/dev/null 2>&1 && ps -p `cat {ldap_pid_file}` >/dev/null 2>&1') + Execute(daemon_cmd, + user=params.knox_user, + environment={'JAVA_HOME': params.java_home}, + not_if=no_op_test + ) + + def stopdemoldap(self, env): + import params + env.set_params(params) + self.configureldap(env) + daemon_cmd = format('{ldap_bin} stop') + Execute(daemon_cmd, + environment={'JAVA_HOME': params.java_home}, + user=params.knox_user, + ) + Execute (format("rm -f {ldap_pid_file}")) + + def security_status(self, env): + import status_params + env.set_params(status_params) + + if status_params.security_enabled: + expectations = {} + expectations.update(build_expectations( + 'krb5JAASLogin', + None, + ['keytab', 'principal'], + None + )) + expectations.update(build_expectations( + 'gateway-site', + { + "gateway.hadoop.kerberos.secured" : "true" + }, + None, + None + )) + + security_params = { + "krb5JAASLogin": + { + 'keytab': status_params.knox_keytab_path, + 'principal': status_params.knox_principal_name + } + } + security_params.update(get_params_from_filesystem(status_params.knox_conf_dir, + {"gateway-site.xml" : FILE_TYPE_XML})) + + result_issues = validate_security_config_properties(security_params, expectations) + if not result_issues: # If all validations passed successfully + try: + # Double check the dict before calling execute + if ( 'krb5JAASLogin' not in security_params + or 'keytab' not in security_params['krb5JAASLogin'] + or 'principal' not in security_params['krb5JAASLogin']): + self.put_structured_out({"securityState": "UNSECURED"}) + self.put_structured_out({"securityIssuesFound": "Keytab file and principal are not set."}) + return + + cached_kinit_executor(status_params.kinit_path_local, + status_params.knox_user, + security_params['krb5JAASLogin']['keytab'], + 
security_params['krb5JAASLogin']['principal'], + status_params.hostname, + status_params.temp_dir) + self.put_structured_out({"securityState": "SECURED_KERBEROS"}) + except Exception as e: + self.put_structured_out({"securityState": "ERROR"}) + self.put_structured_out({"securityStateErrorInfo": str(e)}) + else: + issues = [] + for cf in result_issues: + issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf])) + self.put_structured_out({"securityIssuesFound": ". ".join(issues)}) + self.put_structured_out({"securityState": "UNSECURED"}) + else: + self.put_structured_out({"securityState": "UNSECURED"}) + + +if __name__ == "__main__": + KnoxGateway().execute() http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox_ldap.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox_ldap.py b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox_ldap.py new file mode 100755 index 0000000..7712396 --- /dev/null +++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/knox_ldap.py 
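Review bot: In `start()`, `populate_topology` runs `{sudo} ambari-python-wrap ./generate_template.py` from `{knox_conf_dir}/topologies` and then `{sudo} chmod 777 *.xml`, and both steps weaken privilege separation. knox.py makes that directory owned by `knox_user`, so a script executed there under sudo lets anything able to write the directory run code as root, and mode 777 leaves every topology file (the gateway's authentication and routing configuration) writable by any local account. Keep the generator in a root-owned location and run it as `params.knox_user`, and replace the chmod with something like `chmod 640 *.xml` plus a chown to the knox user and group. The steps are joined with `;`, so a failed `cd` still runs the remaining commands in whatever the working directory happens to be; use `&&`. Separately, `pre_upgrade_restart` calls `tar_archive.untar_archive` while the visible imports only bring in `tarfile`, so confirm `tar_archive` is really exported by `from resource_management import *`.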
@@ -0,0 +1,54 @@ +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" + +import os +from resource_management import * + +def _ldap_common(): + import params + + File(os.path.join(params.knox_conf_dir, 'ldap-log4j.properties'), + mode=params.mode, + group=params.knox_group, + owner=params.knox_user, + content=params.ldap_log4j + ) + + File(os.path.join(params.knox_conf_dir, 'users.ldif'), + mode=params.mode, + group=params.knox_group, + owner=params.knox_user, + content=params.users_ldif + ) + +#@OsFamilyFuncImpl(os_family=OSConst.WINSRV_FAMILY) +#def ldap(): +# import params +# +# # Manually overriding service logon user & password set by the installation package +# ServiceConfig(params.knox_ldap_win_service_name, +# action="change_user", +# username = params.knox_user, +# password = Script.get_password(params.knox_user)) +# +# _ldap_common() + +#@OsFamilyFuncImpl(os_family=OsFamilyImpl.DEFAULT) +def ldap(): + _ldap_common() http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/ldap.py ---------------------------------------------------------------------- 
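Review bot: `_ldap_common()` writes `users.ldif` with `mode=params.mode`, which params.py sets to `0644`, so the demo directory's user entries are readable by every local account. LDIF files for a demo LDAP usually include `userPassword` attributes (the content is not visible in this hunk, so confirm); if so, the file should be written with `mode=0640` or tighter, for `knox_user` and `knox_group` only. The same code appears in scripts/ldap.py and needs the same change. A short docstring on `_ldap_common()` and `ldap()` saying that they only write the demo LDAP's log4j and LDIF files would also help.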
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/ldap.py b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/ldap.py new file mode 100755 index 0000000..d0bab65 --- /dev/null +++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/ldap.py 
@@ -0,0 +1,55 @@ +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" + +import os +from resource_management import * + + +def _ldap_common(): + import params + + File(os.path.join(params.knox_conf_dir, 'ldap-log4j.properties'), + mode=params.mode, + group=params.knox_group, + owner=params.knox_user, + content=params.ldap_log4j + ) + + File(os.path.join(params.knox_conf_dir, 'users.ldif'), + mode=params.mode, + group=params.knox_group, + owner=params.knox_user, + content=params.users_ldif + ) + +#@OsFamilyFuncImpl(os_#family=OSConst.WINSRV_FAMILY) +#def ldap(): +# import params +# +# # Manually overriding service logon user & password set by the installation package +# ServiceConfig(params.knox_ldap_win_service_name, +# action="change_user", +# username = params.knox_user, +# password = Script.get_password(params.knox_user)) +# +# _ldap_common() + +#@OsFamilyFuncImpl(os_family=OsFamilyImpl.DEFAULT) +def ldap(): + _ldap_common() http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/params.py ---------------------------------------------------------------------- 
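Review bot: This file duplicates knox_ldap.py (the same `_ldap_common()` and `ldap()`), while knox_gateway.py imports `ldap` from `knox_ldap`, so this module looks unused. Two copies of the code that writes `users.ldif` will drift, and a permission fix applied to one is easy to miss in the other; delete ldap.py or reduce it to `from knox_ldap import ldap`. A module named `ldap.py` on the script path can also shadow a third-party `ldap` package if one is ever imported. The commented-out decorator here has a typo, `os_#family`, that the other copy does not.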
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/params.py b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/params.py new file mode 100755 index 0000000..9fec3a3 --- /dev/null +++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/params.py 
@@ -0,0 +1,172 @@ +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +Ambari Agent + +""" + +from ambari_commons.constants import AMBARI_SUDO_BINARY +from resource_management.libraries.functions.version import format_stack_version, compare_versions +from resource_management.libraries.functions.default import default +from resource_management import * +import status_params + +ibm_distribution_knox_dir = '/usr/iop/current/knox-server' +ibm_distribution_knox_var = '/var' + + +# server configurations +config = Script.get_config() + +tmp_dir = Script.get_tmp_dir() +sudo = AMBARI_SUDO_BINARY + +stack_name = default("/hostLevelParams/stack_name", None) + +upgrade_direction = default("/commandParams/upgrade_direction", None) +version = default("/commandParams/version", None) + +stack_version_unformatted = str(config['hostLevelParams']['stack_version']) +stack_version = format_stack_version(stack_version_unformatted) + +knox_bin = ibm_distribution_knox_dir + '/bin/gateway.sh' +ldap_bin = ibm_distribution_knox_dir + '/bin/ldap.sh' +knox_client_bin = ibm_distribution_knox_dir + '/bin/knoxcli.sh' + +namenode_hosts = default("/clusterHostInfo/namenode_host", None) +if type(namenode_hosts) is list: + namenode_host = namenode_hosts[0] +else: + namenode_host = 
namenode_hosts + +has_namenode = not namenode_host == None +namenode_http_port = "50070" +namenode_rpc_port = "8020" + +if has_namenode: + if 'dfs.namenode.http-address' in config['configurations']['hdfs-site']: + namenode_http_port = get_port_from_url(config['configurations']['hdfs-site']['dfs.namenode.http-address']) + + if 'dfs.namenode.rpc-address' in config['configurations']['hdfs-site']: + namenode_rpc_port = get_port_from_url(config['configurations']['hdfs-site']['dfs.namenode.rpc-address']) + +rm_hosts = default("/clusterHostInfo/rm_host", None) +if type(rm_hosts) is list: + rm_host = rm_hosts[0] +else: + rm_host = rm_hosts +has_rm = not rm_host == None + +jt_rpc_port = "8050" +rm_port = "8080" + +if has_rm: + if 'yarn.resourcemanager.address' in config['configurations']['yarn-site']: + jt_rpc_port = get_port_from_url(config['configurations']['yarn-site']['yarn.resourcemanager.address']) + + if 'yarn.resourcemanager.webapp.address' in config['configurations']['yarn-site']: + rm_port = get_port_from_url(config['configurations']['yarn-site']['yarn.resourcemanager.webapp.address']) + +hive_http_port = default('/configurations/hive-site/hive.server2.thrift.http.port', "10001") +hive_http_path = default('/configurations/hive-site/hive.server2.thrift.http.path', "cliservice") +hive_server_hosts = default("/clusterHostInfo/hive_server_host", None) +if type(hive_server_hosts) is list: + hive_server_host = hive_server_hosts[0] +else: + hive_server_host = hive_server_hosts + +templeton_port = default('/configurations/webhcat-site/templeton.port', "50111") +webhcat_server_hosts = default("/clusterHostInfo/webhcat_server_host", None) +if type(webhcat_server_hosts) is list: + webhcat_server_host = webhcat_server_hosts[0] +else: + webhcat_server_host = webhcat_server_hosts + +hbase_master_port = default('/configurations/hbase-site/hbase.rest.port', "8080") +hbase_master_hosts = default("/clusterHostInfo/hbase_master_hosts", None) +if type(hbase_master_hosts) is list: + 
hbase_master_host = hbase_master_hosts[0] +else: + hbase_master_host = hbase_master_hosts + +oozie_server_hosts = default("/clusterHostInfo/oozie_server", None) +if type(oozie_server_hosts) is list: + oozie_server_host = oozie_server_hosts[0] +else: + oozie_server_host = oozie_server_hosts + +has_oozie = not oozie_server_host == None +oozie_server_port = "11000" + +if has_oozie: + if 'oozie.base.url' in config['configurations']['oozie-site']: + oozie_server_port = get_port_from_url(config['configurations']['oozie-site']['oozie.base.url']) + +# Knox managed properties +knox_managed_pid_symlink= "/usr/iop/current/knox-server/pids" + +# +#Hbase master port +# +hbase_master_ui_port = default('/configurations/hbase-site/hbase.master.info.port', "60010"); + +#Spark +spark_historyserver_hosts = default("/clusterHostInfo/spark_jobhistoryserver_hosts", None) +if type(spark_historyserver_hosts) is list: + spark_historyserver_host = spark_historyserver_hosts[0] +else: + spark_historyserver_host = spark_historyserver_hosts + +spark_historyserver_ui_port = default("/configurations/spark-defaults/spark.history.ui.port", "18080") +# Solr +solr_host=default("/configurations/solr/hostname", None) +solr_port=default("/configuration/solr/solr-env/solr_port","8983") + +# JobHistory mapreduce +mr_historyserver_address = default("/configurations/mapred-site/mapreduce.jobhistory.webapp.address", None) + + +# server configurations +knox_conf_dir = ibm_distribution_knox_dir + '/conf' +knox_data_dir = ibm_distribution_knox_dir + '/data' +knox_logs_dir = ibm_distribution_knox_var + '/log/knox' +knox_pid_dir = status_params.knox_pid_dir +knox_user = default("/configurations/knox-env/knox_user", "knox") +knox_group = default("/configurations/knox-env/knox_group", "knox") +mode = 0644 +knox_pid_file = status_params.knox_pid_file +ldap_pid_file = status_params.ldap_pid_file +knox_master_secret = config['configurations']['knox-env']['knox_master_secret'] +knox_master_secret_path = 
ibm_distribution_knox_dir + '/data/security/master' +knox_cert_store_path = ibm_distribution_knox_dir + '/data/security/keystores/gateway.jks' +knox_host_name = config['clusterHostInfo']['knox_gateway_hosts'][0] +knox_host_name_in_cluster = config['hostname'] +knox_host_port = config['configurations']['gateway-site']['gateway.port'] +topology_template = config['configurations']['topology']['content'] +gateway_log4j = config['configurations']['gateway-log4j']['content'] +ldap_log4j = config['configurations']['ldap-log4j']['content'] +users_ldif = config['configurations']['users-ldif']['content'] +java_home = config['hostLevelParams']['java_home'] +security_enabled = config['configurations']['cluster-env']['security_enabled'] +smokeuser = config['configurations']['cluster-env']['smokeuser'] +smokeuser_principal = config['configurations']['cluster-env']['smokeuser_principal_name'] +smoke_user_keytab = config['configurations']['cluster-env']['smokeuser_keytab'] +kinit_path_local = get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None)) +if security_enabled: + knox_keytab_path = config['configurations']['knox-env']['knox_keytab_path'] + _hostname_lowercase = config['hostname'].lower() + knox_principal_name = config['configurations']['knox-env']['knox_principal_name'].replace('_HOST',_hostname_lowercase) http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/service_check.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/service_check.py b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/service_check.py new file mode 100755 index 0000000..ec915d4 --- /dev/null +++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/service_check.py 
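Review bot: `solr_port=default("/configuration/solr/solr-env/solr_port","8983")` uses `/configuration/` where every other lookup in the file uses `/configurations/`, so the lookup most likely never matches and `solr_port` is always `"8983"` whatever is configured. Correct the prefix to `/configurations/` and check the rest of the path against the Solr service's config type (the neighbouring `solr_host` reads `/configurations/solr/hostname`). `knox_master_secret` is loaded here as an ordinary module attribute and the scripts pass the whole module to `env.set_params(params)`; a comment marking it as sensitive, not to be logged or rendered into files, would help. The `has_* = not x == None` tests read better as `x is not None`.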
@@ -0,0 +1,92 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management import *
+import sys
+import os
+
+
+class KnoxServiceCheck(Script):
+ def service_check(self, env):
+ pass
+
+
+#
+#@OsFamilyImpl(os_family=OSConst.WINSRV_FAMILY)
+##class KnoxServiceCheckWindows(KnoxServiceCheck):
+# def service_check(self, env):
+# import params
+# env.set_params(params)
+#
+# temp_dir = os.path.join(os.path.dirname(params.knox_home), "temp")
+# validateKnoxFileName = "validateKnoxStatus.py"
+# validateKnoxFilePath = os.path.join(temp_dir, validateKnoxFileName)
+# python_executable = sys.executable
+# validateStatusCmd = "%s %s -p %s -n %s" % (python_executable, validateKnoxFilePath, params.knox_host_port, params.knox_host_name)
+#
+# print "Test connectivity to knox server"
+#
+# File(validateKnoxFilePath,
+# content=StaticFile(validateKnoxFileName)
+# )
+#
+# Execute(validateStatusCmd,
+# tries=3,
+# try_sleep=5,
+# timeout=5,
+# logoutput=True
+# )
+
+
+#@OsFamilyImpl(os_family=OsFamilyImpl.DEFAULT)
+class KnoxServiceCheckDefault(KnoxServiceCheck):
+ def service_check(self, env):
+ import params
+ env.set_params(params)
+
+ validateKnoxFileName = "validateKnoxStatus.py"
+ validateKnoxFilePath = format("{tmp_dir}/{validateKnoxFileName}")
+ python_executable = sys.executable
+ validateStatusCmd = format("{python_executable} {validateKnoxFilePath} -p {knox_host_port} -n {knox_host_name}")
+ if params.security_enabled:
+ kinit_cmd = format("{kinit_path_local} -kt {smoke_user_keytab} {smokeuser_principal};")
+ smoke_cmd = format("{kinit_cmd} {validateStatusCmd}")
+ else:
+ smoke_cmd = validateStatusCmd
+
+ print "Test connectivity to knox server"
+
+ File(validateKnoxFilePath,
+ content=StaticFile(validateKnoxFileName),
+ mode=0755
+ )
+
+ Execute(smoke_cmd,
+ tries=3,
+ try_sleep=5,
+ path='/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin',
+ user=params.smokeuser,
+ timeout=5,
+ logoutput=True
+ )
+
+
+if __name__ == "__main__":
+ KnoxServiceCheck().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/status_params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/status_params.py b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/status_params.py
new file mode 100755
index 0000000..fe359e8
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/status_params.py
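Review bot: The `__main__` block at the end of service_check.py calls `KnoxServiceCheck().execute()`, and that base class's `service_check` is only `pass`; with both `@OsFamilyImpl` decorators commented out, the real probe in `KnoxServiceCheckDefault` appears never to be dispatched. A service check that cannot fail would report success for an unreachable or misconfigured gateway, so operators lose the signal this script exists to give. Unless the framework selects the subclass some other way, the last line should be `KnoxServiceCheckDefault().execute()`, or the decorators should be restored. The probe script is also written to `{tmp_dir}` with `mode=0755` and then run as `params.smokeuser`; `tmp_dir` is defined outside this hunk, so it is worth confirming that directory is writable only by the agent account.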
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management import *
+
+config = Script.get_config()
+
+knox_pid_dir = config['configurations']['knox-env']['knox_pid_dir']
+knox_pid_file = format("{knox_pid_dir}/gateway.pid")
+ldap_pid_file = format("{knox_pid_dir}/ldap.pid")
+#if OSCheck.is_windows_family():
+# knox_gateway_win_service_name = "gateway"
+# knox_ldap_win_service_name = "ldap"
+#else:
+knox_conf_dir = '/etc/knox/conf'
+# if Script.is_stack_greater_or_equal("2.2"):
+knox_conf_dir = '/usr/iop/current/knox-server/conf'
+# knox_pid_dir = config['configurations']['knox-env']['knox_pid_dir']
+# knox_pid_file = format("{knox_pid_dir}/gateway.pid")
+# ldap_pid_file = format("{knox_pid_dir}/ldap.pid")
+
+security_enabled = config['configurations']['cluster-env']['security_enabled']
+if security_enabled:
+ knox_keytab_path = config['configurations']['knox-env']['knox_keytab_path']
+ knox_principal_name = config['configurations']['knox-env']['knox_principal_name']
+else:
+ knox_keytab_path = None
+ knox_principal_name = None
+
+hostname = config['hostname'].lower()
+knox_user = default("/configurations/knox-env/knox_user", "knox")
+kinit_path_local = get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None))
+temp_dir = Script.get_tmp_dir()
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/upgrade.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/upgrade.py b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/upgrade.py
new file mode 100755
index 0000000..66115d3
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/scripts/upgrade.py
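Review bot: `knox_conf_dir` is assigned twice in a row in status_params.py, and because the `#if`/`#else`/`# if Script.is_stack_greater_or_equal` lines around it are commented out, the first value `'/etc/knox/conf'` is dead and only `'/usr/iop/current/knox-server/conf'` ever takes effect. I would drop the first assignment and the commented-out Windows and stack-version lines so the file states the one path it really uses. The `knox_principal_name` read here keeps the configured value unchanged, whereas the params.py hunk earlier in this commit replaces `_HOST` with the lower-cased hostname; if a status command passes this value to kinit the two may disagree, which is worth confirming against the callers.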
@@ -0,0 +1,72 @@
+
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+import os
+import tarfile
+import tempfile
+
+from resource_management.core.logger import Logger
+from resource_management.core.exceptions import Fail
+from resource_management.libraries.functions import tar_archive
+
+BACKUP_TEMP_DIR = "knox-upgrade-backup"
+BACKUP_DATA_ARCHIVE = "knox-data-backup.tar"
+BACKUP_CONF_ARCHIVE = "knox-conf-backup.tar"
+
+def backup_data():
+ """
+ Backs up the knox data as part of the upgrade process.
+ :return: Returns the path to the absolute backup directory.
+ """
+ Logger.info('Backing up Knox data directory before upgrade...')
+ directoryMappings = _get_directory_mappings()
+
+ Logger.info("Directory mappings to backup: {0}".format(str(directoryMappings)))
+
+ absolute_backup_dir = os.path.join(tempfile.gettempdir(), BACKUP_TEMP_DIR)
+ if not os.path.isdir(absolute_backup_dir):
+ os.makedirs(absolute_backup_dir)
+
+ for directory in directoryMappings:
+ if not os.path.isdir(directory):
+ raise Fail("Unable to backup missing directory {0}".format(directory))
+
+ archive = os.path.join(absolute_backup_dir, directoryMappings[directory])
+ Logger.info('Compressing {0} to {1}'.format(directory, archive))
+
+ if os.path.exists(archive):
+ os.remove(archive)
+
+ # backup the directory, following symlinks instead of including them
+ tar_archive.archive_directory_dereference(archive, directory)
+
+ return absolute_backup_dir
+
+
+def _get_directory_mappings():
+ """
+ Gets a dictionary of directory to archive name that represents the
+ directories that need to be backed up and their output tarball archive targets
+ :return: the dictionary of directory to tarball mappings
+ """
+ import params
+
+ return { params.ibm_distribution_knox_var + "/lib/knox/data/security" : BACKUP_DATA_ARCHIVE,
+ params.knox_conf_dir + "/": BACKUP_CONF_ARCHIVE} # the trailing "/" is important here so as to not include the "conf" folder itself
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/templates/krb5JAASLogin.conf.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/templates/krb5JAASLogin.conf.j2 b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/templates/krb5JAASLogin.conf.j2
new file mode 100755
index 0000000..13191b8
--- /dev/null
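Review bot: `backup_data()` writes the archives of the Knox `data/security` and conf directories into `os.path.join(tempfile.gettempdir(), BACKUP_TEMP_DIR)`, a fixed name under the shared temp directory that is created by `os.makedirs(absolute_backup_dir)` with default permissions and reused as-is when it already exists. Going by the paths in params.py, `data/security` appears to hold the gateway master secret and keystores, so the tarballs are copies of key material whose readability depends only on the process umask. A directory or archive path that another local account created beforehand is also not detected before `os.remove(archive)` and the tar write. I would create the directory with an explicit mode, `os.makedirs(absolute_backup_dir, 0700)`, fail when an existing directory is not owned by the current user with that mode, and delete the archives once the upgrade has restored them. Whether the restore side depends on the fixed path is not visible in this hunk.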
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/KNOX/package/templates/krb5JAASLogin.conf.j2
@@ -0,0 +1,29 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+com.sun.security.jgss.initiate {
+com.sun.security.auth.module.Krb5LoginModule required
+renewTGT=true
+doNotPrompt=true
+useKeyTab=true
+keyTab="{{knox_keytab_path}}"
+principal="{{knox_principal_name}}"
+isInitiator=true
+storeKey=true
+useTicketCache=true
+client=true;
+};
http://git-wip-us.apache.org/repos/asf/ambari/blob/1863c3b9/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/OOZIE/alerts.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/OOZIE/alerts.json b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/OOZIE/alerts.json
new file mode 100755
index 0000000..32849b3
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BigInsights/4.0/services/OOZIE/alerts.json
@@ -0,0 +1,45 @@
+{
+ "OOZIE": {
+ "service": [],
+ "OOZIE_SERVER": [
+ {
+ "name": "oozie_server_webui",
+ "label": "Oozie Server Web UI",
+ "description": "This host-level alert is triggered if the Oozie server Web UI is unreachable.",
+ "interval": 1,
+ "scope": "ANY",
+ "source": {
+ "type": "WEB",
+ "uri": {
+ "http": "{{oozie-site/oozie.base.url}}/?user.name={{oozie-env/oozie_user}}",
+ "kerberos_keytab": "{{oozie-site/oozie.authentication.kerberos.keytab}}",
+ "kerberos_principal": "{{oozie-site/oozie.authentication.kerberos.principal}}",
+ "connection_timeout": 5.0
+ },
+ "reporting": {
+ "ok": {
+ "text": "HTTP {0} response in {2:.3f}s"
+ },
+ "warning":{
+ "text": "HTTP {0} response from {1} in {2:.3f}s ({3})"
+ },
+ "critical": {
+ "text": "Connection failed to {1} ({3})"
+ }
+ }
+ }
+ },
+ {
+ "name": "oozie_server_status",
+ "label": "Oozie Server Status",
+ "description": "This host-level alert is triggered if the Oozie server cannot be determined to be up and responding to client requests.",
+ "interval": 1,
+ "scope": "ANY",
+ "source": {
+ "type": "SCRIPT",
+ "path": "OOZIE/4.2.0.4.1/package/alerts/alert_check_oozie_server.py"
+ }
+ }
+ ]
+ }
+}