[AMBARI-8795] MapReduce service components should indicate security state - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0.0
Fix Version/s: 2.0.0
Component/s: ambari-server, stacks
Labels:
- kerberos
- security
- stack

Epic Link:
Ambari Automated Kerberization

Description

The MAPREDUCE2 service components should indicate security state when queried by Ambari Agent via STATUS_COMMAND. Each component should determine it's state as follows:

HISTORYSERVER

Indicators

Command JSON
- config['configurations']['cluster-env']['security_enabled']
  - = “true”
Configuration File: params.hive_client_conf_dir + ‘mapred-site.xml’
- mapreduce.jobhistory.principal
  - not empty
  - required
- mapreduce.jobhistory.keytab
  - not empty
  - path exists and is readable
  - required
- mapreduce.jobhistory.webapp.spnego-principal
  - not empty
  - required
- mapreduce.jobhistory.webapp.spnego-keytab-file
  - not empty
  - path exists and is readable
  - required

Pseudocode

if indicators imply security is on and validate
    if kinit(mapreduce.jobhistory.principal) succeeds
        state = SECURED_KERBEROS
    else
        state = ERROR 
else
    state = UNSECURED

Note: Due to the cost of calling kinit results should be cached for a period of time before retrying. This may be an issue depending on the frequency of the heartbeat timeout.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

AMBARI-8795_01.patch
04/Jan/15 01:54
11 kB
Robert Levas

Issue Links

links to

ReviewBoard

Activity

People

Assignee:: Robert Levas

Reporter:: Robert Levas

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18/Dec/14 15:56

Updated:: 06/Jan/15 20:13

Resolved:: 06/Jan/15 19:03