ambari-commits mailing list archives

From srima...@apache.org
Subject git commit: AMBARI-8011. Slider View: App creation should support apps which need multiple keytabs (srimanth)
Date Tue, 28 Oct 2014 23:13:12 GMT
Repository: ambari
Updated Branches:
  refs/heads/branch-1.7.0 5e1796a9d -> f2c624cc9


AMBARI-8011. Slider View: App creation should support apps which need multiple keytabs (srimanth)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/f2c624cc
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/f2c624cc
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/f2c624cc

Branch: refs/heads/branch-1.7.0
Commit: f2c624cc95e176b8ca61e5996ce186805875aeb8
Parents: 5e1796a
Author: Srimanth Gunturi <sgunturi@hortonworks.com>
Authored: Tue Oct 28 16:06:36 2014 -0700
Committer: Srimanth Gunturi <sgunturi@hortonworks.com>
Committed: Tue Oct 28 16:12:59 2014 -0700

----------------------------------------------------------------------
 contrib/views/slider/docs/index.md              | 50 ++++++++++++++--
 .../slider/SliderAppsViewControllerImpl.java    | 60 +++++++++++++++-----
 2 files changed, 91 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/f2c624cc/contrib/views/slider/docs/index.md
----------------------------------------------------------------------
diff --git a/contrib/views/slider/docs/index.md b/contrib/views/slider/docs/index.md
index ce09e28..1f240cb 100644
--- a/contrib/views/slider/docs/index.md
+++ b/contrib/views/slider/docs/index.md
@@ -17,10 +17,10 @@ limitations under the License.
 ## Security Guide
 *Slider Apps View* can optionally connect to a Kerberos secured cluster by following the
below steps.
 
-#### Step-1: Deploy a HDP cluster and secure it using *Kerberos*
+### Step-1: Deploy a HDP cluster and secure it using *Kerberos*
 After deploying a HDP cluster through Ambari, it can be secured by using the *Enable Security*
button in *Admin > Seurity* page.
 
-#### Step-2: Create *Kerberos* principal for view
+### Step-2: Create *Kerberos* principal for view
 We need to provide a *Kerberos* identity for the process in which the view is run. We shall
identify the user as `view-principal`. **In this document `view-principal` can be changed
to any suitable name.** Since views are generally hosted by Ambari server, typically this
can be named as *ambari*.
 
 On the machine where *KDC Server* is hosted, create user principal by running below command
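Review bot: the context line under the Step-1 heading still reads "*Admin > Seurity* page"; since this hunk already touches the heading directly above it, correct the typo to "Security" in the same change so the guide matches the menu label it refers to.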
@@ -53,7 +53,7 @@ ambari-server setup-security
 During *setup-security* the `view-principal` user should be provided along with the keytab.
These same values will be provided as view parameters in *Step-4*.
 
 
-#### Step-3: Configure *proxyuser* for created principal
+### Step-3: Configure *proxyuser* for created principal
 Add the following configurations in *Custom core-site* section of *HDFS* service.
 
 * hadoop.proxyuser.`view-principal`.groups = *
@@ -74,7 +74,7 @@ This will in-turn show up in *core-site.xml* as
 ```
 Restart HDFS and YARN services.
 
-#### Step-4: Create *Slider Apps View* with security parameters
+### Step-4: Create *Slider Apps View* with security parameters
 
 From *Ambari-Admin* create a *Slider Apps View* with the below parameters populated
 
@@ -82,7 +82,7 @@ From *Ambari-Admin* create a *Slider Apps View* with the below parameters
popula
 * view.kerberos.principal = `view-principal`
 * view.kerberos.principal.keytab = `/etc/security/keytabs/view-principal.headless.keytab`
 
-#### Step-5 Create *Kerberos* principal for *slider.user*
+### Step-5 Create *Kerberos* principal for *slider.user*
 We need to provide a *Kerberos* identity for the user identified in *slider.user* view parameter.

 
 The *slider.user* view parameter has the following interpretations:
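Review bot: the changed heading `### Step-5 Create *Kerberos* principal for *slider.user*` lacks the colon after the step number that Step-1 through Step-4 use. The line is being rewritten anyway, so make it `### Step-5: Create ...`, and do the same for the new Step-6 heading.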
@@ -112,3 +112,43 @@ cp /path/to/keytab/slider-user.headless.keytab /etc/security/keytabs/
 Change file permissions so that only necessary users can access it.
 
 **Make sure that `slider-user` keytab is at /etc/security/keytabs/`slider-user`.headless.keytab**
+
+### Step-6 Create *Kerberos* principal for App launched by  *slider.user*
+Slider Apps contain services, and they might need their own identities when talking to HDFS
and YARN. To support such Apps, keytabs have to be created that are required for specific
Apps. 
+
+By default, the following keytabs have to be created for specific Apps. This user has to
exist on all hosts where containers are run:
+#### HBase
+```
+kadmin.local -q "addprinc -randkey slider-user@EXAMPLE.COM"
+```
+Next, extract keytab file 
+
+```
+kadmin.local -q "xst -k /path/to/keytab/slider-user.HBASE.service.keytab slider-user@EXAMPLE.COM"
+```
+The keytab file should then be copied over to the keytabs location on the host where the
view is hosted.
+
+```
+cp /path/to/keytab/slider-user.HBASE.service.keytab /etc/security/keytabs/
+```
+
+Change file permissions so that only necessary users can access it.
+
+#### Storm
+```
+kadmin.local -q "addprinc -randkey slider-user@EXAMPLE.COM"
+```
+Next, extract keytab file 
+
+```
+kadmin.local -q "xst -k /path/to/keytab/slider-user.STORM.nimbus.keytab slider-user@EXAMPLE.COM"
+kadmin.local -q "xst -k /path/to/keytab/slider-user.STORM.client.keytab slider-user@EXAMPLE.COM"
+```
+The keytab file should then be copied over to the keytabs location on the host where the
view is hosted.
+
+```
+cp /path/to/keytab/slider-user.STORM.nimbus.keytab /etc/security/keytabs/
+cp /path/to/keytab/slider-user.STORM.client.keytab /etc/security/keytabs/
+```
+
+Change file permissions so that only necessary users can access it.
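Review bot: in the new Step-6 text, the HBase and Storm blocks each run `xst` against the same principal `slider-user@EXAMPLE.COM`, and the Storm block runs it twice. By default `xst` (ktadd) generates a new random key for the principal on every run, so each extraction invalidates the keytabs written before it, including the `slider-user.headless.keytab` from Step-5. Only the last file extracted would still authenticate. Since the commands already use `kadmin.local`, either add `-norandkey` to the `xst` calls or document a distinct principal per service keytab. The repeated `addprinc -randkey slider-user@EXAMPLE.COM` lines will also fail once the principal exists and can be dropped. Separately, "Change file permissions so that only necessary users can access it" appears twice without naming an owner or mode; a concrete `chown`/`chmod` line would make the step checkable.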

http://git-wip-us.apache.org/repos/asf/ambari/blob/f2c624cc/contrib/views/slider/src/main/java/org/apache/ambari/view/slider/SliderAppsViewControllerImpl.java
----------------------------------------------------------------------
diff --git a/contrib/views/slider/src/main/java/org/apache/ambari/view/slider/SliderAppsViewControllerImpl.java
b/contrib/views/slider/src/main/java/org/apache/ambari/view/slider/SliderAppsViewControllerImpl.java
index 98abf42..6b10373 100644
--- a/contrib/views/slider/src/main/java/org/apache/ambari/view/slider/SliderAppsViewControllerImpl.java
+++ b/contrib/views/slider/src/main/java/org/apache/ambari/view/slider/SliderAppsViewControllerImpl.java
@@ -27,6 +27,7 @@ import java.lang.reflect.UndeclaredThrowableException;
 import java.net.URI;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
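Review bot: `import java.util.Arrays;` is added here but none of the hunks in this patch reference `Arrays`. Drop the import unless a use was left out of the commit. The later hunk also instantiates `FilenameFilter`, and no import for it appears in the patch, so confirm `java.io.FilenameFilter` is already imported in the file.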
@@ -34,6 +35,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Set;
+import java.util.regex.Pattern;
 import java.util.zip.ZipException;
 
 import org.apache.ambari.view.ViewContext;
@@ -1174,7 +1176,7 @@ public class SliderAppsViewControllerImpl implements SliderAppsViewController
{
       appCreateFolder.mkdirs();
       File appConfigJsonFile = new File(appCreateFolder, "appConfig.json");
       File resourcesJsonFile = new File(appCreateFolder, "resources.json");
-      saveAppConfigs(configs, componentsArray, appName, securityEnabled, appConfigJsonFile);
+      saveAppConfigs(configs, componentsArray, appName, appType, securityEnabled, appConfigJsonFile);
       saveAppResources(resourcesObj, resourcesJsonFile);
 
       final ActionCreateArgs createArgs = new ActionCreateArgs();
@@ -1191,10 +1193,14 @@ public class SliderAppsViewControllerImpl implements SliderAppsViewController
{
       installArgs.packageURI = getAppsFolderPath() + "/" + localAppPackageFileName;
       installArgs.replacePkg = true;
 
-      final ActionInstallKeytabArgs keytabArgs = new ActionInstallKeytabArgs();
+      final List<ActionInstallKeytabArgs> installKeytabActions = new ArrayList<ActionInstallKeytabArgs>();
       if (securityEnabled) {
-        keytabArgs.keytabUri = getUserToRunAsKeytab();
-        keytabArgs.folder = appName;
+        for (String keytab : getUserToRunAsKeytabs(appType)) {
+          ActionInstallKeytabArgs keytabArgs = new ActionInstallKeytabArgs();
+          keytabArgs.keytabUri = keytab;
+          keytabArgs.folder = appName;
+          installKeytabActions.add(keytabArgs);
+        }
       }
 
       return invokeSliderClientRunnable(new SliderClientContextRunnable<String>() {
@@ -1212,7 +1218,12 @@ public class SliderAppsViewControllerImpl implements SliderAppsViewController
{
             logger.warn("Unable to determine 'slider.libdir' path", t);
           }
           if (securityEnabled) {
-            sliderClient.actionInstallKeytab(keytabArgs);
+            for (ActionInstallKeytabArgs keytabArgs : installKeytabActions) {
+              if (logger.isDebugEnabled()) {
+                logger.debug("Installing keytab " + keytabArgs.keytabUri);
+              }
+              sliderClient.actionInstallKeytab(keytabArgs);
+            }
           }
           sliderClient.actionInstallPkg(installArgs);
           sliderClient.actionCreate(appName, createArgs);
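Review bot: in the install loop, each keytab upload is logged only at debug level (`logger.debug("Installing keytab " + keytabArgs.keytabUri)`). Which credentials were pushed for an app is worth having in the normal log for later audit, so consider logging the keytab path at info level. The loop also gives no indication which keytab failed if `actionInstallKeytab` throws partway through, so wrapping the call to add the URI to the error would help when several keytabs are installed.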
@@ -1284,25 +1295,46 @@ public class SliderAppsViewControllerImpl implements SliderAppsViewController
{
   /*
    * When security is enabled, the AppMaster itself needs the keytab identifying the calling
user.
    * The user's keytab should be at the same location as the view's keytab, and should be
-   * named as ${username}.headless.keytab
+   * named as ${username}.headless.keytab.
+   * 
+   * This method returns the list of keytabs where the first keytab is always the AppMaster's

+   * keytab. Additional keys will be provided, only if found at the location of the view's
keytab.
+   * Additional keytabs should be of the format ${username}.<APP_TYPE>.*.keytab
    */
-  private String getUserToRunAsKeytab() {
+  private List<String> getUserToRunAsKeytabs(String appType) {
+    List<String> keytabsList = new ArrayList<String>();
     String viewKeytab = viewContext.getProperties().get(PARAM_VIEW_PRINCIPAL_KEYTAB);
-    String prefix = "";
+    String folderPath = "";
     int index = viewKeytab.lastIndexOf('/');
     if (index > -1) {
-      prefix = viewKeytab.substring(0, index);
+      folderPath = viewKeytab.substring(0, index);
     }
     String username = getUserToRunAs();
-    String userKeytab = prefix + "/" + username + ".headless.keytab";
+    String userKeytab = folderPath + "/" + username + ".headless.keytab";
+    File folder = new File(folderPath);
+    if (folder.exists()) {
+      final Pattern userKeytabPattern = Pattern.compile("^" + username + "\\." + appType
+ "\\..*\\.keytab");
+      String[] keytabNames = folder.list(new FilenameFilter() {
+        @Override
+        public boolean accept(File dir, String name) {
+          return userKeytabPattern.matcher(name).matches();
+        }
+      });
+      if (keytabNames != null) {
+        for (String keytabName : keytabNames) {
+          keytabsList.add(folderPath + "/" + keytabName);
+        }
+      }
+    }
+    keytabsList.add(0, userKeytab);
     if (logger.isDebugEnabled()) {
-      logger.debug(username + " keytab: " + userKeytab);
+      logger.debug(username + " keytabs: " + keytabsList);
     }
-    return userKeytab;
+    return keytabsList;
   }
 
   private void saveAppConfigs(JsonObject configs, JsonArray componentsArray,
-      String appName, boolean securityEnabled, File appConfigJsonFile) throws IOException
{
+      String appName, String appType, boolean securityEnabled, File appConfigJsonFile) throws
IOException {
     JsonObject appConfigs = new JsonObject();
     appConfigs.addProperty("schema", "http://example.org/specification/v2.0.0");
     appConfigs.add("metadata", new JsonObject());
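Review bot: in `getUserToRunAsKeytabs`, the pattern is built by concatenating `username` and `appType` straight into the regex (`"^" + username + "\\." + appType + "\\..*\\.keytab"`), so any regex metacharacter in either value changes which files match. A `.` in the user name, for example, matches any character. Because every match is then installed as a keytab for the app, wrap both values in `Pattern.quote(...)`. Two smaller points in the same method: `viewKeytab.lastIndexOf('/')` throws a NullPointerException when the `PARAM_VIEW_PRINCIPAL_KEYTAB` property is unset, and the match is case-sensitive while the documentation names the files with upper-case types (`slider-user.HBASE.service.keytab`), so the comment should state that `<APP_TYPE>` must match the case of `appType` exactly.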
@@ -1319,7 +1351,7 @@ public class SliderAppsViewControllerImpl implements SliderAppsViewController
{
     }
     if (securityEnabled) {
       JsonObject appMasterComponent = new JsonObject();
-      String userToRunAsKeytab = getUserToRunAsKeytab();
+      String userToRunAsKeytab = getUserToRunAsKeytabs(appType).get(0);
       String fileName = userToRunAsKeytab.substring(userToRunAsKeytab.lastIndexOf('/') +
1);
       appMasterComponent.add("slider.am.login.keytab.name", new JsonPrimitive(fileName));
       appMasterComponent.add("slider.hdfs.keytab.dir", new JsonPrimitive(".slider/keytabs/"
+ appName));
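Review bot: `getUserToRunAsKeytabs(appType).get(0)` in `saveAppConfigs` lists and regex-filters the keytab directory a second time only to read the first element, which is the headless keytab path and does not depend on the listing at all. Extract the path computation into its own small method and call that here. This also removes the need to thread `appType` through `saveAppConfigs`, and avoids the two calls seeing different directory contents during one app creation.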

