ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@apache.org
Subject ambari git commit: AMBARI-17898 Add Kerberos HTTP SPNEGO authentication support to Ambari Metrics Monitor (qinliu via dsen)
Date Fri, 21 Oct 2016 10:38:23 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk dd0cc32b7 -> 18a88ebb4


AMBARI-17898 Add Kerberos HTTP SPNEGO authentication support to Ambari Metrics Monitor (qinliu
via dsen)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/18a88ebb
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/18a88ebb
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/18a88ebb

Branch: refs/heads/trunk
Commit: 18a88ebb43260f01ff1b5370bc15fb7b6a64055c
Parents: dd0cc32
Author: Dmytro Sen <dsen@apache.org>
Authored: Fri Oct 21 13:38:14 2016 +0300
Committer: Dmytro Sen <dsen@apache.org>
Committed: Fri Oct 21 13:38:14 2016 +0300

----------------------------------------------------------------------
 ambari-metrics/ambari-metrics-assembly/pom.xml  |   1 +
 .../conf/unix/metric_monitor.ini                |   2 +
 .../src/main/python/core/config_reader.py       |  10 +-
 .../src/main/python/core/emitter.py             |  57 ++++++-
 .../src/main/python/core/krberr.py              |  42 +++++
 .../main/python/core/spnego_kerberos_auth.py    | 163 +++++++++++++++++++
 .../src/test/python/core/TestEmitter.py         |  26 +++
 .../AMBARI_METRICS/0.1.0/kerberos.json          |  26 +++
 .../AMBARI_METRICS/0.1.0/package/scripts/ams.py |  13 +-
 .../0.1.0/package/scripts/params.py             |   7 +-
 .../package/templates/metric_monitor.ini.j2     |   2 +
 11 files changed, 329 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-metrics/ambari-metrics-assembly/pom.xml
----------------------------------------------------------------------
diff --git a/ambari-metrics/ambari-metrics-assembly/pom.xml b/ambari-metrics/ambari-metrics-assembly/pom.xml
index d73a0af..cd45d35 100644
--- a/ambari-metrics/ambari-metrics-assembly/pom.xml
+++ b/ambari-metrics/ambari-metrics-assembly/pom.xml
@@ -535,6 +535,7 @@
                     <require>${python.ver}</require>
                     <require>gcc</require>
                     <require>${python.devel}</require>
+                    <require>python-kerberos</require>
                   </requires>
                   <preremoveScriptlet>
                     <scriptFile>src/main/package/rpm/preremove.sh</scriptFile>

http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-metrics/ambari-metrics-host-monitoring/conf/unix/metric_monitor.ini
----------------------------------------------------------------------
diff --git a/ambari-metrics/ambari-metrics-host-monitoring/conf/unix/metric_monitor.ini b/ambari-metrics/ambari-metrics-host-monitoring/conf/unix/metric_monitor.ini
index e98c65c..8f7bcc8 100644
--- a/ambari-metrics/ambari-metrics-host-monitoring/conf/unix/metric_monitor.ini
+++ b/ambari-metrics/ambari-metrics-host-monitoring/conf/unix/metric_monitor.ini
@@ -25,6 +25,8 @@ skip_disk_patterns =
 
 [emitter]
 send_interval = 60
+kinit_cmd = /usr/bin/kinit -kt /etc/security/keytabs/ams.monitor.keytab amsmon/localhost
+klist_cmd = /usr/bin/klist
 
 [collector]
 collector_sleep_interval = 5

http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/config_reader.py
----------------------------------------------------------------------
diff --git a/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/config_reader.py
b/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/config_reader.py
index 890d3ce..3ad3aac 100644
--- a/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/config_reader.py
+++ b/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/config_reader.py
@@ -108,6 +108,8 @@ enable_value_threshold = false
 
 [emitter]
 send_interval = 60
+kinit_cmd = /usr/bin/kinit -kt /etc/security/keytabs/ams.monitor.keytab amsmon/localhost
+klist_cmd = /usr/bin/klist
 
 [collector]
 collector_sleep_interval = 5
@@ -209,6 +211,12 @@ class Configuration:
   def get_send_interval(self):
     return int(self.get("emitter", "send_interval", 60))
 
+  def get_kinit_cmd(self):
+    return self.get("emitter", "kinit_cmd")
+
+  def get_klist_cmd(self):
+    return self.get("emitter", "klist_cmd")
+
   def get_collector_sleep_interval(self):
     return int(self.get("collector", "collector_sleep_interval", 10))
 
@@ -256,4 +264,4 @@ class Configuration:
     return self._ca_cert_file_path
 
   def get_disk_metrics_skip_pattern(self):
-    return self.get("default", "skip_disk_patterns")
\ No newline at end of file
+    return self.get("default", "skip_disk_patterns")

http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/emitter.py
----------------------------------------------------------------------
diff --git a/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/emitter.py
b/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/emitter.py
index ba3f18e..27cfa0f 100644
--- a/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/emitter.py
+++ b/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/emitter.py
@@ -20,6 +20,7 @@ limitations under the License.
 
 import logging
 import threading
+from spnego_kerberos_auth import SPNEGOKerberosAuth
 
 from security import CachedHTTPSConnection, CachedHTTPConnection
 from blacklisted_set import BlacklistedSet
@@ -31,6 +32,10 @@ class Emitter(threading.Thread):
   AMS_METRICS_POST_URL = "/ws/v1/timeline/metrics/"
   RETRY_SLEEP_INTERVAL = 5
   MAX_RETRY_COUNT = 3
+  cookie_cached = {}
+  kinit_cmd = None
+  klist_cmd = None
+  spnego_krb_auth = None
   """
   Wake up every send interval seconds and empty the application metric map.
   """
@@ -39,6 +44,10 @@ class Emitter(threading.Thread):
     logger.debug('Initializing Emitter thread.')
     self.lock = threading.Lock()
     self.send_interval = config.get_send_interval()
+    self.kinit_cmd = config.get_kinit_cmd()
+    if self.kinit_cmd:
+      logger.debug(self.kinit_cmd)
+    self.klist_cmd = config.get_klist_cmd()
     self.hostname = config.get_hostname_config()
     self.hostname_hash = self.compute_hash(self.hostname)
     self._stop_handler = stop_handler
@@ -63,6 +72,7 @@ class Emitter(threading.Thread):
         self.submit_metrics()
       except Exception, e:
         logger.warn('Unable to emit events. %s' % str(e))
+        self.cookie_cached = {}
       pass
       #Wait for the service stop event instead of sleeping blindly
       if 0 == self._stop_handler.wait(self.send_interval):
@@ -100,17 +110,50 @@ class Emitter(threading.Thread):
     headers = {"Content-Type" : "application/json", "Accept" : "*/*"}
     connection = self.get_connection(collector_host)
     logger.debug("message to send: %s" % data)
+
+    try:
+      if self.cookie_cached[connection.host]:
+        headers["Cookie"] = self.cookie_cached[connection.host]
+        logger.debug("Cookie: %s" % self.cookie_cached[connection.host])
+    except Exception, e:
+      self.cookie_cached = {}
+    pass
+
     retry_count = 0
     while retry_count < self.MAX_RETRY_COUNT:
       response = self.get_response_from_submission(connection, data, headers)
-      if response and response.status == 200:
-        return True
-      else:
-        logger.warn("Retrying after {0} ...".format(self.RETRY_SLEEP_INTERVAL))
-        retry_count += 1
-        #Wait for the service stop event instead of sleeping blindly
-        if 0 == self._stop_handler.wait(self.RETRY_SLEEP_INTERVAL):
+      if response:
+        if response.status == 200:
           return True
+        if response.status == 401 or response.status == 403:
+          self.cookie_cached = {}
+          auth_header = response.getheader('www-authenticate', None)
+          if auth_header == None:
+              logger.warn('www-authenticate header not found')
+          else:
+            self.spnego_krb_auth = SPNEGOKerberosAuth()
+            if self.spnego_krb_auth.get_negotiate_value(auth_header) == '':
+              response = self.spnego_krb_auth.authenticate_handshake(connection, "POST",
self.AMS_METRICS_POST_URL, data, headers, self.kinit_cmd, self.klist_cmd)
+              if response:
+                logger.debug("response from authenticate_client: retcode = {0}, reason =
{1}"
+                                                           .format(response.status, response.reason))
+                logger.debug(str(response.read()))
+                if response.status == 200:
+                  logger.debug("response headers: {0}".format(response.getheaders()))
+                  logger.debug("cookie_cached: %s" % self.cookie_cached)
+                  set_cookie_header = response.getheader('set-cookie', None)
+                  if set_cookie_header and self.spnego_krb_auth:
+                    set_cookie_val = self.spnego_krb_auth.get_hadoop_auth_cookie(set_cookie_header)
+                    logger.debug("set_cookie: %s" % set_cookie_val)
+                    if set_cookie_val:
+                      self.cookie_cached[connection.host] = set_cookie_val
+                  return True
+
+      logger.warn("Retrying after {0} ...".format(self.RETRY_SLEEP_INTERVAL))
+      retry_count += 1
+      #Wait for the service stop event instead of sleeping blindly
+      if 0 == self._stop_handler.wait(self.RETRY_SLEEP_INTERVAL):
+        return True
     pass
 
     if retry_count >= self.MAX_RETRY_COUNT:

http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/krberr.py
----------------------------------------------------------------------
diff --git a/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/krberr.py
b/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/krberr.py
new file mode 100644
index 0000000..25d7890
--- /dev/null
+++ b/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/krberr.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+
+'''
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+'''
+
+"""
+Python Kerberos GSS APIs used by spnego_kerberos_auth.py.
+It is used as a place holder for kerberos.py which is not available.
+"""
+
+class KrbError(Exception):
+      pass
+
+class GSSError(KrbError):
+      pass
+
+def authGSSClientInit(service):
+      pass
+
+def authGSSClientClean(context):
+      pass
+
+def authGSSClientStep(context, challenge):
+      pass
+
+def authGSSClientResponse(context):
+      pass
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/spnego_kerberos_auth.py
----------------------------------------------------------------------
diff --git a/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/spnego_kerberos_auth.py
b/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/spnego_kerberos_auth.py
new file mode 100644
index 0000000..a16ca86
--- /dev/null
+++ b/ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/spnego_kerberos_auth.py
@@ -0,0 +1,163 @@
+#!/usr/bin/env python
+
+'''
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+'''
+
+import logging
+import httplib
+import os
+
+logger = logging.getLogger()
+try:
+      import kerberos
+except ImportError:
+  import krberr as kerberos
+  logger.warn('import kerberos exception: %s' % str(ImportError))
+pass
+
+class SPNEGOKerberosAuth:
+  def __init__(self):
+        self.krb_context = None
+
+  def authenticate_handshake (self, connection, method, service_url, body, headers, kinit_cmd,
klist_cmd):
+        # kinit to ensure ticket valid
+    self.execute_kinit(kinit_cmd, klist_cmd)
+
+    try:
+          # Authenticate the client request
+      response = self.authenticate_client(connection, method, service_url, body, headers)
+
+      # Authenticate the response from the server
+      if response:
+            self.authenticate_server(response)
+      return response
+    finally:
+      # Clean the client context after the handshake
+      self.clean_client_context()
+    pass
+
+  def execute_kinit(self, kinit_cmd, klist_cmd):
+    exit_status = os.system(kinit_cmd)
+    logger.debug("kinit exit_status: {0}".format(exit_status))
+    logger.debug(os.system(klist_cmd))
+    return exit_status
+
+  def authenticate_client(self, connection, method, service_url, body, headers):
+    service = "HTTP@%s" % connection.host.lower()
+    logger.debug("connection: %s", connection)
+    logger.debug("service: %s", service)
+
+    auth_header = self.get_authorization_header(service)
+    logger.debug("Authorization: %s" % auth_header)
+
+    # Send 2nd HTTP request with authorization header
+    headers['Authorization'] = auth_header
+    try:
+      connection.request(method, service_url, body, headers)
+      response = connection.getresponse()
+    except Exception, e:
+      logger.warn('2nd HTTP request exception from server: %s' % str(e))
+      return None
+    pass
+    if response:
+      logger.debug("2nd HTTP response from server: retcode = {0}, reason = {1}"
+                                            .format(response.status, response.reason))
+      logger.debug(str(response.read()))
+      logger.debug("response headers: {0}".format(response.getheaders()))
+    return response
+
+  def get_authorization_header(self, service):
+        # Initialize the context object for client-side authentication with a service principal
+    try:
+      result, self.krb_context = kerberos.authGSSClientInit(service)
+      if result == -1:
+        logger.warn('authGSSClientInit result: {0}'.format(result))
+        return None
+    except kerberos.GSSError, e:
+      logger.warn('authGSSClientInit exception: %s' % str(e))
+      return None
+    pass
+
+    # Process the first client-side step with the context
+    try:
+      result = kerberos.authGSSClientStep(self.krb_context, "")
+      if result == -1:
+        logger.warn('authGSSClientStep result for authenticate client: {0}'.format(result))
+        return None
+    except kerberos.GSSError, e:
+      logger.warn('authGSSClientStep exception for authenticate client: %s' % str(e))
+      return None
+    pass
+
+    # Get the client response from the first client-side step
+    try:
+      negotiate_value = kerberos.authGSSClientResponse(self.krb_context)
+      logger.debug("authGSSClientResponse response:{0}".format(negotiate_value))
+    except kerberos.GSSError, e:
+      logger.warn('authGSSClientResponse exception: %s' % str(e))
+      return None
+    pass
+
+    # Build the authorization header
+    return "Negotiate %s" % negotiate_value
+
+  def authenticate_server(self, response):
+    auth_header = response.getheader('www-authenticate', None)
+    negotiate_value = self.get_negotiate_value(auth_header)
+    if negotiate_value == None:
+      logger.warn('www-authenticate header not found')
+
+    # Process the client-side step with the context and the negotiate value from 2nd HTTP
response
+    try:
+      result = kerberos.authGSSClientStep(self.krb_context, negotiate_value)
+      if result == -1:
+        logger.warn('authGSSClientStep result for authenticate server: {0}'.format(result))
+    except kerberos.GSSError, e:
+      logger.warn('authGSSClientStep exception for authenticate server: %s' % str(e))
+      result = -1
+    pass
+    return result
+
+  def clean_client_context(self):
+    # Destroy the context for client-side authentication
+    try:
+      result = kerberos.authGSSClientClean(self.krb_context)
+      logger.debug("authGSSClientClean result:{0}".format(result))
+    except kerberos.GSSError, e:
+      logger.warn('authGSSClientClean exception: %s' % str(e))
+      result = -1
+    pass
+    return result
+
+  def get_hadoop_auth_cookie(self, set_cookie_header):
+    if set_cookie_header:
+      for field in set_cookie_header.split(";"):
+        if field.startswith('hadoop.auth='):
+          return field
+    else:
+     return None
+    return None
+
+  def get_negotiate_value(self, auth_header):
+    if auth_header:
+      for field in auth_header.split(","):
+        key, __, value = field.strip().partition(" ")
+        if key.lower() == "negotiate":
+          return value.strip()
+    else:
+        return None

http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-metrics/ambari-metrics-host-monitoring/src/test/python/core/TestEmitter.py
----------------------------------------------------------------------
diff --git a/ambari-metrics/ambari-metrics-host-monitoring/src/test/python/core/TestEmitter.py
b/ambari-metrics/ambari-metrics-host-monitoring/src/test/python/core/TestEmitter.py
index de97292..722a176 100644
--- a/ambari-metrics/ambari-metrics-host-monitoring/src/test/python/core/TestEmitter.py
+++ b/ambari-metrics/ambari-metrics-host-monitoring/src/test/python/core/TestEmitter.py
@@ -27,6 +27,7 @@ from only_for_platform import get_platform, PLATFORM_WINDOWS
 from mock.mock import patch, MagicMock
 from security import CachedHTTPConnection
 from blacklisted_set import BlacklistedSet
+from spnego_kerberos_auth import SPNEGOKerberosAuth
 
 if get_platform() != PLATFORM_WINDOWS:
   os_distro_value = ('Suse','11','Final')
@@ -86,6 +87,31 @@ class TestEmitter(TestCase):
     self.assertEqual(request_mock.call_count, 9)
     self.assertUrlData(request_mock)
 
+  @patch.object(OSCheck, "os_distribution", new = MagicMock(return_value = os_distro_value))
+  @patch.object(CachedHTTPConnection, "create_connection", new = MagicMock())
+  @patch.object(SPNEGOKerberosAuth, "authenticate_handshake")
+  @patch.object(CachedHTTPConnection, "getresponse")
+  @patch.object(CachedHTTPConnection, "request")
+  def test_spnego_negotiation(self, request_mock, getresponse_mock, auth_mock):
+    request_mock.return_value = MagicMock()
+    getresponse_mock.return_value.status = 401
+    getresponse_mock.return_value.getheader.return_value = "Negotiate   "
+
+    auth_mock.return_value.status = 200
+
+    stop_handler = bind_signal_handlers()
+
+    config = Configuration()
+    application_metric_map = ApplicationMetricMap("host","10.10.10.10")
+    application_metric_map.clear()
+    application_metric_map.put_metric("APP1", {"metric1":1}, 1)
+    emitter = Emitter(config, application_metric_map, stop_handler)
+    emitter.submit_metrics()
+
+
+    self.assertEqual(request_mock.call_count, 1)
+    self.assertUrlData(request_mock)
+
   def assertUrlData(self, request_mock):
     self.assertEqual(len(request_mock.call_args), 2)
     data = request_mock.call_args[0][2]

http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json
b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json
index 51f541f..a6afda5 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json
@@ -9,6 +9,32 @@
       ],
       "components": [
         {
+          "name": "METRICS_MONITOR",
+          "identities": [
+            {
+              "name": "ams_monitor",
+              "principal": {
+                "value": "amsmon/_HOST@${realm}",
+                "type": "service",
+                "configuration": "ams-hbase-security-site/ams.monitor.principal",
+                "local_username": "${ams-env/ambari_metrics_user}"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/ams-monitor.keytab",
+                "owner": {
+                  "name": "${ams-env/ambari_metrics_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                },
+                "configuration": "ams-hbase-security-site/ams.monitor.keytab"
+              }
+            }
+          ]
+        },
+        {
           "name": "METRICS_COLLECTOR",
           "identities": [
             {

http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/ams.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/ams.py
b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/ams.py
index 6cf743e..28aba35 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/ams.py
+++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/ams.py
@@ -320,18 +320,9 @@ def ams(name=None, action=None):
             mode=0644
       )
 
-      # Remove spnego configs from core-site, since AMS does not support spnego (AMBARI-14384)
-      truncated_core_site = {}
-      truncated_core_site.update(params.config['configurations']['core-site'])
-      if 'core-site' in params.config['configurations']:
-        if 'hadoop.http.authentication.type' in params.config['configurations']['core-site']:
-          truncated_core_site.pop('hadoop.http.authentication.type')
-        if 'hadoop.http.filter.initializers' in params.config['configurations']['core-site']:
-          truncated_core_site.pop('hadoop.http.filter.initializers')
-
       XmlConfig("core-site.xml",
                 conf_dir=params.ams_collector_conf_dir,
-                configurations=truncated_core_site,
+                configurations=params.config['configurations']['core-site'],
                 configuration_attributes=params.config['configuration_attributes']['core-site'],
                 owner=params.ams_user,
                 group=params.user_group,
@@ -340,7 +331,7 @@ def ams(name=None, action=None):
 
       XmlConfig("core-site.xml",
                 conf_dir=params.hbase_conf_dir,
-                configurations=truncated_core_site,
+                configurations=params.config['configurations']['core-site'],
                 configuration_attributes=params.config['configuration_attributes']['core-site'],
                 owner=params.ams_user,
                 group=params.user_group,

http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py
b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py
index f04f5c2..b052999 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py
@@ -270,7 +270,10 @@ service_check_data = functions.get_unique_id_and_date()
 user_group = config['configurations']['cluster-env']["user_group"]
 hadoop_user = "hadoop"
 
+kinit_path_local = functions.get_kinit_path(default('/configurations/kerberos-env/executable_search_paths',
None))
 kinit_cmd = ""
+klist_path_local = functions.get_klist_path(default('/configurations/kerberos-env/executable_search_paths',
None))
+klist_cmd = ""
 
 if security_enabled:
   _hostname_lowercase = config['hostname'].lower()
@@ -294,6 +297,9 @@ if security_enabled:
   regionserver_keytab_path = config['configurations']['ams-hbase-security-site']['hbase.regionserver.keytab.file']
   regionserver_jaas_princ = config['configurations']['ams-hbase-security-site']['hbase.regionserver.kerberos.principal'].replace('_HOST',_hostname_lowercase)
 
+  kinit_cmd = '%s -kt %s %s' % (kinit_path_local, config['configurations']['ams-hbase-security-site']['ams.monitor.keytab'],
config['configurations']['ams-hbase-security-site']['ams.monitor.principal'].replace('_HOST',_hostname_lowercase))
+  klist_cmd = '%s' % klist_path_local
+
 #log4j.properties
 if (('ams-hbase-log4j' in config['configurations']) and ('content' in config['configurations']['ams-hbase-log4j'])):
   hbase_log4j_props = config['configurations']['ams-hbase-log4j']['content']
@@ -316,7 +322,6 @@ hbase_staging_dir = default("/configurations/ams-hbase-site/hbase.bulkload.stagi
 hdfs_user_keytab = config['configurations']['hadoop-env']['hdfs_user_keytab']
 hdfs_user = config['configurations']['hadoop-env']['hdfs_user']
 hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name']
-kinit_path_local = functions.get_kinit_path(default('/configurations/kerberos-env/executable_search_paths',
None))
 
 
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/18a88ebb/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/metric_monitor.ini.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/metric_monitor.ini.j2
b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/metric_monitor.ini.j2
index 3823912..1f1f117 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/metric_monitor.ini.j2
+++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/metric_monitor.ini.j2
@@ -26,6 +26,8 @@ skip_disk_patterns = {{skip_disk_metrics_patterns}}
 
 [emitter]
 send_interval = {{metrics_report_interval}}
+kinit_cmd = {{kinit_cmd}}
+klist_cmd = {{klist_cmd}}
 
 [collector]
 collector_sleep_interval = 10


Mime
View raw message