From: rlevas@apache.org
To: commits@ambari.apache.org
Date: Fri, 09 Jun 2017 18:47:10 -0000
Message-Id: <423f2630541d4975876a736f3e5c056a@git.apache.org>
In-Reply-To: <48a6a6da3a60464a87ce099e7e348716@git.apache.org>
References: <48a6a6da3a60464a87ce099e7e348716@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [2/9] ambari git commit: AMBARI-19369. Add Kerberos HTTP SPNEGO authentication support to Hadoop/hbase/kafka/storm sinks (Qin Liu via rlevas)
archived-at: Fri, 09 Jun 2017 18:47:14 -0000

AMBARI-19369. Add Kerberos HTTP SPNEGO authentication support to Hadoop/hbase/kafka/storm sinks (Qin Liu via rlevas)

Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/4aaf259e
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/4aaf259e
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/4aaf259e

Branch: refs/heads/branch-feature-AMBARI-20859
Commit: 4aaf259e191344076a88391f5853da4bf85b8a80
Parents: b98f07f
Author: Qin Liu
Authored: Thu Jun 8 16:23:34 2017 -0400
Committer: Robert Levas
Committed: Thu Jun 8 16:23:34 2017 -0400

----------------------------------------------------------------------
 ambari-metrics/ambari-metrics-common/pom.xml | 5 +
 .../timeline/AbstractTimelineMetricsSink.java | 60 +++++
 .../sink/timeline/AppCookieManager.java | 219 +++++++++++++++++++
 .../sink/timeline/AppCookieManagerTest.java | 52 +++++
 .../0.1.0/configuration/ams-hbase-env.xml | 4 +-
 .../package/templates/hbase_master_jaas.conf.j2 | 10 +
 .../templates/hbase_regionserver_jaas.conf.j2 | 10 +
 .../package/templates/hbase_master_jaas.conf.j2 | 10 +
 .../templates/hbase_regionserver_jaas.conf.j2 | 10 +
 .../HBASE/2.0.0.3.0/configuration/hbase-env.xml | 4 +-
 .../package/templates/hbase_master_jaas.conf.j2 | 10 +
 .../templates/hbase_regionserver_jaas.conf.j2 | 10 +
 .../HDFS/2.1.0.2.0/package/scripts/hdfs.py | 17 ++
 .../package/templates/hdfs_dn_jaas.conf.j2 | 27 +++
 .../package/templates/hdfs_jn_jaas.conf.j2 | 27 +++
 .../package/templates/hdfs_nn_jaas.conf.j2 | 27 +++
 .../HDFS/3.0.0.3.0/package/scripts/hdfs.py | 17 ++
 .../package/templates/hdfs_dn_jaas.conf.j2 | 27 +++
 .../package/templates/hdfs_jn_jaas.conf.j2 | 27 +++
 .../package/templates/hdfs_nn_jaas.conf.j2 | 27 +++
 .../KAFKA/0.8.1/configuration/kafka-env.xml | 4 +
 .../0.8.1/configuration/kafka_jaas_conf.xml | 11 +
 .../0.8.1/package/templates/kafka_jaas.conf.j2 | 11 +
 .../0.9.1/package/scripts/storm_yaml_utils.py | 5 +-
 .../0.9.1/package/templates/storm_jaas.conf.j2 | 10 +
 .../2.1.0.2.0/package/scripts/params_linux.py | 32 ++-
 .../YARN/2.1.0.2.0/package/scripts/yarn.py | 17 ++
 .../package/templates/mapred_jaas.conf.j2 | 28 +++
 .../package/templates/yarn_ats_jaas.conf.j2 | 27 +++
 .../package/templates/yarn_jaas.conf.j2 | 12 +-
 .../package/templates/yarn_nm_jaas.conf.j2 | 27 +++
 .../configuration-mapred/mapred-env.xml | 4 +-
 .../YARN/3.0.0.3.0/configuration/yarn-env.xml | 15 +-
 .../3.0.0.3.0/package/scripts/params_linux.py | 32 ++-
 .../YARN/3.0.0.3.0/package/scripts/yarn.py | 19 +-
 .../package/templates/mapred_jaas.conf.j2 | 28 +++
 .../package/templates/yarn_ats_jaas.conf.j2 | 27 +++
 .../package/templates/yarn_jaas.conf.j2 | 12 +-
 .../package/templates/yarn_nm_jaas.conf.j2 | 27 +++
 .../YARN/configuration-mapred/mapred-env.xml | 4 +-
 .../services/HBASE/configuration/hbase-env.xml | 4 +-
 .../services/HDFS/configuration/hadoop-env.xml | 7 +
 .../services/YARN/configuration/yarn-env.xml | 16 +-
 .../services/HDFS/configuration/hadoop-env.xml | 7 +
 .../services/HDFS/configuration/hadoop-env.xml | 7 +
 .../YARN/configuration-mapred/mapred-env.xml | 4 +-
 .../python/stacks/2.0.6/HDFS/test_datanode.py | 10 +
 .../stacks/2.0.6/HDFS/test_journalnode.py | 11 +-
 .../python/stacks/2.0.6/HDFS/test_namenode.py | 24 +-
 .../python/stacks/2.0.6/HDFS/test_nfsgateway.py | 10 +
 .../python/stacks/2.0.6/HDFS/test_snamenode.py | 12 +-
 .../test/python/stacks/2.0.6/HDFS/test_zkfc.py | 17 +-
 .../stacks/2.0.6/YARN/test_historyserver.py | 10 +
.../stacks/2.0.6/YARN/test_mapreduce2_client.py | 10 + .../stacks/2.0.6/YARN/test_nodemanager.py | 10 + .../stacks/2.0.6/YARN/test_resourcemanager.py | 10 + .../stacks/2.0.6/YARN/test_yarn_client.py | 10 + 57 files changed, 1084 insertions(+), 47 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-metrics/ambari-metrics-common/pom.xml ---------------------------------------------------------------------- diff --git a/ambari-metrics/ambari-metrics-common/pom.xml b/ambari-metrics/ambari-metrics-common/pom.xml index 62ae75f..f0d3963 100644 --- a/ambari-metrics/ambari-metrics-common/pom.xml +++ b/ambari-metrics/ambari-metrics-common/pom.xml @@ -189,5 +189,10 @@ powermock-module-junit4 test + + org.apache.httpcomponents + httpclient + 4.2.5 + http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java ---------------------------------------------------------------------- diff --git a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java index a8dc571..fddf4b3 100644 --- a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java +++ b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java 
@@ -30,6 +30,7 @@ import org.apache.hadoop.metrics2.sink.timeline.availability.MetricCollectorHAHe import org.apache.hadoop.metrics2.sink.timeline.availability.MetricCollectorUnavailableException; import org.apache.hadoop.metrics2.sink.timeline.availability.MetricSinkWriteShardHostnameHashingStrategy; import org.apache.hadoop.metrics2.sink.timeline.availability.MetricSinkWriteShardStrategy; +import org.apache.http.HttpStatus; import org.codehaus.jackson.map.AnnotationIntrospector; import org.codehaus.jackson.map.ObjectMapper; import org.codehaus.jackson.map.annotate.JsonSerialize; @@ -83,6 +84,9 @@ public abstract class AbstractTimelineMetricsSink { public static final String COLLECTOR_LIVE_NODES_PATH = "/ws/v1/timeline/metrics/livenodes"; public static final String INSTANCE_ID_PROPERTY = "instanceId"; public static final String SET_INSTANCE_ID_PROPERTY = "set.instanceId"; + public static final String COOKIE = "Cookie"; + private static final String WWW_AUTHENTICATE = "WWW-Authenticate"; + private static final String NEGOTIATE = "Negotiate"; protected static final AtomicInteger failedCollectorConnectionsCounter = new AtomicInteger(0); public static int NUMBER_OF_SKIPPED_COLLECTOR_EXCEPTIONS = 100; @@ -97,6 +101,7 @@ public abstract class AbstractTimelineMetricsSink { private long lastFailedZkRequestTime = 0l; private SSLSocketFactory sslSocketFactory; + private AppCookieManager appCookieManager = null; protected final Log LOG; 
@@ -157,6 +162,18 @@ public abstract class AbstractTimelineMetricsSink { connection = connectUrl.startsWith("https") ? getSSLConnection(connectUrl) : getConnection(connectUrl); + if (LOG.isDebugEnabled()) { + LOG.debug("emitMetricsJson to " + connectUrl + ", " + jsonData); + } + AppCookieManager appCookieManager = getAppCookieManager(); + String appCookie = appCookieManager.getCachedAppCookie(connectUrl); + if (appCookie != null) { + if (LOG.isInfoEnabled()) { + LOG.info("Using cached app cookie for URL:" + connectUrl); + } + connection.setRequestProperty(COOKIE, appCookie); + } + connection.setRequestMethod("POST"); connection.setRequestProperty("Content-Type", "application/json"); connection.setRequestProperty("Connection", "Keep-Alive"); 
@@ -171,6 +188,37 @@ public abstract class AbstractTimelineMetricsSink { } int statusCode = connection.getResponseCode(); + if (LOG.isDebugEnabled()) { + LOG.debug("emitMetricsJson: statusCode = " + statusCode); + } + + if (statusCode == HttpStatus.SC_UNAUTHORIZED ) { + String wwwAuthHeader = connection.getHeaderField(WWW_AUTHENTICATE); + if (LOG.isInfoEnabled()) { + LOG.info("Received WWW-Authentication header:" + wwwAuthHeader + ", for URL:" + connectUrl); + } + if (wwwAuthHeader != null && wwwAuthHeader.trim().startsWith(NEGOTIATE)) { + appCookie = appCookieManager.getAppCookie(connectUrl, true); + if (appCookie != null) { + connection.setRequestProperty(COOKIE, appCookie); + + if (jsonData != null) { + try (OutputStream os = connection.getOutputStream()) { + os.write(jsonData.getBytes("UTF-8")); + } + } + + statusCode = connection.getResponseCode(); + if (LOG.isDebugEnabled()) { + LOG.debug("emitMetricsJson: statusCode2 = " + statusCode); + } + } + } else { + // no supported authentication type found + // we would let the original response propagate + LOG.error("Unsupported WWW-Authentication header:" + wwwAuthHeader+ ", for URL:" + connectUrl); + } + } if (statusCode != 200) { LOG.info("Unable to POST metrics to collector, " + connectUrl + ", " + 
@@ -265,6 +313,18 @@ public abstract class AbstractTimelineMetricsSink { } /** + * Get the associated app cookie manager. + * + * @return the app cookie manager + */ + public synchronized AppCookieManager getAppCookieManager() { + if (appCookieManager == null) { + appCookieManager = new AppCookieManager(); + } + return appCookieManager; + } + + /** * Cleans up and closes an input stream * see http://docs.oracle.com/javase/6/docs/technotes/guides/net/http-keepalive.html * @param is the InputStream to clean up http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AppCookieManager.java ---------------------------------------------------------------------- diff --git a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AppCookieManager.java b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AppCookieManager.java new file mode 100644 index 0000000..bcba238 --- /dev/null +++ b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AppCookieManager.java 
@@ -0,0 +1,219 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.metrics2.sink.timeline; + +import java.io.IOException; +import java.net.URI; +import java.security.Principal; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.http.Header; +import org.apache.http.HeaderElement; +import org.apache.http.HttpEntity; +import org.apache.http.HttpHost; +import org.apache.http.HttpRequest; +import org.apache.http.HttpResponse; +import org.apache.http.auth.AuthScope; +import org.apache.http.auth.Credentials; +import org.apache.http.client.methods.HttpGet; +import org.apache.http.client.methods.HttpOptions; +import org.apache.http.client.methods.HttpUriRequest; +import org.apache.http.client.params.AuthPolicy; +import org.apache.http.impl.auth.SPNegoSchemeFactory; +import org.apache.http.impl.client.DefaultHttpClient; +import org.apache.http.util.EntityUtils; + +/** + * Handles SPNego authentication as a client of hadoop service, caches + * hadoop.auth cookie returned by hadoop service on successful SPNego + * authentication. 
Refreshes hadoop.auth cookie on demand if the cookie has + * expired. + * + */ +public class AppCookieManager { + + static final String HADOOP_AUTH = "hadoop.auth"; + private static final String HADOOP_AUTH_EQ = "hadoop.auth="; + private static final String SET_COOKIE = "Set-Cookie"; + + private static final EmptyJaasCredentials EMPTY_JAAS_CREDENTIALS = new EmptyJaasCredentials(); + + private Map endpointCookieMap = new ConcurrentHashMap(); + private static Log LOG = LogFactory.getLog(AppCookieManager.class); + + /** + * Utility method to exercise AppCookieManager directly + * @param args element 0 of args should be a URL to hadoop service protected by SPengo + * @throws IOException in case of errors + */ + public static void main(String[] args) throws IOException { + new AppCookieManager().getAppCookie(args[0], false); + } + + public AppCookieManager() { + } + + /** + * Returns hadoop.auth cookie, doing needed SPNego authentication + * + * @param endpoint + * the URL of the Hadoop service + * @param refresh + * flag indicating wehther to refresh the cookie, if + * true, we do a new SPNego authentication and refresh + * the cookie even if the cookie already exists in local cache + * @return hadoop.auth cookie value + * @throws IOException + * in case of problem getting hadoop.auth cookie + */ + public String getAppCookie(String endpoint, boolean refresh) + throws IOException { + + HttpUriRequest outboundRequest = new HttpGet(endpoint); + URI uri = outboundRequest.getURI(); + String scheme = uri.getScheme(); + String host = uri.getHost(); + int port = uri.getPort(); + String path = uri.getPath(); + if (!refresh) { + String appCookie = endpointCookieMap.get(endpoint); + if (appCookie != null) { + if (LOG.isDebugEnabled()) { + LOG.debug("got cached cookie"); + } + return appCookie; + } + } + + clearAppCookie(endpoint); + + DefaultHttpClient client = new DefaultHttpClient(); + SPNegoSchemeFactory spNegoSF = new SPNegoSchemeFactory(/* stripPort */true); + 
client.getAuthSchemes().register(AuthPolicy.SPNEGO, spNegoSF); + client.getCredentialsProvider().setCredentials( + new AuthScope(/* host */null, /* port */-1, /* realm */null), + EMPTY_JAAS_CREDENTIALS); + + String hadoopAuthCookie = null; + HttpResponse httpResponse = null; + try { + HttpHost httpHost = new HttpHost(host, port, scheme); + HttpRequest httpRequest = new HttpOptions(path); + httpResponse = client.execute(httpHost, httpRequest); + Header[] headers = httpResponse.getHeaders(SET_COOKIE); + if (LOG.isDebugEnabled()) { + for (Header header : headers) { + LOG.debug(header.getName() + " : " + header.getValue()); + } + } + hadoopAuthCookie = getHadoopAuthCookieValue(headers); + if (hadoopAuthCookie == null) { + int statusCode = httpResponse.getStatusLine().getStatusCode(); + HttpEntity entity = httpResponse.getEntity(); + String responseBody = entity != null ? EntityUtils.toString(entity) : null; + LOG.error("SPNego authentication failed with statusCode = " + statusCode + ", responseBody = " + responseBody + ", can not get hadoop.auth cookie for URL: " + endpoint); + return null; + } + } finally { + if (httpResponse != null) { + HttpEntity entity = httpResponse.getEntity(); + if (entity != null) { + entity.getContent().close(); + } + } + + } + + hadoopAuthCookie = HADOOP_AUTH_EQ + quote(hadoopAuthCookie); + setAppCookie(endpoint, hadoopAuthCookie); + if (LOG.isInfoEnabled()) { + LOG.info("Successful SPNego authentication to URL:" + uri.toString()); + } + return hadoopAuthCookie; + } + + + /** + * Returns the cached app cookie + * @param endpoint the hadoop end point we authenticate to + * @return the cached app cookie, can be null + */ + public String getCachedAppCookie(String endpoint) { + return endpointCookieMap.get(endpoint); + } + + /** + * Sets the cached app cookie cache + * @param endpoint the hadoop end point we authenticate to + * @param appCookie the app cookie + */ + private void setAppCookie(String endpoint, String appCookie) { + 
endpointCookieMap.put(endpoint, appCookie); + } + + /** + * Clears the cached app cookie + * @param endpoint the hadoop end point we authenticate to + */ + private void clearAppCookie(String endpoint) { + endpointCookieMap.remove(endpoint); + } + + static String quote(String s) { + return s == null ? s : "\"" + s + "\""; + } + + static String getHadoopAuthCookieValue(Header[] headers) { + if (headers == null) { + return null; + } + for (Header header : headers) { + HeaderElement[] elements = header.getElements(); + for (HeaderElement element : elements) { + String cookieName = element.getName(); + if (cookieName.equals(HADOOP_AUTH)) { + if (element.getValue() != null) { + String trimmedVal = element.getValue().trim(); + if (!trimmedVal.isEmpty()) { + return trimmedVal; + } + } + } + } + } + return null; + } + + + private static class EmptyJaasCredentials implements Credentials { + + public String getPassword() { + return null; + } + + public Principal getUserPrincipal() { + return null; + } + + } + +} http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-metrics/ambari-metrics-common/src/test/java/org/apache/hadoop/metrics2/sink/timeline/AppCookieManagerTest.java ---------------------------------------------------------------------- diff --git a/ambari-metrics/ambari-metrics-common/src/test/java/org/apache/hadoop/metrics2/sink/timeline/AppCookieManagerTest.java b/ambari-metrics/ambari-metrics-common/src/test/java/org/apache/hadoop/metrics2/sink/timeline/AppCookieManagerTest.java new file mode 100644 index 0000000..8355288 --- /dev/null +++ b/ambari-metrics/ambari-metrics-common/src/test/java/org/apache/hadoop/metrics2/sink/timeline/AppCookieManagerTest.java 
@@ -0,0 +1,52 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.metrics2.sink.timeline; + +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; + +import org.apache.http.Header; +import org.apache.http.message.BasicHeader; +import org.junit.Test; + +public class AppCookieManagerTest { + + @Test + public void getCachedAppCookie() { + assertNull(new AppCookieManager().getCachedAppCookie("http://dummy")); + } + + @Test + public void getHadoopAuthCookieValueWithNullHeaders() { + assertNull(AppCookieManager.getHadoopAuthCookieValue(null)); + } + + @Test + public void getHadoopAuthCookieValueWitEmptylHeaders() { + assertNull(AppCookieManager.getHadoopAuthCookieValue(new Header[0])); + } + + @Test + public void getHadoopAuthCookieValueWithValidlHeaders() { + Header[] headers = new Header[1]; + headers[0] = new BasicHeader("Set-Cookie", AppCookieManager.HADOOP_AUTH + "=dummyvalue"); + assertNotNull(AppCookieManager.getHadoopAuthCookieValue(headers)); + } + +} http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-hbase-env.xml 
---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-hbase-env.xml b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-hbase-env.xml index db36db8..9c4fc02 100644 --- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-hbase-env.xml +++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-hbase-env.xml @@ -255,8 +255,8 @@ export HBASE_MANAGES_ZK=false {% if security_enabled %} export HBASE_OPTS="$HBASE_OPTS -Djava.security.auth.login.config={{client_jaas_config_file}}" -export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Djava.security.auth.login.config={{master_jaas_config_file}}" -export HBASE_REGIONSERVER_OPTS="$HBASE_REGIONSERVER_OPTS -Djava.security.auth.login.config={{regionserver_jaas_config_file}}" +export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Djava.security.auth.login.config={{master_jaas_config_file}} -Djavax.security.auth.useSubjectCredsOnly=false" +export HBASE_REGIONSERVER_OPTS="$HBASE_REGIONSERVER_OPTS -Djava.security.auth.login.config={{regionserver_jaas_config_file}} -Djavax.security.auth.useSubjectCredsOnly=false" export HBASE_ZOOKEEPER_OPTS="$HBASE_ZOOKEEPER_OPTS -Djava.security.auth.login.config={{ams_zookeeper_jaas_config_file}}" {% endif %} http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/hbase_master_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/hbase_master_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/hbase_master_jaas.conf.j2 index a93c36c..4bb0fc1 100644 
--- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/hbase_master_jaas.conf.j2 +++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/hbase_master_jaas.conf.j2 @@ -24,3 +24,13 @@ useTicketCache=false keyTab="{{master_keytab_path}}" principal="{{master_jaas_princ}}"; }; +com.sun.security.jgss.krb5.initiate { +com.sun.security.auth.module.Krb5LoginModule required +renewTGT=false +doNotPrompt=true +useKeyTab=true +storeKey=true +useTicketCache=false +keyTab="{{master_keytab_path}}" +principal="{{master_jaas_princ}}"; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/hbase_regionserver_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/hbase_regionserver_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/hbase_regionserver_jaas.conf.j2 index 7097481..c9973ca 100644 --- a/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/hbase_regionserver_jaas.conf.j2 +++ b/ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/hbase_regionserver_jaas.conf.j2 
@@ -24,3 +24,13 @@ useTicketCache=false keyTab="{{regionserver_keytab_path}}" principal="{{regionserver_jaas_princ}}"; }; +com.sun.security.jgss.krb5.initiate { +com.sun.security.auth.module.Krb5LoginModule required +renewTGT=false +doNotPrompt=true +useKeyTab=true +storeKey=true +useTicketCache=false +keyTab="{{regionserver_keytab_path}}" +principal="{{regionserver_jaas_princ}}"; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/templates/hbase_master_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/templates/hbase_master_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/templates/hbase_master_jaas.conf.j2 index a93c36c..4bb0fc1 100644 --- a/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/templates/hbase_master_jaas.conf.j2 +++ b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/templates/hbase_master_jaas.conf.j2 @@ -24,3 +24,13 @@ useTicketCache=false keyTab="{{master_keytab_path}}" principal="{{master_jaas_princ}}"; }; +com.sun.security.jgss.krb5.initiate { +com.sun.security.auth.module.Krb5LoginModule required +renewTGT=false +doNotPrompt=true +useKeyTab=true +storeKey=true +useTicketCache=false +keyTab="{{master_keytab_path}}" +principal="{{master_jaas_princ}}"; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/templates/hbase_regionserver_jaas.conf.j2 ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/templates/hbase_regionserver_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/templates/hbase_regionserver_jaas.conf.j2 index 7097481..c9973ca 100644 --- a/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/templates/hbase_regionserver_jaas.conf.j2 +++ b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/templates/hbase_regionserver_jaas.conf.j2 @@ -24,3 +24,13 @@ useTicketCache=false keyTab="{{regionserver_keytab_path}}" principal="{{regionserver_jaas_princ}}"; }; +com.sun.security.jgss.krb5.initiate { +com.sun.security.auth.module.Krb5LoginModule required +renewTGT=false +doNotPrompt=true +useKeyTab=true +storeKey=true +useTicketCache=false +keyTab="{{regionserver_keytab_path}}" +principal="{{regionserver_jaas_princ}}"; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/configuration/hbase-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/configuration/hbase-env.xml b/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/configuration/hbase-env.xml index da12706..cb30b63 100644 --- a/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/configuration/hbase-env.xml +++ b/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/configuration/hbase-env.xml 
@@ -225,8 +225,8 @@ JDK_DEPENDED_OPTS="-XX:PermSize=128m -XX:MaxPermSize=128m" {% if security_enabled %} export HBASE_OPTS="$HBASE_OPTS -XX:+UseConcMarkSweepGC -XX:ErrorFile={{log_dir}}/hs_err_pid%p.log -Djava.security.auth.login.config={{client_jaas_config_file}} -Djava.io.tmpdir={{java_io_tmpdir}}" -export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Xmx{{master_heapsize}} -Djava.security.auth.login.config={{master_jaas_config_file}} $JDK_DEPENDED_OPTS" -export HBASE_REGIONSERVER_OPTS="$HBASE_REGIONSERVER_OPTS -Xmn{{regionserver_xmn_size}} -XX:CMSInitiatingOccupancyFraction=70 -Xms{{regionserver_heapsize}} -Xmx{{regionserver_heapsize}} -Djava.security.auth.login.config={{regionserver_jaas_config_file}} $JDK_DEPENDED_OPTS" +export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Xmx{{master_heapsize}} -Djava.security.auth.login.config={{master_jaas_config_file}} -Djavax.security.auth.useSubjectCredsOnly=false $JDK_DEPENDED_OPTS" +export HBASE_REGIONSERVER_OPTS="$HBASE_REGIONSERVER_OPTS -Xmn{{regionserver_xmn_size}} -XX:CMSInitiatingOccupancyFraction=70 -Xms{{regionserver_heapsize}} -Xmx{{regionserver_heapsize}} -Djava.security.auth.login.config={{regionserver_jaas_config_file}} -Djavax.security.auth.useSubjectCredsOnly=false $JDK_DEPENDED_OPTS" export PHOENIX_QUERYSERVER_OPTS="$PHOENIX_QUERYSERVER_OPTS -Djava.security.auth.login.config={{queryserver_jaas_config_file}}" {% else %} export HBASE_OPTS="$HBASE_OPTS -XX:+UseConcMarkSweepGC -XX:ErrorFile={{log_dir}}/hs_err_pid%p.log -Djava.io.tmpdir={{java_io_tmpdir}}" http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/package/templates/hbase_master_jaas.conf.j2 ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/package/templates/hbase_master_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/package/templates/hbase_master_jaas.conf.j2 index a93c36c..4bb0fc1 100644 --- a/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/package/templates/hbase_master_jaas.conf.j2 +++ b/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/package/templates/hbase_master_jaas.conf.j2 @@ -24,3 +24,13 @@ useTicketCache=false keyTab="{{master_keytab_path}}" principal="{{master_jaas_princ}}"; }; +com.sun.security.jgss.krb5.initiate { +com.sun.security.auth.module.Krb5LoginModule required +renewTGT=false +doNotPrompt=true +useKeyTab=true +storeKey=true +useTicketCache=false +keyTab="{{master_keytab_path}}" +principal="{{master_jaas_princ}}"; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/package/templates/hbase_regionserver_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/package/templates/hbase_regionserver_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/package/templates/hbase_regionserver_jaas.conf.j2 index 7097481..c9973ca 100644 --- a/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/package/templates/hbase_regionserver_jaas.conf.j2 +++ b/ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/package/templates/hbase_regionserver_jaas.conf.j2 
@@ -24,3 +24,13 @@ useTicketCache=false keyTab="{{regionserver_keytab_path}}" principal="{{regionserver_jaas_princ}}"; }; +com.sun.security.jgss.krb5.initiate { +com.sun.security.auth.module.Krb5LoginModule required +renewTGT=false +doNotPrompt=true +useKeyTab=true +storeKey=true +useTicketCache=false +keyTab="{{regionserver_keytab_path}}" +principal="{{regionserver_jaas_princ}}"; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/hdfs.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/hdfs.py b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/hdfs.py index d9b62e2..15fda67 100644 --- a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/hdfs.py +++ b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/hdfs.py @@ -51,6 +51,23 @@ def hdfs(name=None): ) if params.security_enabled: + File(os.path.join(params.hadoop_conf_dir, 'hdfs_dn_jaas.conf'), + owner=params.hdfs_user, + group=params.user_group, + content=Template("hdfs_dn_jaas.conf.j2") + ) + File(os.path.join(params.hadoop_conf_dir, 'hdfs_nn_jaas.conf'), + owner=params.hdfs_user, + group=params.user_group, + content=Template("hdfs_nn_jaas.conf.j2") + ) + if params.dfs_ha_enabled: + File(os.path.join(params.hadoop_conf_dir, 'hdfs_jn_jaas.conf'), + owner=params.hdfs_user, + group=params.user_group, + content=Template("hdfs_jn_jaas.conf.j2") + ) + tc_mode = 0644 tc_owner = "root" else: http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_dn_jaas.conf.j2 ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_dn_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_dn_jaas.conf.j2 new file mode 100644 index 0000000..53583b4 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_dn_jaas.conf.j2 @@ -0,0 +1,27 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{dn_keytab}}" + principal="{{dn_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jn_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jn_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jn_jaas.conf.j2 new file mode 100644 index 0000000..9769a6b --- /dev/null 
+++ b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jn_jaas.conf.j2 @@ -0,0 +1,27 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{jn_keytab}}" + principal="{{jn_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_nn_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_nn_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_nn_jaas.conf.j2 new file mode 100644 index 0000000..985a477 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_nn_jaas.conf.j2 
@@ -0,0 +1,27 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{nn_keytab}}" + principal="{{nn_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/hdfs.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/hdfs.py b/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/hdfs.py index d9b62e2..15fda67 100644 --- a/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/hdfs.py +++ b/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/hdfs.py 
@@ -51,6 +51,23 @@ def hdfs(name=None): ) if params.security_enabled: + File(os.path.join(params.hadoop_conf_dir, 'hdfs_dn_jaas.conf'), + owner=params.hdfs_user, + group=params.user_group, + content=Template("hdfs_dn_jaas.conf.j2") + ) + File(os.path.join(params.hadoop_conf_dir, 'hdfs_nn_jaas.conf'), + owner=params.hdfs_user, + group=params.user_group, + content=Template("hdfs_nn_jaas.conf.j2") + ) + if params.dfs_ha_enabled: + File(os.path.join(params.hadoop_conf_dir, 'hdfs_jn_jaas.conf'), + owner=params.hdfs_user, + group=params.user_group, + content=Template("hdfs_jn_jaas.conf.j2") + ) + tc_mode = 0644 tc_owner = "root" else: http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_dn_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_dn_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_dn_jaas.conf.j2 new file mode 100644 index 0000000..53583b4 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_dn_jaas.conf.j2 
@@ -0,0 +1,27 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{dn_keytab}}" + principal="{{dn_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_jn_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_jn_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_jn_jaas.conf.j2 new file mode 100644 index 0000000..9769a6b --- /dev/null +++ b/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_jn_jaas.conf.j2 
@@ -0,0 +1,27 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{jn_keytab}}" + principal="{{jn_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_nn_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_nn_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_nn_jaas.conf.j2 new file mode 100644 index 0000000..985a477 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_nn_jaas.conf.j2 
@@ -0,0 +1,27 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{nn_keytab}}" + principal="{{nn_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/configuration/kafka-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/configuration/kafka-env.xml b/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/configuration/kafka-env.xml index 91af58e..ad81d66 100644 --- a/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/configuration/kafka-env.xml +++ b/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/configuration/kafka-env.xml 
@@ -88,7 +88,11 @@ export JAVA_HOME={{java64_home}} export PATH=$PATH:$JAVA_HOME/bin export PID_DIR={{kafka_pid_dir}} export LOG_DIR={{kafka_log_dir}} +{% if security_enabled %} +export KAFKA_KERBEROS_PARAMS="-Djavax.security.auth.useSubjectCredsOnly=false {{kafka_kerberos_params}}" +{% else %} export KAFKA_KERBEROS_PARAMS={{kafka_kerberos_params}} +{% endif %} # Add kafka sink to classpath and related depenencies if [ -e "/usr/lib/ambari-metrics-kafka-sink/ambari-metrics-kafka-sink.jar" ]; then export CLASSPATH=$CLASSPATH:/usr/lib/ambari-metrics-kafka-sink/ambari-metrics-kafka-sink.jar http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/configuration/kafka_jaas_conf.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/configuration/kafka_jaas_conf.xml b/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/configuration/kafka_jaas_conf.xml index fdde8f2..8ceb891 100644 --- a/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/configuration/kafka_jaas_conf.xml +++ b/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/configuration/kafka_jaas_conf.xml @@ -49,6 +49,17 @@ useTicketCache=false serviceName="zookeeper" principal="{{kafka_jaas_principal}}"; }; +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{kafka_keytab_path}}" + storeKey=true + useTicketCache=false + serviceName="{{kafka_bare_jaas_principal}}" + principal="{{kafka_jaas_principal}}"; +}; content http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/templates/kafka_jaas.conf.j2 ---------------------------------------------------------------------- 
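Review bot: in the new com.sun.security.jgss.krb5.initiate section of kafka_jaas_conf.xml, serviceName="{{kafka_bare_jaas_principal}}" is set, but none of the other krb5.initiate sections this commit adds (HBase, HDFS, Storm, YARN) carries a serviceName. If nothing reads it for the SPNEGO login, drop it so the section matches the others; if something does, say so in a comment next to the option. The identical block is also added to kafka_jaas.conf.j2 in the next file, so the two copies have to be kept in sync by hand.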
diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/templates/kafka_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/templates/kafka_jaas.conf.j2 index 56c558d..1d9e61d 100644 --- a/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/templates/kafka_jaas.conf.j2 +++ b/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/templates/kafka_jaas.conf.j2 @@ -39,3 +39,14 @@ Client { serviceName="zookeeper" principal="{{kafka_jaas_principal}}"; }; +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{kafka_keytab_path}}" + storeKey=true + useTicketCache=false + serviceName="{{kafka_bare_jaas_principal}}" + principal="{{kafka_jaas_principal}}"; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/storm_yaml_utils.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/storm_yaml_utils.py b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/storm_yaml_utils.py index 9d78e71..557c9dc 100644 --- a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/storm_yaml_utils.py +++ b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/storm_yaml_utils.py 
@@ -27,7 +27,10 @@ from resource_management.core.resources.system import File def replace_jaas_placeholder(name, security_enabled, conf_dir): if name.find('_JAAS_PLACEHOLDER') > -1: if security_enabled: - return name.replace('_JAAS_PLACEHOLDER', '-Djava.security.auth.login.config=' + conf_dir + '/storm_jaas.conf') + if name.find('Nimbus_JVM') > -1: + return name.replace('_JAAS_PLACEHOLDER', '-Djava.security.auth.login.config=' + conf_dir + '/storm_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false') + else: + return name.replace('_JAAS_PLACEHOLDER', '-Djava.security.auth.login.config=' + conf_dir + '/storm_jaas.conf') else: return name.replace('_JAAS_PLACEHOLDER', '') else: http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/templates/storm_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/templates/storm_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/templates/storm_jaas.conf.j2 index c22cb51..d131e62 100644 --- a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/templates/storm_jaas.conf.j2 +++ b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/templates/storm_jaas.conf.j2 
@@ -41,6 +41,16 @@ RegistryClient { useTicketCache=false principal="{{storm_jaas_principal}}"; }; +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{nimbus_keytab_path}}" + principal="{{nimbus_jaas_principal}}" + storeKey=true + useTicketCache=false; +}; {% endif %} Client { com.sun.security.auth.module.Krb5LoginModule required http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py index 3579fcb..f474a89 100644 --- a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py +++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py @@ -249,6 +249,9 @@ nm_hosts = default("/clusterHostInfo/nm_hosts", []) # don't using len(nm_hosts) here, because check can take too much time on large clusters number_of_nm = 1 +hs_host = default("/clusterHostInfo/hs_host", []) +has_hs = not len(hs_host) == 0 + # default kinit commands rm_kinit_cmd = "" yarn_timelineservice_kinit_cmd = "" 
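Review bot: has_hs, added after number_of_nm in YARN/2.1.0.2.0/package/scripts/params_linux.py, is true whenever the cluster has a history server at all, not when this host runs it. The next hunk uses it to read mapreduce.jobhistory.principal and substitute the local hostname.lower() for _HOST, so on every other host mapred_jhs_principal_name names a principal for a machine that does not run the history server. Either check hostname against hs_host before building the principal, or add a comment stating that has_hs is cluster-wide on purpose.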
@@ -272,19 +275,26 @@ if security_enabled: # YARN timeline security options if has_ats: - _yarn_timelineservice_principal_name = config['configurations']['yarn-site']['yarn.timeline-service.principal'] - _yarn_timelineservice_principal_name = _yarn_timelineservice_principal_name.replace('_HOST', hostname.lower()) - _yarn_timelineservice_keytab = config['configurations']['yarn-site']['yarn.timeline-service.keytab'] - yarn_timelineservice_kinit_cmd = format("{kinit_path_local} -kt {_yarn_timelineservice_keytab} {_yarn_timelineservice_principal_name};") + yarn_timelineservice_principal_name = config['configurations']['yarn-site']['yarn.timeline-service.principal'] + yarn_timelineservice_principal_name = yarn_timelineservice_principal_name.replace('_HOST', hostname.lower()) + yarn_timelineservice_keytab = config['configurations']['yarn-site']['yarn.timeline-service.keytab'] + yarn_timelineservice_kinit_cmd = format("{kinit_path_local} -kt {yarn_timelineservice_keytab} {yarn_timelineservice_principal_name};") + yarn_ats_jaas_file = os.path.join(config_dir, 'yarn_ats_jaas.conf') if 'yarn.nodemanager.principal' in config['configurations']['yarn-site']: - _nodemanager_principal_name = default('/configurations/yarn-site/yarn.nodemanager.principal', None) - if _nodemanager_principal_name: - _nodemanager_principal_name = _nodemanager_principal_name.replace('_HOST', hostname.lower()) - - _nodemanager_keytab = config['configurations']['yarn-site']['yarn.nodemanager.keytab'] - nodemanager_kinit_cmd = format("{kinit_path_local} -kt {_nodemanager_keytab} {_nodemanager_principal_name};") - + nodemanager_principal_name = default('/configurations/yarn-site/yarn.nodemanager.principal', None) + if nodemanager_principal_name: + nodemanager_principal_name = nodemanager_principal_name.replace('_HOST', hostname.lower()) + + nodemanager_keytab = config['configurations']['yarn-site']['yarn.nodemanager.keytab'] + nodemanager_kinit_cmd = format("{kinit_path_local} -kt {nodemanager_keytab} 
{nodemanager_principal_name};") + yarn_nm_jaas_file = os.path.join(config_dir, 'yarn_nm_jaas.conf') + + if has_hs: + mapred_jhs_principal_name = config['configurations']['mapred-site']['mapreduce.jobhistory.principal'] + mapred_jhs_principal_name = mapred_jhs_principal_name.replace('_HOST', hostname.lower()) + mapred_jhs_keytab = config['configurations']['mapred-site']['mapreduce.jobhistory.keytab'] + mapred_jaas_file = os.path.join(config_dir, 'mapred_jaas.conf') yarn_log_aggregation_enabled = config['configurations']['yarn-site']['yarn.log-aggregation-enable'] yarn_nm_app_log_dir = config['configurations']['yarn-site']['yarn.nodemanager.remote-app-log-dir'] http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/yarn.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/yarn.py b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/yarn.py index 5ef08ad..28d14fe 100644 --- a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/yarn.py +++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/yarn.py 
@@ -192,6 +192,23 @@ def yarn(name=None, config_dir=None): group=params.user_group, content=Template("yarn_jaas.conf.j2") ) + if params.has_ats: + File(os.path.join(config_dir, 'yarn_ats_jaas.conf'), + owner=params.yarn_user, + group=params.user_group, + content=Template("yarn_ats_jaas.conf.j2") + ) + File(os.path.join(config_dir, 'yarn_nm_jaas.conf'), + owner=params.yarn_user, + group=params.user_group, + content=Template("yarn_nm_jaas.conf.j2") + ) + if params.has_hs: + File(os.path.join(config_dir, 'mapred_jaas.conf'), + owner=params.mapred_user, + group=params.user_group, + content=Template("mapred_jaas.conf.j2") + ) else: File(os.path.join(config_dir, 'taskcontroller.cfg'), owner=params.tc_owner, http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/mapred_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/mapred_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/mapred_jaas.conf.j2 new file mode 100644 index 0000000..67f4bcb --- /dev/null +++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/mapred_jaas.conf.j2 
@@ -0,0 +1,28 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} + +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{mapred_jhs_keytab}}" + principal="{{mapred_jhs_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_ats_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_ats_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_ats_jaas.conf.j2 new file mode 100644 index 0000000..55308e8 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_ats_jaas.conf.j2 
@@ -0,0 +1,27 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{yarn_timelineservice_keytab}}" + principal="{{yarn_timelineservice_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_jaas.conf.j2 index 483c815..99f0a1b 100644 --- a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_jaas.conf.j2 +++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_jaas.conf.j2 
@@ -23,4 +23,14 @@ Client { useTicketCache=false keyTab="{{rm_keytab}}" principal="{{rm_principal_name}}"; -}; \ No newline at end of file +}; +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{rm_keytab}}" + principal="{{rm_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_nm_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_nm_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_nm_jaas.conf.j2 new file mode 100644 index 0000000..b501c82 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/templates/yarn_nm_jaas.conf.j2 
@@ -0,0 +1,27 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{nodemanager_keytab}}" + principal="{{nodemanager_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/configuration-mapred/mapred-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/configuration-mapred/mapred-env.xml b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/configuration-mapred/mapred-env.xml index 07cfafe..93e5234 100644 --- a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/configuration-mapred/mapred-env.xml +++ b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/configuration-mapred/mapred-env.xml 
@@ -89,7 +89,9 @@ export HADOOP_MAPRED_ROOT_LOGGER=INFO,RFA - #export HADOOP_JOB_HISTORYSERVER_OPTS= + {% if security_enabled %} + export HADOOP_JOB_HISTORYSERVER_OPTS="-Djava.security.auth.login.config={{mapred_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false" + {% endif %} #export HADOOP_MAPRED_LOG_DIR="" # Where log files are stored. $HADOOP_MAPRED_HOME/logs by default. #export HADOOP_JHS_LOGGER=INFO,RFA # Hadoop JobSummary logger. #export HADOOP_MAPRED_PID_DIR= # The pid files are stored. /tmp by default. http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/configuration/yarn-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/configuration/yarn-env.xml b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/configuration/yarn-env.xml index 6a52865..aaa72d1 100644 --- a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/configuration/yarn-env.xml +++ b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/configuration/yarn-env.xml @@ -220,7 +220,9 @@ export YARN_RESOURCEMANAGER_HEAPSIZE={{resourcemanager_heapsize}} # Specify the JVM options to be used when starting the ResourceManager. # These options will be appended to the options specified as YARN_OPTS # and therefore may override any similar flags set in YARN_OPTS -#export YARN_RESOURCEMANAGER_OPTS= +{% if security_enabled %} +export YARN_RESOURCEMANAGER_OPTS="-Djava.security.auth.login.config={{yarn_jaas_file}}" +{% endif %} # Node Manager specific parameters 
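Review bot: the new export YARN_RESOURCEMANAGER_OPTS="-Djava.security.auth.login.config={{yarn_jaas_file}}" in yarn-env.xml assigns the variable outright, so any value already present in the environment is discarded on secured clusters, whereas the line it replaces was commented out and left the variable alone. Append instead, for example export YARN_RESOURCEMANAGER_OPTS="$YARN_RESOURCEMANAGER_OPTS -Djava.security.auth.login.config={{yarn_jaas_file}}". The comment block above the line still only describes how these options relate to YARN_OPTS; a one-line comment saying why the JAAS file is set here would help the next reader.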
@@ -242,10 +244,16 @@ export YARN_NODEMANAGER_HEAPSIZE={{nodemanager_heapsize}} # or JAVA_HEAP_MAX with YARN_HEAPMAX as the preferred option of the two. export YARN_TIMELINESERVER_HEAPSIZE={{apptimelineserver_heapsize}} +{% if security_enabled %} +export YARN_TIMELINESERVER_OPTS="-Djava.security.auth.login.config={{yarn_ats_jaas_file}}" +{% endif %} + # Specify the JVM options to be used when starting the NodeManager. # These options will be appended to the options specified as YARN_OPTS # and therefore may override any similar flags set in YARN_OPTS -#export YARN_NODEMANAGER_OPTS= +{% if security_enabled %} +export YARN_NODEMANAGER_OPTS="-Djava.security.auth.login.config={{yarn_nm_jaas_file}}" +{% endif %} # so that filenames w/ spaces are handled correctly in loops below IFS= @@ -286,6 +294,9 @@ YARN_OPTS="$YARN_OPTS -Djava.io.tmpdir={{hadoop_java_io_tmpdir}}" {% if rm_security_opts is defined %} YARN_OPTS="{{rm_security_opts}} $YARN_OPTS" {% endif %} +{% if security_enabled %} +YARN_OPTS="$YARN_OPTS -Djavax.security.auth.useSubjectCredsOnly=false" +{% endif %} content http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/params_linux.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/params_linux.py index 66194ed..a05d259 100644 --- a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/params_linux.py +++ b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/params_linux.py 
@@ -247,6 +247,9 @@ nm_hosts = default("/clusterHostInfo/nm_hosts", []) # don't using len(nm_hosts) here, because check can take too much time on large clusters number_of_nm = 1 +hs_host = default("/clusterHostInfo/hs_host", []) +has_hs = not len(hs_host) == 0 + # default kinit commands rm_kinit_cmd = "" yarn_timelineservice_kinit_cmd = "" 
@@ -268,19 +271,26 @@ if security_enabled: # YARN timeline security options if has_ats: - _yarn_timelineservice_principal_name = config['configurations']['yarn-site']['yarn.timeline-service.principal'] - _yarn_timelineservice_principal_name = _yarn_timelineservice_principal_name.replace('_HOST', hostname.lower()) - _yarn_timelineservice_keytab = config['configurations']['yarn-site']['yarn.timeline-service.keytab'] - yarn_timelineservice_kinit_cmd = format("{kinit_path_local} -kt {_yarn_timelineservice_keytab} {_yarn_timelineservice_principal_name};") + yarn_timelineservice_principal_name = config['configurations']['yarn-site']['yarn.timeline-service.principal'] + yarn_timelineservice_principal_name = yarn_timelineservice_principal_name.replace('_HOST', hostname.lower()) + yarn_timelineservice_keytab = config['configurations']['yarn-site']['yarn.timeline-service.keytab'] + yarn_timelineservice_kinit_cmd = format("{kinit_path_local} -kt {yarn_timelineservice_keytab} {yarn_timelineservice_principal_name};") + yarn_ats_jaas_file = os.path.join(config_dir, 'yarn_ats_jaas.conf') if 'yarn.nodemanager.principal' in config['configurations']['yarn-site']: - _nodemanager_principal_name = default('/configurations/yarn-site/yarn.nodemanager.principal', None) - if _nodemanager_principal_name: - _nodemanager_principal_name = _nodemanager_principal_name.replace('_HOST', hostname.lower()) - - _nodemanager_keytab = config['configurations']['yarn-site']['yarn.nodemanager.keytab'] - nodemanager_kinit_cmd = format("{kinit_path_local} -kt {_nodemanager_keytab} {_nodemanager_principal_name};") - + nodemanager_principal_name = default('/configurations/yarn-site/yarn.nodemanager.principal', None) + if nodemanager_principal_name: + nodemanager_principal_name = nodemanager_principal_name.replace('_HOST', hostname.lower()) + + nodemanager_keytab = config['configurations']['yarn-site']['yarn.nodemanager.keytab'] + nodemanager_kinit_cmd = format("{kinit_path_local} -kt {nodemanager_keytab} 
{nodemanager_principal_name};") + yarn_nm_jaas_file = os.path.join(config_dir, 'yarn_nm_jaas.conf') + + if has_hs: + mapred_jhs_principal_name = config['configurations']['mapred-site']['mapreduce.jobhistory.principal'] + mapred_jhs_principal_name = mapred_jhs_principal_name.replace('_HOST', hostname.lower()) + mapred_jhs_keytab = config['configurations']['mapred-site']['mapreduce.jobhistory.keytab'] + mapred_jaas_file = os.path.join(config_dir, 'mapred_jaas.conf') yarn_log_aggregation_enabled = config['configurations']['yarn-site']['yarn.log-aggregation-enable'] yarn_nm_app_log_dir = config['configurations']['yarn-site']['yarn.nodemanager.remote-app-log-dir'] http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/yarn.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/yarn.py b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/yarn.py index 768411c..0591511 100644 --- a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/yarn.py +++ b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/yarn.py 
@@ -192,7 +192,24 @@ def yarn(name=None, config_dir=None): owner=params.yarn_user, group=params.user_group, content=Template("yarn_jaas.conf.j2") - ) + ) + if params.has_ats: + File(os.path.join(config_dir, 'yarn_ats_jaas.conf'), + owner=params.yarn_user, + group=params.user_group, + content=Template("yarn_ats_jaas.conf.j2") + ) + File(os.path.join(config_dir, 'yarn_nm_jaas.conf'), + owner=params.yarn_user, + group=params.user_group, + content=Template("yarn_nm_jaas.conf.j2") + ) + if params.has_hs: + File(os.path.join(config_dir, 'mapred_jaas.conf'), + owner=params.mapred_user, + group=params.user_group, + content=Template("mapred_jaas.conf.j2") + ) else: File(os.path.join(config_dir, 'taskcontroller.cfg'), owner=params.tc_owner, http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/mapred_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/mapred_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/mapred_jaas.conf.j2 new file mode 100644 index 0000000..67f4bcb --- /dev/null +++ b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/mapred_jaas.conf.j2 
@@ -0,0 +1,28 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} + +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{mapred_jhs_keytab}}" + principal="{{mapred_jhs_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_ats_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_ats_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_ats_jaas.conf.j2 new file mode 100644 index 0000000..55308e8 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_ats_jaas.conf.j2 
@@ -0,0 +1,27 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{yarn_timelineservice_keytab}}" + principal="{{yarn_timelineservice_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_jaas.conf.j2 index 483c815..99f0a1b 100644 --- a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_jaas.conf.j2 +++ b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_jaas.conf.j2 
@@ -23,4 +23,14 @@ Client { useTicketCache=false keyTab="{{rm_keytab}}" principal="{{rm_principal_name}}"; -}; \ No newline at end of file +}; +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{rm_keytab}}" + principal="{{rm_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_nm_jaas.conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_nm_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_nm_jaas.conf.j2 new file mode 100644 index 0000000..b501c82 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/templates/yarn_nm_jaas.conf.j2 
@@ -0,0 +1,27 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +com.sun.security.jgss.krb5.initiate { + com.sun.security.auth.module.Krb5LoginModule required + renewTGT=false + doNotPrompt=true + useKeyTab=true + keyTab="{{nodemanager_keytab}}" + principal="{{nodemanager_principal_name}}" + storeKey=true + useTicketCache=false; +}; http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/configuration-mapred/mapred-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/configuration-mapred/mapred-env.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/configuration-mapred/mapred-env.xml index 869f44a..67d33db 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/configuration-mapred/mapred-env.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/configuration-mapred/mapred-env.xml 
@@ -32,7 +32,9 @@ export HADOOP_JOB_HISTORYSERVER_HEAPSIZE={{jobhistory_heapsize}} export HADOOP_MAPRED_ROOT_LOGGER=INFO,RFA -#export HADOOP_JOB_HISTORYSERVER_OPTS= +{% if security_enabled %} +export HADOOP_JOB_HISTORYSERVER_OPTS="-Djava.security.auth.login.config={{mapred_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false" +{% endif %} #export HADOOP_MAPRED_LOG_DIR="" # Where log files are stored. $HADOOP_MAPRED_HOME/logs by default. #export HADOOP_JHS_LOGGER=INFO,RFA # Hadoop JobSummary logger. #export HADOOP_MAPRED_PID_DIR= # The pid files are stored. /tmp by default. http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/stacks/HDP/2.3/services/HBASE/configuration/hbase-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/services/HBASE/configuration/hbase-env.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/services/HBASE/configuration/hbase-env.xml index d2b3671..45e137c 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/services/HBASE/configuration/hbase-env.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/services/HBASE/configuration/hbase-env.xml 
@@ -90,8 +90,8 @@ JDK_DEPENDED_OPTS="-XX:PermSize=128m -XX:MaxPermSize=128m" {% if security_enabled %} export HBASE_OPTS="$HBASE_OPTS -XX:+UseConcMarkSweepGC -XX:ErrorFile={{log_dir}}/hs_err_pid%p.log -Djava.security.auth.login.config={{client_jaas_config_file}} -Djava.io.tmpdir={{java_io_tmpdir}}" -export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Xmx{{master_heapsize}} -Djava.security.auth.login.config={{master_jaas_config_file}} $JDK_DEPENDED_OPTS" -export HBASE_REGIONSERVER_OPTS="$HBASE_REGIONSERVER_OPTS -Xmn{{regionserver_xmn_size}} -XX:CMSInitiatingOccupancyFraction=70 -Xms{{regionserver_heapsize}} -Xmx{{regionserver_heapsize}} -Djava.security.auth.login.config={{regionserver_jaas_config_file}} $JDK_DEPENDED_OPTS" +export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Xmx{{master_heapsize}} -Djava.security.auth.login.config={{master_jaas_config_file}} -Djavax.security.auth.useSubjectCredsOnly=false $JDK_DEPENDED_OPTS" +export HBASE_REGIONSERVER_OPTS="$HBASE_REGIONSERVER_OPTS -Xmn{{regionserver_xmn_size}} -XX:CMSInitiatingOccupancyFraction=70 -Xms{{regionserver_heapsize}} -Xmx{{regionserver_heapsize}} -Djava.security.auth.login.config={{regionserver_jaas_config_file}} -Djavax.security.auth.useSubjectCredsOnly=false $JDK_DEPENDED_OPTS" export PHOENIX_QUERYSERVER_OPTS="$PHOENIX_QUERYSERVER_OPTS -Djava.security.auth.login.config={{queryserver_jaas_config_file}}" {% else %} export HBASE_OPTS="$HBASE_OPTS -XX:+UseConcMarkSweepGC -XX:ErrorFile={{log_dir}}/hs_err_pid%p.log -Djava.io.tmpdir={{java_io_tmpdir}}" http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml index 1bfd2fe..eb04aa4 100644 
--- a/ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml @@ -81,6 +81,13 @@ export HADOOP_SECONDARYNAMENODE_OPTS="${SHARED_HADOOP_NAMENODE_OPTS} -XX:OnOutOf export HADOOP_CLIENT_OPTS="-Xmx${HADOOP_HEAPSIZE}m $HADOOP_CLIENT_OPTS" {% endif %} +{% if security_enabled %} +export HADOOP_NAMENODE_OPTS="$HADOOP_NAMENODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_nn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" +export HADOOP_SECONDARYNAMENODE_OPTS="$HADOOP_SECONDARYNAMENODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_nn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" +export HADOOP_DATANODE_OPTS="$HADOOP_DATANODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_dn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" +export HADOOP_JOURNALNODE_OPTS="$HADOOP_JOURNALNODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_jn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" +{% endif %} + HADOOP_NFS3_OPTS="-Xmx{{nfsgateway_heapsize}}m -Dhadoop.security.logger=ERROR,DRFAS ${HADOOP_NFS3_OPTS}" HADOOP_BALANCER_OPTS="-server -Xmx{{hadoop_heapsize}}m ${HADOOP_BALANCER_OPTS}" http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/stacks/HDP/2.3/services/YARN/configuration/yarn-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/services/YARN/configuration/yarn-env.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/services/YARN/configuration/yarn-env.xml index 190684c..9bfa2fe 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/services/YARN/configuration/yarn-env.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/services/YARN/configuration/yarn-env.xml 
@@ -90,8 +90,9 @@ # Specify the JVM options to be used when starting the ResourceManager. # These options will be appended to the options specified as YARN_OPTS # and therefore may override any similar flags set in YARN_OPTS - #export YARN_RESOURCEMANAGER_OPTS= - + {% if security_enabled %} + export YARN_RESOURCEMANAGER_OPTS="-Djava.security.auth.login.config={{yarn_jaas_file}}" + {% endif %} # Node Manager specific parameters # Specify the max Heapsize for the NodeManager using a numerical value @@ -112,10 +113,16 @@ # or JAVA_HEAP_MAX with YARN_HEAPMAX as the preferred option of the two. export YARN_TIMELINESERVER_HEAPSIZE={{apptimelineserver_heapsize}} + {% if security_enabled %} + export YARN_TIMELINESERVER_OPTS="-Djava.security.auth.login.config={{yarn_ats_jaas_file}}" + {% endif %} + # Specify the JVM options to be used when starting the NodeManager. # These options will be appended to the options specified as YARN_OPTS # and therefore may override any similar flags set in YARN_OPTS - #export YARN_NODEMANAGER_OPTS= + {% if security_enabled %} + export YARN_NODEMANAGER_OPTS="-Djava.security.auth.login.config={{yarn_nm_jaas_file}}" + {% endif %} # so that filenames w/ spaces are handled correctly in loops below IFS= @@ -153,6 +160,9 @@ fi YARN_OPTS="$YARN_OPTS -Dyarn.policy.file=$YARN_POLICYFILE" YARN_OPTS="$YARN_OPTS -Djava.io.tmpdir={{hadoop_java_io_tmpdir}}" + {% if security_enabled %} + YARN_OPTS="$YARN_OPTS -Djavax.security.auth.useSubjectCredsOnly=false" + {% endif %} content http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml index 1bfd2fe..eb04aa4 100644 
--- a/ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml @@ -81,6 +81,13 @@ export HADOOP_SECONDARYNAMENODE_OPTS="${SHARED_HADOOP_NAMENODE_OPTS} -XX:OnOutOf export HADOOP_CLIENT_OPTS="-Xmx${HADOOP_HEAPSIZE}m $HADOOP_CLIENT_OPTS" {% endif %} +{% if security_enabled %} +export HADOOP_NAMENODE_OPTS="$HADOOP_NAMENODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_nn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" +export HADOOP_SECONDARYNAMENODE_OPTS="$HADOOP_SECONDARYNAMENODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_nn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" +export HADOOP_DATANODE_OPTS="$HADOOP_DATANODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_dn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" +export HADOOP_JOURNALNODE_OPTS="$HADOOP_JOURNALNODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_jn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" +{% endif %} + HADOOP_NFS3_OPTS="-Xmx{{nfsgateway_heapsize}}m -Dhadoop.security.logger=ERROR,DRFAS ${HADOOP_NFS3_OPTS}" HADOOP_BALANCER_OPTS="-server -Xmx{{hadoop_heapsize}}m ${HADOOP_BALANCER_OPTS}" http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml b/ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml index 9d504db..4814efe 100644 --- a/ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml +++ b/ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml 
@@ -82,6 +82,13 @@ export HADOOP_CLIENT_OPTS="-Xmx${HADOOP_HEAPSIZE}m $HADOOP_CLIENT_OPTS" {% endif %} + {% if security_enabled %} + export HADOOP_NAMENODE_OPTS="$HADOOP_NAMENODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_nn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" + export HADOOP_SECONDARYNAMENODE_OPTS="$HADOOP_SECONDARYNAMENODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_nn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" + export HADOOP_DATANODE_OPTS="$HADOOP_DATANODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_dn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" + export HADOOP_JOURNALNODE_OPTS="$HADOOP_JOURNALNODE_OPTS -Djava.security.auth.login.config={{hadoop_conf_dir}}/hdfs_jn_jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false" + {% endif %} + HADOOP_NFS3_OPTS="-Xmx{{nfsgateway_heapsize}}m -Dhadoop.security.logger=ERROR,DRFAS ${HADOOP_NFS3_OPTS}" HADOOP_BALANCER_OPTS="-server -Xmx{{hadoop_heapsize}}m ${HADOOP_BALANCER_OPTS}" http://git-wip-us.apache.org/repos/asf/ambari/blob/4aaf259e/ambari-server/src/main/resources/stacks/HDP/3.0/services/YARN/configuration-mapred/mapred-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/3.0/services/YARN/configuration-mapred/mapred-env.xml b/ambari-server/src/main/resources/stacks/HDP/3.0/services/YARN/configuration-mapred/mapred-env.xml index a143660..b044cb6 100644 --- a/ambari-server/src/main/resources/stacks/HDP/3.0/services/YARN/configuration-mapred/mapred-env.xml +++ b/ambari-server/src/main/resources/stacks/HDP/3.0/services/YARN/configuration-mapred/mapred-env.xml 
@@ -31,7 +31,9 @@ export HADOOP_MAPRED_ROOT_LOGGER=INFO,RFA - #export HADOOP_JOB_HISTORYSERVER_OPTS= + {% if security_enabled %} + export HADOOP_JOB_HISTORYSERVER_OPTS="-Djava.security.auth.login.config={{mapred_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false" + {% endif %} #export HADOOP_MAPRED_LOG_DIR="" # Where log files are stored. $HADOOP_MAPRED_HOME/logs by default. #export HADOOP_JHS_LOGGER=INFO,RFA # Hadoop JobSummary logger. #export HADOOP_MAPRED_PID_DIR= # The pid files are stored. /tmp by default.
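Review bot: In the mapred-env.xml hunks (common-services YARN/3.0.0.3.0, HDP/2.2 and HDP/3.0), `{{mapred_jaas_file}}` is referenced under `{% if security_enabled %}` alone, while the params_linux.py hunk in this patch assigns `mapred_jaas_file` only after `if has_hs:`. On a secured cluster with no history server host the variable is never set, so rendering either fails or emits an empty `-Djava.security.auth.login.config=` value, depending on how undefined template variables are handled. Suggest guarding the export with `{% if security_enabled and has_hs %}`, or defining `mapred_jaas_file` unconditionally in params.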
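Review bot: In the yarn-env.xml hunks that set `YARN_RESOURCEMANAGER_OPTS`, `YARN_TIMELINESERVER_OPTS` and `YARN_NODEMANAGER_OPTS` (YARN/3.0.0.3.0 and HDP/2.3), each export assigns the variable outright, so any value already present in the environment is dropped; the hadoop-env.xml hunks in the same patch append instead (`"$HADOOP_NAMENODE_OPTS -Djava.security.auth.login.config=..."`). Suggest the same form here, e.g. `export YARN_NODEMANAGER_OPTS="$YARN_NODEMANAGER_OPTS -Djava.security.auth.login.config={{yarn_nm_jaas_file}}"`. Separately, `{{yarn_ats_jaas_file}}` and `{{yarn_nm_jaas_file}}` are used under `security_enabled` only, but params_linux.py appears to assign them under `has_ats` and the `yarn.nodemanager.principal` check respectively (indentation is lost in this rendering), so the template conditions should match.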
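Review bot: In the yarn-env.xml hunks that append to `YARN_OPTS` (`@@ -286,6 +294,9 @@` and `@@ -153,6 +160,9 @@`), `-Djavax.security.auth.useSubjectCredsOnly=false` lands on the shared `YARN_OPTS`, which applies to everything launched through this env file rather than only the daemons that host a metrics sink. The mapred-env.xml and hadoop-env.xml hunks scope the same flag to per-daemon `*_OPTS` variables. Suggest moving the flag into the three daemon-specific exports added above it, or adding a comment explaining why the wider scope is needed.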
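Review bot: In params_linux.py hunk `@@ -247,6 +247,9 @@`, `has_hs = not len(hs_host) == 0` is derived from `/clusterHostInfo/hs_host`, so it states that the cluster has a history server, not that this host runs one. The later hunks use it to read the job history principal and keytab and to write mapred_jaas.conf, which then happens wherever `yarn()` runs. If that is intended, a short comment would help; otherwise check the local component. As a style point, `len(hs_host) > 0` reads more directly than `not len(hs_host) == 0`.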
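Review bot: In params_linux.py hunk `@@ -268,19 +271,26 @@`, the new `has_hs` block reads `config['configurations']['mapred-site']['mapreduce.jobhistory.principal']` by direct indexing and calls `.replace('_HOST', ...)` on the result with no check, whereas the nodemanager block just above uses `default(...)` and tests the value before calling `.replace`. A missing or empty mapred-site key will raise here during parameter loading. Suggest the same `default('/configurations/mapred-site/mapreduce.jobhistory.principal', None)` pattern with a truthiness check. The hunk also drops the leading underscore from the principal and keytab names so the templates can use them; a one-line comment saying these are now consumed by the `*_jaas.conf.j2` templates would stop someone from making them private again.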
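Review bot: In yarn.py hunk `@@ -192,7 +192,24 @@`, the `File(...)` for `yarn_nm_jaas.conf` renders `yarn_nm_jaas.conf.j2`, which needs `nodemanager_keytab` and `nodemanager_principal_name`, but params_linux.py sets those only when `yarn.nodemanager.principal` is present in yarn-site. The indentation is lost in this rendering, so it is not clear whether this resource sits under `if params.has_ats:` or at the outer level; either way the guard does not match the condition under which its template variables exist. Suggest guarding it on the nodemanager principal being defined. The three new `File` resources also set only `owner` and `group`; an explicit `mode` would make the intended permissions on the JAAS files reviewable.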
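Review bot: The new templates mapred_jaas.conf.j2, yarn_ats_jaas.conf.j2 and yarn_nm_jaas.conf.j2, and the section appended to yarn_jaas.conf.j2, carry no comment on why the entry is named `com.sun.security.jgss.krb5.initiate`. That name is the JAAS entry the JDK's JGSS Kerberos mechanism looks up when `-Djavax.security.auth.useSubjectCredsOnly=false` is set, so the templates and the env-file flags only work as a pair; a comment saying so in each template would keep a later cleanup from renaming the section or dropping the flag. The four stanzas differ only in the keytab and principal variables, so a single template taking those two values as parameters would avoid keeping four copies in sync.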
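Review bot: In the hadoop-env.xml hunks (HDP/2.3, HDP/2.4 and HDP/3.0, `@@ -81,6 +81,13 @@` and `@@ -82,6 +82,13 @@`), `HADOOP_SECONDARYNAMENODE_OPTS` points at `{{hadoop_conf_dir}}/hdfs_nn_jaas.conf`, the same file as the NameNode. That is only correct if the secondary NameNode runs with the NameNode's principal and keytab; if that is the assumption, please state it in a comment, otherwise add a dedicated JAAS file. The file names are also hard-coded in the template here, while the YARN hunks take the path from a params variable (`yarn_jaas_file`, `mapred_jaas_file`); using params variables for the HDFS files as well would keep the path defined in one place.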