ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rle...@apache.org
Subject [2/3] ambari git commit: AMBARI-21809. Pre-configure services during stack upgrade if Kerberos is enabled to reduce number of core service restarts when services are added (rlevas)
Date Fri, 01 Sep 2017 16:59:13 GMT
http://git-wip-us.apache.org/repos/asf/ambari/blob/d2e10b5b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/upgrades/PreconfigureKerberosActionTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/upgrades/PreconfigureKerberosActionTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/upgrades/PreconfigureKerberosActionTest.java
new file mode 100644
index 0000000..a7bf33c
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/upgrades/PreconfigureKerberosActionTest.java
@@ -0,0 +1,596 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.serveraction.upgrades;
+
+import static org.apache.ambari.server.serveraction.upgrades.PreconfigureKerberosAction.UPGRADE_DIRECTION_KEY;
+import static org.easymock.EasyMock.anyObject;
+import static org.easymock.EasyMock.anyString;
+import static org.easymock.EasyMock.capture;
+import static org.easymock.EasyMock.eq;
+import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.expectLastCall;
+import static org.easymock.EasyMock.getCurrentArguments;
+import static org.easymock.EasyMock.newCapture;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+import javax.persistence.EntityManager;
+
+import org.apache.ambari.server.AmbariException;
+import org.apache.ambari.server.actionmanager.ActionManager;
+import org.apache.ambari.server.actionmanager.HostRoleCommandFactory;
+import org.apache.ambari.server.actionmanager.HostRoleCommandFactoryImpl;
+import org.apache.ambari.server.actionmanager.RequestFactory;
+import org.apache.ambari.server.actionmanager.StageFactory;
+import org.apache.ambari.server.agent.ExecutionCommand;
+import org.apache.ambari.server.api.services.AmbariMetaInfo;
+import org.apache.ambari.server.api.services.stackadvisor.StackAdvisorHelper;
+import org.apache.ambari.server.api.services.stackadvisor.StackAdvisorRequest;
+import org.apache.ambari.server.api.services.stackadvisor.recommendations.RecommendationResponse;
+import org.apache.ambari.server.audit.AuditLogger;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.controller.AmbariCustomCommandExecutionHelper;
+import org.apache.ambari.server.controller.AmbariManagementController;
+import org.apache.ambari.server.controller.KerberosHelper;
+import org.apache.ambari.server.controller.KerberosHelperImpl;
+import org.apache.ambari.server.metadata.CachedRoleCommandOrderProvider;
+import org.apache.ambari.server.metadata.RoleCommandOrderProvider;
+import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.ArtifactDAO;
+import org.apache.ambari.server.orm.dao.HostRoleCommandDAO;
+import org.apache.ambari.server.orm.dao.KerberosPrincipalDAO;
+import org.apache.ambari.server.orm.entities.RepositoryVersionEntity;
+import org.apache.ambari.server.orm.entities.UpgradeEntity;
+import org.apache.ambari.server.security.encryption.CredentialStoreService;
+import org.apache.ambari.server.stack.StackManagerFactory;
+import org.apache.ambari.server.stageplanner.RoleGraphFactory;
+import org.apache.ambari.server.state.Cluster;
+import org.apache.ambari.server.state.Clusters;
+import org.apache.ambari.server.state.ComponentInfo;
+import org.apache.ambari.server.state.Config;
+import org.apache.ambari.server.state.ConfigFactory;
+import org.apache.ambari.server.state.ConfigHelper;
+import org.apache.ambari.server.state.Host;
+import org.apache.ambari.server.state.HostComponentAdminState;
+import org.apache.ambari.server.state.PropertyInfo;
+import org.apache.ambari.server.state.SecurityType;
+import org.apache.ambari.server.state.Service;
+import org.apache.ambari.server.state.ServiceComponent;
+import org.apache.ambari.server.state.ServiceComponentHost;
+import org.apache.ambari.server.state.ServiceInfo;
+import org.apache.ambari.server.state.StackId;
+import org.apache.ambari.server.state.UpgradeContext;
+import org.apache.ambari.server.state.UpgradeContextFactory;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory;
+import org.apache.ambari.server.state.scheduler.RequestExecutionFactory;
+import org.apache.ambari.server.state.stack.OsFamily;
+import org.apache.ambari.server.state.stack.upgrade.Direction;
+import org.apache.ambari.server.topology.PersistedState;
+import org.apache.ambari.server.topology.TopologyManager;
+import org.apache.ambari.server.topology.tasks.ConfigureClusterTaskFactory;
+import org.apache.ambari.server.utils.StageUtils;
+import org.apache.commons.collections.MapUtils;
+import org.easymock.Capture;
+import org.easymock.EasyMockSupport;
+import org.easymock.IAnswer;
+import org.junit.Assert;
+import org.junit.Test;
+
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+
+public class PreconfigureKerberosActionTest extends EasyMockSupport {
+
+  private static final String CLUSTER_NAME = "c1";
+
+  @Test
+  public void testSkipWhenDowngrade() throws Exception {
+
+    Injector injector = getInjector();
+
+    Map<String, String> commandParams = getDefaultCommandParams();
+    commandParams.put(UPGRADE_DIRECTION_KEY, Direction.DOWNGRADE.name());
+
+    ExecutionCommand executionCommand = createMockExecutionCommand(commandParams);
+
+    replayAll();
+
+    injector.getInstance(AmbariMetaInfo.class).init();
+
+    PreconfigureKerberosAction action = injector.getInstance(PreconfigureKerberosAction.class);
+    ConcurrentMap<String, Object> context = new ConcurrentHashMap<>();
+    action.setExecutionCommand(executionCommand);
+    action.execute(context);
+
+    verifyAll();
+  }
+
+  @Test
+  public void testSkipWhenNotKerberos() throws Exception {
+    Injector injector = getInjector();
+
+    ExecutionCommand executionCommand = createMockExecutionCommand(getDefaultCommandParams());
+
+    Cluster cluster = createMockCluster(SecurityType.NONE, Collections.<Host>emptyList(),
+        Collections.<String, Service>emptyMap(), Collections.<String, List<ServiceComponentHost>>emptyMap(),
+        createNiceMock(StackId.class), Collections.<String, Config>emptyMap());
+
+    Clusters clusters = injector.getInstance(Clusters.class);
+    expect(clusters.getCluster(CLUSTER_NAME)).andReturn(cluster).atLeastOnce();
+
+    replayAll();
+
+    injector.getInstance(AmbariMetaInfo.class).init();
+
+    PreconfigureKerberosAction action = injector.getInstance(PreconfigureKerberosAction.class);
+    ConcurrentMap<String, Object> context = new ConcurrentHashMap<>();
+    action.setExecutionCommand(executionCommand);
+    action.execute(context);
+
+    verifyAll();
+  }
+
+  private Host createMockHost(String hostname) {
+    Host host = createNiceMock(Host.class);
+    expect(host.getHostName()).andReturn(hostname).anyTimes();
+    return host;
+  }
+
+  @Test
+  public void testUpgrade() throws Exception {
+    Capture<? extends Map<String, String>> captureCoreSiteProperties = newCapture();
+
+    Injector injector = getInjector();
+
+    ExecutionCommand executionCommand = createMockExecutionCommand(getDefaultCommandParams());
+
+    UpgradeEntity upgradeProgress = createMock(UpgradeEntity.class);
+
+    StackId targetStackId = createMock(StackId.class);
+    expect(targetStackId.getStackId()).andReturn("HDP-2.6").anyTimes();
+    expect(targetStackId.getStackName()).andReturn("HDP").anyTimes();
+    expect(targetStackId.getStackVersion()).andReturn("2.6").anyTimes();
+
+    final String hostName1 = "c6401.ambari.apache.org";
+    final String hostName2 = "c6402.ambari.apache.org";
+    final String hostName3 = "c6403.ambari.apache.org";
+
+    final Host host1 = createMockHost(hostName1);
+    Host host2 = createMockHost(hostName2);
+    Host host3 = createMockHost(hostName3);
+    Map<String, Host> hosts = new HashMap<>();
+    hosts.put(hostName1, host1);
+    hosts.put(hostName2, host2);
+    hosts.put(hostName3, host3);
+
+    Map<String, ServiceComponentHost> nnSchs = Collections.singletonMap(hostName1, createMockServiceComponentHost("HDFS", "NAMENODE", hostName1, host1));
+    Map<String, ServiceComponentHost> rmSchs = Collections.singletonMap(hostName2, createMockServiceComponentHost("YARN", "RESOURCEMANAGER", hostName2, host2));
+    Map<String, ServiceComponentHost> nmSchs = Collections.singletonMap(hostName2, createMockServiceComponentHost("YARN", "NODEMANAGER", hostName2, host2));
+    Map<String, ServiceComponentHost> dnSchs = new HashMap<>();
+    final Map<String, ServiceComponentHost> hcSchs = new HashMap<>();
+    Map<String, ServiceComponentHost> zkSSchs = new HashMap<>();
+    Map<String, ServiceComponentHost> zkCSchs = new HashMap<>();
+    Map<String, List<ServiceComponentHost>> serviceComponentHosts = new HashMap<>();
+
+    for (Map.Entry<String, Host> entry : hosts.entrySet()) {
+      String hostname = entry.getKey();
+      List<ServiceComponentHost> list = new ArrayList<>();
+      ServiceComponentHost sch;
+
+      sch = createMockServiceComponentHost("HDFS", "DATANODE", hostname, entry.getValue());
+      dnSchs.put(hostname, sch);
+      list.add(sch);
+
+      sch = createMockServiceComponentHost("HDFS", "HDFS_CLIENT", hostname, entry.getValue());
+      hcSchs.put(hostname, sch);
+      list.add(sch);
+
+      sch = createMockServiceComponentHost("ZOOKEEPER", "ZOOKEEPER_SERVER", hostname, entry.getValue());
+      zkSSchs.put(hostname, sch);
+      list.add(sch);
+
+      sch = createMockServiceComponentHost("ZOOKEEPER", "ZOOKEEPER_CLIENT", hostname, entry.getValue());
+      zkCSchs.put(hostname, sch);
+      list.add(sch);
+
+      serviceComponentHosts.put(hostname, list);
+    }
+
+
+    Map<String, ServiceComponent> hdfsComponents = new HashMap<>();
+    hdfsComponents.put("NAMENODE", createMockServiceComponent("NAMENODE", false, nnSchs));
+    hdfsComponents.put("DATANODE", createMockServiceComponent("DATANODE", false, dnSchs));
+    hdfsComponents.put("HDFS_CLIENT", createMockServiceComponent("HDFS_CLIENT", true, hcSchs));
+
+    Map<String, ServiceComponent> yarnComponents = new HashMap<>();
+    yarnComponents.put("RESOURCEMANAGER", createMockServiceComponent("RESOURCEMANAGER", false, rmSchs));
+    yarnComponents.put("NODEMANAGER", createMockServiceComponent("NODEMANAGER", false, nmSchs));
+
+    Map<String, ServiceComponent> zkCompnents = new HashMap<>();
+    yarnComponents.put("ZOOKEEPER_SERVER", createMockServiceComponent("ZOOKEEPER_SERVER", false, zkSSchs));
+    yarnComponents.put("ZOOKEEPER_CLIENT", createMockServiceComponent("ZOOKEEPER_CLIENT", true, zkCSchs));
+
+    Service hdfsService = createMockService("HDFS", hdfsComponents, targetStackId);
+    Service yarnService = createMockService("YARN", yarnComponents, targetStackId);
+    Service zkService = createMockService("ZOOKEEPER", zkCompnents, targetStackId);
+
+    Map<String, Service> installedServices = new HashMap<>();
+    installedServices.put("HDFS", hdfsService);
+    installedServices.put("YARN", yarnService);
+    installedServices.put("ZOOKEEPER", zkService);
+
+    Map<String, Map<String, String>> clusterConfig = getClusterConfig();
+
+    Map<String, Config> clusterConfigs = new HashMap<>();
+    for (Map.Entry<String, Map<String, String>> entry : clusterConfig.entrySet()) {
+      clusterConfigs.put(entry.getKey(), createMockConfig(entry.getValue()));
+    }
+
+    Cluster cluster = createMockCluster(SecurityType.KERBEROS, hosts.values(), installedServices, serviceComponentHosts, targetStackId, clusterConfigs);
+    expect(cluster.getUpgradeInProgress()).andReturn(upgradeProgress).once();
+
+    RepositoryVersionEntity targetRepositoryVersion = createMock(RepositoryVersionEntity.class);
+    expect(targetRepositoryVersion.getStackId()).andReturn(targetStackId).atLeastOnce();
+
+    UpgradeContext upgradeContext = createMock(UpgradeContext.class);
+    expect(upgradeContext.getTargetRepositoryVersion(anyString())).andReturn(targetRepositoryVersion).atLeastOnce();
+
+    UpgradeContextFactory upgradeContextFactory = injector.getInstance(UpgradeContextFactory.class);
+    expect(upgradeContextFactory.create(cluster, upgradeProgress)).andReturn(upgradeContext).once();
+
+    createMockClusters(injector, cluster);
+
+    List<PropertyInfo> knoxProperties = Arrays.asList(
+        crateMockPropertyInfo("knox-env.xml", "knox_user", "knox"),
+        crateMockPropertyInfo("knox-env.xml", "knox_group", "knox"),
+        crateMockPropertyInfo("knox-env.xml", "knox_principal_name", "KERBEROS_PRINCIPAL"),
+        crateMockPropertyInfo("gateway-site.xml", "gateway.port", "8443"),
+        crateMockPropertyInfo("gateway-site.xml", "gateway.path", "gateway")
+    );
+
+    AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+    expect(ambariMetaInfo.getKerberosDescriptor("HDP", "2.6", false)).
+        andReturn(getKerberosDescriptor(false)).once();
+    expect(ambariMetaInfo.getKerberosDescriptor("HDP", "2.6", true)).
+        andReturn(getKerberosDescriptor(true)).once();
+    expect(ambariMetaInfo.isValidService("HDP", "2.6", "BEACON"))
+        .andReturn(false).anyTimes();
+    expect(ambariMetaInfo.isValidService("HDP", "2.6", "KNOX"))
+        .andReturn(true).anyTimes();
+    expect(ambariMetaInfo.getService("HDP", "2.6", "KNOX"))
+        .andReturn(createMockServiceInfo("KNOX", knoxProperties, Collections.singletonList(createMockComponentInfo("KNOX_GATEWAY")))).anyTimes();
+
+    AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+    expect(managementController.findConfigurationTagsWithOverrides(cluster, null))
+        .andReturn(clusterConfig).once();
+    expect(managementController.getAuthName()).andReturn("admin").anyTimes();
+
+    ConfigHelper configHelper = injector.getInstance(ConfigHelper.class);
+    expect(configHelper.getEffectiveConfigProperties(cluster, clusterConfig)).andReturn(clusterConfig).anyTimes();
+    configHelper.updateConfigType(eq(cluster), eq(targetStackId), eq(managementController), eq("core-site"), capture(captureCoreSiteProperties), anyObject(Collection.class), eq("admin"), anyString());
+    expectLastCall().once();
+
+    TopologyManager topologyManager = injector.getInstance(TopologyManager.class);
+    expect(topologyManager.getPendingHostComponents()).andReturn(Collections.<String, Collection<String>>emptyMap()).anyTimes();
+
+    StackAdvisorHelper stackAdvisorHelper = injector.getInstance(StackAdvisorHelper.class);
+    expect(stackAdvisorHelper.recommend(anyObject(StackAdvisorRequest.class)))
+        .andAnswer(new IAnswer<RecommendationResponse>() {
+          @Override
+          public RecommendationResponse answer() throws Throwable {
+            Object[] args = getCurrentArguments();
+            StackAdvisorRequest request = (StackAdvisorRequest) args[0];
+            StackAdvisorRequest.StackAdvisorRequestType requestType = request.getRequestType();
+
+            if (requestType == StackAdvisorRequest.StackAdvisorRequestType.HOST_GROUPS) {
+              RecommendationResponse.Blueprint blueprint = new RecommendationResponse.Blueprint();
+              blueprint.setHostGroups(new HashSet<>(Arrays.asList(
+                  createRecommendationHostGroup(hostName1,
+                      Arrays.asList("ZOOKEEPER_SERVER", "ZOOKEEPER_CLIENT", "HDFS_CLIENT", "DATANODE", "NAMENODE", "KNOX_GATEWAY")),
+                  createRecommendationHostGroup(hostName2,
+                      Arrays.asList("ZOOKEEPER_SERVER", "ZOOKEEPER_CLIENT", "HDFS_CLIENT", "DATANODE", "RESOURCEMANAGER", "NODEMANAGER")),
+                  createRecommendationHostGroup(hostName3,
+                      Arrays.asList("ZOOKEEPER_SERVER", "ZOOKEEPER_CLIENT", "HDFS_CLIENT", "DATANODE"))
+              )));
+              Set<RecommendationResponse.BindingHostGroup> bindingHostGroups = new HashSet<>(Arrays.asList(
+                  createBindingHostGroup(hostName1),
+                  createBindingHostGroup(hostName2),
+                  createBindingHostGroup(hostName3)
+              ));
+
+              RecommendationResponse.BlueprintClusterBinding binding = new RecommendationResponse.BlueprintClusterBinding();
+              binding.setHostGroups(bindingHostGroups);
+
+              RecommendationResponse.Recommendation recommendation = new RecommendationResponse.Recommendation();
+              recommendation.setBlueprint(blueprint);
+              recommendation.setBlueprintClusterBinding(binding);
+
+              RecommendationResponse response = new RecommendationResponse();
+              response.setRecommendations(recommendation);
+              return response;
+            } else {
+              return null;
+            }
+          }
+        })
+        .anyTimes();
+
+    replayAll();
+
+    ambariMetaInfo.init();
+    StageUtils.setTopologyManager(injector.getInstance(TopologyManager.class));
+    StageUtils.setConfiguration(injector.getInstance(Configuration.class));
+
+    PreconfigureKerberosAction action = injector.getInstance(PreconfigureKerberosAction.class);
+    ConcurrentMap<String, Object> context = new ConcurrentHashMap<>();
+    action.setExecutionCommand(executionCommand);
+    action.execute(context);
+
+    verifyAll();
+
+    Assert.assertTrue(captureCoreSiteProperties.hasCaptured());
+
+    Map<String, String> capturedProperties = captureCoreSiteProperties.getValue();
+    Assert.assertFalse(MapUtils.isEmpty(capturedProperties));
+
+
+    String expectedAuthToLocalRules = "" +
+        "RULE:[1:$1@$0](ambari-qa-c1@EXAMPLE.COM)s/.*/ambari-qa/\n" +
+        "RULE:[1:$1@$0](hdfs-c1@EXAMPLE.COM)s/.*/hdfs/\n" +
+        "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" +
+        "RULE:[2:$1@$0](beacon@EXAMPLE.COM)s/.*/beacon/\n" +
+        "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" +
+        "RULE:[2:$1@$0](knox@EXAMPLE.COM)s/.*/knox/\n" +
+        "RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/${yarn-env/yarn_user}/\n" +
+        "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" +
+        "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/${yarn-env/yarn_user}/\n" +
+        "DEFAULT";
+
+    Assert.assertEquals(3, capturedProperties.size());
+    Assert.assertEquals("users", capturedProperties.get("hadoop.proxyuser.knox.groups"));
+    Assert.assertEquals("c6401.ambari.apache.org", capturedProperties.get("hadoop.proxyuser.knox.hosts"));
+    Assert.assertEquals(expectedAuthToLocalRules, capturedProperties.get("hadoop.security.auth_to_local"));
+  }
+
+  private RecommendationResponse.BindingHostGroup createBindingHostGroup(String hostName) {
+    RecommendationResponse.BindingHostGroup bindingHostGroup = new RecommendationResponse.BindingHostGroup();
+    bindingHostGroup.setName(hostName);
+    bindingHostGroup.setHosts(Collections.singleton(Collections.singletonMap("fqdn", hostName)));
+    return bindingHostGroup;
+  }
+
+  private RecommendationResponse.HostGroup createRecommendationHostGroup(String hostName, List<String> components) {
+    Set<Map<String, String>> componentDetails = new HashSet<>();
+    for (String component : components) {
+      componentDetails.add(Collections.singletonMap("name", component));
+    }
+
+    RecommendationResponse.HostGroup hostGroup = new RecommendationResponse.HostGroup();
+    hostGroup.setComponents(componentDetails);
+    hostGroup.setName(hostName);
+    return hostGroup;
+  }
+
+  private ComponentInfo createMockComponentInfo(String componentName) {
+    ComponentInfo componentInfo = createMock(ComponentInfo.class);
+    expect(componentInfo.getName()).andReturn(componentName).anyTimes();
+    return componentInfo;
+  }
+
+  private PropertyInfo crateMockPropertyInfo(String fileName, String propertyName, String propertyValue) {
+    PropertyInfo propertyInfo = createMock(PropertyInfo.class);
+    expect(propertyInfo.getFilename()).andReturn(fileName).anyTimes();
+    expect(propertyInfo.getName()).andReturn(propertyName).anyTimes();
+    expect(propertyInfo.getValue()).andReturn(propertyValue).anyTimes();
+    return propertyInfo;
+  }
+
+  private ServiceInfo createMockServiceInfo(String name, List<PropertyInfo> properties, List<ComponentInfo> components) {
+    ServiceInfo serviceInfo = createMock(ServiceInfo.class);
+    expect(serviceInfo.getName()).andReturn(name).anyTimes();
+    expect(serviceInfo.getProperties()).andReturn(properties).anyTimes();
+    expect(serviceInfo.getComponents()).andReturn(components).anyTimes();
+    return serviceInfo;
+  }
+
+  private Map<String, Map<String, String>> getClusterConfig() throws URISyntaxException, FileNotFoundException {
+    URL url = ClassLoader.getSystemResource("PreconfigureActionTest_cluster_config.json");
+    return new Gson().fromJson(new FileReader(new File(url.toURI())),
+        new TypeToken<Map<String, Map<String, String>>>() {
+        }.getType());
+  }
+
+  private KerberosDescriptor getKerberosDescriptor(boolean includePreconfigureData) throws URISyntaxException, IOException {
+    URL url;
+
+    if (includePreconfigureData) {
+      url = ClassLoader.getSystemResource("PreconfigureActionTest_kerberos_descriptor_stack_preconfigure.json");
+    } else {
+      url = ClassLoader.getSystemResource("PreconfigureActionTest_kerberos_descriptor_stack.json");
+    }
+
+    return new KerberosDescriptorFactory().createInstance(new File(url.toURI()));
+  }
+
+  private ServiceComponent createMockServiceComponent(String name, Boolean isClientComponent, Map<String, ServiceComponentHost> serviceComponentHostMap) throws AmbariException {
+    ServiceComponent serviceComponent = createMock(ServiceComponent.class);
+    expect(serviceComponent.getName()).andReturn(name).anyTimes();
+    expect(serviceComponent.isClientComponent()).andReturn(isClientComponent).anyTimes();
+
+    for (Map.Entry<String, ServiceComponentHost> entry : serviceComponentHostMap.entrySet()) {
+      expect(serviceComponent.getServiceComponentHost(entry.getKey())).andReturn(serviceComponentHostMap.get(entry.getKey())).anyTimes();
+    }
+
+    expect(serviceComponent.getServiceComponentHosts()).andReturn(serviceComponentHostMap).anyTimes();
+
+    return serviceComponent;
+  }
+
+  private ServiceComponentHost createMockServiceComponentHost(String serviceName, String componentName, String hostname, Host host) {
+    ServiceComponentHost serviceComponentHost = createMock(ServiceComponentHost.class);
+    expect(serviceComponentHost.getServiceName()).andReturn(serviceName).anyTimes();
+    expect(serviceComponentHost.getServiceComponentName()).andReturn(componentName).anyTimes();
+    expect(serviceComponentHost.getHostName()).andReturn(hostname).anyTimes();
+    expect(serviceComponentHost.getHost()).andReturn(host).anyTimes();
+    expect(serviceComponentHost.getComponentAdminState()).andReturn(HostComponentAdminState.INSERVICE).anyTimes();
+
+    return serviceComponentHost;
+  }
+
+  private Service createMockService(String name, Map<String, ServiceComponent> components, StackId desiredStackId) {
+    Service service = createMock(Service.class);
+    expect(service.getName()).andReturn(name).anyTimes();
+    expect(service.getServiceComponents()).andReturn(components).anyTimes();
+    expect(service.getDesiredStackId()).andReturn(desiredStackId).anyTimes();
+    return service;
+  }
+
+  private Clusters createMockClusters(Injector injector, Cluster cluster) throws AmbariException {
+    Clusters clusters = injector.getInstance(Clusters.class);
+    expect(clusters.getCluster(CLUSTER_NAME)).andReturn(cluster).atLeastOnce();
+    return clusters;
+  }
+
+  private Cluster createMockCluster(SecurityType securityType, Collection<Host> hosts,
+                                    Map<String, Service> services,
+                                    Map<String, List<ServiceComponentHost>> serviceComponentHosts,
+                                    StackId currentStackId, final Map<String, Config> clusterConfigs) {
+    final Cluster cluster = createMock(Cluster.class);
+    expect(cluster.getSecurityType()).andReturn(securityType).anyTimes();
+    expect(cluster.getClusterName()).andReturn(CLUSTER_NAME).anyTimes();
+    expect(cluster.getClusterId()).andReturn(1L).anyTimes();
+    expect(cluster.getHosts()).andReturn(hosts).anyTimes();
+    expect(cluster.getServices()).andReturn(services).anyTimes();
+    expect(cluster.getCurrentStackVersion()).andReturn(currentStackId).anyTimes();
+
+    for (Map.Entry<String, List<ServiceComponentHost>> entry : serviceComponentHosts.entrySet()) {
+      expect(cluster.getServiceComponentHosts(entry.getKey())).andReturn(entry.getValue()).atLeastOnce();
+    }
+
+    expect(cluster.getServiceComponentHostMap(null, new HashSet<>(Arrays.asList("HDFS", "ZOOKEEPER", "YARN", "KNOX"))))
+        .andReturn(null)
+        .anyTimes();
+    expect(cluster.getServiceComponentHostMap(null, new HashSet<>(Arrays.asList("HDFS", "ZOOKEEPER", "YARN"))))
+        .andReturn(null)
+        .anyTimes();
+
+    Map<String, String> configTypeService = new HashMap<>();
+    configTypeService.put("hdfs-site", "HDFS");
+    configTypeService.put("core-site", "HDFS");
+    configTypeService.put("hadoop-env", "HDFS");
+    configTypeService.put("cluster-env", null);
+    configTypeService.put("kerberos-env", "KERBEROS");
+    configTypeService.put("ranger-hdfs-audit", "RANGER");
+    configTypeService.put("zookeeper-env", "ZOOKEEPER");
+    configTypeService.put("gateway-site", "KNOX");
+
+    for (Map.Entry<String, String> entry : configTypeService.entrySet()) {
+      expect(cluster.getServiceByConfigType(entry.getKey())).andReturn(entry.getValue()).anyTimes();
+    }
+
+    for (Map.Entry<String, Config> entry : clusterConfigs.entrySet()) {
+      expect(cluster.getDesiredConfigByType(entry.getKey())).andReturn(entry.getValue()).anyTimes();
+      expect(cluster.getConfigsByType(entry.getKey())).andReturn(Collections.singletonMap(entry.getKey(), entry.getValue())).anyTimes();
+      expect(cluster.getConfigPropertiesTypes(entry.getKey())).andReturn(Collections.<PropertyInfo.PropertyType, Set<String>>emptyMap()).anyTimes();
+    }
+
+    return cluster;
+  }
+
+  private Config createMockConfig(Map<String, String> properties) {
+    Config config = createMock(Config.class);
+    expect(config.getProperties()).andReturn(properties).anyTimes();
+    expect(config.getPropertiesAttributes()).andReturn(Collections.<String, Map<String, String>>emptyMap()).anyTimes();
+    return config;
+  }
+
+  private Map<String, String> getDefaultCommandParams() {
+    Map<String, String> commandParams = new HashMap<>();
+    commandParams.put("clusterName", CLUSTER_NAME);
+    commandParams.put(UPGRADE_DIRECTION_KEY, Direction.UPGRADE.name());
+    return commandParams;
+  }
+
+  private ExecutionCommand createMockExecutionCommand(Map<String, String> commandParams) {
+    ExecutionCommand executionCommand = createMock(ExecutionCommand.class);
+    expect(executionCommand.getCommandParams()).andReturn(commandParams).atLeastOnce();
+    return executionCommand;
+  }
+
+  private Injector getInjector() {
+    return Guice.createInjector(new AbstractModule() {
+      @Override
+      protected void configure() {
+        bind(EntityManager.class).toInstance(createMock(EntityManager.class));
+        bind(DBAccessor.class).toInstance(createMock(DBAccessor.class));
+        bind(UpgradeContextFactory.class).toInstance(createMock(UpgradeContextFactory.class));
+        bind(OsFamily.class).toInstance(createMock(OsFamily.class));
+        bind(StackManagerFactory.class).toInstance(createMock(StackManagerFactory.class));
+        bind(StageFactory.class).toInstance(createMock(StageFactory.class));
+        bind(AmbariMetaInfo.class).toInstance(createMock(AmbariMetaInfo.class));
+        bind(AmbariCustomCommandExecutionHelper.class).toInstance(createMock(AmbariCustomCommandExecutionHelper.class));
+        bind(ActionManager.class).toInstance(createMock(ActionManager.class));
+        bind(HostRoleCommandDAO.class).toInstance(createNiceMock(HostRoleCommandDAO.class));
+        bind(AuditLogger.class).toInstance(createNiceMock(AuditLogger.class));
+        bind(ArtifactDAO.class).toInstance(createNiceMock(ArtifactDAO.class));
+        bind(KerberosPrincipalDAO.class).toInstance(createNiceMock(KerberosPrincipalDAO.class));
+        bind(RoleCommandOrderProvider.class).to(CachedRoleCommandOrderProvider.class);
+        bind(HostRoleCommandFactory.class).to(HostRoleCommandFactoryImpl.class);
+        bind(RoleCommandOrderProvider.class).to(CachedRoleCommandOrderProvider.class);
+        bind(HostRoleCommandFactory.class).to(HostRoleCommandFactoryImpl.class);
+        bind(RoleGraphFactory.class).toInstance(createMock(RoleGraphFactory.class));
+        bind(RequestFactory.class).toInstance(createMock(RequestFactory.class));
+        bind(RequestExecutionFactory.class).toInstance(createMock(RequestExecutionFactory.class));
+        bind(CredentialStoreService.class).toInstance(createMock(CredentialStoreService.class));
+        bind(TopologyManager.class).toInstance(createNiceMock(TopologyManager.class));
+        bind(ConfigFactory.class).toInstance(createMock(ConfigFactory.class));
+        bind(PersistedState.class).toInstance(createMock(PersistedState.class));
+        bind(ConfigureClusterTaskFactory.class).toInstance(createNiceMock(ConfigureClusterTaskFactory.class));
+        bind(Configuration.class).toInstance(new Configuration(new Properties()));
+
+        bind(AmbariManagementController.class).toInstance(createMock(AmbariManagementController.class));
+        bind(KerberosHelper.class).to(KerberosHelperImpl.class);
+        bind(Clusters.class).toInstance(createMock(Clusters.class));
+        bind(StackAdvisorHelper.class).toInstance(createMock(StackAdvisorHelper.class));
+        bind(ConfigHelper.class).toInstance(createMock(ConfigHelper.class));
+      }
+    });
+  }
+}

http://git-wip-us.apache.org/repos/asf/ambari/blob/d2e10b5b/ambari-server/src/test/resources/PreconfigureActionTest_cluster_config.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/resources/PreconfigureActionTest_cluster_config.json b/ambari-server/src/test/resources/PreconfigureActionTest_cluster_config.json
new file mode 100644
index 0000000..2a744c7
--- /dev/null
+++ b/ambari-server/src/test/resources/PreconfigureActionTest_cluster_config.json
@@ -0,0 +1,110 @@
+{
+  "core-site": {
+    "fs.defaultFS": "hdfs://c6401.ambari.apache.org:8020",
+    "fs.trash.interval": "360",
+    "ha.failover-controller.active-standby-elector.zk.op.retries": "120",
+    "hadoop.custom-extensions.root": "/hdp/ext/{{major_stack_version}}/hadoop",
+    "hadoop.http.authentication.simple.anonymous.allowed": "true",
+    "hadoop.proxyuser.hdfs.groups": "*",
+    "hadoop.proxyuser.hdfs.hosts": "*",
+    "hadoop.proxyuser.root.groups": "*",
+    "hadoop.proxyuser.root.hosts": "c6401.ambari.apache.org",
+    "hadoop.security.auth_to_local": "DEFAULT",
+    "hadoop.security.authentication": "simple",
+    "hadoop.security.authorization": "false",
+    "io.compression.codecs": "org.apache.hadoop.io.compress.GzipCodec,org.apache.hadoop.io.compress.DefaultCodec,org.apache.hadoop.io.compress.SnappyCodec",
+    "io.file.buffer.size": "131072",
+    "io.serializations": "org.apache.hadoop.io.serializer.WritableSerialization",
+    "ipc.client.connect.max.retries": "50",
+    "ipc.client.connection.maxidletime": "30000",
+    "ipc.client.idlethreshold": "8000",
+    "ipc.server.tcpnodelay": "true",
+    "mapreduce.jobtracker.webinterface.trusted": "false",
+    "net.topology.script.file.name": "/etc/hadoop/conf/topology_script.py"
+  },
+  "hadoop-env": {
+    "dtnode_heapsize": "1024m",
+    "hadoop_heapsize": "1024",
+    "hadoop_pid_dir_prefix": "/var/run/hadoop",
+    "hadoop_root_logger": "INFO,RFA",
+    "hdfs_log_dir_prefix": "/var/log/hadoop",
+    "hdfs_principal_name": "hdfs-c1@EXAMPLE.COM",
+    "hdfs_tmp_dir": "/tmp",
+    "hdfs_user": "hdfs",
+    "hdfs_user_keytab": "/etc/security/keytabs/hdfs.headless.keytab",
+    "hdfs_user_nofile_limit": "128000",
+    "hdfs_user_nproc_limit": "65536",
+    "keyserver_host": " ",
+    "keyserver_port": "",
+    "namenode_backup_dir": "/tmp/upgrades",
+    "namenode_heapsize": "1024m",
+    "namenode_opt_maxnewsize": "128m",
+    "namenode_opt_maxpermsize": "256m",
+    "namenode_opt_newsize": "128m",
+    "namenode_opt_permsize": "128m",
+    "nfsgateway_heapsize": "1024",
+    "proxyuser_group": "users"
+  },
+  "cluster-env" : {
+    "agent_mounts_ignore_list": "",
+    "alerts_repeat_tolerance": "1",
+    "ambari_principal_name": "ambari-server-c1@EXAMPLE.COM",
+    "enable_external_ranger": "false",
+    "fetch_nonlocal_groups": "true",
+    "hide_yarn_memory_widget": "false",
+    "ignore_bad_mounts": "false",
+    "ignore_groupsusers_create": "false",
+    "kerberos_domain": "EXAMPLE.COM",
+    "manage_dirs_on_root": "true",
+    "managed_hdfs_resource_property_names": "",
+    "one_dir_per_partition": "false",
+    "override_uid": "true",
+    "recovery_enabled": "false",
+    "recovery_lifetime_max_count": "1024",
+    "recovery_max_count": "6",
+    "recovery_retry_interval": "5",
+    "recovery_type": "AUTO_START",
+    "recovery_window_in_minutes": "60",
+    "repo_ubuntu_template": "{{package_type}} {{base_url}} {{components}}",
+    "security_enabled": "true",
+    "smokeuser": "ambari-qa",
+    "smokeuser_keytab": "/etc/security/keytabs/smokeuser.headless.keytab",
+    "smokeuser_principal_name": "ambari-qa-c1@EXAMPLE.COM",
+    "stack_name": "HDP",
+    "sysprep_skip_copy_fast_jar_hdfs": "false",
+    "sysprep_skip_copy_oozie_share_lib_to_hdfs": "false",
+    "sysprep_skip_copy_tarballs_hdfs": "false",
+    "sysprep_skip_create_users_and_groups": "false",
+    "sysprep_skip_setup_jce": "false",
+    "user_group": "hadoop"
+  },
+  "kerberos-env" : {
+    "ad_create_attributes_template": "\n{\n  \"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"],\n  \"cn\": \"$principal_name\",\n  #if( $is_service )\n  \"servicePrincipalName\": \"$principal_name\",\n  #end\n  \"userPrincipalName\": \"$normalized_principal\",\n  \"unicodePwd\": \"$password\",\n  \"accountExpires\": \"0\",\n  \"userAccountControl\": \"66048\"\n}",
+    "admin_server_host": "c6401",
+    "case_insensitive_username_rules": "false",
+    "container_dn": "",
+    "create_ambari_principal": "true",
+    "encryption_types": "aes des3-cbc-sha1 rc4 des-cbc-md5",
+    "executable_search_paths": "/usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin",
+    "group": "ambari-managed-principals",
+    "install_packages": "true",
+    "kdc_create_attributes": "",
+    "kdc_hosts": "c6401",
+    "kdc_type": "mit-kdc",
+    "ldap_url": "",
+    "manage_auth_to_local": "true",
+    "manage_identities": "true",
+    "master_kdc": "",
+    "password_chat_timeout": "5",
+    "password_length": "20",
+    "password_min_digits": "1",
+    "password_min_lowercase_letters": "1",
+    "password_min_punctuation": "1",
+    "password_min_uppercase_letters": "1",
+    "password_min_whitespace": "0",
+    "preconfigure_services": "DEFAULT",
+    "realm": "EXAMPLE.COM",
+    "service_check_principal_name": "${cluster_name|toLower()}-${short_date}",
+    "set_password_expiry": "false"
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/d2e10b5b/ambari-server/src/test/resources/PreconfigureActionTest_kerberos_descriptor_stack.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/resources/PreconfigureActionTest_kerberos_descriptor_stack.json b/ambari-server/src/test/resources/PreconfigureActionTest_kerberos_descriptor_stack.json
new file mode 100644
index 0000000..ddd00bd
--- /dev/null
+++ b/ambari-server/src/test/resources/PreconfigureActionTest_kerberos_descriptor_stack.json
@@ -0,0 +1,713 @@
+{
+  "identities": [
+    {
+      "keytab": {
+        "configuration": "cluster-env/smokeuser_keytab",
+        "file": "${keytab_dir}/smokeuser.headless.keytab",
+        "group": {
+          "access": "r",
+          "name": "${cluster-env/user_group}"
+        },
+        "owner": {
+          "access": "r",
+          "name": "${cluster-env/smokeuser}"
+        }
+      },
+      "name": "smokeuser",
+      "principal": {
+        "configuration": "cluster-env/smokeuser_principal_name",
+        "local_username": "${cluster-env/smokeuser}",
+        "type": "user",
+        "value": "${cluster-env/smokeuser}${principal_suffix}@${realm}"
+      }
+    },
+    {
+      "keytab": {
+        "file": "${keytab_dir}/spnego.service.keytab",
+        "group": {
+          "access": "r",
+          "name": "${cluster-env/user_group}"
+        },
+        "owner": {
+          "access": "r",
+          "name": "root"
+        }
+      },
+      "name": "spnego",
+      "principal": {
+        "configuration": null,
+        "local_username": null,
+        "type": "service",
+        "value": "HTTP/_HOST@${realm}"
+      }
+    }
+  ],
+  "services": [
+    {
+      "components": [
+        {
+          "identities": [
+            {
+              "keytab": {
+                "file": "${keytab_dir}/ambari.server.keytab",
+                "group": {},
+                "owner": {
+                  "access": "r"
+                }
+              },
+              "name": "ambari-server",
+              "principal": {
+                "configuration": "cluster-env/ambari_principal_name",
+                "local_username": null,
+                "type": "user",
+                "value": "ambari-server${principal_suffix}@${realm}"
+              }
+            },
+            {
+              "name": "ambari-server_spnego",
+              "reference": "/spnego"
+            }
+          ],
+          "name": "AMBARI_SERVER"
+        }
+      ],
+      "name": "AMBARI"
+    },
+    {
+      "auth_to_local_properties": [
+        "core-site/hadoop.security.auth_to_local"
+      ],
+      "components": [
+        {
+          "configurations": [
+            {
+              "hdfs-site": {
+                "dfs.datanode.address": "0.0.0.0:1019",
+                "dfs.datanode.http.address": "0.0.0.0:1022"
+              }
+            }
+          ],
+          "identities": [
+            {
+              "keytab": {
+                "configuration": "hdfs-site/dfs.datanode.keytab.file",
+                "file": "${keytab_dir}/dn.service.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${hadoop-env/hdfs_user}"
+                }
+              },
+              "name": "datanode_dn",
+              "principal": {
+                "configuration": "hdfs-site/dfs.datanode.kerberos.principal",
+                "local_username": "${hadoop-env/hdfs_user}",
+                "type": "service",
+                "value": "dn/_HOST@${realm}"
+              }
+            }
+          ],
+          "name": "DATANODE"
+        },
+        {
+          "identities": [
+            {
+              "name": "/HDFS/NAMENODE/hdfs"
+            }
+          ],
+          "name": "HDFS_CLIENT"
+        },
+        {
+          "identities": [
+            {
+              "name": "/spnego",
+              "principal": {
+                "configuration": "hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal",
+                "local_username": null,
+                "type": null,
+                "value": "HTTP/_HOST@${realm}"
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "hdfs-site/dfs.journalnode.keytab.file",
+                "file": "${keytab_dir}/jn.service.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${hadoop-env/hdfs_user}"
+                }
+              },
+              "name": "journalnode_jn",
+              "principal": {
+                "configuration": "hdfs-site/dfs.journalnode.kerberos.principal",
+                "local_username": "${hadoop-env/hdfs_user}",
+                "type": "service",
+                "value": "jn/_HOST@${realm}"
+              }
+            }
+          ],
+          "name": "JOURNALNODE"
+        },
+        {
+          "configurations": [
+            {
+              "hdfs-site": {
+                "dfs.block.access.token.enable": "true"
+              }
+            }
+          ],
+          "identities": [
+            {
+              "keytab": {
+                "configuration": "ranger-hdfs-audit/xasecure.audit.jaas.Client.option.keyTab",
+                "file": "${keytab_dir}/nn.service.keytab"
+              },
+              "name": "/HDFS/NAMENODE/namenode_nn",
+              "principal": {
+                "configuration": "ranger-hdfs-audit/xasecure.audit.jaas.Client.option.principal",
+                "local_username": null,
+                "type": null,
+                "value": "nn/_HOST@${realm}"
+              }
+            },
+            {
+              "name": "/spnego",
+              "principal": {
+                "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal",
+                "local_username": null,
+                "type": null,
+                "value": "HTTP/_HOST@${realm}"
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "hadoop-env/hdfs_user_keytab",
+                "file": "${keytab_dir}/hdfs.headless.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${hadoop-env/hdfs_user}"
+                }
+              },
+              "name": "hdfs",
+              "principal": {
+                "configuration": "hadoop-env/hdfs_principal_name",
+                "local_username": "${hadoop-env/hdfs_user}",
+                "type": "user",
+                "value": "${hadoop-env/hdfs_user}${principal_suffix}@${realm}"
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "hdfs-site/dfs.namenode.keytab.file",
+                "file": "${keytab_dir}/nn.service.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${hadoop-env/hdfs_user}"
+                }
+              },
+              "name": "namenode_nn",
+              "principal": {
+                "configuration": "hdfs-site/dfs.namenode.kerberos.principal",
+                "local_username": "${hadoop-env/hdfs_user}",
+                "type": "service",
+                "value": "nn/_HOST@${realm}"
+              }
+            }
+          ],
+          "name": "NAMENODE"
+        },
+        {
+          "identities": [
+            {
+              "keytab": {
+                "configuration": "hdfs-site/nfs.keytab.file",
+                "file": "${keytab_dir}/nfs.service.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${hadoop-env/hdfs_user}"
+                }
+              },
+              "name": "nfsgateway",
+              "principal": {
+                "configuration": "hdfs-site/nfs.kerberos.principal",
+                "local_username": "${hadoop-env/hdfs_user}",
+                "type": "service",
+                "value": "nfs/_HOST@${realm}"
+              }
+            }
+          ],
+          "name": "NFS_GATEWAY"
+        },
+        {
+          "identities": [
+            {
+              "name": "/spnego",
+              "principal": {
+                "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal",
+                "local_username": null,
+                "type": null,
+                "value": "HTTP/_HOST@${realm}"
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "hdfs-site/dfs.secondary.namenode.keytab.file",
+                "file": "${keytab_dir}/nn.service.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${hadoop-env/hdfs_user}"
+                }
+              },
+              "name": "secondary_namenode_nn",
+              "principal": {
+                "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.principal",
+                "local_username": "${hadoop-env/hdfs_user}",
+                "type": "service",
+                "value": "nn/_HOST@${realm}"
+              }
+            }
+          ],
+          "name": "SECONDARY_NAMENODE"
+        }
+      ],
+      "configurations": [
+        {
+          "core-site": {
+            "ha.zookeeper.acl": "sasl:nn:rwcda",
+            "hadoop.proxyuser.HTTP.groups": "${hadoop-env/proxyuser_group}",
+            "hadoop.security.authentication": "kerberos",
+            "hadoop.security.authorization": "true"
+          }
+        },
+        {
+          "ranger-hdfs-audit": {
+            "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true",
+            "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+            "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+            "xasecure.audit.jaas.Client.option.serviceName": "solr",
+            "xasecure.audit.jaas.Client.option.storeKey": "false",
+            "xasecure.audit.jaas.Client.option.useKeyTab": "true"
+          }
+        }
+      ],
+      "identities": [
+        {
+          "name": "/smokeuser"
+        },
+        {
+          "keytab": {
+            "configuration": "hdfs-site/dfs.web.authentication.kerberos.keytab",
+            "file": "${keytab_dir}/spnego.service.keytab"
+          },
+          "name": "/spnego",
+          "principal": {
+            "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal",
+            "local_username": null,
+            "type": null,
+            "value": "HTTP/_HOST@${realm}"
+          }
+        }
+      ],
+      "name": "HDFS"
+    },
+    {
+      "components": [
+        {
+          "identities": [
+            {
+              "name": "/HDFS/NAMENODE/hdfs"
+            },
+            {
+              "keytab": {
+                "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.keytab",
+                "file": "${keytab_dir}/spnego.service.keytab"
+              },
+              "name": "/spnego",
+              "principal": {
+                "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal",
+                "local_username": null,
+                "type": null,
+                "value": "HTTP/_HOST@${realm}"
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "yarn-site/yarn.timeline-service.keytab",
+                "file": "${keytab_dir}/yarn.service.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${yarn-env/yarn_user}"
+                }
+              },
+              "name": "app_timeline_server_yarn",
+              "principal": {
+                "configuration": "yarn-site/yarn.timeline-service.principal",
+                "local_username": "${yarn-env/yarn_user}",
+                "type": "service",
+                "value": "yarn/_HOST@${realm}"
+              }
+            }
+          ],
+          "name": "APP_TIMELINE_SERVER"
+        },
+        {
+          "configurations": [
+            {
+              "yarn-site": {
+                "yarn.nodemanager.container-executor.class": "org.apache.hadoop.yarn.server.nodemanager.DefaultContainerExecutor"
+              }
+            }
+          ],
+          "identities": [
+            {
+              "keytab": {
+                "configuration": "hive-interactive-site/hive.llap.daemon.keytab.file",
+                "file": null
+              },
+              "name": "/HIVE/HIVE_SERVER/hive_server_hive",
+              "principal": {
+                "configuration": "hive-interactive-site/hive.llap.daemon.service.principal",
+                "local_username": null,
+                "type": null,
+                "value": null
+              },
+              "when": {
+                "contains": [
+                  "services",
+                  "HIVE"
+                ]
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-keytab-file",
+                "file": "${keytab_dir}/spnego.service.keytab"
+              },
+              "name": "/spnego",
+              "principal": {
+                "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal",
+                "local_username": null,
+                "type": null,
+                "value": "HTTP/_HOST@${realm}"
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "hive-interactive-site/hive.llap.zk.sm.keytab.file",
+                "file": "${keytab_dir}/hive.llap.zk.sm.keytab",
+                "group": {
+                  "access": "r",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${yarn-env/yarn_user}"
+                }
+              },
+              "name": "llap_zk_hive",
+              "principal": {
+                "configuration": "hive-interactive-site/hive.llap.zk.sm.principal",
+                "local_username": null,
+                "type": "service",
+                "value": "hive/_HOST@${realm}"
+              },
+              "when": {
+                "contains": [
+                  "services",
+                  "HIVE"
+                ]
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "yarn-site/yarn.nodemanager.keytab",
+                "file": "${keytab_dir}/nm.service.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${yarn-env/yarn_user}"
+                }
+              },
+              "name": "nodemanager_nm",
+              "principal": {
+                "configuration": "yarn-site/yarn.nodemanager.principal",
+                "local_username": "${yarn-env/yarn_user}",
+                "type": "service",
+                "value": "nm/_HOST@${realm}"
+              }
+            }
+          ],
+          "name": "NODEMANAGER"
+        },
+        {
+          "identities": [
+            {
+              "keytab": {
+                "configuration": "ranger-yarn-audit/xasecure.audit.jaas.Client.option.keyTab",
+                "file": "${keytab_dir}/rm.service.keytab"
+              },
+              "name": "/YARN/RESOURCEMANAGER/resource_manager_rm",
+              "principal": {
+                "configuration": "ranger-yarn-audit/xasecure.audit.jaas.Client.option.principal",
+                "local_username": null,
+                "type": null,
+                "value": "rm/_HOST@${realm}"
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-keytab-file",
+                "file": "${keytab_dir}/spnego.service.keytab"
+              },
+              "name": "/spnego",
+              "principal": {
+                "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal",
+                "local_username": null,
+                "type": null,
+                "value": "HTTP/_HOST@${realm}"
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "yarn-site/yarn.resourcemanager.keytab",
+                "file": "${keytab_dir}/rm.service.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${yarn-env/yarn_user}"
+                }
+              },
+              "name": "resource_manager_rm",
+              "principal": {
+                "configuration": "yarn-site/yarn.resourcemanager.principal",
+                "local_username": "${yarn-env/yarn_user}",
+                "type": "service",
+                "value": "rm/_HOST@${realm}"
+              }
+            }
+          ],
+          "name": "RESOURCEMANAGER"
+        }
+      ],
+      "configurations": [
+        {
+          "capacity-scheduler": {
+            "yarn.scheduler.capacity.root.acl_administer_jobs": "${yarn-env/yarn_user}",
+            "yarn.scheduler.capacity.root.acl_administer_queue": "${yarn-env/yarn_user}",
+            "yarn.scheduler.capacity.root.default.acl_administer_jobs": "${yarn-env/yarn_user}",
+            "yarn.scheduler.capacity.root.default.acl_administer_queue": "${yarn-env/yarn_user}",
+            "yarn.scheduler.capacity.root.default.acl_submit_applications": "${yarn-env/yarn_user}"
+          }
+        },
+        {
+          "core-site": {
+            "hadoop.proxyuser.${yarn-env/yarn_user}.groups": "*",
+            "hadoop.proxyuser.${yarn-env/yarn_user}.hosts": "${clusterHostInfo/rm_host}"
+          }
+        },
+        {
+          "ranger-yarn-audit": {
+            "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true",
+            "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+            "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+            "xasecure.audit.jaas.Client.option.serviceName": "solr",
+            "xasecure.audit.jaas.Client.option.storeKey": "false",
+            "xasecure.audit.jaas.Client.option.useKeyTab": "true"
+          }
+        },
+        {
+          "yarn-site": {
+            "hadoop.registry.client.auth": "kerberos",
+            "hadoop.registry.jaas.context": "Client",
+            "hadoop.registry.secure": "true",
+            "hadoop.registry.system.accounts": "sasl:${principals/YARN/APP_TIMELINE_SERVER/app_timeline_server_yarn|principalPrimary()},sasl:${principals/MAPREDUCE2/HISTORYSERVER/history_server_jhs|principalPrimary()},sasl:${principals/HDFS/NAMENODE/hdfs|principalPrimary()},sasl:${principals/YARN/RESOURCEMANAGER/resource_manager_rm|principalPrimary()},sasl:${principals/HIVE/HIVE_SERVER/hive_server_hive|principalPrimary()}",
+            "yarn.acl.enable": "true",
+            "yarn.admin.acl": "${activity-conf/global.activity.analyzer.user},dr.who,${yarn-env/yarn_user}",
+            "yarn.resourcemanager.proxy-user-privileges.enabled": "true",
+            "yarn.resourcemanager.proxyuser.*.groups": "",
+            "yarn.resourcemanager.proxyuser.*.hosts": "",
+            "yarn.resourcemanager.proxyuser.*.users": "",
+            "yarn.resourcemanager.zk-acl": "sasl:${principals/YARN/RESOURCEMANAGER/resource_manager_rm|principalPrimary()}:rwcda",
+            "yarn.timeline-service.enabled": "true",
+            "yarn.timeline-service.http-authentication.cookie.domain": "",
+            "yarn.timeline-service.http-authentication.cookie.path": "",
+            "yarn.timeline-service.http-authentication.kerberos.name.rules": "",
+            "yarn.timeline-service.http-authentication.proxyuser.*.groups": "",
+            "yarn.timeline-service.http-authentication.proxyuser.*.hosts": "",
+            "yarn.timeline-service.http-authentication.proxyuser.*.users": "",
+            "yarn.timeline-service.http-authentication.signature.secret": "",
+            "yarn.timeline-service.http-authentication.signature.secret.file": "",
+            "yarn.timeline-service.http-authentication.signer.secret.provider": "",
+            "yarn.timeline-service.http-authentication.signer.secret.provider.object": "",
+            "yarn.timeline-service.http-authentication.token.validity": "",
+            "yarn.timeline-service.http-authentication.type": "kerberos"
+          }
+        }
+      ],
+      "identities": [
+        {
+          "name": "/smokeuser"
+        },
+        {
+          "name": "/spnego"
+        }
+      ],
+      "name": "YARN"
+    },
+    {
+      "components": [
+        {
+          "configurations": [
+            {
+              "core-site": {
+                "hadoop.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+                "hadoop.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+              }
+            },
+            {
+              "gateway-site": {
+                "gateway.hadoop.kerberos.secured": "true",
+                "java.security.krb5.conf": "/etc/krb5.conf"
+              }
+            },
+            {
+              "oozie-site": {
+                "oozie.service.ProxyUserService.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+                "oozie.service.ProxyUserService.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+              }
+            },
+            {
+              "ranger-knox-audit": {
+                "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true",
+                "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+                "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+                "xasecure.audit.jaas.Client.option.serviceName": "solr",
+                "xasecure.audit.jaas.Client.option.storeKey": "false",
+                "xasecure.audit.jaas.Client.option.useKeyTab": "true"
+              }
+            },
+            {
+              "webhcat-site": {
+                "webhcat.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+                "webhcat.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+              }
+            }
+          ],
+          "identities": [
+            {
+              "keytab": {
+                "configuration": "ranger-knox-audit/xasecure.audit.jaas.Client.option.keyTab",
+                "file": null
+              },
+              "name": "/KNOX/KNOX_GATEWAY/knox_principal",
+              "principal": {
+                "configuration": "ranger-knox-audit/xasecure.audit.jaas.Client.option.principal",
+                "local_username": null,
+                "type": null,
+                "value": null
+              }
+            },
+            {
+              "keytab": {
+                "configuration": "knox-env/knox_keytab_path",
+                "file": "${keytab_dir}/knox.service.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${knox-env/knox_user}"
+                }
+              },
+              "name": "knox_principal",
+              "principal": {
+                "configuration": "knox-env/knox_principal_name",
+                "local_username": "${knox-env/knox_user}",
+                "type": "service",
+                "value": "${knox-env/knox_user}/_HOST@${realm}"
+              }
+            }
+          ],
+          "name": "KNOX_GATEWAY"
+        }
+      ],
+      "name": "KNOX"
+    },
+    {
+      "components": [
+        {
+          "identities": [
+            {
+              "keytab": {
+                "configuration": "zookeeper-env/zookeeper_keytab_path",
+                "file": "${keytab_dir}/zk.service.keytab",
+                "group": {
+                  "access": "",
+                  "name": "${cluster-env/user_group}"
+                },
+                "owner": {
+                  "access": "r",
+                  "name": "${zookeeper-env/zk_user}"
+                }
+              },
+              "name": "zookeeper_zk",
+              "principal": {
+                "configuration": "zookeeper-env/zookeeper_principal_name",
+                "local_username": null,
+                "type": "service",
+                "value": "zookeeper/_HOST@${realm}"
+              }
+            }
+          ],
+          "name": "ZOOKEEPER_SERVER"
+        }
+      ],
+      "identities": [
+        {
+          "name": "/smokeuser"
+        }
+      ],
+      "name": "ZOOKEEPER"
+    }
+  ],
+  "properties": {
+    "additional_realms": "",
+    "keytab_dir": "/etc/security/keytabs",
+    "principal_suffix": "-${cluster_name|toLower()}",
+    "realm": "EXAMPLE.COM"
+  }
+}
\ No newline at end of file


Mime
View raw message