ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <>
Subject [jira] [Created] (AMBARI-8343) Components should indicate Kerberos State (via ambari-agent)
Date Sat, 15 Nov 2014 16:30:33 GMT
Robert Levas created AMBARI-8343:

             Summary: Components should indicate Kerberos State (via ambari-agent)
                 Key: AMBARI-8343
             Project: Ambari
          Issue Type: New Feature
          Components: ambari-agent
    Affects Versions: 2.0.0
            Reporter: Robert Levas
            Assignee: Robert Levas
            Priority: Critical
             Fix For: 2.0.0

In order to properly handle the automated installation or removal of Kerberos from the cluster,
Ambari needs to know whether each component on the hosts of the cluster is properly Kerberized
or not.  This information may be compared with data on the Ambari server to help determine
what steps should be taken to ensure the cluster is in the correct Kerbrerized state.

To do this, the current and desired component Kerbrerization state is maintained in the Ambari
database.  The Ambari server will update the desired state details according to whether the
cluster is to be Kerberized or not and whether the relevant service has enough metadata to
be Kerberized.  If the desired and actual Kerberization state details do not match, the Ambari
server will take the necessary steps to work towards synchronization. 

In order for a component to indicate its Kerberization status, a new property needs to be
returned in the {{STATUS_COMMAND}} response message (from the Ambari agent).  This property
should be named ‘kerberosState’ and should have one of the following values:

{{ON}} - indicates Kerberos is configured and working properly
{{OFF}} - indicates Kerberos is not configured and working properly
{{ERROR}} - indicates that Kerberos is configured but is not working properly
{{UNKNOWN}} - indicates that the state cannot be determined

To properly set this state value, a call needs to be executed per component querying for its
specific state.  Due to the differences on how each component is configured for Kerberos and
how it may be determined if Kerberos is setup and working properly, it is necessary for each
component to have its own logic for determining this state. Therefore the ambari-agent process
will need to call into the component’s configured (lifecycle) script and wait for its response
- not unlike how it determines whether the component is up and running.

After the infrastructure is in place, each service definition needs to be updated to implement
the new Kerberos status check function.  The function should perform the following steps:

* Determine if Kerberos is enabled for disabled
** If disabled, return “OFF”
** If enabled, perform tests (kinit?, ping KDC?) to determine if the configuration appears
to be working
*** If working, return “ON”
*** If not working, return “ERROR”

If no function is available, the Ambari agent should return “UNKNOWN”.

On the Ambari server, the {{org.apache.ambari.server.agent.HeartBeatHandler}} class needs
to be updated to set the Kerberos state of the relevant component, as indicated from the {{STATUS_COMMAND}}
response.  This should be done {{org.apache.ambari.server.agent.HeartBeatHandler#processStatusReports}}
method, by calling the relavant ServiceComponentHost’s setKerberosState method.

This message was sent by Atlassian JIRA

View raw message