ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-8478) Falcon service components should indicate security state
Date Tue, 30 Dec 2014 20:14:14 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-8478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14261443#comment-14261443
] 

Hudson commented on AMBARI-8478:
--------------------------------

FAILURE: Integrated in Ambari-trunk-Commit-docker #635 (See [https://builds.apache.org/job/Ambari-trunk-Commit-docker/635/])
AMBARI-8478. Falcon service components should indicate security state. (robert levas via jaimin)
(jaimin: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=e3c9aa7a4336a43be61342c80395b45288979d5f)
* ambari-server/src/main/resources/common-services/FALCON/0.5.0.2.1/package/scripts/falcon_server.py
* ambari-server/src/main/resources/common-services/FALCON/0.5.0.2.1/package/scripts/falcon_client.py
* ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/namenode.py
* ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/snamenode.py
* ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/journalnode.py
* ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/hdfs_client.py
* ambari-server/src/test/python/stacks/2.1/FALCON/test_falcon_client.py
* ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py
* ambari-server/src/test/python/stacks/2.1/FALCON/test_falcon_server.py
* ambari-server/src/main/resources/common-services/FALCON/0.5.0.2.1/package/scripts/status_params.py
* ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/datanode.py
* ambari-server/src/test/python/stacks/utils/RMFTestCase.py
* ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py


> Falcon service components should indicate security state
> --------------------------------------------------------
>
>                 Key: AMBARI-8478
>                 URL: https://issues.apache.org/jira/browse/AMBARI-8478
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server, stacks
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos, lifecycle, security
>             Fix For: 2.0.0
>
>         Attachments: AMBARI-8478_01.patch, AMBARI-8478_02.patch
>
>
> The Falcon service components should indicate security state when queried by Ambari Agent
via STATUS_COMMAND. Each component should determine it's state as follows:
> h3. FALCON_CLIENT
> h4. Indicators
> * Command JSON
> ** config\['configurations']\['cluster-env']\['security_enabled'] 
> *** = “true”
> h4. PseudoCode
> {code}
> if indicators imply security is on and validate
>     state = SECURED_KERBEROS
> else
>     state = UNSECURED
> {code}
> h3. FALCON_SERVER
> h4. Indicators
> * Command JSON
> ** config\['configurations']\['cluster-env']\['security_enabled'] 
> *** = “true”
> * Configuration File: params.falcon_conf_dir + ‘/startup.properties’
> ** *.falcon.authentication.type
> *** = “kerberos”
> ** *.falcon.service.authentication.kerberos.principal
> *** not empty
> *** required
> ** *.falcon.service.authentication.kerberos.keytab
> *** not empty
> *** required
> *** path exists and is readable
> ** *.dfs.namenode.kerberos.principal
> *** not empty
> *** required
> ** *.falcon.http.authentication.type
> *** = “kerberos”
> ** *.falcon.http.authentication.kerberos.principal
> *** not empty
> *** required
> ** *.falcon.http.authentication.kerberos.keytab
> *** not empty
> *** required
> *** path exists and is readable
> h4. Pseudocode
> {code} 
> if indicators imply security is on and validate
>     if kinit(falcon principal) && kinit(http principal) succeeds
>         state = SECURED_KERBEROS
>     else
>         state = ERROR 
> else
>     state = UNSECURED
> {code}
>  
> _*Note*_: Due to the _cost_ of calling {{kinit}} results should be cached for a period
of time before retrying.  This may be an issue depending on the frequency of the heartbeat
timeout.
> _*Note*_: {{kinit}} calls should specify a _temporary_ cache file which should be destroyed
after command is executed - BUG-29477



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message