ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMBARI-8899) Knox service components should indicate security state
Date Tue, 23 Dec 2014 21:18:13 GMT
Robert Levas created AMBARI-8899:
------------------------------------

             Summary: Knox service components should indicate security state
                 Key: AMBARI-8899
                 URL: https://issues.apache.org/jira/browse/AMBARI-8899
             Project: Ambari
          Issue Type: Improvement
          Components: ambari-agent, stacks
    Affects Versions: 2.0.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.0.0


The Knox service components should indicate security state when queried by Ambari Agent via
STATUS_COMMAND.  Each component should determine it's state as follows:

h2. KNOX_GATEWAY
h3. Indicators
* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled'] 
*** = “true”
* Configuration File: knox_conf_dir + '/krb5JAASLogin.conf'
** keyTab
*** not empty
*** path exists and is readable
*** required
** principal
*** not empty
*** required

h3. Pseudocode
{code}
if indicators imply security is on and validate
    if kinit(principal) succeeds
        state = SECURED_KERBEROS
    else
        state = ERROR 
else
    state = UNSECURED
{code}

_*Note*_: Due to the _cost_ of calling {{kinit}} results should be cached for a period of
time before retrying.  This may be an issue depending on the frequency of the heartbeat timeout.
_*Note*_: {{kinit}} calls should specify a _temporary_ cache file which should be destroyed
after command is executed - BUG-29477



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message