Date: Tue, 23 Dec 2014 12:07:13 +0000 (UTC)
From: "Robert Levas (JIRA)"
To: dev@ambari.apache.org
Subject: [jira] [Updated] (AMBARI-8485) Hive service components should indicate security state

     [ https://issues.apache.org/jira/browse/AMBARI-8485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-8485:
---------------------------------
    Description:
The Hive service components should indicate security state when queried by Ambari Agent via STATUS_COMMAND. Each component should determine its state as follows:

h3. HIVE_METASTORE

h4. Indicators

* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled']
*** = "true"
* Configuration File: params.hive_client_conf_dir + 'hive-site.xml'
** hive.metastore.sasl.enabled
*** = "true"
*** required
** hive.server2.authentication
*** = "kerberos"
*** required
** hive.security.authorization.enabled
*** = "true"
*** required
** hive.metastore.kerberos.principal
*** not empty
*** required
** hive.metastore.kerberos.keytab.file
*** not empty
*** path exists and is readable
*** required

h4. Pseudocode

{code}
if indicators imply security is on and validate
    if kinit(hive metastore principal) succeeds
        state = SECURED_KERBEROS
    else
        state = ERROR
else
    state = UNSECURED
{code}

h3. HIVE_SERVER

h4. Indicators

* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled']
*** = "true"
* Configuration File: params.hive_client_conf_dir + 'hive-site.xml'
** hive.metastore.sasl.enabled
*** = "true"
*** required
** hive.server2.authentication
*** = "kerberos"
*** required
** hive.security.authorization.enabled
*** = "true"
*** required
** hive.server2.authentication.kerberos.principal
*** not empty
*** required
** hive.server2.authentication.kerberos.keytab
*** not empty
*** path exists and is readable
*** required
** hive.server2.authentication.spnego.principal
*** not empty
*** required
** hive.server2.authentication.spnego.keytab
*** not empty
*** path exists and is readable
*** required

h4. Pseudocode

{code}
if indicators imply security is on and validate
    if kinit(hive server principal) succeeds
        state = SECURED_KERBEROS
    else
        state = ERROR
else
    state = UNSECURED
{code}

h3. WEBHCAT_SERVER

h4. Indicators

* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled']
*** = "true"
* Configuration File: params.hive_client_conf_dir + 'hive-site.xml'
** hive.metastore.sasl.enabled
*** = "true"
*** required
** hive.server2.authentication
*** = "kerberos"
*** required
** hive.security.authorization.enabled
*** = "true"
*** required
* Configuration File: params.config_dir + 'webhcat-site.xml'
** templeton.kerberos.secret
*** = "secret"
*** required
** templeton.kerberos.principal
*** not empty
*** required
** templeton.kerberos.keytab
*** not empty
*** path exists and is readable
*** required

h4. Pseudocode

{code}
if indicators imply security is on and validate
    if kinit(webhcat server principal) succeeds
        state = SECURED_KERBEROS
    else
        state = ERROR
else
    state = UNSECURED
{code}

h3. HIVE_CLIENT

h4. Indicators

* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled']
*** = "true"

h4. Pseudocode

{code}
if indicators imply security is on and validate
    state = SECURED_KERBEROS
else
    state = UNSECURED
{code}

_*Note*_: Due to the _cost_ of calling {{kinit}}, results should be cached for a period of time before retrying. This may be an issue depending on the frequency of the heartbeat timeout.

_*Note*_: {{kinit}} calls should specify a _temporary_ cache file which should be destroyed after the command is executed - BUG-29477

  was:
The Hive service components should indicate security state when queried by Ambari Agent via STATUS_COMMAND. Each component should determine its state as follows:

h3. HIVE_METASTORE

h4. Indicators

* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled']
*** = "true"
* Configuration File: params.hive_client_conf_dir + 'hive-site.xml'
** hive.metastore.sasl.enabled
*** = "true"
*** required
** hive.server2.authentication
*** = "kerberos"
*** required
** hive.security.authorization.enabled
*** = "true"
*** required
** hive.metastore.kerberos.principal
*** not empty
*** required
** hive.metastore.kerberos.keytab.file
*** not empty
*** path exists and is readable
*** required

h4. Pseudocode

{code}
if indicators imply security is on and validate
    if kinit(hive metastore principal) succeeds
        state = SECURED_KERBEROS
    else
        state = ERROR
else
    state = UNSECURED
{code}

h3. HIVE_SERVER

h4. Indicators

* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled']
*** = "true"
* Configuration File: params.hive_client_conf_dir + 'hive-site.xml'
** hive.metastore.sasl.enabled
*** = "true"
*** required
** hive.server2.authentication
*** = "kerberos"
*** required
** hive.security.authorization.enabled
*** = "true"
*** required
** hive.server2.authentication.kerberos.principal
*** not empty
*** required
** hive.server2.authentication.kerberos.keytab
*** not empty
*** path exists and is readable
*** required
** hive.server2.authentication.spnego.principal
*** not empty
*** required
** hive.server2.authentication.spnego.keytab
*** not empty
*** path exists and is readable
*** required

h4. Pseudocode

{code}
if indicators imply security is on and validate
    if kinit(hive server principal) succeeds
        state = SECURED_KERBEROS
    else
        state = ERROR
else
    state = UNSECURED
{code}

h3. WEBHCAT_SERVER

h4. Indicators

* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled']
*** = "true"
* Configuration File: params.hive_client_conf_dir + 'hive-site.xml'
** hive.metastore.sasl.enabled
*** = "true"
*** required
** hive.server2.authentication
*** = "kerberos"
*** required
** hive.security.authorization.enabled
*** = "true"
*** required
* Configuration File: params.config_dir + 'webhcat-site.xml'
** templeton.kerberos.secret
*** = "secret"
*** required
** templeton.kerberos.principal
*** not empty
*** required
** templeton.kerberos.keytab
*** not empty
*** path exists and is readable
*** required

h4. Pseudocode

{code}
if indicators imply security is on and validate
    if kinit(webhcat server principal) succeeds
        state = SECURED_KERBEROS
    else
        state = ERROR
else
    state = UNSECURED
{code}

h3. HIVE_CLIENT

h4. Indicators

* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled']
*** = "true"

h4. Pseudocode

{code}
if indicators imply security is on and validate
    state = SECURED_KERBEROS
else
    state = UNSECURED
{code}

_*Note*_: Due to the _cost_ of calling {{kinit}}, results should be cached for a period of time before retrying. This may be an issue depending on the frequency of the heartbeat timeout.


> Hive service components should indicate security state
> ------------------------------------------------------
>
>                 Key: AMBARI-8485
>                 URL: https://issues.apache.org/jira/browse/AMBARI-8485
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server, stacks
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: hcatalog, hive, kerberos, metastore, mysql, security
>             Fix For: 2.0.0

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
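
The HIVE_METASTORE rules and the two {{kinit}} notes above, worked as an added Python example (not Ambari's code and not part of the issue). The function names, the 300-second TTL, the case-insensitive value comparison and the injectable `run` parameter are assumptions, and MIT `kinit` options are assumed.

```python
import os, subprocess, tempfile, time
import xml.etree.ElementTree as ET

# Added illustration: all names below are hypothetical, not Ambari identifiers.
# HIVE_METASTORE indicators from the issue; None means "not empty".
PRINCIPAL = "hive.metastore.kerberos.principal"
KEYTAB = "hive.metastore.kerberos.keytab.file"
RULES = {"hive.metastore.sasl.enabled": "true",
         "hive.server2.authentication": "kerberos",
         "hive.security.authorization.enabled": "true",
         PRINCIPAL: None, KEYTAB: None}
KINIT_CACHE = {}  # principal -> (expiry time, kinit succeeded)

def load_site_xml(path):
    """Parse a Hadoop-style *-site.xml into {name: value}."""
    props = ET.parse(path).getroot().iter("property")
    return {p.findtext("name"): (p.findtext("value") or "").strip() for p in props}

def indicators_valid(props):
    """All required properties match (case-insensitively) and the keytab is readable."""
    for key, expected in RULES.items():
        value = props.get(key, "")
        if not value or (expected and value.lower() != expected):
            return False
    return os.access(props[KEYTAB], os.R_OK)

def kinit_ok(principal, keytab, ttl=300, run=subprocess.call):
    """Run kinit against a temporary credential cache; remember the result for ttl s."""
    hit = KINIT_CACHE.get(principal)
    if hit and hit[0] > time.time():
        return hit[1]  # still fresh: skip the costly kinit
    fd, ccache = tempfile.mkstemp(prefix="status_cc_")  # private, unique file
    os.close(fd)
    try:
        ok = run(["kinit", "-c", ccache, "-kt", keytab, principal]) == 0
    except OSError:  # kinit binary not found
        ok = False
    finally:
        if os.path.exists(ccache):
            os.remove(ccache)  # never leave the ticket cache behind
    KINIT_CACHE[principal] = (time.time() + ttl, ok)
    return ok

def metastore_security_state(config, hive_site_path, run=subprocess.call):
    enabled = config["configurations"]["cluster-env"].get("security_enabled")
    # Only read hive-site.xml when the command JSON says security is on.
    props = load_site_xml(hive_site_path) if str(enabled).lower() == "true" else {}
    if not indicators_valid(props):
        return "UNSECURED"
    ok = kinit_ok(props[PRINCIPAL], props[KEYTAB], run=run)
    return "SECURED_KERBEROS" if ok else "ERROR"
```

Keying the result cache on the principal means a changed principal is re-checked immediately, while a rotated keytab for the same principal is only noticed after the TTL expires.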