ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-8487) Oozie service components should indicate security state
Date Wed, 07 Jan 2015 12:59:34 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-8487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14267595#comment-14267595
] 

Hudson commented on AMBARI-8487:
--------------------------------

SUCCESS: Integrated in Ambari-trunk-Commit #1415 (See [https://builds.apache.org/job/Ambari-trunk-Commit/1415/])
AMBARI-8487. Oozie service components should indicate security state (rlevas) (rlevas: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=b0e587e42ad8e0c9acbbc9b643581e6a98e13652)
* ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params.py
* ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py
* ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/status_params.py
* ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie_server.py
* ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie_service.py


> Oozie service components should indicate security state
> -------------------------------------------------------
>
>                 Key: AMBARI-8487
>                 URL: https://issues.apache.org/jira/browse/AMBARI-8487
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server, stacks
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos, oozie, security
>             Fix For: 2.0.0
>
>         Attachments: AMBARI-8487_01.patch
>
>
> `The Oozie service components should indicate security state when queried by Ambari Agent
via STATUS_COMMAND.  Each component should determine it's state as follows:
> h3. OOZIE_SERVER
> h4. Indicators
> * Command JSON
> ** config\['configurations']\['cluster-env']\['security_enabled'] 
> *** = “true”
> * Configuration File: params.conf_dir + ‘/oozie-site.xml’
> ** oozie.service.AuthorizationService.security.enabled
> *** = “true”
> *** required
> ** oozie.service.HadoopAccessorService.kerberos.enabled
> *** = “true”
> *** required
> ** local.realm
> *** not empty
> *** required
> ** oozie.authentication.type
> *** = “kerberos”
> *** required
> ** oozie.authentication.kerberos.principal
> *** not empty
> *** required
> ** oozie.authentication.kerberos.keytab
> *** not empty
> *** path exists and is readable
> *** required
> ** oozie.authentication.kerberos.name.rules
> *** not empty
> *** required
> ** oozie.service.HadoopAccessorService.keytab.file
> *** not empty
> *** path exists and is readable
> *** required
> ** oozie.service.HadoopAccessorService.kerberos.principal
> *** not empty
> *** required
> h4. Pseudocode
> {code}
> if indicators imply security is on and validate
>     if kinit(oozie principal) && kinit(HadoopAccessorService principal) succeeds
> `        state = SECURED_KERBEROS
>     else
>         state = ERROR 
> else
>     state = UNSECURED
> {code}
> _*Note*_: Due to the _cost_ of calling {{kinit}} results should be cached for a period
of time before retrying.  This may be an issue depending on the frequency of the heartbeat
timeout.
> _*Note*_: {{kinit}} calls should specify a _temporary_ cache file which should be destroyed
after command is executed - BUG-29477



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message