Posted to commits@ambari.apache.org by rl...@apache.org on 2017/06/19 16:21:24 UTC
ambari git commit: AMBARI-21230. Add Kerberos HTTP SPNEGO
authentication support to Accumulo (Qin Liu via rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk 958776415 -> cd8fb1b04
AMBARI-21230. Add Kerberos HTTP SPNEGO authentication support to Accumulo (Qin Liu via rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/cd8fb1b0
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/cd8fb1b0
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/cd8fb1b0
Branch: refs/heads/trunk
Commit: cd8fb1b04823aa5a072889b7445525e00291baa3
Parents: 9587764
Author: Qin Liu <qi...@gmail.com>
Authored: Mon Jun 19 15:12:06 2017 +0200
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Mon Jun 19 12:21:04 2017 -0400
----------------------------------------------------------------------
.../timeline/AbstractTimelineMetricsSink.java | 54 ++++++++++----------
.../1.6.1.2.2.0/configuration/accumulo-env.xml | 5 ++
.../package/scripts/accumulo_configuration.py | 3 ++
.../1.6.1.2.2.0/package/scripts/params.py | 5 +-
.../package/templates/accumulo_jaas.conf.j2 | 29 +++++++++++
5 files changed, 67 insertions(+), 29 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/cd8fb1b0/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
----------------------------------------------------------------------
diff --git a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
index 644d978..7a84627 100644
--- a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
+++ b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
@@ -174,23 +174,7 @@ public abstract class AbstractTimelineMetricsSink {
connection.setRequestProperty(COOKIE, appCookie);
}
- connection.setRequestMethod("POST");
- connection.setRequestProperty("Content-Type", "application/json");
- connection.setRequestProperty("Connection", "Keep-Alive");
- connection.setConnectTimeout(timeout);
- connection.setReadTimeout(timeout);
- connection.setDoOutput(true);
-
- if (jsonData != null) {
- try (OutputStream os = connection.getOutputStream()) {
- os.write(jsonData.getBytes("UTF-8"));
- }
- }
-
- int statusCode = connection.getResponseCode();
- if (LOG.isDebugEnabled()) {
- LOG.debug("emitMetricsJson: statusCode = " + statusCode);
- }
+ int statusCode = emitMetricsJson(connection, timeout, jsonData);
if (statusCode == HttpStatus.SC_UNAUTHORIZED ) {
String wwwAuthHeader = connection.getHeaderField(WWW_AUTHENTICATE);
@@ -200,18 +184,11 @@ public abstract class AbstractTimelineMetricsSink {
if (wwwAuthHeader != null && wwwAuthHeader.trim().startsWith(NEGOTIATE)) {
appCookie = appCookieManager.getAppCookie(connectUrl, true);
if (appCookie != null) {
+ cleanupInputStream(connection.getInputStream());
+ connection = connectUrl.startsWith("https") ?
+ getSSLConnection(connectUrl) : getConnection(connectUrl);
connection.setRequestProperty(COOKIE, appCookie);
-
- if (jsonData != null) {
- try (OutputStream os = connection.getOutputStream()) {
- os.write(jsonData.getBytes("UTF-8"));
- }
- }
-
- statusCode = connection.getResponseCode();
- if (LOG.isDebugEnabled()) {
- LOG.debug("emitMetricsJson: statusCode2 = " + statusCode);
- }
+ statusCode = emitMetricsJson(connection, timeout, jsonData);
}
} else {
// no supported authentication type found
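Review bot: `connection.getInputStream()` is called on a connection that has just returned 401, and `HttpURLConnection.getInputStream()` throws an `IOException` for 4xx/5xx responses, so the cleanup call would likely abort the retry before the new connection is opened. The body of an error response is exposed through `getErrorStream()`, which may return null; draining that instead, e.g. `InputStream err = connection.getErrorStream(); if (err != null) cleanupInputStream(err);`, releases the old connection without throwing. Whether `cleanupInputStream` tolerates null, and how the enclosing method handles the exception, is outside the hunk.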
@@ -261,6 +238,27 @@ public abstract class AbstractTimelineMetricsSink {
}
}
+ private int emitMetricsJson(HttpURLConnection connection, int timeout, String jsonData) throws IOException {
+ connection.setRequestMethod("POST");
+ connection.setRequestProperty("Content-Type", "application/json");
+ connection.setRequestProperty("Connection", "Keep-Alive");
+ connection.setConnectTimeout(timeout);
+ connection.setReadTimeout(timeout);
+ connection.setDoOutput(true);
+
+ if (jsonData != null) {
+ try (OutputStream os = connection.getOutputStream()) {
+ os.write(jsonData.getBytes("UTF-8"));
+ }
+ }
+
+ int statusCode = connection.getResponseCode();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("emitMetricsJson: statusCode = " + statusCode);
+ }
+ return statusCode;
+ }
+
protected String getCurrentCollectorHost() {
String collectorHost;
// Get cached target
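Review bot: The new `emitMetricsJson(connection, timeout, jsonData)` helper has no Javadoc, and its debug line no longer distinguishes the first attempt from the post-401 retry (the old code logged `statusCode2` for the retry). A short Javadoc should state that the method configures the connection as a JSON POST, writes the body only when `jsonData` is non-null, and returns the HTTP status code. For the body encoding, `os.write(jsonData.getBytes(StandardCharsets.UTF_8));` avoids the charset-name lookup, provided `java.nio.charset.StandardCharsets` is imported at the top of the file, which is outside the hunk.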
http://git-wip-us.apache.org/repos/asf/ambari/blob/cd8fb1b0/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
index 1e5eb54..e4aa21e 100644
--- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
@@ -233,6 +233,11 @@ export ACCUMULO_MONITOR_OPTS="-Xmx{{accumulo_monitor_heapsize}}m -Xms{{accumulo_
export ACCUMULO_GC_OPTS="-Xmx{{accumulo_gc_heapsize}}m -Xms{{accumulo_gc_heapsize}}m"
export ACCUMULO_GENERAL_OPTS="-XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -Djava.net.preferIPv4Stack=true ${ACCUMULO_GENERAL_OPTS}"
export ACCUMULO_OTHER_OPTS="-Xmx{{accumulo_other_heapsize}}m -Xms{{accumulo_other_heapsize}}m ${ACCUMULO_OTHER_OPTS}"
+{% if security_enabled %}
+export ACCUMULO_TSERVER_OPTS="${ACCUMULO_TSERVER_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false"
+export ACCUMULO_MASTER_OPTS="${ACCUMULO_MASTER_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false"
+export ACCUMULO_GC_OPTS="${ACCUMULO_GC_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false"
+{% endif %}
export ACCUMULO_MONITOR_BIND_ALL={{monitor_bind_str}}
# what do when the JVM runs out of heap memory
export ACCUMULO_KILL_CMD='kill -9 %p'
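Review bot: The three added exports carry no comment explaining `-Djavax.security.auth.useSubjectCredsOnly=false`, and that flag applies to the whole JVM: it lets any GSS-API caller in the tserver, master and gc processes obtain credentials from the JAAS login entry rather than only from the current Subject. A comment above the `{% if security_enabled %}` block, such as `# JAAS login for SPNEGO (Kerberos over HTTP); useSubjectCredsOnly=false lets JGSS log in from accumulo_jaas.conf`, would record the intent. `ACCUMULO_MONITOR_OPTS` and `ACCUMULO_OTHER_OPTS` are not extended; if the monitor or tracer also needs SPNEGO that looks like an omission, otherwise the comment should say it is deliberate.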
http://git-wip-us.apache.org/repos/asf/ambari/blob/cd8fb1b0/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
index f65b68a..c1a60e4 100644
--- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
@@ -113,6 +113,9 @@ def setup_conf_dir(name=None): # 'master' or 'tserver' or 'monitor' or 'gc' or '
content=InlineTemplate(params.server_env_sh_template)
)
+ if params.security_enabled:
+ accumulo_TemplateConfig("accumulo_jaas.conf", dest_conf_dir)
+
# create client.conf file
configs = {}
if 'client' in params.config['configurations']:
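Review bot: From the hunk alone it is not clear whether the new `accumulo_TemplateConfig("accumulo_jaas.conf", dest_conf_dir)` call runs only for server roles, while `setup_conf_dir` is also invoked with `'client'` according to the comment on its signature. `params.accumulo_jaas_file` points at `{server_conf_dir}/accumulo_jaas.conf`, so a copy rendered into a client conf dir would be unused and would expose the service principal and keytab path to a wider audience than needed. If the call is not already inside the server-only branch, guard it with `if params.security_enabled and name != 'client':`. Either way a comment such as `# JAAS config is read only by server JVMs (see accumulo-env)` would help. The file mode applied by `accumulo_TemplateConfig` is defined outside the hunk and is worth confirming.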
http://git-wip-us.apache.org/repos/asf/ambari/blob/cd8fb1b0/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
index 5d21514..14c1682 100644
--- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
@@ -165,6 +165,7 @@ master_hosts = default('/clusterHostInfo/accumulo_master_hosts', [])
monitor_hosts = default('/clusterHostInfo/accumulo_monitor_hosts', [])
gc_hosts = default('/clusterHostInfo/accumulo_gc_hosts', [])
tracer_hosts = default('/clusterHostInfo/accumulo_tracer_hosts', [])
+hostname = status_params.hostname
# security properties
accumulo_user_keytab = config['configurations']['accumulo-env']['accumulo_user_keytab']
@@ -175,11 +176,13 @@ kinit_path_local = status_params.kinit_path_local
if security_enabled:
bare_accumulo_principal = get_bare_principal(config['configurations']['accumulo-site']['general.kerberos.principal'])
kinit_cmd = format("{kinit_path_local} -kt {accumulo_user_keytab} {accumulo_principal_name};")
+ general_kerberos_keytab = config['configurations']['accumulo-site']['general.kerberos.keytab']
+ general_kerberos_principal = config['configurations']['accumulo-site']['general.kerberos.principal'].replace('_HOST', hostname.lower())
+ accumulo_jaas_file = format("{server_conf_dir}/accumulo_jaas.conf")
else:
kinit_cmd = ""
#for create_hdfs_directory
-hostname = status_params.hostname
hdfs_user_keytab = config['configurations']['hadoop-env']['hdfs_user_keytab']
hdfs_user = config['configurations']['hadoop-env']['hdfs_user']
hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name']
http://git-wip-us.apache.org/repos/asf/ambari/blob/cd8fb1b0/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2
new file mode 100644
index 0000000..1ac5cea
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2
@@ -0,0 +1,29 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+
+com.sun.security.jgss.krb5.initiate {
+com.sun.security.auth.module.Krb5LoginModule required
+renewTGT=false
+doNotPrompt=true
+useKeyTab=true
+storeKey=true
+useTicketCache=false
+debug=true
+keyTab="{{general_kerberos_keytab}}"
+principal="{{general_kerberos_principal}}";
+};
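Review bot: `debug=true` is left on in the Krb5LoginModule options of this template, so every secured tserver, master and gc JVM would print Kerberos login tracing (principal, keytab path, login steps) to its standard output on each login. That is diagnostic output that belongs behind an explicit switch; the template should ship `debug=false`. The keytab and principal values are also substituted inside double quotes without escaping, which is fine as long as both come from administrator-controlled configuration.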