Posted to commits@ambari.apache.org by rl...@apache.org on 2017/06/19 16:21:24 UTC

ambari git commit: AMBARI-21230. Add Kerberos HTTP SPNEGO authentication support to Accumulo (Qin Liu via rlevas)

Repository: ambari
Updated Branches:
  refs/heads/trunk 958776415 -> cd8fb1b04


AMBARI-21230. Add Kerberos HTTP SPNEGO authentication support to Accumulo (Qin Liu via rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/cd8fb1b0
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/cd8fb1b0
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/cd8fb1b0

Branch: refs/heads/trunk
Commit: cd8fb1b04823aa5a072889b7445525e00291baa3
Parents: 9587764
Author: Qin Liu <qi...@gmail.com>
Authored: Mon Jun 19 15:12:06 2017 +0200
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Mon Jun 19 12:21:04 2017 -0400

----------------------------------------------------------------------
 .../timeline/AbstractTimelineMetricsSink.java   | 54 ++++++++++----------
 .../1.6.1.2.2.0/configuration/accumulo-env.xml  |  5 ++
 .../package/scripts/accumulo_configuration.py   |  3 ++
 .../1.6.1.2.2.0/package/scripts/params.py       |  5 +-
 .../package/templates/accumulo_jaas.conf.j2     | 29 +++++++++++
 5 files changed, 67 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/cd8fb1b0/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
----------------------------------------------------------------------
diff --git a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
index 644d978..7a84627 100644
--- a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
+++ b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
@@ -174,23 +174,7 @@ public abstract class AbstractTimelineMetricsSink {
         connection.setRequestProperty(COOKIE, appCookie);
       }
 
-      connection.setRequestMethod("POST");
-      connection.setRequestProperty("Content-Type", "application/json");
-      connection.setRequestProperty("Connection", "Keep-Alive");
-      connection.setConnectTimeout(timeout);
-      connection.setReadTimeout(timeout);
-      connection.setDoOutput(true);
-
-      if (jsonData != null) {
-        try (OutputStream os = connection.getOutputStream()) {
-          os.write(jsonData.getBytes("UTF-8"));
-        }
-      }
-
-      int statusCode = connection.getResponseCode();
-      if (LOG.isDebugEnabled()) {
-        LOG.debug("emitMetricsJson: statusCode = " + statusCode);
-      }
+      int statusCode = emitMetricsJson(connection, timeout, jsonData);
 
       if (statusCode == HttpStatus.SC_UNAUTHORIZED ) {
         String wwwAuthHeader = connection.getHeaderField(WWW_AUTHENTICATE);
@@ -200,18 +184,11 @@ public abstract class AbstractTimelineMetricsSink {
         if (wwwAuthHeader != null && wwwAuthHeader.trim().startsWith(NEGOTIATE)) {
           appCookie = appCookieManager.getAppCookie(connectUrl, true);
           if (appCookie != null) {
+            cleanupInputStream(connection.getInputStream());
+            connection = connectUrl.startsWith("https") ?
+                getSSLConnection(connectUrl) : getConnection(connectUrl);
             connection.setRequestProperty(COOKIE, appCookie);
-
-            if (jsonData != null) {
-              try (OutputStream os = connection.getOutputStream()) {
-                os.write(jsonData.getBytes("UTF-8"));
-              }
-            }
-
-            statusCode = connection.getResponseCode();
-            if (LOG.isDebugEnabled()) {
-              LOG.debug("emitMetricsJson: statusCode2 = " + statusCode);
-            }
+            statusCode = emitMetricsJson(connection, timeout, jsonData);
           }
         } else {
           // no supported authentication type found
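Review bot: On the retry path the added `cleanupInputStream(connection.getInputStream());` is reached only after a 401, and `HttpURLConnection.getInputStream()` throws an `IOException` for 4xx/5xx responses rather than returning the body. If that holds here, the exception is raised before the new connection is opened, so the cookie retry never runs. The error body is available through `getErrorStream()`, which may return null, so `cleanupInputStream(connection.getErrorStream());` plus a null check (inside `cleanupInputStream`, which is not visible in this hunk) would drain the old connection safely. The enclosing method starts and ends outside the hunk.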
@@ -261,6 +238,27 @@ public abstract class AbstractTimelineMetricsSink {
     }
   }
 
+  private int emitMetricsJson(HttpURLConnection connection, int timeout, String jsonData) throws IOException {
+    connection.setRequestMethod("POST");
+    connection.setRequestProperty("Content-Type", "application/json");
+    connection.setRequestProperty("Connection", "Keep-Alive");
+    connection.setConnectTimeout(timeout);
+    connection.setReadTimeout(timeout);
+    connection.setDoOutput(true);
+
+    if (jsonData != null) {
+      try (OutputStream os = connection.getOutputStream()) {
+        os.write(jsonData.getBytes("UTF-8"));
+      }
+    }
+
+    int statusCode = connection.getResponseCode();
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("emitMetricsJson: statusCode = " + statusCode);
+    }
+    return statusCode;
+  }
+
   protected String getCurrentCollectorHost() {
     String collectorHost;
     // Get cached target
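Review bot: The extracted `emitMetricsJson` helper has no Javadoc, and its contract is not obvious from the call sites. It configures the connection as a JSON POST, writes the body when `jsonData` is non-null and returns the status code, but it does not read or close the response. A comment such as `/** Sends jsonData as a JSON POST on the given connection and returns the HTTP status code; the response stream is left for the caller. */` would cover it. The first attempt and the cookie retry now both log `emitMetricsJson: statusCode = `, so the two can no longer be told apart in debug output, where the old code used `statusCode2` for the retry. As a style point, `jsonData.getBytes(StandardCharsets.UTF_8)` would avoid the charset-name lookup, if the file's imports allow it.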

http://git-wip-us.apache.org/repos/asf/ambari/blob/cd8fb1b0/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
index 1e5eb54..e4aa21e 100644
--- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
@@ -233,6 +233,11 @@ export ACCUMULO_MONITOR_OPTS="-Xmx{{accumulo_monitor_heapsize}}m -Xms{{accumulo_
 export ACCUMULO_GC_OPTS="-Xmx{{accumulo_gc_heapsize}}m -Xms{{accumulo_gc_heapsize}}m"
 export ACCUMULO_GENERAL_OPTS="-XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -Djava.net.preferIPv4Stack=true ${ACCUMULO_GENERAL_OPTS}"
 export ACCUMULO_OTHER_OPTS="-Xmx{{accumulo_other_heapsize}}m -Xms{{accumulo_other_heapsize}}m ${ACCUMULO_OTHER_OPTS}"
+{% if security_enabled %}
+export ACCUMULO_TSERVER_OPTS="${ACCUMULO_TSERVER_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false"
+export ACCUMULO_MASTER_OPTS="${ACCUMULO_MASTER_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false"
+export ACCUMULO_GC_OPTS="${ACCUMULO_GC_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}} -Djavax.security.auth.useSubjectCredsOnly=false"
+{% endif %}
 export ACCUMULO_MONITOR_BIND_ALL={{monitor_bind_str}}
 # what do when the JVM runs out of heap memory
 export ACCUMULO_KILL_CMD='kill -9 %p'
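Review bot: The JAAS login config is appended only to `ACCUMULO_TSERVER_OPTS`, `ACCUMULO_MASTER_OPTS` and `ACCUMULO_GC_OPTS`; `ACCUMULO_MONITOR_OPTS` (visible in the hunk header) and `ACCUMULO_OTHER_OPTS` are left without it. If the monitor, or processes started with the other opts, also emit metrics through the SPNEGO-protected sink, they would have no login configuration on a secured cluster. A one-line comment above the `{% if security_enabled %}` block saying why only these three are covered, e.g. `# only tserver, master and gc publish metrics over SPNEGO`, would settle it, assuming that is the reason.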

http://git-wip-us.apache.org/repos/asf/ambari/blob/cd8fb1b0/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
index f65b68a..c1a60e4 100644
--- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
@@ -113,6 +113,9 @@ def setup_conf_dir(name=None): # 'master' or 'tserver' or 'monitor' or 'gc' or '
          content=InlineTemplate(params.server_env_sh_template)
     )
 
+    if  params.security_enabled:
+      accumulo_TemplateConfig("accumulo_jaas.conf", dest_conf_dir)
+
   # create client.conf file
   configs = {}
   if 'client' in params.config['configurations']:
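Review bot: The JAAS file is written to `dest_conf_dir` here, while params.py in this commit builds `accumulo_jaas_file` from `server_conf_dir`, and that path is what `-Djava.security.auth.login.config` receives. If this branch can run with a `dest_conf_dir` other than the server conf dir, the JVM option will point at a file that was never rendered. Passing the same path to both, or adding a comment stating the branch is server-only, would make the coupling explicit. The enclosing branch of `setup_conf_dir` begins outside the hunk, so this could not be confirmed from here. Also `if  params.security_enabled:` has a doubled space after `if`.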

http://git-wip-us.apache.org/repos/asf/ambari/blob/cd8fb1b0/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
index 5d21514..14c1682 100644
--- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
@@ -165,6 +165,7 @@ master_hosts = default('/clusterHostInfo/accumulo_master_hosts', [])
 monitor_hosts = default('/clusterHostInfo/accumulo_monitor_hosts', [])
 gc_hosts = default('/clusterHostInfo/accumulo_gc_hosts', [])
 tracer_hosts = default('/clusterHostInfo/accumulo_tracer_hosts', [])
+hostname = status_params.hostname
 
 # security properties
 accumulo_user_keytab = config['configurations']['accumulo-env']['accumulo_user_keytab']
@@ -175,11 +176,13 @@ kinit_path_local = status_params.kinit_path_local
 if security_enabled:
   bare_accumulo_principal = get_bare_principal(config['configurations']['accumulo-site']['general.kerberos.principal'])
   kinit_cmd = format("{kinit_path_local} -kt {accumulo_user_keytab} {accumulo_principal_name};")
+  general_kerberos_keytab = config['configurations']['accumulo-site']['general.kerberos.keytab']
+  general_kerberos_principal = config['configurations']['accumulo-site']['general.kerberos.principal'].replace('_HOST', hostname.lower())
+  accumulo_jaas_file = format("{server_conf_dir}/accumulo_jaas.conf")
 else:
   kinit_cmd = ""
 
 #for create_hdfs_directory
-hostname = status_params.hostname
 hdfs_user_keytab = config['configurations']['hadoop-env']['hdfs_user_keytab']
 hdfs_user = config['configurations']['hadoop-env']['hdfs_user']
 hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name']

http://git-wip-us.apache.org/repos/asf/ambari/blob/cd8fb1b0/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2 b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2
new file mode 100644
index 0000000..1ac5cea
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2
@@ -0,0 +1,29 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+
+com.sun.security.jgss.krb5.initiate {
+com.sun.security.auth.module.Krb5LoginModule required
+renewTGT=false
+doNotPrompt=true
+useKeyTab=true
+storeKey=true
+useTicketCache=false
+debug=true
+keyTab="{{general_kerberos_keytab}}"
+principal="{{general_kerberos_principal}}";
+};
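Review bot: `debug=true` is hard-coded in the Krb5LoginModule options, so every process started with this JAAS file will print Kerberos login diagnostics (such as the principal and keytab location) to its output on each login. For a template deployed to all secured clusters this should default to off, `debug=false`, or be driven by a template variable so it can be enabled only while troubleshooting. The keytab and principal values are also interpolated into double-quoted strings without escaping, which is fine as long as those config values never contain a quote.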