Posted to commits@ambari.apache.org by ds...@apache.org on 2016/12/08 11:55:46 UTC
[2/2] ambari git commit: AMBARI-18737 Perf: Allow Kerberizing the
PERF stack (dsen)
AMBARI-18737 Perf: Allow Kerberizing the PERF stack (dsen)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/cdf65c34
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/cdf65c34
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/cdf65c34
Branch: refs/heads/trunk
Commit: cdf65c3450c02f96760fab940a074eaa8583be70
Parents: a62a4f3
Author: Dmytro Sen <ds...@apache.org>
Authored: Thu Dec 8 13:55:33 2016 +0200
Committer: Dmytro Sen <ds...@apache.org>
Committed: Thu Dec 8 13:55:33 2016 +0200
----------------------------------------------------------------------
.../libraries/script/dummy.py | 11 +
.../PERF/1.0/configuration/cluster-env.xml | 27 +-
.../resources/stacks/PERF/1.0/kerberos.json | 78 ++++
.../GRUMPY/configuration/grumpy-site.xml | 12 +
.../PERF/1.0/services/GRUMPY/kerberos.json | 78 ++++
.../services/GRUMPY/package/scripts/dwarf.py | 4 +
.../services/HAPPY/configuration/happy-site.xml | 12 +
.../PERF/1.0/services/HAPPY/kerberos.json | 78 ++++
.../1.0/services/HAPPY/package/scripts/dwarf.py | 4 +
.../HBASE/package/scripts/hbase_master.py | 4 +
.../HBASE/package/scripts/hbase_regionserver.py | 4 +
.../package/scripts/phoenix_queryserver.py | 4 +
.../services/HDFS/package/scripts/datanode.py | 4 +
.../HDFS/package/scripts/journalnode.py | 4 +
.../services/HDFS/package/scripts/namenode.py | 4 +
.../services/HDFS/package/scripts/nfsgateway.py | 4 +
.../services/HDFS/package/scripts/snamenode.py | 4 +
.../KERBEROS/configuration/kerberos-env.xml | 380 +++++++++++++++
.../KERBEROS/configuration/krb5-conf.xml | 109 +++++
.../PERF/1.0/services/KERBEROS/kerberos.json | 17 +
.../PERF/1.0/services/KERBEROS/metainfo.xml | 123 +++++
.../KERBEROS/package/scripts/kerberos_client.py | 80 ++++
.../KERBEROS/package/scripts/kerberos_common.py | 468 +++++++++++++++++++
.../services/KERBEROS/package/scripts/params.py | 200 ++++++++
.../KERBEROS/package/scripts/service_check.py | 30 ++
.../KERBEROS/package/scripts/status_params.py | 32 ++
.../services/KERBEROS/package/scripts/utils.py | 105 +++++
.../KERBEROS/package/templates/krb5_conf.j2 | 54 +++
.../SLEEPY/configuration/sleepy-site.xml | 12 +
.../PERF/1.0/services/SLEEPY/kerberos.json | 78 ++++
.../services/SLEEPY/package/scripts/dwarf.py | 4 +
.../services/SNOW/configuration/snow-site.xml | 12 +
.../stacks/PERF/1.0/services/SNOW/kerberos.json | 78 ++++
.../services/SNOW/package/scripts/snow_white.py | 4 +
.../scripts/application_timeline_server.py | 4 +
.../YARN/package/scripts/historyserver.py | 4 +
.../YARN/package/scripts/nodemanager.py | 4 +
.../YARN/package/scripts/resourcemanager.py | 4 +
.../PERF/1.0/services/ZOOKEEPER/kerberos.json | 39 ++
.../package/scripts/zookeeper_server.py | 4 +
40 files changed, 2180 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-common/src/main/python/resource_management/libraries/script/dummy.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/resource_management/libraries/script/dummy.py b/ambari-common/src/main/python/resource_management/libraries/script/dummy.py
index 2a48de3..3dcece5 100644
--- a/ambari-common/src/main/python/resource_management/libraries/script/dummy.py
+++ b/ambari-common/src/main/python/resource_management/libraries/script/dummy.py
@@ -31,6 +31,9 @@ from ambari_commons.constants import AMBARI_SUDO_BINARY
from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.default import default
+from resource_management.libraries.functions import get_kinit_path
+
class Dummy(Script):
"""
Dummy component to be used for performance testing since doesn't actually run a service.
@@ -75,6 +78,14 @@ class Dummy(Script):
print "Start"
self.prepare()
+ if self.config['configurations']['cluster-env']['security_enabled'] :
+ print "Executing kinit... "
+ kinit_path_local = get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None))
+ principal_replaced = self.config['configurations'][self.principal_conf_name][self.principal_name].replace("_HOST", self.host_name)
+ keytab_path_replaced = self.config['configurations'][self.keytab_conf_name][self.keytab_name].replace("_HOST", self.host_name)
+ Execute("%s -kt %s %s" % (kinit_path_local, keytab_path_replaced, principal_replaced),
+ user="root")
+
if not os.path.isfile(self.pid_file):
print "Creating pid file: %s" % self.pid_file
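Review bot: The kinit call in the added block builds a shell string from the keytab path and principal read out of cluster configuration and runs it as root, so whitespace or shell metacharacters in either value change what root executes. Passing the arguments as a sequence keeps them as separate words: `Execute((kinit_path_local, "-kt", keytab_path_replaced, principal_replaced), user="root")`. The lookups through `self.principal_conf_name`, `self.principal_name`, `self.keytab_conf_name` and `self.keytab_name` are also unguarded. A subclass that never sets those attributes, or a config type that lacks the keys, would presumably fail start with AttributeError or KeyError once `security_enabled` is true. The enclosing start method begins and ends outside this hunk.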
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/configuration/cluster-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/configuration/cluster-env.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/configuration/cluster-env.xml
index 7d6dac4..7df00ee 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/configuration/cluster-env.xml
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/configuration/cluster-env.xml
@@ -71,5 +71,30 @@
<description>Security</description>
<on-ambari-upgrade add="false"/>
</property>
-
+ <property>
+ <name>user_group</name>
+ <display-name>Hadoop Group</display-name>
+ <value>hadoop</value>
+ <property-type>GROUP</property-type>
+ <description>Hadoop user group.</description>
+ <value-attributes>
+ <type>user</type>
+ <visible>false</visible>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>smokeuser</name>
+ <display-name>Smoke User</display-name>
+ <value>ambari-qa</value>
+ <property-type>USER</property-type>
+ <description>User executing service checks</description>
+ <value-attributes>
+ <type>user</type>
+ <visible>false</visible>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/kerberos.json b/ambari-server/src/main/resources/stacks/PERF/1.0/kerberos.json
new file mode 100644
index 0000000..a2a667b
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/kerberos.json
@@ -0,0 +1,78 @@
+{
+ "properties": {
+ "realm": "${kerberos-env/realm}",
+ "keytab_dir": "/home/_HOST/etc/security/keytabs",
+ "additional_realms": ""
+ },
+ "identities": [
+ {
+ "name": "spnego",
+ "principal": {
+ "value": "HTTP/_HOST@${realm}",
+ "type": "service"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/spnego.service.keytab",
+ "owner": {
+ "name": "root",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": "r"
+ }
+ }
+ },
+ {
+ "name": "smokeuser",
+ "principal": {
+ "value": "${cluster-env/smokeuser}-${cluster_name|toLower()}@${realm}",
+ "type": "user",
+ "configuration": "cluster-env/smokeuser_principal_name",
+ "local_username": "${cluster-env/smokeuser}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/smokeuser.headless.keytab",
+ "owner": {
+ "name": "${cluster-env/smokeuser}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": "r"
+ },
+ "configuration": "cluster-env/smokeuser_keytab"
+ }
+ }
+ ],
+ "services": [
+ {
+ "name": "AMBARI",
+ "components": [
+ {
+ "name": "AMBARI_SERVER",
+ "identities": [
+ {
+ "name": "ambari-server",
+ "principal": {
+ "value": "ambari-server-${cluster_name|toLower()}@${realm}",
+ "type": "user",
+ "configuration": "cluster-env/ambari_principal_name"
+ },
+ "keytab": {
+ "file": "/etc/security/keytabs/ambari.server.keytab",
+ "owner": {
+ "access": "r"
+ }
+ }
+ },
+ {
+ "name" : "ambari-server_spnego",
+ "reference" : "/spnego"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
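Review bot: The `ambari-server` identity hard-codes its keytab at `/etc/security/keytabs/ambari.server.keytab`, while the other identities in this file use `${keytab_dir}` (`/home/_HOST/etc/security/keytabs`). Its `owner` block also grants `"access": "r"` without naming an owner. If the fixed path is deliberate, record the reason in the commit description, since JSON cannot carry a comment; otherwise use `"file": "${keytab_dir}/ambari.server.keytab"`. The `spnego` and `smokeuser` keytabs are readable by `${cluster-env/user_group}`, so any account in that group can read them and obtain tickets for those principals; confirm that group's membership is as narrow as intended.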
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/configuration/grumpy-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/configuration/grumpy-site.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/configuration/grumpy-site.xml
index 7952789..3cf8ea1 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/configuration/grumpy-site.xml
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/configuration/grumpy-site.xml
@@ -33,4 +33,16 @@
</value-attributes>
<on-ambari-upgrade add="false"/>
</property>
+ <property>
+ <name>grumpy_user</name>
+ <display-name>grumpy User</display-name>
+ <value>grumpy</value>
+ <property-type>USER</property-type>
+ <description>grumpy Username.</description>
+ <value-attributes>
+ <type>user</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/kerberos.json b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/kerberos.json
new file mode 100644
index 0000000..3bf5fbd
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/kerberos.json
@@ -0,0 +1,78 @@
+{
+ "services": [
+ {
+ "name": "GRUMPY",
+ "identities": [
+ {
+ "name": "/spnego"
+ },
+ {
+ "name": "grumpy",
+ "principal": {
+ "value": "${grumpy-site/grumpy_user}-${cluster_name|toLower()}@${realm}",
+ "type" : "user",
+ "configuration": "grumpy-site/grumpy_principal_name",
+ "local_username": "${grumpy-site/grumpy_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/grumpy.headless.keytab",
+ "owner": {
+ "name": "${grumpy-site/grumpy_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": "r"
+ },
+ "configuration": "grumpy-site/grumpy_user_keytab"
+ }
+ },
+ {
+ "name": "/smokeuser"
+ }
+ ],
+ "configurations": [
+ ],
+ "components": [
+ {
+ "name": "GRUMPY",
+ "identities": [
+ {
+ "name": "/HDFS/NAMENODE/hdfs"
+ },
+ {
+ "name": "grumpy_grumpy",
+ "principal": {
+ "value": "grumpy/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "grumpy-site/grumpy.grumpy.kerberos.principal",
+ "local_username": "${grumpy-site/grumpy_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/grumpy.service.keytab",
+ "owner": {
+ "name": "${grumpy-site/grumpy_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "grumpy-site/grumpy.grumpy.keytab.file"
+ }
+ },
+ {
+ "name": "/spnego",
+ "principal": {
+ "configuration": "grumpy-site/grumpy.security.authentication.spnego.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "grumpy-site/grumpy.security.authentication.spnego.kerberos.keytab"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
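Review bot: The component identity list references `/HDFS/NAMENODE/hdfs`, but this commit's file list adds no `kerberos.json` under `services/HDFS`, so the reference only resolves if the PERF stack already has that descriptor. Confirm it defines an `hdfs` identity on NAMENODE, or drop the reference. The headless `grumpy` keytab is group-readable (`"access": "r"`) while the service keytab sets group access to `""`; if the difference is intended, note it in the commit description. HAPPY/kerberos.json has the same two points.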
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/package/scripts/dwarf.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/package/scripts/dwarf.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/package/scripts/dwarf.py
index cf4206c..de2f4b4 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/package/scripts/dwarf.py
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/package/scripts/dwarf.py
@@ -33,6 +33,10 @@ class Grumpy(Dummy):
def __init__(self):
super(Grumpy, self).__init__()
self.component_name = "GRUMPY"
+ self.principal_conf_name = "grumpy-site"
+ self.principal_name = "grumpy.grumpy.kerberos.principal"
+ self.keytab_conf_name = "grumpy-site"
+ self.keytab_name = "grumpy.grumpy.keytab.file"
if __name__ == "__main__":
Grumpy().execute()
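Review bot: The four attributes added in `__init__` have no comment saying what consumes them. They name the config type and property keys that `Dummy.start` indexes to find this component's principal and keytab before running kinit. A one-line comment would make that contract visible, e.g. `# Config type and property names Dummy.start() reads to kinit when security is enabled`. The same applies to the matching hunks in HAPPY/dwarf.py and the HBASE and HDFS scripts that follow.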
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/configuration/happy-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/configuration/happy-site.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/configuration/happy-site.xml
index 67762a5..693046e 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/configuration/happy-site.xml
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/configuration/happy-site.xml
@@ -33,4 +33,16 @@
</value-attributes>
<on-ambari-upgrade add="false"/>
</property>
+ <property>
+ <name>happy_user</name>
+ <display-name>happy User</display-name>
+ <value>happy</value>
+ <property-type>USER</property-type>
+ <description>happy Username.</description>
+ <value-attributes>
+ <type>user</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/kerberos.json b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/kerberos.json
new file mode 100644
index 0000000..ae84eaf
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/kerberos.json
@@ -0,0 +1,78 @@
+{
+ "services": [
+ {
+ "name": "HAPPY",
+ "identities": [
+ {
+ "name": "/spnego"
+ },
+ {
+ "name": "happy",
+ "principal": {
+ "value": "${happy-site/happy_user}-${cluster_name|toLower()}@${realm}",
+ "type" : "user",
+ "configuration": "happy-site/happy_principal_name",
+ "local_username": "${happy-site/happy_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/happy.headless.keytab",
+ "owner": {
+ "name": "${happy-site/happy_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": "r"
+ },
+ "configuration": "happy-site/happy_user_keytab"
+ }
+ },
+ {
+ "name": "/smokeuser"
+ }
+ ],
+ "configurations": [
+ ],
+ "components": [
+ {
+ "name": "HAPPY",
+ "identities": [
+ {
+ "name": "/HDFS/NAMENODE/hdfs"
+ },
+ {
+ "name": "happy_happy",
+ "principal": {
+ "value": "happy/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "happy-site/happy.happy.kerberos.principal",
+ "local_username": "${happy-site/happy_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/happy.service.keytab",
+ "owner": {
+ "name": "${happy-site/happy_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "happy-site/happy.happy.keytab.file"
+ }
+ },
+ {
+ "name": "/spnego",
+ "principal": {
+ "configuration": "happy-site/happy.security.authentication.spnego.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "happy-site/happy.security.authentication.spnego.kerberos.keytab"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/package/scripts/dwarf.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/package/scripts/dwarf.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/package/scripts/dwarf.py
index b86c4c7..dc8198d 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/package/scripts/dwarf.py
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/package/scripts/dwarf.py
@@ -33,6 +33,10 @@ class Happy(Dummy):
def __init__(self):
super(Happy, self).__init__()
self.component_name = "HAPPY"
+ self.principal_conf_name = "happy-site"
+ self.principal_name = "happy.happy.kerberos.principal"
+ self.keytab_conf_name = "happy-site"
+ self.keytab_name = "happy.happy.keytab.file"
if __name__ == "__main__":
Happy().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_master.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_master.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_master.py
index 7ea42ab..3761fcf 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_master.py
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_master.py
@@ -33,6 +33,10 @@ class HBaseMaster(Dummy):
def __init__(self):
super(HBaseMaster, self).__init__()
self.component_name = "HBASE_MASTER"
+ self.principal_conf_name = "hbase-site"
+ self.principal_name = "hbase.master.kerberos.principal"
+ self.keytab_conf_name = "hbase-site"
+ self.keytab_name = "hbase.master.keytab.file"
def decommission(self, env):
print "Decommission"
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_regionserver.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_regionserver.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_regionserver.py
index a866715..101c36f 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_regionserver.py
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/hbase_regionserver.py
@@ -33,6 +33,10 @@ class HBaseRegionServer(Dummy):
def __init__(self):
super(HBaseRegionServer, self).__init__()
self.component_name = "HBASE_REGIONSERVER"
+ self.principal_conf_name = "hbase-site"
+ self.principal_name = "hbase.regionserver.kerberos.principal"
+ self.keytab_conf_name = "hbase-site"
+ self.keytab_name = "hbase.regionserver.keytab.file"
def decommission(self, env):
print "Decommission"
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/phoenix_queryserver.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/phoenix_queryserver.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/phoenix_queryserver.py
index 9cf3cec..76a49d9 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/phoenix_queryserver.py
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HBASE/package/scripts/phoenix_queryserver.py
@@ -33,6 +33,10 @@ class PhoenixQueryServer(Dummy):
def __init__(self):
super(PhoenixQueryServer, self).__init__()
self.component_name = "PHOENIX_QUERY_SERVER"
+ self.principal_conf_name = "hbase-site"
+ self.principal_name = "phoenix.queryserver.kerberos.principal"
+ self.keytab_conf_name = "hbase-site"
+ self.keytab_name = "phoenix.queryserver.keytab.file"
if __name__ == "__main__":
PhoenixQueryServer().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/datanode.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/datanode.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/datanode.py
index 36edc31..6fc338b 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/datanode.py
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/datanode.py
@@ -33,6 +33,10 @@ class DataNode(Dummy):
def __init__(self):
super(DataNode, self).__init__()
self.component_name = "DATANODE"
+ self.principal_conf_name = "hdfs-site"
+ self.principal_name = "dfs.datanode.kerberos.principal"
+ self.keytab_conf_name = "hdfs-site"
+ self.keytab_name = "dfs.datanode.keytab.file"
if __name__ == "__main__":
DataNode().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/journalnode.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/journalnode.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/journalnode.py
index 1ad13b7..96be630 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/journalnode.py
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/journalnode.py
@@ -33,6 +33,10 @@ class JournalNode(Dummy):
def __init__(self):
super(JournalNode, self).__init__()
self.component_name = "JOURNALNODE"
+ self.principal_conf_name = "hdfs-site"
+ self.principal_name = "dfs.journalnode.kerberos.principal"
+ self.keytab_conf_name = "hdfs-site"
+ self.keytab_name = "dfs.journalnode.keytab.file"
if __name__ == "__main__":
JournalNode().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/namenode.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/namenode.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/namenode.py
index ded09cb..c3488e8 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/namenode.py
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/namenode.py
@@ -34,6 +34,10 @@ class NameNode(Dummy):
def __init__(self):
super(NameNode, self).__init__()
self.component_name = "NAMENODE"
+ self.principal_conf_name = "hdfs-site"
+ self.principal_name = "dfs.namenode.kerberos.principal"
+ self.keytab_conf_name = "hdfs-site"
+ self.keytab_name = "dfs.namenode.keytab.file"
def rebalancehdfs(self, env):
print "Rebalance HDFS"
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/nfsgateway.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/nfsgateway.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/nfsgateway.py
index ab9855d..b750522 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/nfsgateway.py
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/nfsgateway.py
@@ -33,6 +33,10 @@ class NFSGateway(Dummy):
def __init__(self):
super(NFSGateway, self).__init__()
self.component_name = "NFS_GATEWAY"
+ self.principal_conf_name = "hdfs-site"
+ self.principal_name = "nfs.kerberos.principal"
+ self.keytab_conf_name = "hdfs-site"
+ self.keytab_name = "nfs.keytab.file"
if __name__ == "__main__":
NFSGateway().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/snamenode.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/snamenode.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/snamenode.py
index 8815aa3..91ce7da 100644
--- a/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/snamenode.py
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/HDFS/package/scripts/snamenode.py
@@ -33,6 +33,10 @@ class SNameNode(Dummy):
def __init__(self):
super(SNameNode, self).__init__()
self.component_name = "SECONDARY_NAMENODE"
+ self.principal_conf_name = "hdfs-site"
+ self.principal_name = "dfs.secondary.namenode.kerberos.principal"
+ self.keytab_conf_name = "hdfs-site"
+ self.keytab_name = "dfs.secondary.namenode.keytab.file"
if __name__ == "__main__":
SNameNode().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/kerberos-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/kerberos-env.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/kerberos-env.xml
new file mode 100644
index 0000000..7016437
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/kerberos-env.xml
@@ -0,0 +1,380 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="false" supports_adding_forbidden="true">
+ <property require-input="true">
+ <name>kdc_type</name>
+ <description>
+ The type of KDC being used. Either mit-kdc, ipa, or active-directory
+ </description>
+ <value>mit-kdc</value>
+ <display-name>KDC type</display-name>
+ <value-attributes>
+ <type>componentHost</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>manage_identities</name>
+ <description>
+ Indicates whether the Ambari user and service Kerberos identities (principals and keytab files)
+ should be managed (created, deleted, updated, etc...) by Ambari or managed manually.
+ </description>
+ <value>true</value>
+ <display-name>Manage Kerberos Identities</display-name>
+ <value-attributes>
+ <visible>false</visible>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>manage_auth_to_local</name>
+ <description>
+ Indicates whether the hadoop auth_to_local rules should be managed by Ambari or managed manually.
+ </description>
+ <value>true</value>
+ <display-name>Manage Hadoop auth_to_local rules</display-name>
+ <value-attributes>
+ <visible>true</visible>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>install_packages</name>
+ <display-name>Install OS-specific Kerberos client package(s)</display-name>
+ <description>
+ Indicates whether Ambari should install the Kerberos client package(s) or not. If not, it is
+ expected that Kerberos utility programs (such as kadmin, kinit, klist, and kdestroy) are
+ compatible with MIT Kerberos 5 version 1.10.3 in command line options and behaviors.
+ </description>
+ <value>true</value>
+ <value-attributes>
+ <type>boolean</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>ldap_url</name>
+ <display-name>LDAP url</display-name>
+ <description>
+ The URL to the Active Directory LDAP Interface
+ Example: ldaps://ad.example.com:636
+ </description>
+ <value/>
+ <value-attributes>
+ <visible>false</visible>
+ <overridable>false</overridable>
+ <type>ldap_url</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>container_dn</name>
+ <display-name>Container DN</display-name>
+ <description>
+ The distinguished name (DN) of the container used store service principals
+ </description>
+ <value-attributes>
+ <visible>false</visible>
+ <overridable>false</overridable>
+ </value-attributes>
+ <value/>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>encryption_types</name>
+ <display-name>Encryption Types</display-name>
+ <description>
+ The supported list of session key encryption types that should be returned by the KDC.
+ </description>
+ <value>aes des3-cbc-sha1 rc4 des-cbc-md5</value>
+ <value-attributes>
+ <type>multiLine</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property require-input="true">
+ <name>realm</name>
+ <description>
+ The default realm to use when creating service principals
+ </description>
+ <display-name>Realm name</display-name>
+ <value/>
+ <value-attributes>
+ <type>host</type>
+ <editable-only-at-install>true</editable-only-at-install>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>kdc_hosts</name>
+ <description>
+ A comma-delimited list of IP addresses or FQDNs declaring the KDC hosts.
+ Optionally a port number may be included in each entry by separating each host and port by a
+ colon (:). Example: kdc1.example.com:88, kdc2.example.com:88
+ </description>
+ <display-name>KDC hosts</display-name>
+ <value/>
+ <value-attributes>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>admin_server_host</name>
+ <display-name>Kadmin host</display-name>
+ <description>
+ The IP address or FQDN for the KDC Kerberos administrative host. Optionally a port number may be included.
+ </description>
+ <value/>
+ <value-attributes>
+ <type>host</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>executable_search_paths</name>
+ <display-name>Executable Search Paths</display-name>
+ <description>
+ A comma-delimited list of search paths to use to find Kerberos utilities like kadmin, kinit and ipa.
+ </description>
+ <value>/usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>multiLine</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_length</name>
+ <display-name>Password Length</display-name>
+ <description>
+ The length required length for generated passwords.
+ </description>
+ <value>20</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_min_lowercase_letters</name>
+ <display-name>Password Minimum # Lowercase Letters</display-name>
+ <description>
+ The minimum number of lowercase letters (a-z) required in generated passwords
+ </description>
+ <value>1</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_min_uppercase_letters</name>
+ <display-name>Password Minimum # Uppercase Letters</display-name>
+ <description>
+ The minimum number of uppercase letters (A-Z) required in generated passwords
+ </description>
+ <value>1</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_min_digits</name>
+ <display-name>Password Minimum # Digits</display-name>
+ <description>
+ The minimum number of digits (0-9) required in generated passwords
+ </description>
+ <value>1</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_min_punctuation</name>
+ <display-name>Password Minimum # Punctuation Characters</display-name>
+ <description>
+ The minimum number of punctuation characters (?.!$%^*()-_+=~) required in generated passwords
+ </description>
+ <value>1</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_min_whitespace</name>
+ <display-name>Password Minimum # Whitespace Characters</display-name>
+ <description>
+ The minimum number of whitespace characters required in generated passwords
+ </description>
+ <value>0</value>
+ <value-attributes>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>service_check_principal_name</name>
+ <display-name>Test Kerberos Principal</display-name>
+ <description>
+ The principal name to use when executing the Kerberos service check
+ </description>
+ <value>${cluster_name|toLower()}-${short_date}</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>case_insensitive_username_rules</name>
+ <display-name>Enable case insensitive username rules</display-name>
+ <description>
+ Force principal names to resolve to lowercase local usernames in auth-to-local rules
+ </description>
+ <value>false</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>ad_create_attributes_template</name>
+ <display-name>Account Attribute Template</display-name>
+ <description>
+ A Velocity template to use to generate a JSON-formatted document containing the set of
+ attribute names and values needed to create a new Kerberos identity in the relevant
+ Active Directory.
+ Variables include:
+ principal_name, principal_primary, principal_instance, realm, realm_lowercase,
+ normalized_principal, principal digest, password, is_service, container_dn
+ </description>
+ <value>
+{
+ "objectClass": ["top", "person", "organizationalPerson", "user"],
+ "cn": "$principal_name",
+ #if( $is_service )
+ "servicePrincipalName": "$principal_name",
+ #end
+ "userPrincipalName": "$normalized_principal",
+ "unicodePwd": "$password",
+ "accountExpires": "0",
+ "userAccountControl": "66048"
+}
+ </value>
+ <value-attributes>
+ <type>content</type>
+ <empty-value-valid>true</empty-value-valid>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>create_ambari_principal</name>
+ <description>
+ Indicates whether Ambari should create the principal, keytab for itself, used by different views.
+ </description>
+ <value>true</value>
+ <display-name>Create Ambari Principal & Keytab</display-name>
+ <value-attributes>
+ <visible>true</visible>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>kdc_create_attributes</name>
+ <display-name>Principal Attributes</display-name>
+ <description>
+ The set of attributes to use when creating a new Kerberos identity in the relevant (MIT) KDC.
+ </description>
+ <value/>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>group</name>
+ <display-name>IPA Group</display-name>
+ <description>
+ The group in IPA user principals should be member of
+ </description>
+ <value>ambari-managed-principals</value>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <visible>false</visible>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>set_password_expiry</name>
+ <display-name>Set IPA principal password expiry</display-name>
+ <description>
+ Indicates whether Ambari should set the password expiry for the principals it creates. By default
+ IPA does not allow this. It requires write permission of the admin principal to the krbPasswordExpiry
+ attribute. If set IPA principal password expiry is not true it is assumed that a suitable password
+ policy is in place for the IPA Group principals are added to.
+ </description>
+ <value>false</value>
+ <value-attributes>
+ <type>boolean</type>
+ <overridable>false</overridable>
+ <visible>false</visible>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>password_chat_timeout</name>
+ <display-name>Set IPA kinit password chat timeout</display-name>
+ <description>
+ Indicates the timeout in seconds that Ambari should wait for a response during a password chat. This is
+ because it can take some time due to lookups before a response is there.
+ </description>
+ <value>5</value>
+ <value-attributes>
+ <visible>false</visible>
+ <type>int</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/krb5-conf.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/krb5-conf.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/krb5-conf.xml
new file mode 100644
index 0000000..c692b92
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/krb5-conf.xml
@@ -0,0 +1,109 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+ <property require-input="false">
+ <name>domains</name>
+ <display-name>Domains</display-name>
+ <description>
+ A comma-separated list of domain names used to map server host names to the Realm name (e.g. .example.com,example.com). This is optional
+ </description>
+ <value/>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>manage_krb5_conf</name>
+ <display-name>Manage Kerberos client krb5.conf</display-name>
+ <description>
+ Indicates whether your krb5.conf file should be managed by the wizard or should you manage it yourself
+ </description>
+ <value>true</value>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>conf_dir</name>
+ <display-name>krb5-conf directory path</display-name>
+ <description>The krb5.conf configuration directory</description>
+ <value>/etc</value>
+ <value-attributes>
+ <type>directory</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>content</name>
+ <display-name>krb5-conf template</display-name>
+ <description>Customizable krb5.conf template (Jinja template engine)</description>
+ <value>
+[libdefaults]
+ renew_lifetime = 7d
+ forwardable = true
+ default_realm = {{realm}}
+ ticket_lifetime = 24h
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ default_ccache_name = /tmp/krb5cc_%{uid}
+ #default_tgs_enctypes = {{encryption_types}}
+ #default_tkt_enctypes = {{encryption_types}}
+{% if domains %}
+[domain_realm]
+{%- for domain in domains.split(',') %}
+ {{domain|trim()}} = {{realm}}
+{%- endfor %}
+{% endif %}
+[logging]
+ default = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ kdc = FILE:/var/log/krb5kdc.log
+
+[realms]
+ {{realm}} = {
+{%- if kdc_hosts > 0 -%}
+{%- set kdc_host_list = kdc_hosts.split(',') -%}
+{%- if kdc_host_list and kdc_host_list|length > 0 %}
+ admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
+{%- if kdc_host_list -%}
+{% for kdc_host in kdc_host_list %}
+ kdc = {{kdc_host|trim()}}
+{%- endfor -%}
+{% endif %}
+{%- endif %}
+{%- endif %}
+ }
+
+{# Append additional realm declarations below #}
+ </value>
+ <value-attributes>
+ <type>content</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+</configuration>
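Review bot: The guard `{%- if kdc_hosts > 0 -%}` in the `content` template compares a comma-delimited string with an integer, so it does not test what it appears to test. Under CPython 2 ordering rules a string compares greater than any number, so even an empty `kdc_hosts` passes, and on Python 3 the comparison raises. A plain truthiness test, `{%- if kdc_hosts -%}`, expresses the intent, and the inner `{%- if kdc_host_list -%}` then repeats the check on the line above it. Because `realm`, `domains` and `kdc_hosts` are rendered verbatim into krb5.conf, the property description could also state that these values must be bare realm or host names with no embedded whitespace or newlines.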
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/kerberos.json b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/kerberos.json
new file mode 100644
index 0000000..6ab7610
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/kerberos.json
@@ -0,0 +1,17 @@
+{
+ "services": [
+ {
+ "name": "KERBEROS",
+ "identities": [
+ {
+ "name": "/smokeuser"
+ }
+ ],
+ "components": [
+ {
+ "name": "KERBEROS_CLIENT"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/metainfo.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/metainfo.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/metainfo.xml
new file mode 100644
index 0000000..3ec6340
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/metainfo.xml
@@ -0,0 +1,123 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<metainfo>
+ <schemaVersion>2.0</schemaVersion>
+ <services>
+ <service>
+ <name>KERBEROS</name>
+ <displayName>Kerberos</displayName>
+ <comment>A computer network authentication protocol which works on
+ the basis of 'tickets' to allow nodes communicating over a
+ non-secure network to prove their identity to one another in a
+ secure manner.
+ </comment>
+ <version>1.10.3-10</version>
+
+ <components>
+ <component>
+ <name>KERBEROS_CLIENT</name>
+ <displayName>Kerberos Client</displayName>
+ <category>CLIENT</category>
+ <cardinality>ALL</cardinality>
+ <versionAdvertised>false</versionAdvertised>
+ <auto-deploy>
+ <enabled>true</enabled>
+ </auto-deploy>
+ <commandScript>
+ <script>scripts/kerberos_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1200</timeout>
+ </commandScript>
+ <customCommands>
+ <customCommand>
+ <name>SET_KEYTAB</name>
+ <commandScript>
+ <script>scripts/kerberos_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1000</timeout>
+ </commandScript>
+ </customCommand>
+ <customCommand>
+ <name>REMOVE_KEYTAB</name>
+ <commandScript>
+ <script>scripts/kerberos_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1000</timeout>
+ </commandScript>
+ </customCommand>
+ </customCommands>
+ <configFiles>
+ <configFile>
+ <type>env</type>
+ <fileName>krb5.conf</fileName>
+ <dictionaryName>krb5-conf</dictionaryName>
+ </configFile>
+ </configFiles>
+ </component>
+ </components>
+
+ <osSpecifics>
+ <osSpecific>
+ <osFamily>redhat7,amazon2015,redhat6</osFamily>
+ <packages>
+ <package>
+ <name>krb5-workstation</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ </packages>
+ </osSpecific>
+
+ <osSpecific>
+ <osFamily>debian7,ubuntu12,ubuntu14,ubuntu16</osFamily>
+ <packages>
+ <package>
+ <name>krb5-user</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ <package>
+ <name>krb5-config</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ </packages>
+ </osSpecific>
+
+ <osSpecific>
+ <osFamily>suse11,suse12</osFamily>
+ <packages>
+ <package>
+ <name>krb5-client</name>
+ <skipUpgrade>true</skipUpgrade>
+ </package>
+ </packages>
+ </osSpecific>
+ </osSpecifics>
+
+ <commandScript>
+ <script>scripts/service_check.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>300</timeout>
+ </commandScript>
+
+ <configuration-dependencies>
+ <config-type>krb5-conf</config-type>
+ <config-type>kerberos-env</config-type>
+ </configuration-dependencies>
+ <restartRequiredAfterChange>true</restartRequiredAfterChange>
+ </service>
+ </services>
+</metainfo>
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py
new file mode 100644
index 0000000..ddc8063
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py
@@ -0,0 +1,80 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from kerberos_common import *
+from resource_management.libraries.functions.security_commons import cached_kinit_executor
+from resource_management.core.exceptions import ClientComponentHasNoStatus
+
+class KerberosClient(KerberosScript):
+ def install(self, env):
+ install_packages = default('/configurations/kerberos-env/install_packages', "true")
+ if install_packages:
+ self.install_packages(env)
+ else:
+ print "Kerberos client packages are not being installed, manual installation is required."
+
+ self.configure(env)
+
+
+ def configure(self, env):
+ import params
+ env.set_params(params)
+ if params.manage_krb5_conf:
+ self.write_krb5_conf()
+ #delete krb cache to prevent using old krb tickets on fresh kerberos setup
+ self.clear_tmp_cache()
+
+ self.setup_jce()
+
+ def status(self, env):
+ raise ClientComponentHasNoStatus()
+
+ def security_status(self, env):
+ import status_params
+ if status_params.security_enabled:
+ if status_params.smoke_user and status_params.smoke_user_keytab:
+ try:
+ cached_kinit_executor(status_params.kinit_path_local,
+ status_params.smoke_user,
+ status_params.smoke_user_keytab,
+ status_params.smoke_user_principal,
+ status_params.hostname,
+ status_params.tmp_dir)
+ self.put_structured_out({"securityState": "SECURED_KERBEROS"})
+ except Exception as e:
+ self.put_structured_out({"securityState": "ERROR"})
+ self.put_structured_out({"securityStateErrorInfo": str(e)})
+ else:
+ self.put_structured_out({"securityState": "UNKNOWN"})
+ self.put_structured_out({"securityStateErrorInfo": "Missing smoke user credentials"})
+ else:
+ self.put_structured_out({"securityState": "UNSECURED"})
+
+ def set_keytab(self, env):
+ self.write_keytab_file()
+
+ def remove_keytab(self, env):
+ self.delete_keytab_file()
+
+ def download_install_jce(self, env):
+ self.setup_jce()
+
+
+if __name__ == "__main__":
+ KerberosClient().execute()
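Review bot: In `install`, `default('/configurations/kerberos-env/install_packages', "true")` falls back to the string `"true"` and the result is tested with `if install_packages:`. Any non-empty string, including `"false"`, therefore takes the install branch unless `default()` has already converted the value to a boolean, which this hunk does not show. Falling back to a real boolean, `default('/configurations/kerberos-env/install_packages', True)`, would make the opt-out path reliable. In `security_status`, the broad `except Exception` publishes `str(e)` as `securityStateErrorInfo`; a comment such as `# kinit error text only; must not contain credential material` would record why that is safe to report.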
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_common.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_common.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_common.py
new file mode 100644
index 0000000..3c6c83e
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_common.py
@@ -0,0 +1,468 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+import base64
+import getpass
+import os
+import string
+import subprocess
+import sys
+import tempfile
+from tempfile import gettempdir
+
+from resource_management import *
+from utils import get_property_value
+from ambari_commons.os_utils import remove_file
+from ambari_agent import Constants
+
+class KerberosScript(Script):
+ KRB5_REALM_PROPERTIES = [
+ 'kdc',
+ 'admin_server',
+ 'default_domain',
+ 'master_kdc'
+ ]
+
+ KRB5_SECTION_NAMES = [
+ 'libdefaults',
+ 'logging',
+ 'realms',
+ 'domain_realm',
+ 'capaths',
+ 'ca_paths',
+ 'appdefaults',
+ 'plugins'
+ ]
+
+ @staticmethod
+ def create_random_password():
+ import random
+
+ chars = string.digits + string.ascii_letters
+ return ''.join(random.choice(chars) for x in range(13))
+
+ @staticmethod
+ def write_conf_section(output_file, section_name, section_data):
+ if section_name is not None:
+ output_file.write('[%s]\n' % section_name)
+
+ if section_data is not None:
+ for key, value in section_data.iteritems():
+ output_file.write(" %s = %s\n" % (key, value))
+
+
+ @staticmethod
+ def _write_conf_realm(output_file, realm_name, realm_data):
+ """ Writes out realm details
+
+ Example:
+
+ EXAMPLE.COM = {
+ kdc = kerberos.example.com
+ admin_server = kerberos.example.com
+ }
+
+ """
+ if realm_name is not None:
+ output_file.write(" %s = {\n" % realm_name)
+
+ if realm_data is not None:
+ for key, value in realm_data.iteritems():
+ if key in KerberosScript.KRB5_REALM_PROPERTIES:
+ output_file.write(" %s = %s\n" % (key, value))
+
+ output_file.write(" }\n")
+
+ @staticmethod
+ def write_conf_realms_section(output_file, section_name, realms_data):
+ if section_name is not None:
+ output_file.write('[%s]\n' % section_name)
+
+ if realms_data is not None:
+ for realm, realm_data in realms_data.iteritems():
+ KerberosScript._write_conf_realm(output_file, realm, realm_data)
+ output_file.write('\n')
+
+ @staticmethod
+ def write_krb5_conf():
+ import params
+
+ Directory(params.krb5_conf_dir,
+ owner='root',
+ create_parents = True,
+ group='root',
+ mode=0755
+ )
+
+ if (params.krb5_conf_template is None) or not params.krb5_conf_template.strip():
+ content = Template('krb5_conf.j2')
+ else:
+ content = InlineTemplate(params.krb5_conf_template)
+
+ File(params.krb5_conf_path,
+ content=content,
+ owner='root',
+ group='root',
+ mode=0644
+ )
+
+ @staticmethod
+ def invoke_kadmin(query, admin_identity=None, default_realm=None):
+ """
+ Executes the kadmin or kadmin.local command (depending on whether auth_identity is set or not
+ and returns command result code and standard out data.
+
+ :param query: the kadmin query to execute
+ :param admin_identity: the identity for the administrative user (optional)
+ :param default_realm: the default realm to assume
+ :return: return_code, out
+ """
+ if (query is not None) and (len(query) > 0):
+ auth_principal = None
+ auth_keytab_file = None
+
+ if admin_identity is not None:
+ auth_principal = get_property_value(admin_identity, 'principal')
+
+ if auth_principal is None:
+ kadmin = 'kadmin.local'
+ credential = ''
+ else:
+ kadmin = 'kadmin -p "%s"' % auth_principal
+
+ auth_password = get_property_value(admin_identity, 'password')
+
+ if auth_password is None:
+ auth_keytab = get_property_value(admin_identity, 'keytab')
+
+ if auth_keytab is not None:
+ (fd, auth_keytab_file) = tempfile.mkstemp()
+ keytab_file_path = keytab_file_path.replace("_HOST", params.hostname)
+ os.write(fd, base64.b64decode(auth_keytab))
+ os.close(fd)
+
+ credential = '-k -t %s' % auth_keytab_file
+ else:
+ credential = '-w "%s"' % auth_password
+
+ if (default_realm is not None) and (len(default_realm) > 0):
+ realm = '-r %s' % default_realm
+ else:
+ realm = ''
+
+ try:
+ command = '%s %s %s -q "%s"' % (kadmin, credential, realm, query.replace('"', '\\"'))
+ return shell.checked_call(command)
+ except:
+ raise
+ finally:
+ if auth_keytab_file is not None:
+ os.remove(auth_keytab_file)
+
+ @staticmethod
+ def create_keytab_file(principal, path, auth_identity=None):
+ success = False
+
+ if (principal is not None) and (len(principal) > 0):
+ if (auth_identity is None) or (len(auth_identity) == 0):
+ norandkey = '-norandkey'
+ else:
+ norandkey = ''
+
+ if (path is not None) and (len(path) > 0):
+ keytab_file = '-k %s' % path
+ else:
+ keytab_file = ''
+
+ try:
+ result_code, output = KerberosScript.invoke_kadmin(
+ 'ktadd %s %s %s' % (keytab_file, norandkey, principal),
+ auth_identity)
+
+ success = (result_code == 0)
+ except:
+ raise Fail("Failed to create keytab for principal: %s (in %s)" % (principal, path))
+
+ return success
+
+ @staticmethod
+ def create_keytab(principal, auth_identity=None):
+ keytab = None
+
+ (fd, temp_path) = tempfile.mkstemp()
+ os.remove(temp_path)
+
+ try:
+ if KerberosScript.create_keytab_file(principal, temp_path, auth_identity):
+ with open(temp_path, 'r') as f:
+ keytab = base64.b64encode(f.read())
+ finally:
+ if os.path.isfile(temp_path):
+ os.remove(temp_path)
+
+ return keytab
+
+ @staticmethod
+ def principal_exists(identity, auth_identity=None):
+ exists = False
+
+ if identity is not None:
+ principal = get_property_value(identity, 'principal')
+
+ if (principal is not None) and (len(principal) > 0):
+ try:
+ result_code, output = KerberosScript.invoke_kadmin('getprinc %s' % principal,
+ auth_identity)
+ exists = (output is not None) and (("Principal: %s" % principal) in output)
+ except:
+ raise Fail("Failed to determine if principal exists: %s" % principal)
+
+ return exists
+
+ @staticmethod
+ def change_principal_password(identity, auth_identity=None):
+ success = False
+
+ if identity is not None:
+ principal = get_property_value(identity, 'principal')
+
+ if (principal is not None) and (len(principal) > 0):
+ password = get_property_value(identity, 'password')
+
+ if password is None:
+ credentials = '-randkey'
+ else:
+ credentials = '-pw "%s"' % password
+
+ try:
+ result_code, output = KerberosScript.invoke_kadmin(
+ 'change_password %s %s' % (credentials, principal),
+ auth_identity)
+
+ success = (result_code == 0)
+ except:
+ raise Fail("Failed to create principal: %s" % principal)
+
+ return success
+
+ @staticmethod
+ def create_principal(identity, auth_identity=None):
+ success = False
+
+ if identity is not None:
+ principal = get_property_value(identity, 'principal')
+
+ if (principal is not None) and (len(principal) > 0):
+ password = get_property_value(identity, 'password')
+
+ if password is None:
+ credentials = '-randkey'
+ else:
+ credentials = '-pw "%s"' % password
+
+ try:
+ result_code, out = KerberosScript.invoke_kadmin(
+ 'addprinc %s %s' % (credentials, principal),
+ auth_identity)
+
+ success = (result_code == 0)
+ except:
+ raise Fail("Failed to create principal: %s" % principal)
+
+ return success
+
+ @staticmethod
+ def clear_tmp_cache():
+ tmp_dir = Constants.AGENT_TMP_DIR
+ if tmp_dir is None:
+ tmp_dir = gettempdir()
+ curl_krb_cache_path = os.path.join(tmp_dir, "curl_krb_cache")
+ Directory(curl_krb_cache_path, action="delete")
+
+ @staticmethod
+ def create_principals(identities, auth_identity=None):
+ if identities is not None:
+ for identity in identities:
+ KerberosScript.create_principal(identity, auth_identity)
+
+ @staticmethod
+ def create_or_update_administrator_identity():
+ import params
+
+ if params.realm is not None:
+ admin_identity = params.get_property_value(params.realm, 'admin_identity')
+
+ if KerberosScript.principal_exists(admin_identity):
+ KerberosScript.change_principal_password(admin_identity)
+ else:
+ KerberosScript.create_principal(admin_identity)
+
+ @staticmethod
+ def test_kinit(identity, user="root"):
+ principal = get_property_value(identity, 'principal')
+ kinit_path_local = functions.get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None))
+ kdestroy_path_local = functions.get_kdestroy_path(default('/configurations/kerberos-env/executable_search_paths', None))
+
+ if principal is not None:
+ keytab_file = get_property_value(identity, 'keytab_file')
+ keytab = get_property_value(identity, 'keytab')
+ password = get_property_value(identity, 'password')
+
+ # If a test keytab file is available, simply use it
+ if (keytab_file is not None) and (os.path.isfile(keytab_file)):
+ keytab_file = keytab_file.replace("_HOST", params.hostname)
+ command = '%s -k -t %s %s' % (kinit_path_local, keytab_file, principal)
+ Execute(command,
+ user = user,
+ )
+ return shell.checked_call(kdestroy_path_local)
+
+ # If base64-encoded test keytab data is available; then decode it, write it to a temporary file
+ # use it, and then remove the temporary file
+ elif keytab is not None:
+ (fd, test_keytab_file) = tempfile.mkstemp()
+ os.write(fd, base64.b64decode(keytab))
+ os.close(fd)
+
+ try:
+ command = '%s -k -t %s %s' % (kinit_path_local, test_keytab_file, principal)
+ Execute(command,
+ user = user,
+ )
+ return shell.checked_call(kdestroy_path_local)
+ except:
+ raise
+ finally:
+ if test_keytab_file is not None:
+ os.remove(test_keytab_file)
+
+ # If no keytab data is available and a password was supplied, simply use it.
+ elif password is not None:
+ process = subprocess.Popen([kinit_path_local, principal], stdin=subprocess.PIPE)
+ stdout, stderr = process.communicate(password)
+ if process.returncode:
+ err_msg = Logger.filter_text("Execution of kinit returned %d. %s" % (process.returncode, stderr))
+ raise Fail(err_msg)
+ else:
+ return shell.checked_call(kdestroy_path_local)
+ else:
+ return 0, ''
+ else:
+ return 0, ''
+
+
+ def write_keytab_file(self):
+ import params
+ import stat
+
+ if params.kerberos_command_params is not None:
+ for item in params.kerberos_command_params:
+ keytab_content_base64 = get_property_value(item, 'keytab_content_base64')
+ if (keytab_content_base64 is not None) and (len(keytab_content_base64) > 0):
+ keytab_file_path = get_property_value(item, 'keytab_file_path')
+ if (keytab_file_path is not None) and (len(keytab_file_path) > 0):
+ keytab_file_path = keytab_file_path.replace("_HOST", params.hostname)
+ head, tail = os.path.split(keytab_file_path)
+ if head:
+ Directory(head, create_parents = True, mode=0755, owner="root", group="root")
+
+ owner = "root"
+ group = "root"
+ mode = 0
+
+ mode |= stat.S_IREAD | stat.S_IWRITE
+ mode |= stat.S_IRGRP | stat.S_IWGRP
+
+ keytab_content = base64.b64decode(keytab_content_base64)
+
+ # to hide content in command output
+ def make_lambda(data):
+ return lambda: data
+
+ File(keytab_file_path,
+ content=make_lambda(keytab_content),
+ mode=mode,
+ owner=owner,
+ group=group)
+
+ principal = get_property_value(item, 'principal')
+ if principal is not None:
+ curr_content = Script.structuredOut
+
+ if "keytabs" not in curr_content:
+ curr_content['keytabs'] = {}
+
+ curr_content['keytabs'][principal.replace("_HOST", params.hostname)] = keytab_file_path
+
+ self.put_structured_out(curr_content)
+
+ def delete_keytab_file(self):
+ import params
+
+ if params.kerberos_command_params is not None:
+ for item in params.kerberos_command_params:
+ keytab_file_path = get_property_value(item, 'keytab_file_path')
+ if (keytab_file_path is not None) and (len(keytab_file_path) > 0):
+ keytab_file_path = keytab_file_path.replace("_HOST", params.hostname)
+ # Delete the keytab file
+ File(keytab_file_path, action="delete")
+
+ principal = get_property_value(item, 'principal')
+ if principal is not None:
+ curr_content = Script.structuredOut
+
+ if "keytabs" not in curr_content:
+ curr_content['keytabs'] = {}
+
+ curr_content['keytabs'][principal.replace("_HOST", params.hostname)] = '_REMOVED_'
+
+ self.put_structured_out(curr_content)
+
+ def setup_jce(self):
+ import params
+
+ if not params.jdk_name:
+ return
+ jce_curl_target = None
+ if params.jce_policy_zip is not None:
+ jce_curl_target = format("{artifact_dir}/{jce_policy_zip}")
+ Directory(params.artifact_dir,
+ create_parents = True,
+ )
+ File(jce_curl_target,
+ content = DownloadSource(format("{jce_location}/{jce_policy_zip}")),
+ )
+ elif params.security_enabled:
+ # Something weird is happening
+ raise Fail("Security is enabled, but JCE policy zip is not specified.")
+
+ # The extraction will occur only after the security flag is set
+ if params.security_enabled:
+ security_dir = format("{java_home}/jre/lib/security")
+
+ File([format("{security_dir}/US_export_policy.jar"), format("{security_dir}/local_policy.jar")],
+ action = "delete",
+ )
+
+ extract_cmd = ("unzip", "-o", "-j", "-q", jce_curl_target, "-d", security_dir)
+ Execute(extract_cmd,
+ only_if = format("test -e {security_dir} && test -f {jce_curl_target}"),
+ path = ['/bin/','/usr/bin'],
+ sudo = True
+ )
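Review bot: `invoke_kadmin` puts the admin password on the kadmin command line (`credential = '-w "%s"' % auth_password`) and hands a formatted string to `shell.checked_call`, so the secret is readable from the process list while the command runs and a quote or shell metacharacter in the principal, password or realm changes what is executed; `create_principal` and `change_principal_password` do the same with `-pw "%s"` inside the query. Building the command as an argument tuple, as `setup_jce` does with `extract_cmd`, and authenticating through the keytab branch (`-k -t`) rather than `-w` would address both. That keytab branch cannot run as written, though: `keytab_file_path = keytab_file_path.replace("_HOST", params.hostname)` reads a local that is never assigned and a `params` module this function never imports (`test_kinit` has the same `params.hostname` reference), so the line should be dropped. `create_random_password` draws from the default `random` generator, which is not intended for secrets; `random.SystemRandom().choice(chars)` is a drop-in replacement. `create_keytab` deletes the `mkstemp` file and lets kadmin recreate the same path without closing `fd`, which leaks the descriptor and reopens the name race that `mkstemp` exists to prevent.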
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/params.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/params.py
new file mode 100644
index 0000000..3533b35
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/params.py
@@ -0,0 +1,200 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management import *
+from utils import get_property_value, get_unstructured_data
+from ambari_commons.os_check import OSCheck
+from resource_management.libraries.functions.expect import expect
+
+krb5_conf_dir = '/etc'
+krb5_conf_file = 'krb5.conf'
+krb5_conf_path = krb5_conf_dir + '/' + krb5_conf_file
+
+if OSCheck.is_suse_family():
+ kdc_conf_dir = '/var/lib/kerberos/krb5kdc'
+elif OSCheck.is_ubuntu_family():
+ kdc_conf_dir = '/etc/krb5kdc'
+else:
+ kdc_conf_dir = '/var/kerberos/krb5kdc'
+kdc_conf_file = 'kdc.conf'
+kdc_conf_path = kdc_conf_dir + '/' + kdc_conf_file
+
+kadm5_acl_dir = kdc_conf_dir # Typically kadm5.acl and kdc.conf exist in the same directory
+kadm5_acl_file = 'kadm5.acl'
+kadm5_acl_path = kadm5_acl_dir + '/' + kadm5_acl_file
+
+config = Script.get_config()
+tmp_dir = Script.get_tmp_dir()
+
+configurations = None
+keytab_details = None
+default_group = None
+kdc_server_host = None
+cluster_host_info = None
+
+hostname = config['hostname']
+
+kdb5_util_path = 'kdb5_util'
+
+kdamin_pid_path = '/var/run/kadmind.pid'
+krb5kdc_pid_path = '/var/run/krb5kdc.pid'
+
+smoke_test_principal = None
+smoke_test_keytab_file = None
+
+smoke_user = 'ambari-qa'
+
+manage_identities = 'true'
+
+artifact_dir = format("{tmp_dir}/AMBARI-artifacts/")
+jce_policy_zip = default("/hostLevelParams/jce_name", None) # None when jdk is already installed by user
+jce_location = config['hostLevelParams']['jdk_location']
+jdk_name = default("/hostLevelParams/jdk_name", None)
+java_home = config['hostLevelParams']['java_home']
+java_version = expect("/hostLevelParams/java_version", int)
+
+security_enabled = config['configurations']['cluster-env']['security_enabled']
+
+if config is not None:
+ kerberos_command_params = get_property_value(config, 'kerberosCommandParams')
+
+ cluster_host_info = get_property_value(config, 'clusterHostInfo')
+ if cluster_host_info is not None:
+ kdc_server_hosts = get_property_value(cluster_host_info, 'kdc_server_hosts')
+
+ if (kdc_server_hosts is not None) and (len(kdc_server_hosts) > 0):
+ kdc_server_host = kdc_server_hosts[0]
+
+ configurations = get_property_value(config, 'configurations')
+ if configurations is not None:
+ cluster_env = get_property_value(configurations, 'cluster-env')
+
+ if cluster_env is not None:
+ smoke_test_principal = get_property_value(cluster_env, 'smokeuser_principal_name', None, True, None)
+ smoke_test_keytab_file = get_property_value(cluster_env, 'smokeuser_keytab', None, True, None)
+ smoke_user = get_property_value(cluster_env, 'smokeuser', smoke_user, True, smoke_user)
+
+ default_group = get_property_value(cluster_env, 'user_group')
+
+ if default_group is None:
+ default_group = get_property_value(cluster_env, 'user-group')
+
+ # ##############################################################################################
+ # Get krb5.conf template data
+ # ##############################################################################################
+ realm = 'EXAMPLE.COM'
+ domains = ''
+ kdc_hosts = 'localhost'
+ admin_server_host = None
+ admin_principal = None
+ admin_password = None
+ admin_keytab = None
+ test_principal = None
+ test_password = None
+ test_keytab = None
+ test_keytab_file = None
+ encryption_types = None
+ manage_krb5_conf = "true"
+ krb5_conf_template = None
+
+ krb5_conf_data = get_property_value(configurations, 'krb5-conf')
+
+ kerberos_env = get_property_value(configurations, "kerberos-env")
+
+ if kerberos_env is not None:
+ manage_identities = get_property_value(kerberos_env, "manage_identities", "true", True, "true")
+ encryption_types = get_property_value(kerberos_env, "encryption_types", None, True, None)
+ realm = get_property_value(kerberos_env, "realm", None, True, None)
+ kdc_hosts = get_property_value(kerberos_env, 'kdc_hosts', kdc_hosts)
+ admin_server_host = get_property_value(kerberos_env, 'admin_server_host', admin_server_host)
+
+ if krb5_conf_data is not None:
+ realm = get_property_value(krb5_conf_data, 'realm', realm)
+ domains = get_property_value(krb5_conf_data, 'domains', domains)
+
+ admin_principal = get_property_value(krb5_conf_data, 'admin_principal', admin_principal, True, None)
+ admin_password = get_property_value(krb5_conf_data, 'admin_password', admin_password, True, None)
+ admin_keytab = get_property_value(krb5_conf_data, 'admin_keytab', admin_keytab, True, None)
+
+ test_principal = get_property_value(krb5_conf_data, 'test_principal', test_principal, True, None)
+ test_password = get_property_value(krb5_conf_data, 'test_password', test_password, True, None)
+ test_keytab = get_property_value(krb5_conf_data, 'test_keytab', test_keytab, True, None)
+ test_keytab_file = get_property_value(krb5_conf_data, 'test_keytab_file', test_keytab_file, True, None)
+
+ krb5_conf_template = get_property_value(krb5_conf_data, 'content', krb5_conf_template)
+ krb5_conf_dir = get_property_value(krb5_conf_data, 'conf_dir', krb5_conf_dir)
+ krb5_conf_file = get_property_value(krb5_conf_data, 'conf_file', krb5_conf_file)
+ krb5_conf_path = krb5_conf_dir + '/' + krb5_conf_file
+
+ manage_krb5_conf = get_property_value(krb5_conf_data, 'manage_krb5_conf', "true")
+
+ # For backward compatibility, ensure that kdc_host exists. This may be needed if the krb5.conf
+ # template in krb5-conf/content had not be updated during the Ambari upgrade to 2.4.0 - which
+ # will happen if the template was altered from its stack-default value.
+ kdc_host_parts = kdc_hosts.split(',')
+ if kdc_host_parts:
+ kdc_host = kdc_host_parts[0]
+ else:
+ kdc_host = kdc_hosts
+
+ # ##############################################################################################
+ # Get kdc.conf template data
+ # ##############################################################################################
+ kdcdefaults_kdc_ports = "88"
+ kdcdefaults_kdc_tcp_ports = "88"
+
+ kdc_conf_template = None
+
+ kdc_conf_data = get_property_value(configurations, 'kdc-conf')
+
+ if kdc_conf_data is not None:
+ kdcdefaults_kdc_ports = get_property_value(kdc_conf_data, 'kdcdefaults_kdc_ports', kdcdefaults_kdc_ports)
+ kdcdefaults_kdc_tcp_ports = get_property_value(kdc_conf_data, 'kdcdefaults_kdc_tcp_ports', kdcdefaults_kdc_tcp_ports)
+
+ kdc_conf_template = get_property_value(kdc_conf_data, 'content', kdc_conf_template)
+ kdc_conf_dir = get_property_value(kdc_conf_data, 'conf_dir', kdc_conf_dir)
+ kdc_conf_file = get_property_value(kdc_conf_data, 'conf_file', kdc_conf_file)
+ kdc_conf_path = kdc_conf_dir + '/' + kdc_conf_file
+
+ # ##############################################################################################
+ # Get kadm5.acl template data
+ # ##############################################################################################
+ kdcdefaults_kdc_ports = '88'
+ kdcdefaults_kdc_tcp_ports = '88'
+
+ kadm5_acl_template = None
+
+ kadm5_acl_data = get_property_value(configurations, 'kadm5-acl')
+
+ if kadm5_acl_data is not None:
+ kadm5_acl_template = get_property_value(kadm5_acl_data, 'content', kadm5_acl_template)
+ kadm5_acl_dir = get_property_value(kadm5_acl_data, 'conf_dir', kadm5_acl_dir)
+ kadm5_acl_file = get_property_value(kadm5_acl_data, 'conf_file', kadm5_acl_file)
+ kadm5_acl_path = kadm5_acl_dir + '/' + kadm5_acl_file
+
+ # ################################################################################################
+ # Get commandParams
+ # ################################################################################################
+ command_params = get_property_value(config, 'commandParams')
+ if command_params is not None:
+ keytab_details = get_unstructured_data(command_params, 'keytab')
+
+ if manage_identities:
+ smoke_test_principal = get_property_value(command_params, 'principal_name', smoke_test_principal)
+ smoke_test_keytab_file = get_property_value(command_params, 'keytab_file', smoke_test_keytab_file)
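Review bot: `if manage_identities:` near the end of the commandParams section tests a string, so it is true for any non-empty value, including "false". The module default is `'true'` and the kerberos-env read passes `"true"` as its fallback; nothing visible converts the value to a boolean, unless get_property_value in utils does so, which this hunk does not show. With manage_identities turned off, the smoke-test principal and keytab path would therefore still be taken from commandParams. Compare explicitly, e.g. `if str(manage_identities).lower() == 'true':`. Separately, the kadm5.acl section reassigns `kdcdefaults_kdc_ports` and `kdcdefaults_kdc_tcp_ports` to `'88'` after the kdc-conf section has read them from configuration, which discards any configured ports; those two lines look like a copy-paste leftover and can be dropped.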
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/service_check.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/service_check.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/service_check.py
new file mode 100644
index 0000000..555a93c
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/service_check.py
@@ -0,0 +1,30 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Ambari Agent
+
+"""
+
+from resource_management.libraries.script.script import Script
+
+class ServiceCheck(Script):
+
+ def service_check(self, env):
+ print "Service Check"
+
+if __name__ == "__main__":
+ ServiceCheck().execute()
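Review bot: `service_check` has no docstring and only prints a string before returning, with no kinit against the smoke user keytab, so a passing check on this stack says nothing about whether Kerberos actually works. That is presumably intended for the PERF stack, but it should be stated on the method, e.g. `"""No-op for the PERF stack: always succeeds and performs no kinit."""`, so the script is not copied into a real stack as a working check.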
http://git-wip-us.apache.org/repos/asf/ambari/blob/cdf65c34/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/status_params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/status_params.py b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/status_params.py
new file mode 100644
index 0000000..bbae4a3
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/status_params.py
@@ -0,0 +1,32 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management import *
+
+config = Script.get_config()
+tmp_dir = Script.get_tmp_dir()
+
+hostname = config['hostname']
+kinit_path_local = functions.get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None))
+
+security_enabled = config['configurations']['cluster-env']['security_enabled']
+
+smoke_user_keytab = config['configurations']['cluster-env']['smokeuser_keytab']
+smoke_user = config['configurations']['cluster-env']['smokeuser']
+smoke_user_principal = config['configurations']['cluster-env']['smokeuser_principal_name']
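Review bot: The three smokeuser lookups at the end of the file (`smokeuser_keytab`, `smokeuser`, `smokeuser_principal_name`) and `security_enabled` index `config['configurations']['cluster-env']` directly, so a command whose cluster-env lacks one of these keys fails with KeyError when the module is imported, before any status logic runs. params.py in this commit reads the same smokeuser keys with a None fallback. Use the `default` helper already called for `kinit_path_local`, e.g. `smoke_user_keytab = default('/configurations/cluster-env/smokeuser_keytab', None)`, or add a comment stating that these keys are mandatory for this script.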