Repository: ambari Updated Branches: refs/heads/trunk 2ca58368e -> 8963501be
AMBARI-10986. HBase security authorization/authentication should set appropriate classes (srimanth) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/8963501b Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/8963501b Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/8963501b Branch: refs/heads/trunk Commit: 8963501be6c25ebd421d1935cb2a1ddb5b6ffee9 Parents: 2ca5836 Author: Srimanth Gunturi <sgunt...@hortonworks.com> Authored: Wed May 6 17:24:55 2015 -0700 Committer: Srimanth Gunturi <sgunt...@hortonworks.com> Committed: Wed May 6 19:05:31 2015 -0700 ---------------------------------------------------------------------- .../0.96.0.2.0/configuration/hbase-site.xml | 23 +++++++-- .../services/HBASE/configuration/hbase-site.xml | 10 ++++ .../stacks/HDP/2.2/services/stack_advisor.py | 51 ++++++++++++++++++++ .../stacks/2.2/common/test_stack_advisor.py | 42 +++++++++++++++- 4 files changed, 120 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/8963501b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/configuration/hbase-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/configuration/hbase-site.xml b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/configuration/hbase-site.xml index bd6b72e..2122ce8 100644 --- a/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/configuration/hbase-site.xml +++ b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/configuration/hbase-site.xml 
@@ -333,8 +333,7 @@ <property> <name>hbase.security.authentication</name> <value>simple</value> - <description> Controls whether or not secure authentication is enabled for HBase. Possible values are 'simple' - (no authentication), and 'kerberos'. + <description>Select Simple or Kerberos authentication. Note: Kerberos must be set up before the Kerberos option will take effect. </description> <display-name>Enable Authentication</display-name> <value-attributes> @@ -364,11 +363,11 @@ <entries> <entry> <value>true</value> - <label>Enabled</label> + <label>Native</label> </entry> <entry> <value>false</value> - <label>Disabled</label> + <label>Off</label> </entry> </entries> <selection-cardinality>1</selection-cardinality> @@ -384,6 +383,16 @@ it in HBase's classpath and add the fully qualified class name here. A coprocessor can also be loaded on demand by setting HTableDescriptor. </description> + <depends-on> + <property> + <type>hbase-site</type> + <name>hbase.security.authorization</name> + </property> + <property> + <type>hbase-site</type> + <name>hbase.security.authentication</name> + </property> + </depends-on> </property> <property> @@ -396,6 +405,12 @@ implementing your own MasterObserver, just put it in HBase's classpath and add the fully qualified class name here. </description> + <depends-on> + <property> + <type>hbase-site</type> + <name>hbase.security.authorization</name> + </property> + </depends-on> </property> <property> http://git-wip-us.apache.org/repos/asf/ambari/blob/8963501b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/hbase-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/hbase-site.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/hbase-site.xml index 13b91ed..4a9b84b 100644 
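Review bot: The rewritten `<description>` for `hbase.security.authentication` in the first hunk no longer says that `simple` means no authentication, which is the fact an operator most needs while the default `<value>` is `simple`. I would keep that wording alongside the new note, e.g. `Select Simple (no authentication) or Kerberos authentication. Note: Kerberos must be set up before the Kerberos option will take effect.` In the second hunk, which appears to relabel the authorization toggle, `Off` is clear but `Native` is not explained in any visible description, so a short explanation of what Native enables would help.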
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/hbase-site.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/hbase-site.xml @@ -137,4 +137,14 @@ </property> </depends-on> </property> + <property> + <name>hbase.coprocessor.regionserver.classes</name> + <value> </value> + <depends-on> + <property> + <type>hbase-site</type> + <name>hbase.security.authorization</name> + </property> + </depends-on> + </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/8963501b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py index 89e9ae7..0e08fdb 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py 
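Review bot: The new `hbase.coprocessor.regionserver.classes` property has no `<description>`, and its default is a single space (`<value> </value>`) rather than an empty value. A description such as `<description>Comma-separated coprocessors loaded by each region server; the stack advisor sets AccessController here when hbase.security.authorization is true.</description>` would tell an operator why the value changes when authorization is toggled. Whether HBase trims a whitespace-only class list is not visible in this change, so it is worth confirming the blank default is never treated as a class name.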
@@ -481,6 +481,45 @@ class HDP22StackAdvisor(HDP21StackAdvisor): putHbaseEnvProperty = self.putProperty(configurations, "hbase-env", services) putHbaseEnvProperty('hbase_max_direct_memory_size', '') + # Authorization + # If configurations has it - it has priority as it is calculated. Then, the service's configurations will be used. + hbase_security_authorization = None + if 'hbase-site' in configurations and 'hbase.security.authorization' in configurations['hbase-site']['properties']: + hbase_security_authorization = configurations['hbase-site']['properties']['hbase.security.authorization'] + elif 'hbase-site' in services['configurations'] and 'hbase.security.authorization' in services['configurations']['hbase-site']['properties']: + hbase_security_authorization = services['configurations']['hbase-site']['properties']['hbase.security.authorization'] + if hbase_security_authorization: + if 'true' == hbase_security_authorization.lower(): + putHbaseProperty('hbase.coprocessor.master.classes', "org.apache.hadoop.hbase.security.access.AccessController") + putHbaseProperty('hbase.coprocessor.region.classes', "org.apache.hadoop.hbase.security.access.AccessController") + putHbaseProperty('hbase.coprocessor.regionserver.classes', "org.apache.hadoop.hbase.security.access.AccessController") + else: + putHbaseProperty('hbase.coprocessor.master.classes', "") + putHbaseProperty('hbase.coprocessor.region.classes', "") + putHbaseSitePropertyAttributes('hbase.coprocessor.regionserver.classes', 'delete', 'true') + else: + putHbaseSitePropertyAttributes('hbase.coprocessor.regionserver.classes', 'delete', 'true') + + # Authentication + if 'hbase-site' in services['configurations'] and 'hbase.security.authentication' in services['configurations']['hbase-site']['properties']: + hbase_coprocessor_region_classes = None + if 'hbase.coprocessor.region.classes' in configurations["hbase-site"]["properties"]: + hbase_coprocessor_region_classes = 
configurations["hbase-site"]["properties"]["hbase.coprocessor.region.classes"].strip() + elif 'hbase.coprocessor.region.classes' in services['configurations']["hbase-site"]["properties"]: + hbase_coprocessor_region_classes = services['configurations']["hbase-site"]["properties"]["hbase.coprocessor.region.classes"].strip() + if hbase_coprocessor_region_classes: + coprocessorRegionClassList = hbase_coprocessor_region_classes.split(',') + else: + coprocessorRegionClassList = [] + if 'kerberos' == services['configurations']['hbase-site']['properties']['hbase.security.authentication'].lower(): + if 'org.apache.hadoop.hbase.security.token.TokenProvider' not in coprocessorRegionClassList: + coprocessorRegionClassList.append('org.apache.hadoop.hbase.security.token.TokenProvider') + putHbaseProperty('hbase.coprocessor.region.classes', ','.join(coprocessorRegionClassList)) + else: + if 'org.apache.hadoop.hbase.security.token.TokenProvider' in coprocessorRegionClassList: + coprocessorRegionClassList.remove('org.apache.hadoop.hbase.security.token.TokenProvider') + putHbaseProperty('hbase.coprocessor.region.classes', ','.join(coprocessorRegionClassList)) + def recommendTezConfigurations(self, configurations, clusterData, services, hosts): putTezProperty = self.putProperty(configurations, "tez-site") 
@@ -849,6 +888,18 @@ class HDP22StackAdvisor(HDP21StackAdvisor): "item": self.getWarnItem( "If bucketcache ioengine is enabled, {0} should be set".format(prop_name3))}) + # Validate hbase.security.authentication. + # Kerberos works only when security enabled. + if "hbase.security.authentication" in properties: + hbase_security_kerberos = properties["hbase.security.authentication"].lower() == "kerberos" + core_site_properties = getSiteProperties(configurations, "core-site") + security_enabled = False + if core_site_properties: + security_enabled = core_site_properties['hadoop.security.authentication'] == 'kerberos' and core_site_properties['hadoop.security.authorization'] == 'true' + if not security_enabled and hbase_security_kerberos: + validationItems.append({"config-name": "hbase.security.authentication", + "item": self.getWarnItem("Cluster must be secured with Kerberos before hbase.security.authentication's value of kerberos will have effect")}) + return self.toConfigurationValidationProblems(validationItems, "hbase-site") def validateHBASEEnvConfigurations(self, properties, recommendedDefaults, configurations, services, hosts): http://git-wip-us.apache.org/repos/asf/ambari/blob/8963501b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py index 41ee352..9d5435d 100644 --- a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py +++ b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py @@ -1425,6 +1425,9 @@ class TestHDP22StackAdvisor(TestCase): "properties": { "phoenix_sql_enabled": "true" } + }, + "hbase-site": { + "properties": {} } } } 
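Review bot: The added validation indexes `core_site_properties['hadoop.security.authentication']` and `core_site_properties['hadoop.security.authorization']` directly, so a core-site that omits either key raises KeyError and the hbase-site validation fails instead of emitting the warning. Lookups with a default keep the check fail-safe: `security_enabled = core_site_properties.get('hadoop.security.authentication', 'simple').lower() == 'kerberos' and core_site_properties.get('hadoop.security.authorization', 'false').lower() == 'true'`. The `.lower()` also matches how the HBase value is compared a few lines earlier in the same block. The enclosing validator starts above this hunk.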
@@ -1438,6 +1441,11 @@ class TestHDP22StackAdvisor(TestCase): "hbase.bucketcache.percentage.in.combinedcache": "", "hbase.regionserver.global.memstore.upperLimit": "0.4", "hbase.bucketcache.ioengine": "" + }, + 'property_attributes': { + 'hbase.coprocessor.regionserver.classes': { + 'delete': 'true' + } } }, "hbase-env": { @@ -1459,7 +1467,7 @@ class TestHDP22StackAdvisor(TestCase): # Test when phoenix_sql_enabled = false services['configurations']['hbase-env']['properties']['phoenix_sql_enabled'] = 'false' expected['hbase-site']['properties']['hbase.regionserver.wal.codec'] = 'org.apache.hadoop.hbase.regionserver.wal.WALCellCodec' - expected['hbase-site']['property_attributes'] = {'hbase.region.server.rpc.scheduler.factory.class': {'delete': 'true'}, 'hbase.rpc.controllerfactory.class': {'delete': 'true'}} + expected['hbase-site']['property_attributes'] = {'hbase.region.server.rpc.scheduler.factory.class': {'delete': 'true'}, 'hbase.rpc.controllerfactory.class': {'delete': 'true'}, 'hbase.coprocessor.regionserver.classes': {'delete': 'true'}} self.stackAdvisor.recommendHBASEConfigurations(configurations, clusterData, services, None) self.assertEquals(configurations, expected) 
@@ -1491,11 +1499,41 @@ class TestHDP22StackAdvisor(TestCase): }]}) services['configurations']['hbase-env']['properties']['phoenix_sql_enabled'] = 'false' expected['hbase-site']['properties']['hbase.regionserver.wal.codec'] = 'org.apache.hadoop.hbase.regionserver.wal.WALCellCodec' - expected['hbase-site']['property_attributes'] = {'hbase.region.server.rpc.scheduler.factory.class': {'delete': 'true'}, 'hbase.rpc.controllerfactory.class': {'delete': 'true'}} + expected['hbase-site']['property_attributes'] = {'hbase.region.server.rpc.scheduler.factory.class': {'delete': 'true'}, 'hbase.rpc.controllerfactory.class': {'delete': 'true'}, 'hbase.coprocessor.regionserver.classes': {'delete': 'true'}} expected['hbase-env']['property_attributes'] = {'hbase_master_heapsize': {'maximum': '49152'}} self.stackAdvisor.recommendHBASEConfigurations(configurations, clusterData, services, hosts) self.assertEquals(configurations, expected) + # Test when hbase.security.authentication = kerberos + services['configurations']['hbase-site']['properties']['hbase.security.authentication'] = 'kerberos' + expected['hbase-site']['properties']['hbase.coprocessor.region.classes'] = 'org.apache.hadoop.hbase.security.token.TokenProvider' + self.stackAdvisor.recommendHBASEConfigurations(configurations, clusterData, services, None) + self.assertEquals(configurations, expected) + + # Test when hbase.security.authentication = simple + services['configurations']['hbase-site']['properties']['hbase.security.authentication'] = 'simple' + expected['hbase-site']['properties']['hbase.coprocessor.region.classes'] = '' + self.stackAdvisor.recommendHBASEConfigurations(configurations, clusterData, services, None) + self.assertEquals(configurations, expected) + + # Test when hbase.security.authentication = kerberos AND class already there + configurations['hbase-site']['properties'].pop('hbase.coprocessor.region.classes', None) + 
services['configurations']['hbase-site']['properties']['hbase.security.authentication'] = 'kerberos' + services['configurations']['hbase-site']['properties']['hbase.coprocessor.region.classes'] = 'a.b.c.d' + expected['hbase-site']['properties']['hbase.coprocessor.region.classes'] = 'a.b.c.d,org.apache.hadoop.hbase.security.token.TokenProvider' + self.stackAdvisor.recommendHBASEConfigurations(configurations, clusterData, services, None) + self.assertEquals(configurations, expected) + + # Test when hbase.security.authentication = kerberos AND authorization = true + configurations['hbase-site']['properties'].pop('hbase.coprocessor.region.classes', None) + services['configurations']['hbase-site']['properties']['hbase.security.authentication'] = 'kerberos' + services['configurations']['hbase-site']['properties']['hbase.security.authorization'] = 'true' + expected['hbase-site']['properties']['hbase.coprocessor.master.classes'] = "org.apache.hadoop.hbase.security.access.AccessController" + expected['hbase-site']['properties']['hbase.coprocessor.region.classes'] = 'org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider' + expected['hbase-site']['properties']['hbase.coprocessor.regionserver.classes'] = "org.apache.hadoop.hbase.security.access.AccessController" + self.stackAdvisor.recommendHBASEConfigurations(configurations, clusterData, services, None) + self.assertEquals(configurations, expected) + def test_recommendHDFSConfigurations(self): configurations = {
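Review bot: The new cases reuse the same `configurations`, `services` and `expected` dicts, so in the final case the assertion passes with `hbase.coprocessor.regionserver.classes` both set to AccessController and still marked `{'delete': 'true'}` in `property_attributes` from the earlier calls. That hides whether a fresh recommendation with authorization on would leave a stale delete attribute. Build fresh fixtures for that case (for example with `copy.deepcopy`) and assert the attribute is absent. There is also no case for `hbase.security.authorization = 'false'` after it was `true`, which is the path that removes AccessController. The enclosing test method starts above this hunk.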