Robert Levas created AMBARI-8478:
------------------------------------

             Summary: HDFS service components should indicate security state
                 Key: AMBARI-8478
                 URL: https://issues.apache.org/jira/browse/AMBARI-8478
             Project: Ambari
          Issue Type: Improvement
          Components: ambari-server, stacks
   Affects Versions: 2.0.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.0.0

The Falcon service components should indicate security state when queried by Ambari Agent via STATUS_COMMAND. Each component should determine its state as follows:

h2. FALCON_CLIENT

h3. Indicators:
* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled']
*** = "true"

h3. PseudoCode
{code}
if indicators imply security is on and validate
    state = SECURED_KERBEROS
else
    state = UNSECURED
{code}

h2. FALCON_SERVER

h3. Indicators:
* Command JSON
** config\['configurations']\['cluster-env']\['security_enabled']
*** = "true"
* Configuration File: /etc/falcon/conf/startup.properties
** *.falcon.authentication.type
*** = "kerberos"
** *.falcon.service.authentication.kerberos.principal
*** not empty
*** required
** *.falcon.service.authentication.kerberos.keytab
*** not empty
*** required
*** path exists and is readable
** *.dfs.namenode.kerberos.principal
*** not empty
*** required?
** *.falcon.http.authentication.type
*** = "kerberos"
** *.falcon.http.authentication.kerberos.principal
*** required if *.falcon.http.authentication.type == "kerberos"
*** not empty
** *.falcon.http.authentication.kerberos.keytab
*** required if *.falcon.http.authentication.type == "kerberos"
*** not empty
*** path exists and is readable

h3. Pseudocode:
{code}
if indicators imply security is on and validate
    if kinit(falcon principal) && kinit(http principal) succeeds
        state = SECURED_KERBEROS
    else
        state = ERROR
else
    state = UNSECURED
{code}

_*Note*_: Due to the _cost_ of calling {{kinit}}, results should be cached for a period of time before retrying. This may be an issue depending on the frequency of the heartbeat timeout.
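The FALCON_SERVER check above, written out as an added Python example (not code from the issue or from Ambari). The function names, the 300-second cache TTL and the injectable `kinit` callable are assumptions; `*.dfs.namenode.kerberos.principal` is not enforced because the issue marks it "required?".

```python
import os
import subprocess
import tempfile
import time

KINIT_CACHE_TTL = 300   # seconds; assumed, the issue only says "a period of time"
KINIT_CACHE = {}        # (principal, keytab) -> (expiry, succeeded)
PREFIX = "*.falcon."
CHECKS = (("authentication.type", "service.authentication.kerberos."),
          ("http.authentication.type", "http.authentication.kerberos."))

def parse_properties(text):
    """Parse key=value lines from startup.properties, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def run_kinit(principal, keytab):
    """Real kinit into a throwaway credential cache, so existing tickets are untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        cmd = ["kinit", "-c", os.path.join(tmp, "cc"), "-k", "-t", keytab, principal]
        return subprocess.run(cmd, capture_output=True).returncode == 0

def cached_kinit(principal, keytab, kinit, now):
    """Reuse a kinit result (success or failure) until its TTL expires."""
    hit = KINIT_CACHE.get((principal, keytab))
    if hit is None or hit[0] <= now:
        hit = (now + KINIT_CACHE_TTL, kinit(principal, keytab))
        KINIT_CACHE[(principal, keytab)] = hit
    return hit[1]

def falcon_server_state(config, props, kinit=run_kinit, now=None):
    """config is the command JSON; props is the parsed startup.properties."""
    now = time.time() if now is None else now
    cluster_env = config["configurations"]["cluster-env"]
    if str(cluster_env.get("security_enabled", "")).lower() != "true":
        return "UNSECURED"
    pairs = []
    for type_key, base in CHECKS:
        principal = props.get(PREFIX + base + "principal", "")
        keytab = props.get(PREFIX + base + "keytab", "")
        if (props.get(PREFIX + type_key) != "kerberos" or not principal
                or not (os.path.isfile(keytab) and os.access(keytab, os.R_OK))):
            return "UNSECURED"   # indicators do not validate
        pairs.append((principal, keytab))
    # Run both kinits without short-circuiting so each result is cached.
    results = [cached_kinit(p, k, kinit, now) for p, k in pairs]
    return "SECURED_KERBEROS" if all(results) else "ERROR"
```

Caching failures as well as successes keeps a broken keytab from triggering a `kinit` on every heartbeat, at the price of reporting ERROR for up to one TTL after the keytab is repaired.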