
AMBARI-9693. Review and update kerberos descriptors for various services.(vbrodetskyi)

Vitaly Brodetskyi 10 years ago
parent
commit
8ae21c8b72

+ 14 - 0
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java

@@ -78,6 +78,7 @@ import org.apache.ambari.server.state.PropertyInfo;
 import org.apache.ambari.server.state.SecurityState;
 import org.apache.ambari.server.state.SecurityType;
 import org.apache.ambari.server.state.Service;
+import org.apache.ambari.server.state.ServiceComponent;
 import org.apache.ambari.server.state.ServiceComponentHost;
 import org.apache.ambari.server.state.StackId;
 import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor;
@@ -91,6 +92,7 @@ import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
 import org.apache.ambari.server.state.svccomphost.ServiceComponentHostServerActionEvent;
 import org.apache.ambari.server.utils.StageUtils;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -1135,6 +1137,18 @@ public class KerberosHelper {
       configHelper.cloneAttributesMap(attributes, configurationAttributes.get(type));
     }
 
+    // add clusterHostInfo config
+    Map<String, String> componentHosts = new HashMap<String, String>();
+    for (Map.Entry<String, Service> service : cluster.getServices().entrySet()) {
+      for (Map.Entry<String, ServiceComponent> serviceComponent : service.getValue().getServiceComponents().entrySet()) {
+        if (StageUtils.getComponentToClusterInfoKeyMap().keySet().contains(serviceComponent.getValue().getName())) {
+          componentHosts.put(StageUtils.getComponentToClusterInfoKeyMap().get(serviceComponent.getValue().getName()),
+                  StringUtils.join(serviceComponent.getValue().getServiceComponentHosts().keySet(), ","));
+        }
+      }
+    }
+    configurations.put("clusterHostInfo", componentHosts);
+
     return configurations;
   }
 
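Review bot: The loop added before `return configurations;` creates a `clusterHostInfo` key only for components that exist in the cluster, and writes an empty string when a component has no hosts, yet the HDFS descriptor in this commit feeds `${clusterHostInfo/webhcat_server_host}` into `hadoop.proxyuser.HTTP.hosts`. What an unresolved or empty variable turns into is not visible in this hunk, so it is worth confirming that a cluster without that component cannot end up with a blank or literal-placeholder proxyuser host list. The lookup can also be a single call, `String key = StageUtils.getComponentToClusterInfoKeyMap().get(serviceComponent.getValue().getName());` followed by `if (key != null)`, instead of `keySet().contains(...)` plus `get(...)`. The enclosing method starts outside the hunk.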

+ 24 - 22
ambari-server/src/main/java/org/apache/ambari/server/utils/StageUtils.java

@@ -17,26 +17,8 @@
  */
 package org.apache.ambari.server.utils;
 
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.nio.charset.Charset;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Set;
-import java.util.SortedSet;
-import java.util.TreeMap;
-import java.util.TreeSet;
-
-import javax.xml.bind.JAXBException;
-
+import com.google.common.base.Joiner;
+import com.google.gson.Gson;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.Role;
 import org.apache.ambari.server.RoleCommand;
@@ -57,8 +39,24 @@ import org.codehaus.jackson.map.JsonMappingException;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.map.SerializationConfig;
 
-import com.google.common.base.Joiner;
-import com.google.gson.Gson;
+import javax.xml.bind.JAXBException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+import java.util.SortedSet;
+import java.util.TreeMap;
+import java.util.TreeSet;
 
 public class StageUtils {
 
@@ -140,6 +138,10 @@ public class StageUtils {
     return requestId + "-" + stageId;
   }
 
+  public static Map<String, String> getComponentToClusterInfoKeyMap() {
+    return componentToClusterInfoKeyMap;
+  }
+
   public static long[] getRequestStage(String actionId) {
     String[] fields = actionId.split("-");
     long[] requestStageIds = new long[2];
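Review bot: The new `getComponentToClusterInfoKeyMap()` hands out the static `componentToClusterInfoKeyMap` itself, so any caller can add or remove entries that every other user of the map then sees; the field's declaration is outside the hunk, so this assumes it is a plain mutable map. Returning a read-only view, `return Collections.unmodifiableMap(componentToClusterInfoKeyMap);` (with `java.util.Collections` imported), keeps the mapping fixed. The method is public and undocumented; a one-line Javadoc such as `/** Returns the mapping from component name to its clusterHostInfo key. */` would help. `getRequestStage` below it continues past the end of the hunk.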

+ 4 - 1
ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json

@@ -39,7 +39,10 @@
           "hbase-site": {
             "hbase.security.authentication": "kerberos",
             "hbase.security.authorization": "true",
-            "zookeeper.znode.parent": "/hbase-secure"
+            "zookeeper.znode.parent": "/hbase-secure",
+            "hbase.coprocessor.master.classes": "org.apache.hadoop.hbase.security.access.AccessController",
+            "hbase.coprocessor.region.classes": "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController",
+            "hbase.bulkload.staging.dir": "/apps/hbase/staging"
           }
         }
       ],
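Review bot: The added `hbase-site` values are fixed strings, so enabling Kerberos would set `hbase.coprocessor.master.classes` and `hbase.coprocessor.region.classes` to exactly these lists. If a descriptor value replaces the existing property rather than merging with it (not visible here), coprocessors an operator had already configured would be dropped. `hbase.bulkload.staging.dir` is likewise hard-coded to `/apps/hbase/staging`, and nothing in this commit shows that directory being created with ownership and permissions suitable for `SecureBulkLoadEndpoint`. Since JSON cannot carry comments, the commit description is the place to state both assumptions.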

+ 13 - 1
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json

@@ -25,7 +25,19 @@
             "hadoop.security.authentication": "kerberos",
             "hadoop.rpc.protection": "authentication",
             "hadoop.security.authorization": "true",
-            "hadoop.security.auth_to_local": "_AUTH_TO_LOCAL_RULES"
+            "hadoop.security.auth_to_local": "_AUTH_TO_LOCAL_RULES",
+            "hadoop.http.authentication.kerberos.name.rules": "",
+            "hadoop.http.filter.initializers": "",
+            "hadoop.http.authentication.type": "simple",
+            "hadoop.http.authentication.signature.secret": "",
+            "hadoop.http.authentication.signature.secret.file": "",
+            "hadoop.http.authentication.signer.secret.provider": "",
+            "hadoop.http.authentication.signer.secret.provider.object": "",
+            "hadoop.http.authentication.token.validity": "",
+            "hadoop.http.authentication.cookie.domain": "",
+            "hadoop.http.authentication.cookie.path": "",
+            "hadoop.proxyuser.HTTP.groups": "${core-site/proxyuser_group}",
+            "hadoop.proxyuser.HTTP.hosts": "${clusterHostInfo/webhcat_server_host}"
           }
         }
       ],
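Review bot: The Kerberos descriptor now pins `hadoop.http.authentication.type` to `simple`, which leaves the Hadoop HTTP endpoints without Kerberos/SPNEGO authentication on a cluster that is otherwise being kerberized, and may replace a `kerberos` value an operator had set. If that is deliberate, leaving the key out of the descriptor keeps the existing setting; otherwise `"hadoop.http.authentication.type": "kerberos"` needs the matching principal and keytab properties alongside it. This hunk, and the YARN descriptor later in this commit, also set many properties, including `hadoop.http.authentication.signature.secret.file`, to `""`. Whether an empty string blanks an existing value or is skipped is not visible here and should be confirmed.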

+ 17 - 1
ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/kerberos.json

@@ -18,7 +18,23 @@
           "yarn-site": {
             "yarn.timeline-service.enabled": "true",
             "yarn.timeline-service.http-authentication.type": "kerberos",
-            "yarn.acl.enable": "true"
+            "yarn.acl.enable": "true",
+            "yarn.timeline-service.http-authentication.signature.secret": "",
+            "yarn.timeline-service.http-authentication.signature.secret.file": "",
+            "yarn.timeline-service.http-authentication.signer.secret.provider": "",
+            "yarn.timeline-service.http-authentication.signer.secret.provider.object": "",
+            "yarn.timeline-service.http-authentication.token.validity": "",
+            "yarn.timeline-service.http-authentication.cookie.domain": "",
+            "yarn.timeline-service.http-authentication.cookie.path": "",
+            "yarn.timeline-service.http-authentication.proxyusers.*.hosts": "",
+            "yarn.timeline-service.http-authentication.proxyusers.*.users": "",
+            "yarn.timeline-service.http-authentication.proxyusers.*.groups": "",
+            "yarn.timeline-service.http-authentication.kerberos.name.rules": "",
+            "yarn.resourcemanager.proxyusers.*.groups": "",
+            "yarn.resourcemanager.proxyusers.*.hosts": "",
+            "yarn.resourcemanager.proxyusers.*.users": "",
+            "yarn.resourcemanager.proxy-user-privileges.enabled": "true",
+            "yarn.nodemanager.linux-container-executor.cgroups.mount-path": ""
           }
         }
       ],
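Review bot: `yarn.resourcemanager.proxy-user-privileges.enabled` is switched to `true` while the accompanying `yarn.resourcemanager.proxyusers.*.hosts`, `.users` and `.groups` entries carry a literal `*` in the key and an empty value, so the descriptor does not say which principals are meant to be allowed to act on behalf of others. Those wildcard keys look like documentation templates rather than concrete property names. They would be safer either replaced with the real per-user keys and explicit values or dropped from the descriptor. `yarn.nodemanager.linux-container-executor.cgroups.mount-path` also appears unrelated to Kerberos and may belong in a separate change.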

+ 8 - 8
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java

@@ -375,7 +375,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(service1.getName()).andReturn("SERVICE1").anyTimes();
     expect(service1.getServiceComponents())
         .andReturn(Collections.<String, ServiceComponent>emptyMap())
-        .once();
+        .times(2);
     service1.setSecurityState(SecurityState.SECURED_KERBEROS);
     expectLastCall().once();
 
@@ -383,7 +383,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(service2.getName()).andReturn("SERVICE2").anyTimes();
     expect(service2.getServiceComponents())
         .andReturn(Collections.<String, ServiceComponent>emptyMap())
-        .once();
+        .times(2);
     service2.setSecurityState(SecurityState.SECURED_KERBEROS);
     expectLastCall().once();
 
@@ -625,7 +625,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(service1.getName()).andReturn("SERVICE1").anyTimes();
     expect(service1.getServiceComponents())
         .andReturn(Collections.<String, ServiceComponent>emptyMap())
-        .once();
+        .times(2);
     service1.setSecurityState(SecurityState.UNSECURED);
     expectLastCall().once();
 
@@ -633,7 +633,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(service2.getName()).andReturn("SERVICE2").anyTimes();
     expect(service2.getServiceComponents())
         .andReturn(Collections.<String, ServiceComponent>emptyMap())
-        .once();
+        .times(2);
     service2.setSecurityState(SecurityState.UNSECURED);
     expectLastCall().once();
 
@@ -852,13 +852,13 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(service1.getName()).andReturn("SERVICE1").anyTimes();
     expect(service1.getServiceComponents())
         .andReturn(Collections.<String, ServiceComponent>emptyMap())
-        .once();
+        .times(2);
 
     final Service service2 = createStrictMock(Service.class);
     expect(service2.getName()).andReturn("SERVICE2").anyTimes();
     expect(service2.getServiceComponents())
         .andReturn(Collections.<String, ServiceComponent>emptyMap())
-        .once();
+        .times(2);
 
     final Map<String, String> kerberosEnvProperties = createNiceMock(Map.class);
     expect(kerberosEnvProperties.get("kdc_type")).andReturn("mit-kdc").anyTimes();
@@ -1130,13 +1130,13 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(service1.getName()).andReturn("SERVICE1").anyTimes();
     expect(service1.getServiceComponents())
         .andReturn(Collections.<String, ServiceComponent>emptyMap())
-        .once();
+        .times(2);
 
     final Service service2 = createStrictMock(Service.class);
     expect(service2.getName()).andReturn("SERVICE2").anyTimes();
     expect(service2.getServiceComponents())
         .andReturn(Collections.<String, ServiceComponent>emptyMap())
-        .once();
+        .times(2);
 
     final Map<String, String> kerberosEnvProperties = createNiceMock(Map.class);
     expect(kerberosEnvProperties.get("kdc_type")).andReturn("mit-kdc").anyTimes();
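Review bot: All six hunks in this file only raise the expected `getServiceComponents()` call count from `.once()` to `.times(2)` on mocks that return an empty map, so the new `clusterHostInfo` population in `KerberosHelper` is never exercised with a real component. A case would cover it where `getServiceComponents()` returns at least one `ServiceComponent` whose name is in `StageUtils.getComponentToClusterInfoKeyMap()`, asserting the resulting comma-joined host list under the `clusterHostInfo` type. The test methods these hunks belong to start and end outside the visible lines.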