
AMBARI-1634. Integrate Frontend Security work to enable security on Oozie, Hive, and WebHCat Server. (jaimin)

git-svn-id: https://svn.apache.org/repos/asf/incubator/ambari/trunk@1456293 13f79535-47bb-0310-9956-ffa450edef68
Jaimin Jetly 12 vuotta sitten
c2e15d0ca0

+ 3 - 0
CHANGES.txt

@@ -11,6 +11,9 @@ Trunk (unreleased changes):
  INCOMPATIBLE CHANGES 
 
  NEW FEATURES
+ 
+ AMBARI-1634. Integrate Frontend Security work to enable security on
+ Oozie, Hive, and WebHCat Server. (jaimin)
 
  AMBARI-1633. Reassign Master Wizard - Step 5. (yusaku)
 

+ 7 - 2
ambari-web/app/controllers/main/admin.js

@@ -119,12 +119,17 @@ App.MainAdminController = Em.Controller.extend({
     if (configs['mapred_user']) {
       serviceUsers.pushObject({id: 'puppet var', name: 'mapred_user', value: configs['mapred_user']});
     } else {
-      serviceUsers.pushObject({id: 'puppet var', name: 'hdfs_user', value: 'mapred'});
+      serviceUsers.pushObject({id: 'puppet var', name: 'mapred_user', value: 'mapred'});
     }
     if (configs['hbase_user']) {
       serviceUsers.pushObject({id: 'puppet var', name: 'hbase_user', value: configs['hbase_user']});
     } else {
-      serviceUsers.pushObject({id: 'puppet var', name: 'hdfs_user', value: 'hbase'});
+      serviceUsers.pushObject({id: 'puppet var', name: 'hbase_user', value: 'hbase'});
+    }
+    if (configs['hive_user']) {
+      serviceUsers.pushObject({id: 'puppet var', name: 'hive_user', value: configs['hive_user']});
+    } else {
+      serviceUsers.pushObject({id: 'puppet var', name: 'hive_user', value: 'hive'});
     }
   }
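Review bot: The `mapred_user`, `hbase_user` and new `hive_user` branches in this hunk are the same if/else copied three times, which is how the `hdfs_user` name mix-ups this commit fixes crept in; a name-to-default table removes the duplication and makes the next service a one-entry change. The `||` keeps the same truthiness fallback the current `if (configs[...])` test performs, so an empty string still falls back to the default as before. The enclosing function starts before this hunk, and the `hdfs_user` branch above it presumably follows the same shape and could join the table.
```javascript
    var defaults = {mapred_user: 'mapred', hbase_user: 'hbase', hive_user: 'hive'};
    for (var userName in defaults) {
      if (defaults.hasOwnProperty(userName)) {
        serviceUsers.pushObject({id: 'puppet var', name: userName, value: configs[userName] || defaults[userName]});
      }
    }
```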
 

+ 25 - 5
ambari-web/app/controllers/main/admin/security/add/step3.js

@@ -27,6 +27,17 @@ App.MainAdminSecurityAddStep3Controller = Em.Controller.extend({
   secureServices: [],
   serviceConfigTags: [],
   globalProperties: [],
+
+  isSubmitDisabled: true,
+
+  isOozieSelected: function () {
+    return this.get('content.services').someProperty('serviceName', 'OOZIE');
+  }.property('content.services'),
+
+  isWebHcatSelected: function () {
+    return this.get('content.services').someProperty('serviceName', 'WEBHCAT');
+  }.property('content.services'),
+
   serviceUsersBinding: 'App.router.mainAdminController.serviceUsers',
   hasHostPopup:true,
   services:[],
@@ -34,6 +45,7 @@ App.MainAdminSecurityAddStep3Controller = Em.Controller.extend({
 
   clearStep: function () {
     this.get('stages').clear();
+    this.set('isSubmitDisabled',true);
   },
 
   loadStep: function () {
@@ -171,9 +183,17 @@ App.MainAdminSecurityAddStep3Controller = Em.Controller.extend({
       newValue = globalProperty.value;
       var isInstanceName = this.get('globalProperties').findProperty('name', 'instance_name');
       if (isInstanceName) {
-        if (/primary_name?$/.test(globalProperty.name) && property !== 'hadoop.security.auth_to_local') {
-          if (!/_HOST?$/.test(newValue)) {
-            newValue = newValue + '/_HOST';
+        if (/primary_name?$/.test(globalProperty.name) && property !== 'hadoop.security.auth_to_local' && property !== 'oozie.authentication.kerberos.name.rules') {
+          if (this.get('isOozieSelected') && (property === 'oozie.service.HadoopAccessorService.kerberos.principal' || property === 'oozie.authentication.kerberos.principal')) {
+            var oozieServerName = App.Service.find('OOZIE').get('hostComponents').findProperty('componentName', 'OOZIE_SERVER').get('host.hostName');
+            newValue = newValue + '/' + oozieServerName;
+          } else if (this.get('isWebHcatSelected') && property === 'templeton.kerberos.principal') {
+            var webHcatName = App.Service.find('WEBHCAT').get('hostComponents').findProperty('componentName', 'WEBHCAT_SERVER').get('host.hostName');
+            newValue = newValue + '/' + webHcatName;
+          } else {
+            if (!/_HOST?$/.test(newValue)) {
+              newValue = newValue + '/_HOST';
+            }
           }
         }
       }
@@ -303,6 +323,7 @@ App.MainAdminSecurityAddStep3Controller = Em.Controller.extend({
       serviceUsers.pushObject({id: 'puppet var', name: 'hdfs_user', value: 'hdfs'});
       serviceUsers.pushObject({id: 'puppet var', name: 'mapred_user', value: 'mapred'});
       serviceUsers.pushObject({id: 'puppet var', name: 'hbase_user', value: 'hbase'});
+      serviceUsers.pushObject({id: 'puppet var', name: 'hive_user', value: 'hive'});
     } else {
       App.router.get('mainAdminController').getHDFSDetailsFromServer();
     }
@@ -482,8 +503,8 @@ App.MainAdminSecurityAddStep3Controller = Em.Controller.extend({
   moveToNextStage: function () {
     var nextStage = this.get('stages').findProperty('isStarted', false);
     if (nextStage) {
-      // this.get('content').saveCurrentStage(nextStage.get('stage').charAt(nextStage.get('stage').length - 1));
       nextStage.set('isStarted', true);
+      this.set('isSubmitDisabled', true);
     } else {
       this.set('isSubmitDisabled', false);
     }
@@ -521,7 +542,6 @@ App.MainAdminSecurityAddStep3Controller = Em.Controller.extend({
         console.log("TRACE: In error function for the getServiceConfigsFromServer call");
         console.log("TRACE: value of the url is: " + url);
         console.log("TRACE: error code status is: " + request.status);
-
       },
 
       statusCode: require('data/statusCodes')
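Review bot: In the third hunk, `findProperty('componentName', 'OOZIE_SERVER').get('host.hostName')` and the matching `WEBHCAT_SERVER` line dereference the result of `findProperty` without a check, so a cluster whose host components are not loaded (or that lacks the component) throws inside the property loop and aborts the whole step; split the lookup and guard it, e.g. `var oozieServer = App.Service.find('OOZIE').get('hostComponents').findProperty('componentName', 'OOZIE_SERVER');` `var oozieServerName = oozieServer ? oozieServer.get('host.hostName') : '_HOST';` `newValue = newValue + '/' + oozieServerName;`, and the same for WebHCat. The regexes `/primary_name?$/` and `/_HOST?$/` in that hunk make only the final character optional, so they also match names ending in `primary_nam` and values ending in `_HOS`; `/primary_name$/` and `/_HOST$/` are almost certainly what is meant. Since every other principal in this loop gets the `_HOST` placeholder, a one-line comment such as `// Oozie and WebHCat principals get the concrete server host here because these values are not resolved by the _HOST substitution path` (if that is the reason) would save the next reader from "fixing" it back. The enclosing function starts and ends outside the hunk.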

+ 5 - 5
ambari-web/app/data/secure_configs.js

@@ -40,7 +40,7 @@ module.exports = [
     configCategories: [
       App.ServiceConfigCategory.create({ name: 'General', displayName: 'General'}),
       App.ServiceConfigCategory.create({ name: 'NameNode', displayName: 'NameNode'}),
-     // App.ServiceConfigCategory.create({ name: 'SNameNode'}),
+      App.ServiceConfigCategory.create({ name: 'SNameNode',displayName: 'SNameNode'}),
       App.ServiceConfigCategory.create({ name: 'DataNode', displayName: 'DataNode'})
     ],
     configs: configProperties.filterProperty('serviceName', 'HDFS')
@@ -86,7 +86,7 @@ module.exports = [
       App.ServiceConfigCategory.create({ name: 'RegionServer', displayName: 'RegionServer'})
     ],
     configs: configProperties.filterProperty('serviceName', 'HBASE')
-  }
+  },
   /*
   {
     serviceName: 'ZOOKEEPER',
@@ -97,7 +97,7 @@ module.exports = [
     configs: configProperties.filterProperty('serviceName', 'ZOOKEEPER')
 
   },
-
+   */
 
   {
     serviceName: 'OOZIE',
@@ -107,6 +107,6 @@ module.exports = [
       App.ServiceConfigCategory.create({ name: 'Oozie Server'})
     ],
     configs: configProperties.filterProperty('serviceName', 'OOZIE')
-  },
-  */
+  }
+
 ];
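Review bot: The `SNameNode` category is re-enabled in the first hunk while the same commit comments out `snamenode_primary_name` in secure_properties.js, so the category will show only the keytab path; if that is intended, a comment such as `// SNameNode primary name is derived from the NameNode principal; only the keytab path is collected here` (or whatever the actual reason is) should say so, otherwise the property should stay live. The ZOOKEEPER entry is still carried as a commented-out block across the second and third hunks; delete it rather than ship commented code, version control keeps the history. Now that the OOZIE entry is live, its category `App.ServiceConfigCategory.create({ name: 'Oozie Server'})` is the only one without a `displayName`; `App.ServiceConfigCategory.create({ name: 'Oozie Server', displayName: 'Oozie Server'})` matches the others.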

+ 82 - 6
ambari-web/app/data/secure_mapping.js

@@ -34,13 +34,11 @@ module.exports = [
 
   {
     "name": "hadoop.security.auth_to_local",
-    "templateName": ["jobtracker_primary_name", "kerberos_domain", "mapred_user", "tasktracker_primary_name","namenode_primary_name", "hdfs_user", "datanode_primary_name", "hbase_master_primary_name", "hbase_user", "regionserver_primary_name"],
+    "templateName": ["jobtracker_primary_name", "kerberos_domain", "mapred_user", "tasktracker_primary_name", "namenode_primary_name", "hdfs_user", "datanode_primary_name", "hbase_master_primary_name", "hbase_user", "regionserver_primary_name"],
     "foreignKey": null,
     "value": "RULE:[2:$1@$0](<templateName[0]>@.*<templateName[1]>)s/.*/<templateName[2]>/ RULE:[2:$1@$0](<templateName[3]>@.*<templateName[1]>)s/.*/<templateName[2]>/ RULE:[2:$1@$0](<templateName[4]>@.*<templateName[1]>)s/.*/<templateName[5]>/ RULE:[2:$1@$0](<templateName[6]>@.*<templateName[1]>)s/.*/<templateName[5]>/ RULE:[2:$1@$0](<templateName[7]>@.*<templateName[1]>)s/.*/<templateName[8]>/ RULE:[2:$1@$0](<templateName[9]>@.*<templateName[1]>)s/.*/<templateName[8]>/ DEFAULT",
     "filename": "core-site.xml"
   },
-
-
   {
     "name": "dfs.namenode.kerberos.principal",
     "templateName": ["namenode_primary_name", "kerberos_domain"],
@@ -64,7 +62,7 @@ module.exports = [
   },
   {
     "name": "dfs.secondary.namenode.keytab.file",
-    "templateName": ["namenode_keytab"],
+    "templateName": ["snamenode_keytab"],
     "foreignKey": null,
     "value": "<templateName[0]>",
     "filename": "hdfs-site.xml"
@@ -223,19 +221,97 @@ module.exports = [
     "value": "<templateName[0]>",
     "filename": "hive-site.xml"
   },
+  {
+    "name": "oozie.service.AuthorizationService.security.enabled",
+    "templateName": [],
+    "foreignKey": null,
+    "value": "true",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.service.HadoopAccessorService.kerberos.enabled",
+    "templateName": [],
+    "foreignKey": null,
+    "value": "true",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "local.realm",
+    "templateName": ["kerberos_domain"],
+    "foreignKey": null,
+    "value": "<templateName[0]>",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.service.HadoopAccessorService.keytab.file",
+    "templateName": ["oozie_keytab"],
+    "foreignKey": null,
+    "value": "<templateName[0]>",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.service.HadoopAccessorService.kerberos.principal",
+    "templateName": ["oozie_primary_name", "kerberos_domain"],
+    "foreignKey": null,
+    "value": "<templateName[0]>@<templateName[1]>",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.authentication.type",
+    "templateName": [],
+    "foreignKey": null,
+    "value": "kerberos",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.authentication.kerberos.principal",
+    "templateName": ["oozie_http_primary_name", "kerberos_domain"],
+    "foreignKey": null,
+    "value": "<templateName[0]>@<templateName[1]>",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.authentication.kerberos.keytab",
+    "templateName": ["oozie_http_keytab"],
+    "foreignKey": null,
+    "value": "<templateName[0]>",
+    "filename": "oozie-site.xml"
+  },
+  {
+    "name": "oozie.authentication.kerberos.name.rules",
+    "templateName": ["jobtracker_primary_name", "kerberos_domain", "mapred_user", "tasktracker_primary_name", "namenode_primary_name", "hdfs_user", "datanode_primary_name", "hbase_master_primary_name", "hbase_user", "regionserver_primary_name"],
+    "foreignKey": null,
+    "value": "RULE:[2:$1@$0](<templateName[0]>@.*<templateName[1]>)s/.*/<templateName[2]>/ RULE:[2:$1@$0](<templateName[3]>@.*<templateName[1]>)s/.*/<templateName[2]>/ RULE:[2:$1@$0](<templateName[4]>@.*<templateName[1]>)s/.*/<templateName[5]>/ RULE:[2:$1@$0](<templateName[6]>@.*<templateName[1]>)s/.*/<templateName[5]>/ RULE:[2:$1@$0](<templateName[7]>@.*<templateName[1]>)s/.*/<templateName[8]>/ RULE:[2:$1@$0](<templateName[9]>@.*<templateName[1]>)s/.*/<templateName[8]>/ DEFAULT",
+    "filename": "oozie-site.xml"
+  },
   {
     "name": "templeton.kerberos.principal",
     "templateName": ["webhcat_http_primary_name", "kerberos_domain"],
     "foreignKey": null,
     "value": "<templateName[0]>@<templateName[1]>",
-    "filename": "hive-site.xml"
+    "filename": "webhcat-site.xml"
   },
   {
     "name": "templeton.kerberos.keytab",
     "templateName": ["webhcat_http_keytab"],
     "foreignKey": null,
     "value": "<templateName[0]>",
-    "filename": "hive-site.xml"
+    "filename": "webhcat-site.xml"
+  },
+  {
+    "name": "templeton.kerberos.secret",
+    "templateName": [""],
+    "foreignKey": null,
+    "value": "secret",
+    "filename": "webhcat-site.xml"
+  },
+  {
+    "name": "templeton.kerberos.properties",
+    "templateName": ["hive_user"],
+    "foreignKey": null,
+    "value": "hive.metastore.local=false, hive.metastore.uris=thrift://MetastoreHost_FQDN:9083, hive.q" +
+      "metastore.sasl.enabled=true,hive.metastore.execute.setugi= true, hive.exec.mode.local.auto=false, hive.metastore.kerberos.principal=<templateName[0]>/_HOST@EXAMPLE.COM",
+    "filename": "webhcat-site.xml"
   }
 ];
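Review bot: In the last hunk the `templeton.kerberos.properties` value is built as `"... hive.q" + "metastore.sasl.enabled=true,..."`, which yields the key `hive.qmetastore.sasl.enabled`, so the SASL flag this mapping intends to turn on for the metastore connection is never recognised; the stray `q` should go so the text reads `hive.metastore.sasl.enabled=true`. The same value hard-codes `MetastoreHost_FQDN:9083` and `@EXAMPLE.COM` where every other entry templates the realm, so `"templateName": ["hive_user", "kerberos_domain"]` with `<templateName[0]>/_HOST@<templateName[1]>` would keep it consistent and correct on a real cluster. `templeton.kerberos.secret` ships the fixed string `"secret"` to every deployment; as far as I know this is the value WebHCat uses to sign its authentication cookies, so a predictable constant weakens the Kerberos setup the commit is enabling, and it should be generated per cluster (or left to the backend) rather than embedded here, with `"templateName": []` like the other constant entries instead of `[""]`. The `oozie.authentication.kerberos.name.rules` value is a verbatim copy of `hadoop.security.auth_to_local`; a comment `// must stay in sync with hadoop.security.auth_to_local above` on both entries would help keep them aligned.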
 

+ 32 - 17
ambari-web/app/data/secure_properties.js

@@ -139,24 +139,26 @@ module.exports =
       "serviceName": "HDFS",
       "category": "General"
     },
-    {
-      "id": "puppet var",
-      "name": "snamenode_primary_name",
-      "displayName": "primary name",
-      "value": "",
-      "defaultValue": "sn",
-      "description": "Primary name for SecondaryNameNode",
-      "displayType": "principal",
-      "isVisible": true,
-      "serviceName": "HDFS",
-      "category": "SNameNode"
-    },
+    /*
+     {
+     "id": "puppet var",
+     "name": "snamenode_primary_name",
+     "displayName": "primary name",
+     "value": "",
+     "defaultValue": "sn",
+     "description": "Primary name for SecondaryNameNode",
+     "displayType": "principal",
+     "isVisible": true,
+     "serviceName": "HDFS",
+     "category": "SNameNode"
+     },
+     */
     {
       "id": "puppet var",
       "name": "snamenode_keytab",
       "displayName": "Path to keytab file",
       "value": "",
-      "defaultValue": "/etc/security/keytabs/nn.service.keytab",
+      "defaultValue": "/etc/security/keytabs/sn.service.keytab",
       "description": "path to SecondaryNameNode keytab file",
       "displayType": "directory",
       "isVisible": true,
@@ -305,7 +307,7 @@ module.exports =
       "name": "hive_metastore__keytab",
       "displayName": "Path to Keytab file",
       "value": "",
-      "defaultValue": "/etc/security/keytabs",
+      "defaultValue": "/etc/security/keytabs/hive.service.keytab",
       "description": "keytab for Hive Metastore",
       "displayType": "directory",
       "isVisible": true,
@@ -315,6 +317,18 @@ module.exports =
     },
 
     //OOZIE
+    {
+      "id": "puppet var",
+      "name": "oozie_server_name",
+      "displayName": "Oozie server host",
+      "value": "",
+      "defaultValue": "",
+      "description": "Oozie server host",
+      "displayType": "masterHosts",
+      "isVisible": false,
+      "serviceName": "OOZIE",
+      "category": "Oozie Server"
+    },
     {
       "id": "puppet var",
       "name": "oozie_primary_name",
@@ -332,7 +346,7 @@ module.exports =
       "name": "oozie_keytab",
       "displayName": "Path to keytab file",
       "value": "",
-      "defaultValue": "/etc/security/keytabs",
+      "defaultValue": "/etc/security/keytabs/oozie.service.keytab",
       "description": "Keytab for Oozie server",
       "displayType": "directory",
       "isVisible": true,
@@ -357,7 +371,7 @@ module.exports =
       "name": "oozie_http_keytab",
       "displayName": "Path to HTTP Keytab file",
       "value": "",
-      "defaultValue": "/etc/security/keytabs",
+      "defaultValue": "/etc/security/keytabs/spnego.service.keytab",
       "description": "Keytab for http Oozie server",
       "displayType": "directory",
       "isVisible": true,
@@ -385,7 +399,7 @@ module.exports =
       "name": "webhcat_http_keytab",
       "displayName": "Path to HTTP Keytab file",
       "value": "",
-      "defaultValue": "/etc/security/keytabs",
+      "defaultValue": "/etc/security/keytabs/spnego.service.keytab",
       "description": "Keytab for http webHCat",
       "displayType": "directory",
       "isVisible": true,
@@ -394,6 +408,7 @@ module.exports =
     },
     //HUE
 
+
     //NAGIOS
     {
       "id": "puppet var",