
AMBARI-9468. Support secure HDFS with AMS in distributed mode service (rlevas)

Robert Levas 10 年之前
父節點
當前提交
e36b23166e
共有 16 個文件被更改,包括 406 次插入29 次删除
  1. 1 1
      ambari-metrics/ambari-metrics-timelineservice/conf/unix/ambari-metrics-collector
  2. 6 0
      ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-env.xml
  3. 6 7
      ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-env.xml
  4. 79 0
      ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-security-site.xml
  5. 2 2
      ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-site.xml
  6. 122 0
      ambari-server/src/main/resources/common-services/AMS/0.1.0/kerberos.json
  7. 1 0
      ambari-server/src/main/resources/common-services/AMS/0.1.0/metainfo.xml
  8. 18 2
      ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/ams.py
  9. 16 2
      ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/hbase.py
  10. 64 0
      ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/metric_collector.py
  11. 24 10
      ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params.py
  12. 2 2
      ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params_linux.py
  13. 11 2
      ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/status_params.py
  14. 26 0
      ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_collector_jaas.conf.j2
  15. 26 0
      ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_zookeeper_jaas.conf.j2
  16. 2 1
      pom.xml

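--- a/ambari-metrics/ambari-metrics-timelineservice/conf/unix/ambari-metrics-collector
+++ b/ambari-metrics/ambari-metrics-timelineservice/conf/unix/ambari-metrics-collector
@@ -228,7 +228,7 @@ case "$1" in
         rm -f "${PIDFILE}" >/dev/null 2>&1
     fi
 
-    nohup "${JAVA}" "-cp" "/usr/lib/ambari-metrics-collector/*:${COLLECTOR_CONF_DIR}" "-Djava.net.preferIPv4Stack=true" "-Dams.log.dir=${AMS_COLLECTOR_LOG_DIR}" "-Dproc_${DAEMON_NAME}" "${CLASS}" "$@" > $OUTFILE 2>&1 &
+    nohup "${JAVA}" "-cp" "/usr/lib/ambari-metrics-collector/*:${COLLECTOR_CONF_DIR}" ${AMS_COLLECTOR_OPTS} "-Djava.net.preferIPv4Stack=true" "-Dams.log.dir=${AMS_COLLECTOR_LOG_DIR}" "-Dproc_${DAEMON_NAME}" "${CLASS}" "$@" > $OUTFILE 2>&1 &
     PID=$!
     write_pidfile "${PIDFILE}"
     sleep 2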
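Review bot: `${AMS_COLLECTOR_OPTS}` on the new `nohup` line is expanded unquoted, so its value is word-split and glob-expanded before it reaches the JVM; a JAAS config path containing whitespace or a glob character would arrive as several arguments. If the splitting is deliberate so the variable can hold several options, say so directly above the line, e.g. `# AMS_COLLECTOR_OPTS is left unquoted on purpose: it may carry several JVM options`. The redirect target `$OUTFILE` on the same line is unquoted as well. The enclosing `case` arm starts and ends outside the hunk.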

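--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-env.xml
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-env.xml
@@ -68,6 +68,12 @@ export AMS_MONITOR_PID_DIR={{ams_monitor_pid_dir}}
 
 # AMS HBase pid directory
 export AMS_HBASE_PID_DIR={{hbase_pid_dir}}
+
+export AMS_COLLECTOR_OPTS=
+{% if security_enabled %}
+export AMS_COLLECTOR_OPTS="-Djava.security.auth.login.config={{ams_collector_jaas_config_file}}"
+{% endif %}
+
     </value>
   </property>
 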
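Review bot: `export AMS_COLLECTOR_OPTS=` unconditionally clears any value the operator already exported, whereas ams-hbase-env.xml in this same commit appends to the existing variable (`"$HBASE_ZOOKEEPER_OPTS -D..."`). If discarding inherited options is intended, a comment above the assignment should say so, e.g. `# start from an empty option list; only Ambari-managed options are passed to the collector`. Otherwise the secured branch should append with `export AMS_COLLECTOR_OPTS="$AMS_COLLECTOR_OPTS -Djava.security.auth.login.config={{ams_collector_jaas_config_file}}"` and the reset line should be dropped.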

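--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-env.xml
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-env.xml
@@ -120,18 +120,17 @@ export HBASE_MANAGES_ZK=false
 export HBASE_OPTS="$HBASE_OPTS -Djava.security.auth.login.config={{client_jaas_config_file}}"
 export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Djava.security.auth.login.config={{master_jaas_config_file}}"
 export HBASE_REGIONSERVER_OPTS="$HBASE_REGIONSERVER_OPTS -Djava.security.auth.login.config={{regionserver_jaas_config_file}}"
+export HBASE_ZOOKEEPER_OPTS="$HBASE_ZOOKEEPER_OPTS -Djava.security.auth.login.config={{ams_zookeeper_jaas_config_file}}"
 {% endif %}
 
-#Specify native libraries of installed Hadoop paltform
-#_HADOOP_IN_PATH=$(PATH="${HADOOP_HOME:-${HADOOP_PREFIX}}/bin:$PATH" which hadoop 2>/dev/null)
-#_HADOOP_CLASSPATH="/usr/lib/ams-hbase/lib/*"
-#_HADOOP_JAVA_LIBRARY_PATH=$(HADOOP_CLASSPATH="$_HADOOP_CLASSPATH" ${_HADOOP_IN_PATH} org.apache.hadoop.hbase.util.GetJavaProperty java.library.path)
-#use embedded native libs
+# use embedded native libs
 _HADOOP_NATIVE_LIB="/usr/lib/ams-hbase/lib/hadoop-native/"
 export HBASE_OPTS="$HBASE_OPTS -Djava.library.path=${_HADOOP_NATIVE_LIB}"
 
-#"Unsetting" HADOOP_HOME to avoid importing HADOOP installed cluster related configs like: /usr/hdp/2.2.0.0-2041/hadoop/conf/ 
-export HADOOP_HOME=`pwd`
+{% if disable_hadoop_environment %}
+# Unset HADOOP_HOME to avoid importing HADOOP installed cluster related configs like: /usr/hdp/2.2.0.0-2041/hadoop/conf/
+export HADOOP_HOME=`pwd`	138	export HADOOP_HOME=`pwd`
+{% endif %}
     </value>
   </property>
 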
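Review bot: The added `export HADOOP_HOME=` line inside the `disable_hadoop_environment` block carries the assignment twice with a tab-separated `138` between the copies, which looks like text pasted from a side-by-side diff view rather than intended shell (it could also be an artifact of how this page was rendered, so confirm against the file). As written, `export` would receive `138` and the word `export` as extra arguments, and bash rejects `138` as an invalid identifier each time the env file is sourced. Keep only the first assignment and drop everything after it on that line. The comment also says "Unset HADOOP_HOME" while the code points it at the current directory; `# Point HADOOP_HOME at the working directory so the cluster's Hadoop conf is not picked up` would describe what actually happens.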

+ 79 - 0
ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-security-site.xml

@@ -0,0 +1,79 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+  <property>
+    <name>ams.zookeeper.keytab</name>
+  </property>
+  <property>
+    <name>ams.zookeeper.principal</name>
+  </property>
+  <property>
+    <name>hadoop.security.authentication</name>
+  </property>
+  <property>
+    <name>hbase.coprocessor.master.classes</name>
+  </property>
+  <property>
+    <name>hbase.coprocessor.region.classes</name>
+  </property>
+  <property>
+    <name>hbase.master.kerberos.principal</name>
+  </property>
+  <property>
+    <name>hbase.master.keytab.file</name>
+  </property>
+  <property>
+    <name>hbase.myclient.keytab</name>
+  </property>
+  <property>
+    <name>hbase.myclient.principal</name>
+  </property>
+  <property>
+    <name>hbase.regionserver.kerberos.principal</name>
+  </property>
+  <property>
+    <name>hbase.regionserver.keytab.file</name>
+  </property>
+  <property>
+    <name>hbase.security.authentication</name>
+  </property>
+  <property>
+    <name>hbase.security.authorization</name>
+  </property>
+  <property>
+    <name>hbase.zookeeper.property.authProvider.1</name>
+  </property>
+  <property>
+    <name>hbase.zookeeper.property.jaasLoginRenew</name>
+  </property>
+  <property>
+    <name>hbase.zookeeper.property.kerberos.removeHostFromPrincipal
+    </name>
+  </property>
+  <property>
+    <name>hbase.zookeeper.property.kerberos.removeRealmFromPrincipal
+    </name>
+  </property>
+  <property>
+    <name>zookeeper.znode.parent</name>
+  </property>
+</configuration>
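Review bot: The `<name>` elements for `hbase.zookeeper.property.kerberos.removeHostFromPrincipal` and `hbase.zookeeper.property.kerberos.removeRealmFromPrincipal` are wrapped so that `</name>` sits on the following line, which puts a newline and indentation inside the property name. Unless every consumer of this file trims names, those two keys will not match the ones kerberos.json sets, and the host/realm stripping would silently not apply; put the closing tag on the same line as the name. None of the properties carries a `<value>` or `<description>`, so a file-level comment such as `<!-- Values are supplied from kerberos.json when Kerberos is enabled; merged into hbase-site.xml only if security_enabled -->` would tell an operator why they are empty.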

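--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-site.xml
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/configuration/ams-hbase-site.xml
@@ -48,7 +48,7 @@
   </property>
   <property>
     <name>hbase.cluster.distributed</name>
-    <value>false</value>
+    <value>{{hbase_cluster_distributed}}</value>
     <description>
       The mode the cluster will be in. Possible values are false for
       standalone mode and true for distributed mode. If false, startup will run
@@ -64,7 +64,7 @@
   </property>
   <property>
     <name>hbase.zookeeper.quorum</name>
-    <value>localhost</value>
+    <value>{{zookeeper_quorum_hosts}}</value>
     <description>Comma separated list of servers in the ZooKeeper Quorum.
       For example, "host1.mydomain.com,host2.mydomain.com,host3.mydomain.com".
       By default this is set to localhost for local and pseudo-distributed modes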

+ 122 - 0
ambari-server/src/main/resources/common-services/AMS/0.1.0/kerberos.json

@@ -0,0 +1,122 @@
+{
+  "services": [
+    {
+      "name": "AMS",
+      "identities": [
+        {
+          "name": "/spnego"
+        },
+        {
+          "name": "/hdfs"
+        }
+      ],
+      "components": [
+        {
+          "name": "METRIC_COLLECTOR",
+          "identities": [
+            {
+              "name": "ams_hbase_master_hbase",
+              "principal": {
+                "value": "amshbase/_HOST@${realm}",
+                "type": "service",
+                "configuration": "ams-hbase-security-site/hbase.master.kerberos.principal",
+                "local_username": "${ams-hbase-env/hbase_user}"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/ams-hbase.master.keytab",
+                "owner": {
+                  "name": "${ams-hbase-env/hbase_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                },
+                "configuration": "ams-hbase-security-site/hbase.master.keytab.file"
+              }
+            },
+            {
+              "name": "ams_hbase_regionserver_hbase",
+              "principal": {
+                "value": "amshbase/_HOST@${realm}",
+                "type": "service",
+                "configuration": "ams-hbase-security-site/hbase.regionserver.kerberos.principal",
+                "local_username": "${ams-hbase-env/hbase_user}"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/ams-hbase.regionserver.keytab",
+                "owner": {
+                  "name": "${ams-hbase-env/hbase_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                },
+                "configuration": "ams-hbase-security-site/hbase.regionserver.keytab.file"
+              }
+            },
+            {
+              "name": "ams_collector",
+              "principal": {
+                "value": "amshbase/_HOST@${realm}",
+                "type": "service",
+                "configuration": "ams-hbase-security-site/hbase.myclient.principal",
+                "local_username": "${ams-hbase-env/hbase_user}"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/ams.collector.keytab",
+                "owner": {
+                  "name": "${ams-hbase-env/hbase_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                },
+                "configuration": "ams-hbase-security-site/hbase.myclient.keytab"
+              }
+            },
+            {
+              "name": "ams_zookeeper",
+              "principal": {
+                "value": "zookeeper/_HOST@${realm}",
+                "type": "service",
+                "configuration": "ams-hbase-security-site/ams.zookeeper.principal",
+                "local_username": "${ams-hbase-env/hbase_user}"
+              },
+              "keytab": {
+                "file": "${keytab_dir}/zk.service.ams.keytab",
+                "owner": {
+                  "name": "${ams-hbase-env/hbase_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                },
+                "configuration": "ams-hbase-security-site/ams.zookeeper.keytab"
+              }
+            }
+          ],
+          "configurations": [
+            {
+              "ams-hbase-security-site": {
+                "hbase.security.authentication": "kerberos",
+                "hbase.security.authorization": "true",
+                "hadoop.security.authentication": "kerberos",
+                "hbase.coprocessor.master.classes": "org.apache.hadoop.hbase.security.access.AccessController",
+                "hbase.coprocessor.region.classes": "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController",
+                "zookeeper.znode.parent": "/ams-hbase-secure",
+                "hbase.zookeeper.property.kerberos.removeHostFromPrincipal": "true",
+                "hbase.zookeeper.property.kerberos.removeRealmFromPrincipal": "true",
+                "hbase.zookeeper.property.authProvider.1": "org.apache.zookeeper.server.auth.SASLAuthenticationProvider",
+                "hbase.zookeeper.property.jaasLoginRenew": "3600000"
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
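Review bot: The `ams_zookeeper` identity requests the principal `zookeeper/_HOST@${realm}` but writes its keytab `zk.service.ams.keytab` readable by `${ams-hbase-env/hbase_user}`, so the AMS account ends up holding keys for what is presumably the same service principal name a cluster ZooKeeper server on that host uses. That widens who can authenticate as the ZooKeeper service on the host, and, depending on how the KDC issues keys, regenerating one keytab may invalidate the other. A distinct primary for the AMS-embedded ZooKeeper would keep the two trust domains apart; if the shared name is required, the reason belongs in the service documentation. The three `amshbase/_HOST` identities also share one principal across three keytab files, which deserves the same check. The owner-read-only, empty group access on all four keytabs is the right default.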

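--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/metainfo.xml
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/metainfo.xml
@@ -119,6 +119,7 @@
         <config-type>ams-log4j</config-type>
         <config-type>ams-hbase-policy</config-type>
         <config-type>ams-hbase-site</config-type>
+        <config-type>ams-hbase-security-site</config-type>
         <config-type>ams-hbase-env</config-type>
         <config-type>ams-hbase-log4j</config-type>
       </configuration-dependencies>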

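--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/ams.py
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/ams.py
@@ -18,6 +18,7 @@ limitations under the License.
 
 """
 
+import os
 from resource_management import *
 from ambari_commons import OSConst
 from service_mapping import *
@@ -49,9 +50,14 @@ def ams(name=None):
               owner=params.ams_user,
     )
 
+    merged_ams_hbase_site = {}
+    merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-site'])
+    if params.security_enabled:
+      merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-security-site'])
+
     XmlConfig( "hbase-site.xml",
                conf_dir = params.ams_collector_conf_dir,
-               configurations = params.config['configurations']['ams-hbase-site'],
+               configurations = merged_ams_hbase_site,
                configuration_attributes=params.config['configuration_attributes']['ams-hbase-site'],
                owner = params.ams_user,
     )
@@ -130,14 +136,24 @@ def ams(name=None):
               group=params.user_group
     )
 
+    merged_ams_hbase_site = {}
+    merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-site'])
+    if params.security_enabled:
+      merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-security-site'])
+
     XmlConfig( "hbase-site.xml",
                conf_dir = params.ams_collector_conf_dir,
-               configurations = params.config['configurations']['ams-hbase-site'],
+               configurations = merged_ams_hbase_site,
                configuration_attributes=params.config['configuration_attributes']['ams-hbase-site'],
                owner = params.ams_user,
                group = params.user_group
     )
 
+    if params.security_enabled:
+      TemplateConfig(os.path.join(params.hbase_conf_dir, "ams_collector_jaas.conf"),
+                     owner = params.ams_user,
+                     template_tag = None)
+
     if (params.log4j_props != None):
       File(format("{params.ams_collector_conf_dir}/log4j.properties"),
            mode=0644,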
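Review bot: `params.config['configurations']['ams-hbase-security-site']` is indexed directly in both `XmlConfig` hunks, so a command that has `security_enabled` set but does not carry that config type raises `KeyError` before hbase-site.xml is written; the same lookup is repeated in hbase.py and, key by key, in params.py. `merged_ams_hbase_site.update(default('/configurations/ams-hbase-security-site', {}))` would degrade more gracefully, and since the four-line merge now appears three times it is worth one shared helper. `configuration_attributes` still comes only from `ams-hbase-site`, so any attributes set on the security properties are dropped from the rendered file. The body of `ams()` starts and ends outside these hunks.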

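--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/hbase.py
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/hbase.py
@@ -114,9 +114,14 @@ def hbase(name=None # 'master' or 'regionserver' or 'client'
             recursive = True
   )
 
+  merged_ams_hbase_site = {}
+  merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-site'])
+  if params.security_enabled:
+    merged_ams_hbase_site.update(params.config['configurations']['ams-hbase-security-site'])
+
   XmlConfig("hbase-site.xml",
             conf_dir = params.hbase_conf_dir,
-            configurations = params.config['configurations']['ams-hbase-site'],
+            configurations = merged_ams_hbase_site,
             configuration_attributes=params.config['configuration_attributes']['ams-hbase-site'],
             owner = params.hbase_user,
             group = params.user_group
@@ -157,7 +162,9 @@ def hbase(name=None # 'master' or 'regionserver' or 'client'
 
   if params.security_enabled:
     hbase_TemplateConfig( format("hbase_{name}_jaas.conf"), user=params.hbase_user)
-  
+    hbase_TemplateConfig( format("hbase_client_jaas.conf"), user=params.hbase_user)
+    hbase_TemplateConfig( format("ams_zookeeper_jaas.conf"), user=params.hbase_user)
+
   if name in ["master","regionserver"]:
 
     if params.is_hbase_distributed:
@@ -167,6 +174,13 @@ def hbase(name=None # 'master' or 'regionserver' or 'client'
                            owner=params.hbase_user,
                            mode=0775
       )
+
+      params.HdfsDirectory(params.hbase_staging_dir,
+                           action="create_delayed",
+                           owner=params.hbase_user,
+                           mode=0711
+      )
+
       params.HdfsDirectory(None, action="create")
 
     else: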
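Review bot: `params.hbase_staging_dir` is used by the new `HdfsDirectory` call, but none of the params.py hunks in this commit define it; unless it already exists elsewhere in params, the distributed-mode path fails with `AttributeError` before any directory is created. In the JAAS hunk, when `name` is `client` the first and second `hbase_TemplateConfig` calls render the same `hbase_client_jaas.conf`, and `format(...)` around the two literal file names has nothing to substitute, so plain strings would read more clearly. A short comment above the staging directory, e.g. `# 0711: traversable by others but listable only by the HBase user`, would record why this mode differs from the 0775 used just above. `hbase()` begins and ends outside the hunks.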

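--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/metric_collector.py
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/metric_collector.py
@@ -19,6 +19,9 @@ limitations under the License.
 """
 
 from resource_management import *
+from resource_management.libraries.functions.security_commons import build_expectations, \
+  cached_kinit_executor, get_params_from_filesystem, validate_security_config_properties, \
+  FILE_TYPE_XML
 from ams import ams
 from ams_service import ams_service
 from hbase import hbase
@@ -56,5 +59,66 @@ class AmsCollector(Script):
     check_service_status(name='collector')
 
 
+  def security_status(self, env):
+    import status_params
+
+    env.set_params(status_params)
+    props_value_check = {"hbase.security.authentication": "kerberos",
+                         "hbase.security.authorization": "true"}
+
+    props_empty_check = ["hbase.zookeeper.property.authProvider.1",
+                         "hbase.master.keytab.file",
+                         "hbase.master.kerberos.principal",
+                         "hbase.regionserver.keytab.file",
+                         "hbase.regionserver.kerberos.principal"
+    ]
+    props_read_check = ['hbase.master.keytab.file', 'hbase.regionserver.keytab.file']
+    ams_hbase_site_expectations = build_expectations('hbase-site', props_value_check,
+                                                     props_empty_check,
+                                                     props_read_check)
+
+    expectations = {}
+    expectations.update(ams_hbase_site_expectations)
+
+    security_params = get_params_from_filesystem(status_params.ams_hbase_conf_dir,
+                                                 {'hbase-site.xml': FILE_TYPE_XML})
+
+    is_hbase_distributed = security_params['hbase-site']['hbase.rootdir'].startswith('hdfs://')
+    # for embedded mode, when HBase is backed by file, security state is SECURED_KERBEROS by definition when cluster is secured
+    if status_params.security_enabled and not is_hbase_distributed:
+      self.put_structured_out({"securityState": "SECURED_KERBEROS"})
+      return
+
+    result_issues = validate_security_config_properties(security_params, expectations)
+
+    if not result_issues:  # If all validations passed successfully
+      try:
+        # Double check the dict before calling execute
+        if ('hbase-site' not in security_params or
+                'hbase.master.keytab.file' not in security_params['hbase-site'] or
+                'hbase.master.kerberos.principal' not in security_params['hbase-site']):
+          self.put_structured_out({"securityState": "UNSECURED"})
+          self.put_structured_out(
+            {"securityIssuesFound": "Keytab file or principal are not set property."})
+          return
+
+        cached_kinit_executor(status_params.kinit_path_local,
+                              status_params.hbase_user,
+                              security_params['hbase-site']['hbase.master.keytab.file'],
+                              security_params['hbase-site']['hbase.master.kerberos.principal'],
+                              status_params.hostname,
+                              status_params.tmp_dir)
+        self.put_structured_out({"securityState": "SECURED_KERBEROS"})
+      except Exception as e:
+        self.put_structured_out({"securityState": "ERROR"})
+        self.put_structured_out({"securityStateErrorInfo": str(e)})
+    else:
+      issues = []
+      for cf in result_issues:
+        issues.append("Configuration file %s did not pass the validation. Reason: %s" % (
+        cf, result_issues[cf]))
+      self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
+      self.put_structured_out({"securityState": "UNSECURED"})
+
 if __name__ == "__main__":
   AmsCollector().execute()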
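Review bot: `security_params['hbase-site']['hbase.rootdir']` in `security_status` is read before the later "Double check the dict" guard and outside the `try`, so a missing or unparsable hbase-site.xml makes the status command raise instead of reporting a state. Assuming `get_params_from_filesystem` returns plain dicts, `is_hbase_distributed = security_params.get('hbase-site', {}).get('hbase.rootdir', '').startswith('hdfs://')` avoids that. The embedded-mode shortcut reports `SECURED_KERBEROS` without validating anything, while params.py forces `security_enabled` to False for embedded mode, so the comment should state that this is a reporting convention and not a verified state. `props_read_check` covers only the master and regionserver keytabs, leaving the collector and ZooKeeper keytabs added by this commit unchecked. The message `Keytab file or principal are not set property.` presumably means "properly".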

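--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params.py
@@ -65,7 +65,9 @@ hbase_root_dir = config['configurations']['ams-hbase-site']['hbase.rootdir']
 is_hbase_distributed = hbase_root_dir.startswith('hdfs://')
 
 # security is disabled for embedded mode, when HBase is backed by file
-security_enabled = False if not is_hbase_distributed else config['configurations']['cluster-env']['security_enabled'] 
+security_enabled = False if not is_hbase_distributed else config['configurations']['cluster-env']['security_enabled']
+# if cluster is secured and embedded we have to disable haddop env
+disable_hadoop_environment = config['configurations']['cluster-env']['security_enabled'] and not is_hbase_distributed
 
 # this is "hadoop-metrics.properties" for 1.x stacks
 metric_prop_file_name = "hadoop-metrics2-hbase.properties"
@@ -83,6 +85,9 @@ regionserver_xmn_size = calc_xmn_from_xms(regionserver_heapsize, regionserver_xm
 # For embedded mode
 hbase_heapsize = master_heapsize
 
+zookeeper_quorum_hosts = ','.join(ams_collector_hosts) if is_hbase_distributed else 'localhost'
+hbase_cluster_distributed = 'true' if is_hbase_distributed else 'false'
+
 ams_checkpoint_dir = config['configurations']['ams-site']['timeline.metrics.aggregator.checkpoint.dir']
 hbase_pid_dir = status_params.hbase_pid_dir
 hbase_tmp_dir = config['configurations']['ams-hbase-site']['hbase.tmp.dir']
@@ -102,21 +107,30 @@ service_check_data = functions.get_unique_id_and_date()
 user_group = config['configurations']['cluster-env']["user_group"]
 hadoop_user = "hadoop"
 
+kinit_cmd = ""
+
 if security_enabled:
   _hostname_lowercase = config['hostname'].lower()
-  master_jaas_princ = default('/configurations/ams-hbase-site/hbase.master.kerberos.principal', 'hbase/_HOST@EXAMPLE.COM').replace('_HOST',_hostname_lowercase)
-  regionserver_jaas_princ = default('/configurations/ams-hbase-site/hbase.regionserver.kerberos.principal', 'hbase/_HOST@EXAMPLE.COM').replace('_HOST',_hostname_lowercase)
 
-  master_keytab_path = config['configurations']['ams-hbase-site']['hbase.master.keytab.file']
-  regionserver_keytab_path = config['configurations']['ams-hbase-site']['hbase.regionserver.keytab.file']
+  client_jaas_config_file = format("{hbase_conf_dir}/hbase_client_jaas.conf")
   smoke_user_keytab = config['configurations']['cluster-env']['smokeuser_keytab']
   hbase_user_keytab = config['configurations']['ams-hbase-env']['hbase_user_keytab']
-  kinit_path_local = functions.get_kinit_path(["/usr/bin", "/usr/kerberos/bin", "/usr/sbin"])
 
-if security_enabled:
-   kinit_cmd = format("{kinit_path_local} -kt {hbase_user_keytab} {hbase_user};")
-else:
-   kinit_cmd = ""
+  ams_collector_jaas_config_file = format("{hbase_conf_dir}/ams_collector_jaas.conf")
+  ams_collector_keytab_path = config['configurations']['ams-hbase-security-site']['hbase.myclient.keytab']
+  ams_collector_jaas_princ = config['configurations']['ams-hbase-security-site']['hbase.myclient.principal'].replace('_HOST',_hostname_lowercase)
+
+  ams_zookeeper_jaas_config_file = format("{hbase_conf_dir}/ams_zookeeper_jaas.conf")
+  ams_zookeeper_keytab = config['configurations']['ams-hbase-security-site']['ams.zookeeper.keytab']
+  ams_zookeeper_principal_name = config['configurations']['ams-hbase-security-site']['ams.zookeeper.principal'].replace('_HOST',_hostname_lowercase)
+
+  master_jaas_config_file = format("{hbase_conf_dir}/hbase_master_jaas.conf")
+  master_keytab_path = config['configurations']['ams-hbase-security-site']['hbase.master.keytab.file']
+  master_jaas_princ = config['configurations']['ams-hbase-security-site']['hbase.master.kerberos.principal'].replace('_HOST',_hostname_lowercase)
+
+  regionserver_jaas_config_file = format("{hbase_conf_dir}/hbase_regionserver_jaas.conf")
+  regionserver_keytab_path = config['configurations']['ams-hbase-security-site']['hbase.regionserver.keytab.file']
+  regionserver_jaas_princ = config['configurations']['ams-hbase-security-site']['hbase.regionserver.kerberos.principal'].replace('_HOST',_hostname_lowercase)
 
 #log4j.properties
 if (('ams-hbase-log4j' in config['configurations']) and ('content' in config['configurations']['ams-hbase-log4j'])):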
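Review bot: `kinit_cmd` is now always the empty string: the branch that built `{kinit_path_local} -kt {hbase_user_keytab} {hbase_user};` under `security_enabled` is removed together with `kinit_path_local`, so any script that still prefixes a command with `params.kinit_cmd` would run without acquiring a ticket on a Kerberized cluster and fail only at authentication time. If no caller remains, delete the variable; otherwise keep the secured value and say in a comment which commands rely on it. In the first hunk, `disable_hadoop_environment` reads the raw `cluster-env` flag while `security_enabled` on the line above is gated on distributed mode, so the comment should spell that out and fix the typo: `# cluster is Kerberized but AMS HBase is embedded: keep the cluster's Hadoop environment out of the AMS HBase env`. The module-level statements continue outside the hunks.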

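--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params_linux.py
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/params_linux.py
@@ -20,12 +20,12 @@ limitations under the License.
 
 from resource_management import *
 from ambari_commons import OSCheck
-import status_params
+
 config = Script.get_config()
 
 ams_collector_conf_dir = "/etc/ambari-metrics-collector/conf"
 ams_monitor_conf_dir = "/etc/ambari-metrics-monitor/conf/"
-ams_user = status_params.ams_user
+ams_user = config['configurations']['ams-env']['ams_user']
 #RPM versioning support
 rpm_version = default("/configurations/hadoop-env/rpm_version", None)
 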

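--- a/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/status_params.py
+++ b/ambari-server/src/main/resources/common-services/AMS/0.1.0/package/scripts/status_params.py
@@ -20,11 +20,20 @@ limitations under the License.
 
 from resource_management import *
 
-config = Script.get_config()
+from ambari_commons import OSCheck
+if OSCheck.is_windows_family():
+    from params_windows import *
+else:
+    from params_linux import *
 
 hbase_pid_dir = config['configurations']['ams-hbase-env']['hbase_pid_dir']
-ams_user = config['configurations']['ams-env']['ams_user']
 hbase_user = ams_user
 ams_collector_pid_dir = config['configurations']['ams-env']['ams_collector_pid_dir']
 ams_monitor_pid_dir = config['configurations']['ams-env']['ams_monitor_pid_dir']
 
+security_enabled = config['configurations']['cluster-env']['security_enabled']
+ams_hbase_conf_dir = format("{hbase_conf_dir}")
+
+kinit_path_local = functions.get_kinit_path(["/usr/bin", "/usr/kerberos/bin", "/usr/sbin"])
+hostname = config['hostname']
+tmp_dir = Script.get_tmp_dir()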
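Review bot: `security_enabled` here is the raw `cluster-env` flag, whereas params.py exports the same name as False whenever HBase is not distributed, so the two modules give one identifier two meanings and `security_status` depends on knowing which it imported. A comment on the assignment, e.g. `# raw cluster flag; params.security_enabled is additionally forced to False in embedded mode`, or a distinct name such as `cluster_security_enabled`, would prevent a wrong guess. `config`, `ams_user` and `hbase_conf_dir` now arrive only through the wildcard import from `params_linux`/`params_windows`, which hides where they come from; `hbase_conf_dir` is not defined in any hunk shown for those files, so confirm both variants provide it.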

+ 26 - 0
ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_collector_jaas.conf.j2

@@ -0,0 +1,26 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+
+Client {
+com.sun.security.auth.module.Krb5LoginModule required
+useKeyTab=true
+storeKey=true
+useTicketCache=false
+keyTab="{{ams_collector_keytab_path}}"
+principal="{{ams_collector_jaas_princ}}";
+};

+ 26 - 0
ambari-server/src/main/resources/common-services/AMS/0.1.0/package/templates/ams_zookeeper_jaas.conf.j2

@@ -0,0 +1,26 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+
+Server {
+com.sun.security.auth.module.Krb5LoginModule required
+useKeyTab=true
+storeKey=true
+useTicketCache=false
+keyTab="{{ams_zookeeper_keytab}}"
+principal="{{ams_zookeeper_principal_name}}";
+};

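--- a/pom.xml
+++ b/pom.xml
@@ -271,7 +271,8 @@
             <exclude>ambari-metrics/ambari-metrics-timelineservice/src/test/resources/lib/org/apache/phoenix/phoenix-core-tests/4.2.0/phoenix-core-tests-4.2.0.pom</exclude>
             <exclude>ambari-metrics/ambari-metrics-timelineservice/src/test/resources/lib/org/apache/phoenix/phoenix-core-tests/maven-metadata-local.xml</exclude>
             <exclude>ambari-metrics/*/target/**</exclude>
-
+            <!-- ignore .settings and .project  -->
+            <exclude>ambari-metrics/**/.*/**</exclude>
           </excludes>
         </configuration>
         <executions>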