Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
2.0.0
Description
The HDFS service components should indicate security state when queried by Ambari Agent via STATUS_COMMAND. Each component should determine it's state as follows:
NAMENODE
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
- Configuration File: params.hadoop_conf_dir + '/core-site.xml'
- hadoop.security.authentication
- = “kerberos”
- required
- hadoop.security.authorization
- = “true”
- required
- hadoop.rpc.protection
- = “authentication”
- required
- hadoop.security.auth_to_local
- not empty
- required
- hadoop.security.authentication
- Configuration File: /params.hadoop_conf_dir + '/hdfs-site.xml'
- dfs.namenode.keytab.file
- not empty
- path exists and is readable
- required
- dfs.namenode.kerberos.principal
- not empty
- required
- dfs.namenode.keytab.file
Pseudocode
if indicators imply security is on and validate if kinit(namenode principal) && kinit(https principal) succeeds state = SECURED_KERBEROS else state = ERROR else state = UNSECURED
DATANODE
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
- Configuration File: params.hadoop_conf_dir + '/core-site.xml'
- hadoop.security.authentication
- = “kerberos”
- required
- hadoop.security.authorization
- = “true”
- required
- hadoop.rpc.protection
- = “authentication”
- required
- hadoop.security.auth_to_local
- not empty
- required
- hadoop.security.authentication
- Configuration File: params.hadoop_conf_dir + '/hdfs-site.xml'
- dfs.datanode.keytab.file
- not empty
- path exists and is readable
- required
- dfs.datanode.kerberos.principal
- not empty
- required
- dfs.datanode.keytab.file
Pseudocode
if indicators imply security is on and validate if kinit(datanode principal) && kinit(https principal) succeeds state = SECURED_KERBEROS else state = ERROR else state = UNSECURED
SECONDARY_NAMENODE
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
- Configuration File: params.hadoop_conf_dir + '/core-site.xml'
- hadoop.security.authentication
- = “kerberos”
- required
- hadoop.security.authorization
- = “true”
- required
- hadoop.rpc.protection
- = “authentication”
- required
- hadoop.security.auth_to_local
- not empty
- required
- hadoop.security.authentication
- Configuration File: params.hadoop_conf_dir + '/hdfs-site.xml'
- dfs.secondary.namenode.keytab.file
- not empty
- path exists and is readable
- required
- dfs.secondary.namenode.kerberos.principal
- not empty
- required
- dfs.secondary.namenode.keytab.file
Pseudocode
if indicators imply security is on and validate if kinit(namenode principal) && kinit(https principal) succeeds state = SECURED_KERBEROS else state = ERROR else state = UNSECURED
HDFS_CLIENT
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
- Configuration File: params.hadoop_conf_dir + '/core-site.xml'
- hadoop.security.authentication
- = “kerberos”
- required
- hadoop.security.authorization
- = “true”
- required
- hadoop.rpc.protection
- = “authentication”
- required
- hadoop.security.auth_to_local
- not empty
- required
- hadoop.security.authentication
- Env Params: hadoop-env
- hdfs_user_keytab
- not empty
- path exists and is readable
- required
- hdfs_user_principal
- not empty
- required
- hdfs_user_keytab
Pseudocode
if indicators imply security is on and validate if kinit(hdfs user principal) succeeds state = SECURED_KERBEROS else state = ERROR else state = UNSECURED
JOURNALNODE
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
- Configuration File: params.hadoop_conf_dir + '/core-site.xml'
- hadoop.security.authentication
- = “kerberos”
- required
- hadoop.security.authorization
- = “true”
- required
- hadoop.rpc.protection
- = “authentication”
- required
- hadoop.security.auth_to_local
- not empty
- required
- hadoop.security.authentication
- Configuration File: /params.hadoop_conf_dir + '/hdfs-site.xml'
ZKFC
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
- Configuration File: params.hadoop_conf_dir + '/core-site.xml'
- hadoop.security.authentication
- = “kerberos”
- required
- hadoop.security.authorization
- = “true”
- required
- hadoop.rpc.protection
- = “authentication”
- required
- hadoop.security.auth_to_local
- not empty
- required
- hadoop.security.authentication
Pseudocode
if indicators imply security is on and validate state = SECURED_KERBEROS else state = UNSECURED
Note: Due to the cost of calling kinit results should be cached for a period of time before retrying. This may be an issue depending on the frequency of the heartbeat timeout.
Note: kinit calls should specify a temporary cache file which should be destroyed after command is executed - BUG-29477
Attachments
Attachments
Issue Links
- requires
-
AMBARI-8343 Components should indicate Security State (via ambari-agent)
- Resolved
- links to