Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
2.0.0
Description
The Falcon service components should indicate security state when queried by Ambari Agent via STATUS_COMMAND. Each component should determine it's state as follows:
FALCON_CLIENT
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
PseudoCode
if indicators imply security is on and validate state = SECURED_KERBEROS else state = UNSECURED
FALCON_SERVER
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
- Configuration File: params.falcon_conf_dir + ‘/startup.properties’
- *.falcon.authentication.type
- = “kerberos”
- *.falcon.service.authentication.kerberos.principal
- not empty
- required
- *.falcon.service.authentication.kerberos.keytab
- not empty
- required
- path exists and is readable
- *.dfs.namenode.kerberos.principal
- not empty
- required
- *.falcon.http.authentication.type
- = “kerberos”
- *.falcon.http.authentication.kerberos.principal
- not empty
- required
- *.falcon.http.authentication.kerberos.keytab
- not empty
- required
- path exists and is readable
- *.falcon.authentication.type
Pseudocode
if indicators imply security is on and validate if kinit(falcon principal) && kinit(http principal) succeeds state = SECURED_KERBEROS else state = ERROR else state = UNSECURED
Note: Due to the cost of calling kinit results should be cached for a period of time before retrying. This may be an issue depending on the frequency of the heartbeat timeout.
Note: kinit calls should specify a temporary cache file which should be destroyed after command is executed - BUG-29477
Attachments
Attachments
Issue Links
- requires
-
AMBARI-8343 Components should indicate Security State (via ambari-agent)
- Resolved