Falcon service components should indicate security state

The Falcon service components should indicate security state when queried by Ambari Agent via STATUS_COMMAND. Each component should determine it's state as follows:

FALCON_CLIENT

Indicators

• Command JSON
  • config['configurations']['cluster-env']['security_enabled']
    • = “true”

PseudoCode

if indicators imply security is on and validate
    state = SECURED_KERBEROS
else
    state = UNSECURED

FALCON_SERVER

Indicators

• Command JSON
  • config['configurations']['cluster-env']['security_enabled']
    • = “true”
• Configuration File: params.falcon_conf_dir + ‘/startup.properties’
  • *.falcon.authentication.type
    • = “kerberos”
  • *.falcon.service.authentication.kerberos.principal
    • not empty
    • required
  • *.falcon.service.authentication.kerberos.keytab
    • not empty
    • required
    • path exists and is readable
  • *.dfs.namenode.kerberos.principal
    • not empty
    • required
  • *.falcon.http.authentication.type
    • = “kerberos”
  • *.falcon.http.authentication.kerberos.principal
    • not empty
    • required
  • *.falcon.http.authentication.kerberos.keytab
    • not empty
    • required
    • path exists and is readable

Pseudocode

 
if indicators imply security is on and validate
    if kinit(falcon principal) && kinit(http principal) succeeds
        state = SECURED_KERBEROS
    else
        state = ERROR 
else
    state = UNSECURED

Note: Due to the cost of calling kinit results should be cached for a period of time before retrying. This may be an issue depending on the frequency of the heartbeat timeout.
Note: kinit calls should specify a temporary cache file which should be destroyed after command is executed - BUG-29477