Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
2.0.0
Description
The YARN service components should indicate security state when queried by Ambari Agent via STATUS_COMMAND. Each component should determine it's state as follows:
RESOURCEMANAGER
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
- Configuration File: /etc/hadoop/conf/yarn-site.xml
- yarn.timeline-service.enabled
- = "true"
- required
- yarn.timeline-service.http-authentication.type
- = "kerberos"
- required
- yarn.acl.enable
- = "true"
- required
- yarn.resourcemanager.keytab
- not empty
- path exists and is readable
- required
- yarn.resourcemanager.principal
- not empty
- required
- yarn.resourcemanager.webapp.spnego-keytab-file
- not empty
- path exists and is readable
- required
- yarn.resourcemanager.webapp.spnego-principal
- not empty
- required
- yarn.timeline-service.enabled
Pseudocode
if indicators imply security is on and validate if kinit(resourcemanager principal) succeeds state = SECURED_KERBEROS else state = ERROR else state = UNSECURED
NODEMANAGER
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
- Configuration File: /etc/hadoop/conf/yarn-site.xml
- yarn.timeline-service.enabled
- = "true"
- required
- yarn.timeline-service.http-authentication.type
- = "kerberos"
- required
- yarn.acl.enable
- = "true"
- required
- yarn.nodemanager.keytab
- not empty
- path exists and is readable
- required
- yarn.nodemanager.principal
- not empty
- required
- yarn.nodemanager.webapp.spnego-keytab-file
- not empty
- path exists and is readable
- required
- yarn.nodemanager.webapp.spnego-principal
- not empty
- required
- yarn.timeline-service.enabled
Pseudocode
if indicators imply security is on and validate if kinit(nodemanager principal) succeeds state = SECURED_KERBEROS else state = ERROR else state = UNSECURED
APP_TIMELINE_SERVER
Indicators
- Command JSON
- config['configurations']['cluster-env']['security_enabled']
- = “true”
- config['configurations']['cluster-env']['security_enabled']
- Configuration File: /etc/hadoop/conf/yarn-site.xml
- yarn.timeline-service.enabled
- = "true"
- required
- yarn.timeline-service.http-authentication.type
- = "kerberos"
- required
- yarn.acl.enable
- = "true"
- required
- yarn.timeline-service.keytab
- not empty
- path exists and is readable
- required
- yarn.timeline-service.principal
- not empty
- required
- yarn.timeline-service.http-authentication.kerberos.keytab
- not empty
- path exists and is readable
- required
- yarn.timeline-service.http-authentication.kerberos.principal
- not empty
- required
- yarn.timeline-service.enabled
Pseudocode
if indicators imply security is on and validate if kinit(nodemanager principal) succeeds state = SECURED_KERBEROS else state = ERROR else state = UNSECURED
Note: Due to the cost of calling kinit results should be cached for a period of time before retrying. This may be an issue depending on the frequency of the heartbeat timeout.
Note: kinit calls should specify a temporary cache file which should be destroyed after command is executed - BUG-29477
Attachments
Attachments
Issue Links
- requires
-
AMBARI-8343 Components should indicate Security State (via ambari-agent)
- Resolved