Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-9037

Storm service components should indicate security state

    XMLWordPrintableJSON

Details

    Description

      The Storm service components should indicate security state when queried by Ambari Agent via STATUS_COMMAND. Each component should determine it's state as follows:

      DRPC_SERVER

      Indicators

      • Command JSON
        • config['configurations']['cluster-env']['security_enabled']
          • = “true”
      • Configuration File: params.conf_dir + ‘/storm-jaas.conf’
        • StormServer/keyTab
          • not empty
          • path exists and is readable
          • required
        • StormServer/principal
          • not empty
          • required

      Pseudocode

      if indicators imply security is on and validate
          if kinit(drpc server master principal) succeeds
              state = SECURED_KERBEROS
          else
              state = ERROR 
      else
          state = UNSECURED
      

      STORM_UI_SERVER

      Indicators

      • Command JSON
        • config['configurations']['cluster-env']['security_enabled']
          • = “true”
      • Configuration File: params.conf_dir + ‘/storm-jaas.conf’
        • StormClient/keyTab
          • not empty
          • path exists and is readable
          • required
        • StormClient/principal
          • not empty
          • required

      Pseudocode

      if indicators imply security is on and validate
          if kinit(storm ui server principal) succeeds
              state = SECURED_KERBEROS
          else
              state = ERROR 
      else
          state = UNSECURED
      

      NIMBUS

      Indicators

      • Command JSON
        • config['configurations']['cluster-env']['security_enabled']
          • = “true”
      • Configuration File: params.conf_dir + ‘/storm-jaas.conf’
        • StormServer/keyTab
          • not empty
          • path exists and is readable
          • required
        • StormServer/principal
          • not empty
          • required

      Pseudocode

      if indicators imply security is on and validate
          if kinit(nimbus master principal) succeeds
              state = SECURED_KERBEROS
          else
              state = ERROR 
      else
          state = UNSECURED
      

      Note: Due to the cost of calling kinit results should be cached for a period of time before retrying. This may be an issue depending on the frequency of the heartbeat timeout.
      Note: kinit calls should specify a temporary cache file which should be destroyed after command is executed - BUG-29477

      Note: There may be additional work related to REST gateway impersonation

      Attachments

        1. AMBARI-9037_01.patch
          29 kB
          Robert Levas
        2. AMBARI-9037_02.patch
          30 kB
          Robert Levas

        Issue Links

          Activity

            People

              rlevas Robert Levas
              rlevas Robert Levas
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: