org.apache.ambari.server.controller

Interface KerberosHelper

All Known Implementing Classes:

KerberosHelperImpl

public interface KerberosHelper

Nested Class Summary

Nested Classes

Modifier and Type	Interface and Description
static interface	KerberosHelper.Command<T,A> Command to invoke against the Ambari backend.
static class	KerberosHelper.KerberosDescriptorType Types of Kerberos descriptors related to where the data is stored.

Field Summary

Fields

Modifier and Type	Field and Description
static String	ALLOW_RETRY If true, then this will create the stages and tasks as being retry-able.
static String	AMBARI_SERVER_HOST_NAME The hostname used to hold the place of the actual hostname of the host that the Ambari server is on.
static String	AMBARI_SERVER_KERBEROS_IDENTITY_NAME The name of the Ambari server's Kerberos identities as defined in the Kerberos descriptor
static String	CASE_INSENSITIVE_USERNAME_RULES The kerberos-env property name declaring whether auth-to-local rules should be case-insensitive or not
static String	CLUSTER_HOST_INFO Used as key in config maps to store component to host assignment mapping.
static String	CREATE_AMBARI_PRINCIPAL The kerberos-env property name declaring whether Ambari should manage its own required identities or not
static String	DEFAULT_REALM The kerberos-env property name declaring the default realm
static String	DIRECTIVE_COMPONENTS directive used to pass list of services and their components to regenerate keytabs for
static String	DIRECTIVE_CONFIG_UPDATE_POLICY directive used to indicate how to handle configuration updates when regenerating keytab files expected values: none identities_only new_and_identities all
static String	DIRECTIVE_FORCE_TOGGLE_KERBEROS directive used to indicate that the enable Kerberos operation should proceed even if the cluster's security type is not changing
static String	DIRECTIVE_HOSTS directive used to pass host list to regenerate keytabs on
static String	DIRECTIVE_IGNORE_CONFIGS Deprecated. use DIRECTIVE_CONFIG_UPDATE_POLICY
static String	DIRECTIVE_MANAGE_KERBEROS_IDENTITIES directive used to override the behavior of the kerberos-env/manage_identities property
static String	DIRECTIVE_REGENERATE_KEYTABS directive used to indicate that the enable Kerberos operation is only to regenerate keytab files
static String	INCLUDE_ALL_COMPONENTS_IN_AUTH_TO_LOCAL_RULES The kerberos-env property name declaring whether the Hadoop auth_to_local rules should be included for all components of an installed service even if the component itself is not installed
static String	KDC_ADMINISTRATOR_CREDENTIAL_ALIAS The alias to assign to the KDC administrator credential Keystore item
static String	KDC_TYPE The kerberos-env property name declaring the kdc_type
static String	KERBEROS_ENV The name of the Kerberos environment configuration type
static String	MANAGE_AUTH_TO_LOCAL_RULES The kerberos-env property name declaring whether to manage auth-to-local rules or not
static String	MANAGE_IDENTITIES The kerberos-env property name declaring whether Ambari should manage the cluster's required identities or not
static String	PRECONFIGURE_SERVICES The kerberos-env property name declaring how to preprocess services.
static String	SECURITY_ENABLED_CONFIG_TYPE config type which contains the property used to determine if Kerberos is enabled
static String	SECURITY_ENABLED_PROPERTY_NAME name of property which states whether kerberos is enabled

Method Summary

Modifier and Type	Method and Description
int	addIdentities(KerberosIdentityDataFileWriter kerberosIdentityDataFileWriter, Collection<KerberosIdentityDescriptor> identities, Collection<String> identityFilter, String hostname, Long hostId, String serviceName, String componentName, Map<String,Map<String,String>> kerberosConfigurations, Map<String,Map<String,String>> configurations, Map<String,ResolvedKerberosKeytab> resolvedKeytabs, String realm) Adds identities to the KerberosIdentityDataFileWriter.
Map<String,Map<String,String>>	applyStackAdvisorUpdates(Cluster cluster, Set<String> services, Map<String,Map<String,String>> existingConfigurations, Map<String,Map<String,String>> kerberosConfigurations, Map<String,Set<String>> propertiesToIgnore, Map<String,Set<String>> propertiesToRemove, boolean kerberosEnabled) Invokes the Stack Advisor to help determine relevant configuration changes when enabling or disabling Kerberos.
Map<String,Map<String,String>>	calculateConfigurations(Cluster cluster, String hostname, KerberosDescriptor kerberosDescriptor, boolean includePreconfigureData, boolean calculateClusterHostInfo) Calculates the map of configurations relative to the cluster and host.
void	configureServices(Cluster cluster, Map<String,Collection<String>> serviceFilter) Updates the relevant configurations for the components specified in the service filter.
boolean	createAmbariIdentities(Map<String,String> kerberosEnvProperties) Determines if the Ambari identities should be created when enabling Kerberos.
void	createResolvedKeytab(ResolvedKerberosKeytab resolvedKerberosKeytab) Saves underlying entities in persistent storage.
File	createTemporaryDirectory() Creates a temporary directory within the system temporary directory The resulting directory is to be removed by the caller when desired.
RequestStageContainer	createTestIdentity(Cluster cluster, Map<String,String> commandParamsStage, RequestStageContainer requestStageContainer) Create a unique identity to use for testing the general Kerberos configuration.
void	deleteIdentities(Cluster cluster, List<Component> components, Set<String> identities)
RequestStageContainer	deleteIdentities(Cluster cluster, Map<String,? extends Collection<String>> serviceComponentFilter, Set<String> hostFilter, Collection<String> identityFilter, RequestStageContainer requestStageContainer, Boolean manageIdentities) Deletes the set of filtered principals and keytabs from the cluster.
RequestStageContainer	deleteTestIdentity(Cluster cluster, Map<String,String> commandParamsStage, RequestStageContainer requestStageContainer) Deletes the unique identity to use for testing the general Kerberos configuration.
boolean	ensureHeadlessIdentities(Cluster cluster, Map<String,Map<String,String>> existingConfigurations, Set<String> services) Ensures that the relevant headless (or user) Kerberos identities are created and cached.
RequestStageContainer	ensureIdentities(Cluster cluster, Map<String,? extends Collection<String>> serviceComponentFilter, Set<String> hostFilter, Collection<String> identityFilter, Set<String> hostsToForceKerberosOperations, RequestStageContainer requestStageContainer, Boolean manageIdentities) Ensures the set of filtered principals and keytabs exist on the cluster.
RequestStageContainer	executeCustomOperations(Cluster cluster, Map<String,String> requestProperties, RequestStageContainer requestStageContainer, Boolean manageIdentities) Used to execute custom security operations which are sent as directives in URI
Map<String,Collection<KerberosIdentityDescriptor>>	getActiveIdentities(String clusterName, String hostName, String serviceName, String componentName, boolean replaceHostNames, Map<String,Map<String,Map<String,String>>> hostConfigurations, KerberosDescriptor kerberosDescriptor) Returns the active identities for the named cluster.
List<KerberosIdentityDescriptor>	getAmbariServerIdentities(KerberosDescriptor kerberosDescriptor) Gets the Ambari server Kerberos identities found in the Kerberos descriptor.
boolean	getForceToggleKerberosDirective(Map<String,String> requestProperties) Retrieves the value of the force_toggle_kerberos directive from the request properties, if it exists.
Set<String>	getHostsWithValidKerberosClient(Cluster cluster)
Map<String,Map<String,String>>	getIdentityConfigurations(List<KerberosIdentityDescriptor> identityDescriptors) Given a list of KerberosIdentityDescriptors, returns a Map fo configuration types to property names and values.
PrincipalKeyCredential	getKDCAdministratorCredentials(String clusterName) Gets the previously stored KDC administrator credentials.
KerberosDescriptor	getKerberosDescriptor(Cluster cluster, boolean includePreconfigureData) Builds a composite Kerberos descriptor using the default Kerberos descriptor and a user-specified Kerberos descriptor, if it exists.
KerberosDescriptor	getKerberosDescriptor(KerberosHelper.KerberosDescriptorType kerberosDescriptorType, Cluster cluster, boolean evaluateWhenClauses, Collection<String> additionalServices, boolean includePreconfigureData) Gets the requested Kerberos descriptor.
KerberosDescriptor	getKerberosDescriptor(KerberosHelper.KerberosDescriptorType kerberosDescriptorType, Cluster cluster, StackId stackId, boolean includePreconfigureData) Gets the Kerberos descriptor for the requested stack.
KerberosDetails	getKerberosDetails(Cluster cluster, Boolean manageIdentities) Gathers the Kerberos-related data from configurations and stores it in a new KerberosDetails instance.
Boolean	getManageIdentitiesDirective(Map<String,String> requestProperties) Retrieves the value of the manage_kerberos_identities directive from the request properties, if it exists.
List<ServiceComponentHost>	getServiceComponentHostsToProcess(Cluster cluster, KerberosDescriptor kerberosDescriptor, Map<String,? extends Collection<String>> serviceComponentFilter, Collection<String> hostFilter)
Map<String,Map<String,String>>	getServiceConfigurationUpdates(Cluster cluster, Map<String,Map<String,String>> existingConfigurations, Map<String,Set<String>> installedServices, Map<String,Collection<String>> serviceFilter, Set<String> previouslyExistingServices, boolean kerberosEnabled, boolean applyStackAdvisorUpdates) Returns the updates configurations that are expected when the given set of services are configured for Kerberos.
boolean	isClusterKerberosEnabled(Cluster cluster) Determine if a cluster has kerberos enabled.
Map<String,Map<String,String>>	mergeConfigurations(Map<String,Map<String,String>> configurations, Map<String,KerberosConfigurationDescriptor> updates, Map<String,Map<String,String>> replacements, Set<String> configurationTypeFilter) Merges configurations from a Map of configuration updates into a main configurations Map.
Map<String,Map<String,String>>	processPreconfiguredServiceConfigurations(Map<String,Map<String,String>> configurations, Map<String,Map<String,String>> replacements, Cluster cluster, KerberosDescriptor kerberosDescriptor) Determines which services, not currently installed, should be preconfigured to aid in reducing the number of service restarts when new services are added to a cluster where Kerberos is enabled.
void	removeStaleKeytabs(Collection<ResolvedKerberosKeytab> expectedKeytabs) Removes existent persisted keytabs if they are not in expectedKeytabs collection.
void	setAuthToLocalRules(Cluster cluster, KerberosDescriptor kerberosDescriptor, String realm, Map<String,Set<String>> installedServices, Map<String,Map<String,String>> existingConfigurations, Map<String,Map<String,String>> kerberosConfigurations, boolean includePreconfigureData) Sets the relevant auth-to-local rule configuration properties using the services installed on the cluster and their relevant Kerberos descriptors to determine the rules to be created.
boolean	shouldExecuteCustomOperations(SecurityType requestSecurityType, Map<String,String> requestProperties) Tests the request properties to check for directives that need to be acted upon It is required that the SecurityType from the request is either KERBEROS or NONE and that at least one directive in the requestProperties map is supported.
RequestStageContainer	toggleKerberos(Cluster cluster, SecurityType securityType, RequestStageContainer requestStageContainer, Boolean manageIdentities) Toggles Kerberos security to enable it or remove it depending on the state of the cluster.
Map<String,Set<String>>	translateConfigurationSpecifications(Collection<String> configurationSpecifications) Translates a collection of configuration specifications (config-type/property-name) to a map of configuration types to a set of property names.
void	validateKDCCredentials(Cluster cluster) Validate the KDC admin credentials.

Field Detail

DIRECTIVE_MANAGE_KERBEROS_IDENTITIES

static final String DIRECTIVE_MANAGE_KERBEROS_IDENTITIES

directive used to override the behavior of the kerberos-env/manage_identities property

See Also:

Constant Field Values

DIRECTIVE_REGENERATE_KEYTABS

static final String DIRECTIVE_REGENERATE_KEYTABS

directive used to indicate that the enable Kerberos operation is only to regenerate keytab files

See Also:

Constant Field Values

DIRECTIVE_HOSTS

static final String DIRECTIVE_HOSTS

directive used to pass host list to regenerate keytabs on

See Also:

Constant Field Values

DIRECTIVE_COMPONENTS

static final String DIRECTIVE_COMPONENTS

directive used to pass list of services and their components to regenerate keytabs for

See Also:

Constant Field Values

DIRECTIVE_IGNORE_CONFIGS

static final String DIRECTIVE_IGNORE_CONFIGS

Deprecated. use DIRECTIVE_CONFIG_UPDATE_POLICY

directive used to indicate configurations are not to be updated (if set to "true") when regenerating keytab files

See Also:

Constant Field Values

DIRECTIVE_CONFIG_UPDATE_POLICY

static final String DIRECTIVE_CONFIG_UPDATE_POLICY

directive used to indicate how to handle configuration updates when regenerating keytab files expected values:

• none
• identities_only
• new_and_identities
• all

See Also:

UpdateConfigurationPolicy, Constant Field Values

DIRECTIVE_FORCE_TOGGLE_KERBEROS

static final String DIRECTIVE_FORCE_TOGGLE_KERBEROS

directive used to indicate that the enable Kerberos operation should proceed even if the cluster's security type is not changing

See Also:

Constant Field Values

SECURITY_ENABLED_CONFIG_TYPE

static final String SECURITY_ENABLED_CONFIG_TYPE

config type which contains the property used to determine if Kerberos is enabled

See Also:

Constant Field Values

SECURITY_ENABLED_PROPERTY_NAME

static final String SECURITY_ENABLED_PROPERTY_NAME

name of property which states whether kerberos is enabled

See Also:

Constant Field Values

KDC_ADMINISTRATOR_CREDENTIAL_ALIAS

static final String KDC_ADMINISTRATOR_CREDENTIAL_ALIAS

The alias to assign to the KDC administrator credential Keystore item

See Also:

Constant Field Values

AMBARI_SERVER_HOST_NAME

static final String AMBARI_SERVER_HOST_NAME

The hostname used to hold the place of the actual hostname of the host that the Ambari server is on.

See Also:

Constant Field Values

KERBEROS_ENV

static final String KERBEROS_ENV

The name of the Kerberos environment configuration type

See Also:

Constant Field Values

AMBARI_SERVER_KERBEROS_IDENTITY_NAME

static final String AMBARI_SERVER_KERBEROS_IDENTITY_NAME

The name of the Ambari server's Kerberos identities as defined in the Kerberos descriptor

See Also:

Constant Field Values

CREATE_AMBARI_PRINCIPAL

static final String CREATE_AMBARI_PRINCIPAL

The kerberos-env property name declaring whether Ambari should manage its own required identities or not

See Also:

Constant Field Values

MANAGE_IDENTITIES

static final String MANAGE_IDENTITIES

The kerberos-env property name declaring whether Ambari should manage the cluster's required identities or not

See Also:

Constant Field Values

DEFAULT_REALM

static final String DEFAULT_REALM

The kerberos-env property name declaring the default realm

See Also:

Constant Field Values

KDC_TYPE

static final String KDC_TYPE

The kerberos-env property name declaring the kdc_type

See Also:

KDCType, Constant Field Values

MANAGE_AUTH_TO_LOCAL_RULES

static final String MANAGE_AUTH_TO_LOCAL_RULES

The kerberos-env property name declaring whether to manage auth-to-local rules or not

See Also:

Constant Field Values

INCLUDE_ALL_COMPONENTS_IN_AUTH_TO_LOCAL_RULES

static final String INCLUDE_ALL_COMPONENTS_IN_AUTH_TO_LOCAL_RULES

The kerberos-env property name declaring whether the Hadoop auth_to_local rules should be included for all components of an installed service even if the component itself is not installed

See Also:

Constant Field Values

CASE_INSENSITIVE_USERNAME_RULES

static final String CASE_INSENSITIVE_USERNAME_RULES

The kerberos-env property name declaring whether auth-to-local rules should be case-insensitive or not

See Also:

Constant Field Values

PRECONFIGURE_SERVICES

static final String PRECONFIGURE_SERVICES

The kerberos-env property name declaring how to preprocess services.

Expected values are "ALL", "DEFAULT", "NONE"

See Also:

PreconfigureServiceType, Constant Field Values

ALLOW_RETRY

static final String ALLOW_RETRY

If true, then this will create the stages and tasks as being retry-able. A failure during Kerberos operations will not cause the entire request to be aborted.

See Also:

Constant Field Values

CLUSTER_HOST_INFO

static final String CLUSTER_HOST_INFO

Used as key in config maps to store component to host assignment mapping.

See Also:

Constant Field Values

Method Detail

toggleKerberos

RequestStageContainer toggleKerberos(Cluster cluster,
                                     SecurityType securityType,
                                     RequestStageContainer requestStageContainer,
                                     Boolean manageIdentities)
                              throws org.apache.ambari.server.AmbariException,
                                     KerberosOperationException

Toggles Kerberos security to enable it or remove it depending on the state of the cluster.

The cluster "security_type" property is used to determine the security state of the cluster. If the declared security type is KERBEROS, than an attempt will be make to enable Kerberos; if the security type is NONE, an attempt will be made to disable Kerberos; otherwise, no operations will be performed.

It is expected tht the "kerberos-env" configuration type is available. It is used to obtain information about the Kerberos configuration, generally specific to the KDC being used.

This process is idempotent such that it may be called several times, each time only affecting items that need to be brought up to date.

Parameters:

cluster - the relevant Cluster

securityType - the SecurityType to handle; this value is expected to be either SecurityType.KERBEROS or SecurityType.NONE

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

manageIdentities - a Boolean value indicating how to override the configured behavior of managing Kerberos identities; if null the configured behavior will not be overridden

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

org.apache.ambari.server.AmbariException

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

KerberosOperationException

executeCustomOperations

RequestStageContainer executeCustomOperations(Cluster cluster,
                                              Map<String,String> requestProperties,
                                              RequestStageContainer requestStageContainer,
                                              Boolean manageIdentities)
                                       throws org.apache.ambari.server.AmbariException,
                                              KerberosOperationException

Used to execute custom security operations which are sent as directives in URI

Parameters:

cluster - the relevant Cluster

requestProperties - this structure is expected to hold already supported and validated directives for the 'Cluster' resource. See ClusterResourceDefinition#getUpdateDirectives

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

manageIdentities - a Boolean value indicating how to override the configured behavior of managing Kerberos identities; if null the configured behavior will not be overridden

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

org.apache.ambari.server.AmbariException

KerberosOperationException

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

ensureIdentities

RequestStageContainer ensureIdentities(Cluster cluster,
                                       Map<String,? extends Collection<String>> serviceComponentFilter,
                                       Set<String> hostFilter,
                                       Collection<String> identityFilter,
                                       Set<String> hostsToForceKerberosOperations,
                                       RequestStageContainer requestStageContainer,
                                       Boolean manageIdentities)
                                throws org.apache.ambari.server.AmbariException,
                                       KerberosOperationException

Ensures the set of filtered principals and keytabs exist on the cluster.

No configurations will be altered as a result of this operation, however principals and keytabs may be updated or created.

It is expected that the "kerberos-env" configuration type is available. It is used to obtain information about the relevant KDC. For example, the "kdc_type" property is used to determine what type of KDC is being used so that the appropriate actions maybe taken in order interact with it properly.

It is expected tht the "kerberos-env" configuration type is available. It is used to obtain information about the Kerberos configuration, generally specific to the KDC being used.

Parameters:

cluster - the relevant Cluster

serviceComponentFilter - a Map of service names to component names indicating the relevant set of services and components - if null, no filter is relevant; if empty, the filter indicates no relevant services or components

hostFilter - a set of hostname indicating the set of hosts to process - if null, no filter is relevant; if empty, the filter indicates no relevant hosts

identityFilter - a Collection of identity names indicating the relevant identities - if null, no filter is relevant; if empty, the filter indicates no relevant identities

hostsToForceKerberosOperations - a set of host names on which it is expected that the Kerberos client is or will be in the INSTALLED state by the time the operations targeted for them are to be executed - if empty or null, this no hosts will be "forced"

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

manageIdentities - a Boolean value indicating how to override the configured behavior of managing Kerberos identities; if null the configured behavior will not be overridden

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

org.apache.ambari.server.AmbariException

KerberosOperationException

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

deleteIdentities

RequestStageContainer deleteIdentities(Cluster cluster,
                                       Map<String,? extends Collection<String>> serviceComponentFilter,
                                       Set<String> hostFilter,
                                       Collection<String> identityFilter,
                                       RequestStageContainer requestStageContainer,
                                       Boolean manageIdentities)
                                throws org.apache.ambari.server.AmbariException,
                                       KerberosOperationException

Deletes the set of filtered principals and keytabs from the cluster.

No configurations will be altered as a result of this operation, however principals and keytabs may be removed.

It is expected that the "kerberos-env" configuration type is available. It is used to obtain information about the relevant KDC. For example, the "kdc_type" property is used to determine what type of KDC is being used so that the appropriate actions maybe taken in order interact with it properly.

It is expected tht the "kerberos-env" configuration type is available. It is used to obtain information about the Kerberos configuration, generally specific to the KDC being used.

Parameters:

cluster - the relevant Cluster

serviceComponentFilter - a Map of service names to component names indicating the relevant set of services and components - if null, no filter is relevant; if empty, the filter indicates no relevant services or components

hostFilter - a set of hostname indicating the set of hosts to process - if null, no filter is relevant; if empty, the filter indicates no relevant hosts

identityFilter - a Collection of identity names indicating the relevant identities - if null, no filter is relevant; if empty, the filter indicates no relevant identities

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

manageIdentities - a Boolean value indicating how to override the configured behavior of managing Kerberos identities; if null the configured behavior will not be overridden

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

org.apache.ambari.server.AmbariException

KerberosOperationException

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

deleteIdentities

void deleteIdentities(Cluster cluster,
                      List<Component> components,
                      Set<String> identities)
               throws org.apache.ambari.server.AmbariException,
                      KerberosOperationException

Throws:

org.apache.ambari.server.AmbariException

KerberosOperationException

configureServices

void configureServices(Cluster cluster,
                       Map<String,Collection<String>> serviceFilter)
                throws org.apache.ambari.server.AmbariException,
                       KerberosInvalidConfigurationException

Updates the relevant configurations for the components specified in the service filter.

If null is passed in as the service filter, all installed services and components will be affected. If an empty map is passed in, no services or components will be affected.

If the relevant services and components have Kerberos descriptors, configuration values from the descriptors are used to update the relevant configuration sets.

Parameters:

cluster - the relevant Cluster

serviceFilter - a Map of service names to component names indicating the relevant set of services and components - if null, no filter is relevant; if empty, the filter indicates no relevant services or components

Throws:

org.apache.ambari.server.AmbariException

KerberosInvalidConfigurationException

getServiceConfigurationUpdates

Map<String,Map<String,String>> getServiceConfigurationUpdates(Cluster cluster,
                                                              Map<String,Map<String,String>> existingConfigurations,
                                                              Map<String,Set<String>> installedServices,
                                                              Map<String,Collection<String>> serviceFilter,
                                                              Set<String> previouslyExistingServices,
                                                              boolean kerberosEnabled,
                                                              boolean applyStackAdvisorUpdates)
                                                       throws KerberosInvalidConfigurationException,
                                                              org.apache.ambari.server.AmbariException

Returns the updates configurations that are expected when the given set of services are configured for Kerberos.

Parameters:

cluster - the cluster

existingConfigurations - the cluster's existing configurations

installedServices - the map of services and relevant components to process

serviceFilter - a Map of service names to component names indicating the relevant set of services and components - if null, no filter is relevant; if empty, the filter indicates no relevant services or components

previouslyExistingServices - a set of previously existing service names - null or a subset of installedServices

kerberosEnabled - true if kerberos is (to be) enabled; otherwise false

applyStackAdvisorUpdates - true to invoke the stack advisor to validate property updates; false to skip

Returns:

a map of configuration updates

Throws:

org.apache.ambari.server.AmbariException

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

applyStackAdvisorUpdates

Map<String,Map<String,String>> applyStackAdvisorUpdates(Cluster cluster,
                                                        Set<String> services,
                                                        Map<String,Map<String,String>> existingConfigurations,
                                                        Map<String,Map<String,String>> kerberosConfigurations,
                                                        Map<String,Set<String>> propertiesToIgnore,
                                                        Map<String,Set<String>> propertiesToRemove,
                                                        boolean kerberosEnabled)
                                                 throws org.apache.ambari.server.AmbariException

Invokes the Stack Advisor to help determine relevant configuration changes when enabling or disabling Kerberos. If kerberosEnabled = true, recommended properties are inserted into kerberosConfigurations, while properties to remove in propertiesToRemove map. In case kerberosEnabled = false, recommended properties are inserted into propertiesToInsert and properties to remove in propertiesToInsert map. This is because in first case properties in kerberosConfigurations are going to be set, while in second case going to be removed from cluster config.

Parameters:

cluster - a cluster

services - a set of services that are being configured to enabled or disable Kerberos

existingConfigurations - the cluster's existing configurations

kerberosConfigurations - the configuration updates to make

propertiesToIgnore - the configuration properties that should be ignored when applying recommendations

propertiesToRemove - the configuration properties that must be removed from cluster config are inserted into this map in case if provided (not null) and kerberosEnabled

kerberosEnabled - true if kerberos is (to be) enabled; otherwise false

Returns:

the configuration updates

Throws:

org.apache.ambari.server.AmbariException

ensureHeadlessIdentities

boolean ensureHeadlessIdentities(Cluster cluster,
                                 Map<String,Map<String,String>> existingConfigurations,
                                 Set<String> services)
                          throws KerberosInvalidConfigurationException,
                                 org.apache.ambari.server.AmbariException

Ensures that the relevant headless (or user) Kerberos identities are created and cached.

This can be called any number of times and only the missing identities will be created.

Parameters:

cluster - the cluster

existingConfigurations - the cluster's existing configurations

services - the set of services to process

Returns:

Throws:

org.apache.ambari.server.AmbariException

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

createTestIdentity

RequestStageContainer createTestIdentity(Cluster cluster,
                                         Map<String,String> commandParamsStage,
                                         RequestStageContainer requestStageContainer)
                                  throws KerberosOperationException,
                                         org.apache.ambari.server.AmbariException

Create a unique identity to use for testing the general Kerberos configuration.

Parameters:

cluster - the relevant Cluster

commandParamsStage - the command parameters map that will be sent to the agent side command

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

KerberosOperationException

org.apache.ambari.server.AmbariException

deleteTestIdentity

RequestStageContainer deleteTestIdentity(Cluster cluster,
                                         Map<String,String> commandParamsStage,
                                         RequestStageContainer requestStageContainer)
                                  throws KerberosOperationException,
                                         org.apache.ambari.server.AmbariException

Deletes the unique identity to use for testing the general Kerberos configuration.

Parameters:

cluster - the relevant Cluster

commandParamsStage - the command parameters map that will be sent to the agent side command

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

KerberosOperationException

org.apache.ambari.server.AmbariException

validateKDCCredentials

void validateKDCCredentials(Cluster cluster)
                     throws KerberosMissingAdminCredentialsException,
                            KerberosAdminAuthenticationException,
                            KerberosInvalidConfigurationException,
                            org.apache.ambari.server.AmbariException

Validate the KDC admin credentials.

Parameters:

cluster - associated cluster

Throws:

org.apache.ambari.server.AmbariException - if any other error occurs while trying to validate the credentials

KerberosMissingAdminCredentialsException

KerberosAdminAuthenticationException

KerberosInvalidConfigurationException

setAuthToLocalRules

void setAuthToLocalRules(Cluster cluster,
                         KerberosDescriptor kerberosDescriptor,
                         String realm,
                         Map<String,Set<String>> installedServices,
                         Map<String,Map<String,String>> existingConfigurations,
                         Map<String,Map<String,String>> kerberosConfigurations,
                         boolean includePreconfigureData)
                  throws org.apache.ambari.server.AmbariException

Sets the relevant auth-to-local rule configuration properties using the services installed on the cluster and their relevant Kerberos descriptors to determine the rules to be created.

Parameters:

cluster - cluster instance

kerberosDescriptor - the current Kerberos descriptor

realm - the default realm

installedServices - the map of services and relevant components to process

existingConfigurations - a map of the current configurations

kerberosConfigurations - a map of the configurations to update, this where the generated auth-to-local values will be stored

includePreconfigureData - true to include the preconfigure data; false otherwise

Throws:

org.apache.ambari.server.AmbariException

getServiceComponentHostsToProcess

List<ServiceComponentHost> getServiceComponentHostsToProcess(Cluster cluster,
                                                             KerberosDescriptor kerberosDescriptor,
                                                             Map<String,? extends Collection<String>> serviceComponentFilter,
                                                             Collection<String> hostFilter)
                                                      throws org.apache.ambari.server.AmbariException

Parameters:

cluster - the cluster

kerberosDescriptor - the current Kerberos descriptor

serviceComponentFilter - a Map of service names to component names indicating the relevant set of services and components - if null, no filter is relevant; if empty, the filter indicates no relevant services or components

hostFilter - a set of hostname indicating the set of hosts to process - if null, no filter is relevant; if empty, the filter indicates no relevant hosts

Returns:

a list of ServiceComponentHost instances and should be processed during the relevant Kerberos operation.

Throws:

org.apache.ambari.server.AmbariException

getHostsWithValidKerberosClient

Set<String> getHostsWithValidKerberosClient(Cluster cluster)
                                     throws org.apache.ambari.server.AmbariException

Throws:

org.apache.ambari.server.AmbariException

getKerberosDescriptor

KerberosDescriptor getKerberosDescriptor(Cluster cluster,
                                         boolean includePreconfigureData)
                                  throws org.apache.ambari.server.AmbariException

Builds a composite Kerberos descriptor using the default Kerberos descriptor and a user-specified Kerberos descriptor, if it exists.

The default Kerberos descriptor is built from the kerberos.json files in the stack. It can be retrieved via the stacks/:stackName/versions/:version/artifacts/kerberos_descriptor endpoint

The user-specified Kerberos descriptor was registered to the cluster/:clusterName/artifacts/kerberos_descriptor endpoint.

If the user-specified Kerberos descriptor exists, it is used to update the default Kerberos descriptor and the composite is returned. If not, the default cluster descriptor is returned as-is.

Parameters:

cluster - cluster instance

includePreconfigureData - true to include the preconfigure data; false otherwise

Returns:

the kerberos descriptor associated with the specified cluster

Throws:

org.apache.ambari.server.AmbariException - if unable to obtain the descriptor

See Also:

getKerberosDescriptor(KerberosDescriptorType, Cluster, boolean, Collection, boolean)

getKerberosDescriptor

KerberosDescriptor getKerberosDescriptor(KerberosHelper.KerberosDescriptorType kerberosDescriptorType,
                                         Cluster cluster,
                                         boolean evaluateWhenClauses,
                                         Collection<String> additionalServices,
                                         boolean includePreconfigureData)
                                  throws org.apache.ambari.server.AmbariException

Gets the requested Kerberos descriptor.

One of the following Kerberos descriptors will be returned - with or without pruning identity definitions based on the evaluation of their when clauses:

KerberosHelper.KerberosDescriptorType.STACK

A Kerberos descriptor built using data from the current stack definition, only

KerberosHelper.KerberosDescriptorType.USER

A Kerberos descriptor built using user-specified data stored as an artifact of the cluster, only

KerberosHelper.KerberosDescriptorType.COMPOSITE

A Kerberos descriptor built using data from the current stack definition with user-specified data stored as an artifact of the cluster applied - see getKerberosDescriptor(Cluster, boolean)

Parameters:

kerberosDescriptorType - the type of Kerberos descriptor to retrieve - see KerberosHelper.KerberosDescriptorType

cluster - the relevant Cluster

evaluateWhenClauses - true to evaluate Kerberos identity when clauses and prune if necessary; false otherwise.

additionalServices - an optional collection of service names declaring additional services to add to the set of currently installed services to use while evaluating when clauses

includePreconfigureData - true to include the preconfigure data; false otherwise

Returns:

a Kerberos descriptor

Throws:

org.apache.ambari.server.AmbariException

getKerberosDescriptor

KerberosDescriptor getKerberosDescriptor(KerberosHelper.KerberosDescriptorType kerberosDescriptorType,
                                         Cluster cluster,
                                         StackId stackId,
                                         boolean includePreconfigureData)
                                  throws org.apache.ambari.server.AmbariException

Gets the Kerberos descriptor for the requested stack.

One of the following Kerberos descriptors will be returned:

KerberosHelper.KerberosDescriptorType.STACK

A Kerberos descriptor built using data from the current stack definition, only

KerberosHelper.KerberosDescriptorType.USER

A Kerberos descriptor built using user-specified data stored as an artifact of the cluster, only

KerberosHelper.KerberosDescriptorType.COMPOSITE

A Kerberos descriptor built using data from the current stack definition with user-specified data stored as an artifact of the cluster applied - see getKerberosDescriptor(Cluster, boolean)

Parameters:

kerberosDescriptorType - the type of Kerberos descriptor to retrieve - see KerberosHelper.KerberosDescriptorType

cluster - the relevant Cluster

stackId - the relevant stack id, used for COMPOSITE or STACK Kerberos descriptor requests

includePreconfigureData - true to include the preconfigure data; false otherwise

Returns:

a Kerberos descriptor

Throws:

org.apache.ambari.server.AmbariException

mergeConfigurations

Map<String,Map<String,String>> mergeConfigurations(Map<String,Map<String,String>> configurations,
                                                   Map<String,KerberosConfigurationDescriptor> updates,
                                                   Map<String,Map<String,String>> replacements,
                                                   Set<String> configurationTypeFilter)
                                            throws org.apache.ambari.server.AmbariException

Merges configurations from a Map of configuration updates into a main configurations Map.

Each property in the updates Map is processed to replace variables using the replacement Map, unless it has been filtered out using an optionally supplied configuration type filter (configurationTypeFilter).

See VariableReplacementHelper.replaceVariables(String, java.util.Map) for information on variable replacement.

Parameters:

configurations - a Map of existing configurations (updated in-place)

updates - a Map of configuration updates

replacements - a Map of (grouped) replacement values

configurationTypeFilter - a Set of config types to filter from the map of updates; null indicate no filter

Returns:

the updated configurations map

Throws:

org.apache.ambari.server.AmbariException - if an issue occurs

processPreconfiguredServiceConfigurations

Map<String,Map<String,String>> processPreconfiguredServiceConfigurations(Map<String,Map<String,String>> configurations,
                                                                         Map<String,Map<String,String>> replacements,
                                                                         Cluster cluster,
                                                                         KerberosDescriptor kerberosDescriptor)
                                                                  throws org.apache.ambari.server.AmbariException

Determines which services, not currently installed, should be preconfigured to aid in reducing the number of service restarts when new services are added to a cluster where Kerberos is enabled.

Parameters:

configurations - a Map of existing configurations (updated in-place)

replacements - a Map of (grouped) replacement values

cluster - the cluster

kerberosDescriptor - the Kerberos Descriptor

Returns:

the updated configurations map

Throws:

org.apache.ambari.server.AmbariException - if an issue occurs

addIdentities

int addIdentities(KerberosIdentityDataFileWriter kerberosIdentityDataFileWriter,
                  Collection<KerberosIdentityDescriptor> identities,
                  Collection<String> identityFilter,
                  String hostname,
                  Long hostId,
                  String serviceName,
                  String componentName,
                  Map<String,Map<String,String>> kerberosConfigurations,
                  Map<String,Map<String,String>> configurations,
                  Map<String,ResolvedKerberosKeytab> resolvedKeytabs,
                  String realm)
           throws IOException

Adds identities to the KerberosIdentityDataFileWriter.

Parameters:

kerberosIdentityDataFileWriter - a KerberosIdentityDataFileWriter to use for storing identity records

identities - a List of KerberosIdentityDescriptors to add to the data file

identityFilter - a Collection of identity names indicating the relevant identities - if null, no filter is relevant; if empty, the filter indicates no relevant identities

hostname - the relevant hostname

serviceName - the relevant service name

componentName - the relevant component name

kerberosConfigurations - a map of the configurations to update with identity-specific values

configurations - a Map of configurations to use a replacements for variables in identity fields

Returns:

an integer indicating the number of identities added to the data file

Throws:

IOException - if an error occurs while writing a record to the data file

calculateConfigurations

Map<String,Map<String,String>> calculateConfigurations(Cluster cluster,
                                                       String hostname,
                                                       KerberosDescriptor kerberosDescriptor,
                                                       boolean includePreconfigureData,
                                                       boolean calculateClusterHostInfo)
                                                throws org.apache.ambari.server.AmbariException

Calculates the map of configurations relative to the cluster and host.

Most of this was borrowed from ExecutionCommandWrapper.getExecutionCommand()

Parameters:

cluster - the relevant Cluster

hostname - the relevant hostname

kerberosDescriptor - a map of general Kerberos descriptor properties

includePreconfigureData - true to include the preconfigure data; otherwise false

calculateClusterHostInfo -

Returns:

a Map of calculated configuration types

Throws:

org.apache.ambari.server.AmbariException

isClusterKerberosEnabled

boolean isClusterKerberosEnabled(Cluster cluster)

Determine if a cluster has kerberos enabled.

Parameters:

cluster - cluster to test

Returns:

true if the provided cluster has kerberos enabled; false otherwise

shouldExecuteCustomOperations

boolean shouldExecuteCustomOperations(SecurityType requestSecurityType,
                                      Map<String,String> requestProperties)

Tests the request properties to check for directives that need to be acted upon

It is required that the SecurityType from the request is either KERBEROS or NONE and that at least one directive in the requestProperties map is supported.

Parameters:

requestSecurityType - the SecurityType from the request

requestProperties - A Map of request directives and their values

Returns:

true if custom operations should be executed; false otherwise

getManageIdentitiesDirective

Boolean getManageIdentitiesDirective(Map<String,String> requestProperties)

Retrieves the value of the manage_kerberos_identities directive from the request properties, if it exists.

If manage_kerberos_identities does not exist in the map of request properties, null is returned

If manage_kerberos_identities does exists in the map of request properties, a Boolean value is returned indicating whether its value is "false" (Boolean.FALSE) or not (Boolean.TRUE).

Parameters:

requestProperties - a map of the request property name/value pairs

Returns:

Boolean.TRUE or Boolean.FALSE if the manage_kerberos_identities property exists in the map; otherwise false

getForceToggleKerberosDirective

boolean getForceToggleKerberosDirective(Map<String,String> requestProperties)

Retrieves the value of the force_toggle_kerberos directive from the request properties, if it exists.

If force_toggle_kerberos does not exist in the map of request properties, false is returned.

If force_toggle_kerberos does exists in the map of request properties and is equal to "true", then true is returned; otherwise false is returned.

Parameters:

requestProperties - a map of the request property name/value pairs

Returns:

true if force_toggle_kerberos is "true"; otherwise false

getIdentityConfigurations

Map<String,Map<String,String>> getIdentityConfigurations(List<KerberosIdentityDescriptor> identityDescriptors)

Given a list of KerberosIdentityDescriptors, returns a Map fo configuration types to property names and values.

The property names and values are not expected to have any variable replacements done.

Parameters:

identityDescriptors - a List of KerberosIdentityDescriptor from which to retrieve configurations

Returns:

a Map of configuration types to property name/value pairs (as a Map)

getActiveIdentities

Map<String,Collection<KerberosIdentityDescriptor>> getActiveIdentities(String clusterName,
                                                                       String hostName,
                                                                       String serviceName,
                                                                       String componentName,
                                                                       boolean replaceHostNames,
                                                                       Map<String,Map<String,Map<String,String>>> hostConfigurations,
                                                                       KerberosDescriptor kerberosDescriptor)
                                                                throws org.apache.ambari.server.AmbariException

Returns the active identities for the named cluster. Results are filtered by host, service, and/or component; and grouped by host.

The cluster name is mandatory; however the active identities may be filtered by one or more of host, service, or component. A null value for any of these filters indicates no filter for that parameter.

The return values are grouped by host and optionally _HOST in principals will be replaced with the relevant hostname if specified to do so.

Parameters:

clusterName - the name of the relevant cluster (mandatory)

hostName - the name of a host for which to find results, null indicates all hosts

serviceName - the name of a service for which to find results, null indicates all services

componentName - the name of a component for which to find results, null indicates all components

replaceHostNames - if true, _HOST in principals will be replace with the relevant host name

hostConfigurations - a mapping of hostname to configurations for that host. Fetching this ahead of time for every host in the cluster will ensure that this method doesn't need to do it inside of a loop. If null or empty, then this method will do the lookup itself, at considerable cost.

kerberosDescriptor - the kerberos descriptor to use when looking up identities. If null, then this method will deserialize the descriptor inside of a loop at considerable cost.

Returns:

a map of host names to kerberos identities

Throws:

org.apache.ambari.server.AmbariException - if an error occurs processing the cluster's active identities

getAmbariServerIdentities

List<KerberosIdentityDescriptor> getAmbariServerIdentities(KerberosDescriptor kerberosDescriptor)
                                                    throws org.apache.ambari.server.AmbariException

Gets the Ambari server Kerberos identities found in the Kerberos descriptor.

Parameters:

kerberosDescriptor - the kerberos descriptor

Throws:

org.apache.ambari.server.AmbariException

createAmbariIdentities

boolean createAmbariIdentities(Map<String,String> kerberosEnvProperties)

Determines if the Ambari identities should be created when enabling Kerberos.

If kerberos-env/create_ambari_principal is not set to false the identity should be calculated.

Parameters:

kerberosEnvProperties - the kerberos-env configuration properties

Returns:

true if the Ambari identities should be created; otherwise false

getKDCAdministratorCredentials

PrincipalKeyCredential getKDCAdministratorCredentials(String clusterName)
                                               throws org.apache.ambari.server.AmbariException

Gets the previously stored KDC administrator credentials.

Parameters:

clusterName - the name of the relevant cluster

Returns:

a PrincipalKeyCredential or null, if the KDC administrator credentials have not be set or have been removed

Throws:

org.apache.ambari.server.AmbariException - if an error occurs while retrieving the credentials

createResolvedKeytab

void createResolvedKeytab(ResolvedKerberosKeytab resolvedKerberosKeytab)

Saves underlying entities in persistent storage.

Parameters:

resolvedKerberosKeytab - kerberos keytab to be persisted

removeStaleKeytabs

void removeStaleKeytabs(Collection<ResolvedKerberosKeytab> expectedKeytabs)

Removes existent persisted keytabs if they are not in expectedKeytabs collection.

Parameters:

expectedKeytabs - collection to compare existent keytabs

createTemporaryDirectory

File createTemporaryDirectory()
                       throws org.apache.ambari.server.AmbariException

Creates a temporary directory within the system temporary directory

The resulting directory is to be removed by the caller when desired.

Returns:

a File pointing to the new temporary directory, or null if one was not created

Throws:

org.apache.ambari.server.AmbariException - if a new temporary directory cannot be created

translateConfigurationSpecifications

Map<String,Set<String>> translateConfigurationSpecifications(Collection<String> configurationSpecifications)

Translates a collection of configuration specifications (config-type/property-name) to a map of configuration types to a set of property names.

For example:

• config-type1/property-name1
• config-type1/property-name2
• config-type2/property-name3

Becomes

• config-type
  • property-name1
  • property-name2
• config-type2
  • property-name3

Parameters:

configurationSpecifications - a collection of configuration specifications (config-type/property-name)

Returns:

a map of configuration types to sets of property names

getKerberosDetails

KerberosDetails getKerberosDetails(Cluster cluster,
                                   Boolean manageIdentities)
                            throws KerberosInvalidConfigurationException,
                                   org.apache.ambari.server.AmbariException

Gathers the Kerberos-related data from configurations and stores it in a new KerberosDetails instance.

Parameters:

cluster - the relevant Cluster

manageIdentities - a Boolean value indicating how to override the configured behavior of managing Kerberos identities; if null the configured behavior will not be overridden

Returns:

a new KerberosDetails with the collected configuration data

Throws:

org.apache.ambari.server.AmbariException

KerberosInvalidConfigurationException