org.apache.ambari.server.controller

Class KerberosHelperImpl

java.lang.Object

org.apache.ambari.server.controller.KerberosHelperImpl

All Implemented Interfaces:

KerberosHelper

public class KerberosHelperImpl
extends Object
implements KerberosHelper

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	KerberosHelperImpl.SupportedCustomOperation

Nested classes/interfaces inherited from interface org.apache.ambari.server.controller.KerberosHelper

KerberosHelper.Command<T,A>, KerberosHelper.KerberosDescriptorType

Field Summary

Fields

Modifier and Type	Field and Description
static String	BASE_LOG_DIR
static String	CHECK_KEYTABS
static String	REMOVE_KEYTAB
static String	SET_KEYTAB

Fields inherited from interface org.apache.ambari.server.controller.KerberosHelper

ALLOW_RETRY, AMBARI_SERVER_HOST_NAME, AMBARI_SERVER_KERBEROS_IDENTITY_NAME, CASE_INSENSITIVE_USERNAME_RULES, CLUSTER_HOST_INFO, CREATE_AMBARI_PRINCIPAL, DEFAULT_REALM, DIRECTIVE_COMPONENTS, DIRECTIVE_CONFIG_UPDATE_POLICY, DIRECTIVE_FORCE_TOGGLE_KERBEROS, DIRECTIVE_HOSTS, DIRECTIVE_IGNORE_CONFIGS, DIRECTIVE_MANAGE_KERBEROS_IDENTITIES, DIRECTIVE_REGENERATE_KEYTABS, INCLUDE_ALL_COMPONENTS_IN_AUTH_TO_LOCAL_RULES, KDC_ADMINISTRATOR_CREDENTIAL_ALIAS, KDC_TYPE, KERBEROS_ENV, MANAGE_AUTH_TO_LOCAL_RULES, MANAGE_IDENTITIES, PRECONFIGURE_SERVICES, SECURITY_ENABLED_CONFIG_TYPE, SECURITY_ENABLED_PROPERTY_NAME

Constructor Summary

Constructors

Constructor and Description
KerberosHelperImpl()

Method Summary

Modifier and Type	Method and Description
int	addIdentities(KerberosIdentityDataFileWriter kerberosIdentityDataFileWriter, Collection<KerberosIdentityDescriptor> identities, Collection<String> identityFilter, String hostname, Long hostId, String serviceName, String componentName, Map<String,Map<String,String>> kerberosConfigurations, Map<String,Map<String,String>> configurations, Map<String,ResolvedKerberosKeytab> resolvedKeytabs, String realm) Adds identities to the KerberosIdentityDataFileWriter.
Map<String,Map<String,String>>	applyStackAdvisorUpdates(Cluster cluster, Set<String> services, Map<String,Map<String,String>> existingConfigurations, Map<String,Map<String,String>> kerberosConfigurations, Map<String,Set<String>> propertiesToIgnore, Map<String,Set<String>> propertiesToRemove, boolean kerberosEnabled) Invokes the Stack Advisor to help determine relevant configuration changes when enabling or disabling Kerberos.
Map<String,Map<String,String>>	calculateConfigurations(Cluster cluster, String hostname, KerberosDescriptor kerberosDescriptor, boolean includePreconfigureData, boolean calculateClusterHostInfo) Calculates the map of configurations relative to the cluster and host.
void	configureServices(Cluster cluster, Map<String,Collection<String>> serviceFilter) Updates the relevant configurations for the components specified in the service filter.
boolean	createAmbariIdentities(Map<String,String> kerberosEnvProperties) Determines if the Ambari identities should be created when enabling Kerberos.
void	createResolvedKeytab(ResolvedKerberosKeytab resolvedKerberosKeytab) Creates and saves underlying KerberosPrincipalEntity, KerberosKeytabEntity entities in JPA storage.
File	createTemporaryDirectory() Creates a temporary directory within the system temporary directory The resulting directory is to be removed by the caller when desired.
protected File	createTemporaryFile() Creates a temporary file within the system temporary directory The resulting file is to be removed by the caller when desired.
RequestStageContainer	createTestIdentity(Cluster cluster, Map<String,String> commandParamsStage, RequestStageContainer requestStageContainer) Create a unique identity to use for testing the general Kerberos configuration.
void	deleteIdentities(Cluster cluster, List<Component> components, Set<String> identities) Deletes the kerberos identities of the given component, even if the component is already deleted.
RequestStageContainer	deleteIdentities(Cluster cluster, Map<String,? extends Collection<String>> serviceComponentFilter, Set<String> hostFilter, Collection<String> identityFilter, RequestStageContainer requestStageContainer, Boolean manageIdentities) Deletes the set of filtered principals and keytabs from the cluster.
RequestStageContainer	deleteTestIdentity(Cluster cluster, Map<String,String> commandParamsStage, RequestStageContainer requestStageContainer) Deletes the unique identity to use for testing the general Kerberos configuration.
boolean	ensureHeadlessIdentities(Cluster cluster, Map<String,Map<String,String>> existingConfigurations, Set<String> services) Ensures that the relevant headless (or user) Kerberos identities are created and cached.
RequestStageContainer	ensureIdentities(Cluster cluster, Map<String,? extends Collection<String>> serviceComponentFilter, Set<String> hostFilter, Collection<String> identityFilter, Set<String> hostsToForceKerberosOperations, RequestStageContainer requestStageContainer, Boolean manageIdentities) Ensures the set of filtered principals and keytabs exist on the cluster.
RequestStageContainer	executeCustomOperations(Cluster cluster, Map<String,String> requestProperties, RequestStageContainer requestStageContainer, Boolean manageIdentities) Used to execute custom security operations which are sent as directives in URI
Map<String,Collection<KerberosIdentityDescriptor>>	getActiveIdentities(String clusterName, String hostName, String serviceName, String componentName, boolean replaceHostNames, Map<String,Map<String,Map<String,String>>> hostConfigurations, KerberosDescriptor kerberosDescriptor) Returns the active identities for the named cluster.
List<KerberosIdentityDescriptor>	getAmbariServerIdentities(KerberosDescriptor kerberosDescriptor) Gets the Ambari server Kerberos identities found in the Kerberos descriptor.
protected File	getConfiguredTemporaryDirectory() Gets the configured temporary directory.
boolean	getForceToggleKerberosDirective(Map<String,String> requestProperties) Retrieves the value of the force_toggle_kerberos directive from the request properties, if it exists.
Set<String>	getHostsWithValidKerberosClient(Cluster cluster)
Map<String,Map<String,String>>	getIdentityConfigurations(List<KerberosIdentityDescriptor> identityDescriptors) Given a list of KerberosIdentityDescriptors, returns a Map fo configuration types to property names and values.
PrincipalKeyCredential	getKDCAdministratorCredentials(String clusterName) Gets the previously stored KDC administrator credential.
KerberosDescriptor	getKerberosDescriptor(Cluster cluster, boolean includePreconfigureData) Builds a composite Kerberos descriptor using the default Kerberos descriptor and a user-specified Kerberos descriptor, if it exists.
KerberosDescriptor	getKerberosDescriptor(KerberosHelper.KerberosDescriptorType kerberosDescriptorType, Cluster cluster, boolean evaluateWhenClauses, Collection<String> additionalServices, boolean includePreconfigureData) Gets the requested Kerberos descriptor.
KerberosDescriptor	getKerberosDescriptor(KerberosHelper.KerberosDescriptorType kerberosDescriptorType, Cluster cluster, StackId stackId, boolean includePreconfigureData) Gets the Kerberos descriptor for the requested stack.
KerberosDetails	getKerberosDetails(Cluster cluster, Boolean manageIdentities) Gathers the Kerberos-related data from configurations and stores it in a new KerberosDetails instance.
Boolean	getManageIdentitiesDirective(Map<String,String> requestProperties) Retrieves the value of the manage_kerberos_identities directive from the request properties, if it exists.
List<ServiceComponentHost>	getServiceComponentHostsToProcess(Cluster cluster, KerberosDescriptor kerberosDescriptor, Map<String,? extends Collection<String>> serviceComponentFilter, Collection<String> hostFilter)
Map<String,Map<String,String>>	getServiceConfigurationUpdates(Cluster cluster, Map<String,Map<String,String>> existingConfigurations, Map<String,Set<String>> installedServices, Map<String,Collection<String>> serviceFilter, Set<String> previouslyExistingServices, boolean kerberosEnabled, boolean applyStackAdvisorUpdates) Returns the updates configurations that are expected when the given set of services are configured for Kerberos.
boolean	isClusterKerberosEnabled(Cluster cluster) Determine if a cluster has kerberos enabled.
Map<String,Map<String,String>>	mergeConfigurations(Map<String,Map<String,String>> configurations, Map<String,KerberosConfigurationDescriptor> updates, Map<String,Map<String,String>> replacements, Set<String> configurationTypeFilter) Merges configurations from a Map of configuration updates into a main configurations Map.
static Map<String,Set<String>>	parseComponentFilter(Map<String,String> requestProperties) Parsing 'Kerberos/components' property to get list of components for 'regenerate_keytabs' request.
static Set<String>	parseHostFilter(Map<String,String> requestProperties) Parsing 'Kerberos/hosts' property to get list of hosts for 'regenerate_keytabs' request.
Map<String,Map<String,String>>	processPreconfiguredServiceConfigurations(Map<String,Map<String,String>> configurations, Map<String,Map<String,String>> replacements, Cluster cluster, KerberosDescriptor kerberosDescriptor) Determines which services, not currently installed, should be preconfigured to aid in reducing the number of service restarts when new services are added to a cluster where Kerberos is enabled.
void	removeStaleKeytabs(Collection<ResolvedKerberosKeytab> expectedKeytabs) Removes existent persisted keytabs if they are not in expectedKeytabs collection.
void	setAuthToLocalRules(Cluster cluster, KerberosDescriptor kerberosDescriptor, String realm, Map<String,Set<String>> installedServices, Map<String,Map<String,String>> existingConfigurations, Map<String,Map<String,String>> kerberosConfigurations, boolean includePreconfigureData) Sets the relevant auth-to-local rule configuration properties using the services installed on the cluster and their relevant Kerberos descriptors to determine the rules to be created.
boolean	shouldExecuteCustomOperations(SecurityType requestSecurityType, Map<String,String> requestProperties) Tests the request properties to check for directives that need to be acted upon It is required that the SecurityType from the request is either KERBEROS or NONE and that at least one directive in the requestProperties map is supported.
RequestStageContainer	toggleKerberos(Cluster cluster, SecurityType securityType, RequestStageContainer requestStageContainer, Boolean manageIdentities) Toggles Kerberos security to enable it or remove it depending on the state of the cluster.
Map<String,Set<String>>	translateConfigurationSpecifications(Collection<String> configurationSpecifications) Translates a collection of configuration specifications (config-type/property-name) to a map of configuration types to a set of property names.
void	validateKDCCredentials(Cluster cluster) Validate the KDC admin credentials.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

BASE_LOG_DIR

public static final String BASE_LOG_DIR

See Also:

Constant Field Values

CHECK_KEYTABS

public static final String CHECK_KEYTABS

See Also:

Constant Field Values

SET_KEYTAB

public static final String SET_KEYTAB

See Also:

Constant Field Values

REMOVE_KEYTAB

public static final String REMOVE_KEYTAB

See Also:

Constant Field Values

Constructor Detail

KerberosHelperImpl

public KerberosHelperImpl()

Method Detail

toggleKerberos

public RequestStageContainer toggleKerberos(Cluster cluster,
                                            SecurityType securityType,
                                            RequestStageContainer requestStageContainer,
                                            Boolean manageIdentities)
                                     throws org.apache.ambari.server.AmbariException,
                                            KerberosOperationException

Description copied from interface: KerberosHelper

Toggles Kerberos security to enable it or remove it depending on the state of the cluster.

The cluster "security_type" property is used to determine the security state of the cluster. If the declared security type is KERBEROS, than an attempt will be make to enable Kerberos; if the security type is NONE, an attempt will be made to disable Kerberos; otherwise, no operations will be performed.

It is expected tht the "kerberos-env" configuration type is available. It is used to obtain information about the Kerberos configuration, generally specific to the KDC being used.

This process is idempotent such that it may be called several times, each time only affecting items that need to be brought up to date.

Specified by:

toggleKerberos in interface KerberosHelper

Parameters:

cluster - the relevant Cluster

securityType - the SecurityType to handle; this value is expected to be either SecurityType.KERBEROS or SecurityType.NONE

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

manageIdentities - a Boolean value indicating how to override the configured behavior of managing Kerberos identities; if null the configured behavior will not be overridden

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

org.apache.ambari.server.AmbariException

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

KerberosOperationException

executeCustomOperations

public RequestStageContainer executeCustomOperations(Cluster cluster,
                                                     Map<String,String> requestProperties,
                                                     RequestStageContainer requestStageContainer,
                                                     Boolean manageIdentities)
                                              throws org.apache.ambari.server.AmbariException,
                                                     KerberosOperationException

Description copied from interface: KerberosHelper

Used to execute custom security operations which are sent as directives in URI

Specified by:

executeCustomOperations in interface KerberosHelper

Parameters:

cluster - the relevant Cluster

requestProperties - this structure is expected to hold already supported and validated directives for the 'Cluster' resource. See ClusterResourceDefinition#getUpdateDirectives

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

manageIdentities - a Boolean value indicating how to override the configured behavior of managing Kerberos identities; if null the configured behavior will not be overridden

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

org.apache.ambari.server.AmbariException

KerberosOperationException

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

parseHostFilter

public static Set<String> parseHostFilter(Map<String,String> requestProperties)

Parsing 'Kerberos/hosts' property to get list of hosts for 'regenerate_keytabs' request. Must be a string with coma separated list of hosts. Absent or miss-spelled hosts must be silently ignored by caller code.

Parameters:

requestProperties -

Returns:

parseComponentFilter

public static Map<String,Set<String>> parseComponentFilter(Map<String,String> requestProperties)

Parsing 'Kerberos/components' property to get list of components for 'regenerate_keytabs' request. Must be a comma separated list of strings that follow pattern 'SERVICENAME:COMPONENTNAME;ANOTHERCOMPONENTNAME'. For example: HDFS:NAMENODE;DATANODE,YARN:RESOURCEMANAGER,ZOOKEEPER:ZOOKEEPER_SERVER;ZOOKEEPER_CLIENT. Absent or miss-spelled components and services must be silently ignored by caller code.

Parameters:

requestProperties -

Returns:

ensureIdentities

public RequestStageContainer ensureIdentities(Cluster cluster,
                                              Map<String,? extends Collection<String>> serviceComponentFilter,
                                              Set<String> hostFilter,
                                              Collection<String> identityFilter,
                                              Set<String> hostsToForceKerberosOperations,
                                              RequestStageContainer requestStageContainer,
                                              Boolean manageIdentities)
                                       throws org.apache.ambari.server.AmbariException,
                                              KerberosOperationException

Description copied from interface: KerberosHelper

Ensures the set of filtered principals and keytabs exist on the cluster.

No configurations will be altered as a result of this operation, however principals and keytabs may be updated or created.

It is expected that the "kerberos-env" configuration type is available. It is used to obtain information about the relevant KDC. For example, the "kdc_type" property is used to determine what type of KDC is being used so that the appropriate actions maybe taken in order interact with it properly.

It is expected tht the "kerberos-env" configuration type is available. It is used to obtain information about the Kerberos configuration, generally specific to the KDC being used.

Specified by:

ensureIdentities in interface KerberosHelper

Parameters:

cluster - the relevant Cluster

serviceComponentFilter - a Map of service names to component names indicating the relevant set of services and components - if null, no filter is relevant; if empty, the filter indicates no relevant services or components

hostFilter - a set of hostname indicating the set of hosts to process - if null, no filter is relevant; if empty, the filter indicates no relevant hosts

identityFilter - a Collection of identity names indicating the relevant identities - if null, no filter is relevant; if empty, the filter indicates no relevant identities

hostsToForceKerberosOperations - a set of host names on which it is expected that the Kerberos client is or will be in the INSTALLED state by the time the operations targeted for them are to be executed - if empty or null, this no hosts will be "forced"

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

manageIdentities - a Boolean value indicating how to override the configured behavior of managing Kerberos identities; if null the configured behavior will not be overridden

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

org.apache.ambari.server.AmbariException

KerberosOperationException

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

deleteIdentities

public RequestStageContainer deleteIdentities(Cluster cluster,
                                              Map<String,? extends Collection<String>> serviceComponentFilter,
                                              Set<String> hostFilter,
                                              Collection<String> identityFilter,
                                              RequestStageContainer requestStageContainer,
                                              Boolean manageIdentities)
                                       throws org.apache.ambari.server.AmbariException,
                                              KerberosOperationException

Description copied from interface: KerberosHelper

Deletes the set of filtered principals and keytabs from the cluster.

No configurations will be altered as a result of this operation, however principals and keytabs may be removed.

It is expected that the "kerberos-env" configuration type is available. It is used to obtain information about the relevant KDC. For example, the "kdc_type" property is used to determine what type of KDC is being used so that the appropriate actions maybe taken in order interact with it properly.

It is expected tht the "kerberos-env" configuration type is available. It is used to obtain information about the Kerberos configuration, generally specific to the KDC being used.

Specified by:

deleteIdentities in interface KerberosHelper

Parameters:

cluster - the relevant Cluster

serviceComponentFilter - a Map of service names to component names indicating the relevant set of services and components - if null, no filter is relevant; if empty, the filter indicates no relevant services or components

hostFilter - a set of hostname indicating the set of hosts to process - if null, no filter is relevant; if empty, the filter indicates no relevant hosts

identityFilter - a Collection of identity names indicating the relevant identities - if null, no filter is relevant; if empty, the filter indicates no relevant identities

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

manageIdentities - a Boolean value indicating how to override the configured behavior of managing Kerberos identities; if null the configured behavior will not be overridden

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

org.apache.ambari.server.AmbariException

KerberosOperationException

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

deleteIdentities

public void deleteIdentities(Cluster cluster,
                             List<Component> components,
                             Set<String> identities)
                      throws org.apache.ambari.server.AmbariException,
                             KerberosOperationException

Deletes the kerberos identities of the given component, even if the component is already deleted.

Specified by:

deleteIdentities in interface KerberosHelper

Throws:

org.apache.ambari.server.AmbariException

KerberosOperationException

configureServices

public void configureServices(Cluster cluster,
                              Map<String,Collection<String>> serviceFilter)
                       throws org.apache.ambari.server.AmbariException,
                              KerberosInvalidConfigurationException

Description copied from interface: KerberosHelper

Updates the relevant configurations for the components specified in the service filter.

If null is passed in as the service filter, all installed services and components will be affected. If an empty map is passed in, no services or components will be affected.

If the relevant services and components have Kerberos descriptors, configuration values from the descriptors are used to update the relevant configuration sets.

Specified by:

configureServices in interface KerberosHelper

Parameters:

cluster - the relevant Cluster

serviceFilter - a Map of service names to component names indicating the relevant set of services and components - if null, no filter is relevant; if empty, the filter indicates no relevant services or components

Throws:

org.apache.ambari.server.AmbariException

KerberosInvalidConfigurationException

getServiceConfigurationUpdates

public Map<String,Map<String,String>> getServiceConfigurationUpdates(Cluster cluster,
                                                                     Map<String,Map<String,String>> existingConfigurations,
                                                                     Map<String,Set<String>> installedServices,
                                                                     Map<String,Collection<String>> serviceFilter,
                                                                     Set<String> previouslyExistingServices,
                                                                     boolean kerberosEnabled,
                                                                     boolean applyStackAdvisorUpdates)
                                                              throws KerberosInvalidConfigurationException,
                                                                     org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Returns the updates configurations that are expected when the given set of services are configured for Kerberos.

Specified by:

getServiceConfigurationUpdates in interface KerberosHelper

Parameters:

cluster - the cluster

existingConfigurations - the cluster's existing configurations

installedServices - the map of services and relevant components to process

serviceFilter - a Map of service names to component names indicating the relevant set of services and components - if null, no filter is relevant; if empty, the filter indicates no relevant services or components

previouslyExistingServices - a set of previously existing service names - null or a subset of installedServices

kerberosEnabled - true if kerberos is (to be) enabled; otherwise false

applyStackAdvisorUpdates - true to invoke the stack advisor to validate property updates; false to skip

Returns:

a map of configuration updates

Throws:

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

org.apache.ambari.server.AmbariException

applyStackAdvisorUpdates

public Map<String,Map<String,String>> applyStackAdvisorUpdates(Cluster cluster,
                                                               Set<String> services,
                                                               Map<String,Map<String,String>> existingConfigurations,
                                                               Map<String,Map<String,String>> kerberosConfigurations,
                                                               Map<String,Set<String>> propertiesToIgnore,
                                                               Map<String,Set<String>> propertiesToRemove,
                                                               boolean kerberosEnabled)
                                                        throws org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Invokes the Stack Advisor to help determine relevant configuration changes when enabling or disabling Kerberos. If kerberosEnabled = true, recommended properties are inserted into kerberosConfigurations, while properties to remove in propertiesToRemove map. In case kerberosEnabled = false, recommended properties are inserted into propertiesToInsert and properties to remove in propertiesToInsert map. This is because in first case properties in kerberosConfigurations are going to be set, while in second case going to be removed from cluster config.

Specified by:

applyStackAdvisorUpdates in interface KerberosHelper

Parameters:

cluster - a cluster

services - a set of services that are being configured to enabled or disable Kerberos

existingConfigurations - the cluster's existing configurations

kerberosConfigurations - the configuration updates to make

propertiesToIgnore - the configuration properties that should be ignored when applying recommendations

propertiesToRemove - the configuration properties that must be removed from cluster config are inserted into this map in case if provided (not null) and kerberosEnabled

kerberosEnabled - true if kerberos is (to be) enabled; otherwise false

Returns:

the configuration updates

Throws:

org.apache.ambari.server.AmbariException

ensureHeadlessIdentities

public boolean ensureHeadlessIdentities(Cluster cluster,
                                        Map<String,Map<String,String>> existingConfigurations,
                                        Set<String> services)
                                 throws KerberosInvalidConfigurationException,
                                        org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Ensures that the relevant headless (or user) Kerberos identities are created and cached.

This can be called any number of times and only the missing identities will be created.

Specified by:

ensureHeadlessIdentities in interface KerberosHelper

Parameters:

cluster - the cluster

existingConfigurations - the cluster's existing configurations

services - the set of services to process

Returns:

Throws:

KerberosInvalidConfigurationException - if an issue occurs trying to get the Kerberos-specific configuration details

org.apache.ambari.server.AmbariException

createTestIdentity

public RequestStageContainer createTestIdentity(Cluster cluster,
                                                Map<String,String> commandParamsStage,
                                                RequestStageContainer requestStageContainer)
                                         throws KerberosOperationException,
                                                org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Create a unique identity to use for testing the general Kerberos configuration.

Specified by:

createTestIdentity in interface KerberosHelper

Parameters:

cluster - the relevant Cluster

commandParamsStage - the command parameters map that will be sent to the agent side command

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

KerberosOperationException

org.apache.ambari.server.AmbariException

deleteTestIdentity

public RequestStageContainer deleteTestIdentity(Cluster cluster,
                                                Map<String,String> commandParamsStage,
                                                RequestStageContainer requestStageContainer)
                                         throws KerberosOperationException,
                                                org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Deletes the unique identity to use for testing the general Kerberos configuration.

Specified by:

deleteTestIdentity in interface KerberosHelper

Parameters:

cluster - the relevant Cluster

commandParamsStage - the command parameters map that will be sent to the agent side command

requestStageContainer - a RequestStageContainer to place generated stages, if needed - if null a new RequestStageContainer will be created.

Returns:

the updated or a new RequestStageContainer containing the stages that need to be executed to complete this task; or null if no stages need to be executed.

Throws:

KerberosOperationException

org.apache.ambari.server.AmbariException

validateKDCCredentials

public void validateKDCCredentials(Cluster cluster)
                            throws KerberosMissingAdminCredentialsException,
                                   KerberosAdminAuthenticationException,
                                   KerberosInvalidConfigurationException,
                                   org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Validate the KDC admin credentials.

Specified by:

validateKDCCredentials in interface KerberosHelper

Parameters:

cluster - associated cluster

Throws:

org.apache.ambari.server.AmbariException - if any other error occurs while trying to validate the credentials

KerberosMissingAdminCredentialsException

KerberosAdminAuthenticationException

KerberosInvalidConfigurationException

setAuthToLocalRules

public void setAuthToLocalRules(Cluster cluster,
                                KerberosDescriptor kerberosDescriptor,
                                String realm,
                                Map<String,Set<String>> installedServices,
                                Map<String,Map<String,String>> existingConfigurations,
                                Map<String,Map<String,String>> kerberosConfigurations,
                                boolean includePreconfigureData)
                         throws org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Sets the relevant auth-to-local rule configuration properties using the services installed on the cluster and their relevant Kerberos descriptors to determine the rules to be created.

Specified by:

setAuthToLocalRules in interface KerberosHelper

Parameters:

cluster - cluster instance

kerberosDescriptor - the current Kerberos descriptor

realm - the default realm

installedServices - the map of services and relevant components to process

existingConfigurations - a map of the current configurations

kerberosConfigurations - a map of the configurations to update, this where the generated auth-to-local values will be stored

includePreconfigureData - true to include the preconfigure data; false otherwise

Throws:

org.apache.ambari.server.AmbariException

getServiceComponentHostsToProcess

public List<ServiceComponentHost> getServiceComponentHostsToProcess(Cluster cluster,
                                                                    KerberosDescriptor kerberosDescriptor,
                                                                    Map<String,? extends Collection<String>> serviceComponentFilter,
                                                                    Collection<String> hostFilter)
                                                             throws org.apache.ambari.server.AmbariException

Specified by:

getServiceComponentHostsToProcess in interface KerberosHelper

Parameters:

cluster - the cluster

kerberosDescriptor - the current Kerberos descriptor

serviceComponentFilter - a Map of service names to component names indicating the relevant set of services and components - if null, no filter is relevant; if empty, the filter indicates no relevant services or components

hostFilter - a set of hostname indicating the set of hosts to process - if null, no filter is relevant; if empty, the filter indicates no relevant hosts

Returns:

a list of ServiceComponentHost instances and should be processed during the relevant Kerberos operation.

Throws:

org.apache.ambari.server.AmbariException

getHostsWithValidKerberosClient

public Set<String> getHostsWithValidKerberosClient(Cluster cluster)
                                            throws org.apache.ambari.server.AmbariException

Specified by:

getHostsWithValidKerberosClient in interface KerberosHelper

Throws:

org.apache.ambari.server.AmbariException

getKerberosDescriptor

public KerberosDescriptor getKerberosDescriptor(Cluster cluster,
                                                boolean includePreconfigureData)
                                         throws org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Builds a composite Kerberos descriptor using the default Kerberos descriptor and a user-specified Kerberos descriptor, if it exists.

The default Kerberos descriptor is built from the kerberos.json files in the stack. It can be retrieved via the stacks/:stackName/versions/:version/artifacts/kerberos_descriptor endpoint

The user-specified Kerberos descriptor was registered to the cluster/:clusterName/artifacts/kerberos_descriptor endpoint.

If the user-specified Kerberos descriptor exists, it is used to update the default Kerberos descriptor and the composite is returned. If not, the default cluster descriptor is returned as-is.

Specified by:

getKerberosDescriptor in interface KerberosHelper

Parameters:

cluster - cluster instance

includePreconfigureData - true to include the preconfigure data; false otherwise

Returns:

the kerberos descriptor associated with the specified cluster

Throws:

org.apache.ambari.server.AmbariException - if unable to obtain the descriptor

See Also:

KerberosHelper.getKerberosDescriptor(KerberosDescriptorType, Cluster, boolean, Collection, boolean)

getKerberosDescriptor

public KerberosDescriptor getKerberosDescriptor(KerberosHelper.KerberosDescriptorType kerberosDescriptorType,
                                                Cluster cluster,
                                                boolean evaluateWhenClauses,
                                                Collection<String> additionalServices,
                                                boolean includePreconfigureData)
                                         throws org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Gets the requested Kerberos descriptor.

One of the following Kerberos descriptors will be returned - with or without pruning identity definitions based on the evaluation of their when clauses:

KerberosHelper.KerberosDescriptorType.STACK

A Kerberos descriptor built using data from the current stack definition, only

KerberosHelper.KerberosDescriptorType.USER

A Kerberos descriptor built using user-specified data stored as an artifact of the cluster, only

KerberosHelper.KerberosDescriptorType.COMPOSITE

A Kerberos descriptor built using data from the current stack definition with user-specified data stored as an artifact of the cluster applied - see KerberosHelper.getKerberosDescriptor(Cluster, boolean)

Specified by:

getKerberosDescriptor in interface KerberosHelper

Parameters:

kerberosDescriptorType - the type of Kerberos descriptor to retrieve - see KerberosHelper.KerberosDescriptorType

cluster - the relevant Cluster

evaluateWhenClauses - true to evaluate Kerberos identity when clauses and prune if necessary; false otherwise.

additionalServices - an optional collection of service names declaring additional services to add to the set of currently installed services to use while evaluating when clauses

includePreconfigureData - true to include the preconfigure data; false otherwise

Returns:

a Kerberos descriptor

Throws:

org.apache.ambari.server.AmbariException

getKerberosDescriptor

public KerberosDescriptor getKerberosDescriptor(KerberosHelper.KerberosDescriptorType kerberosDescriptorType,
                                                Cluster cluster,
                                                StackId stackId,
                                                boolean includePreconfigureData)
                                         throws org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Gets the Kerberos descriptor for the requested stack.

One of the following Kerberos descriptors will be returned:

KerberosHelper.KerberosDescriptorType.STACK

A Kerberos descriptor built using data from the current stack definition, only

KerberosHelper.KerberosDescriptorType.USER

A Kerberos descriptor built using user-specified data stored as an artifact of the cluster, only

KerberosHelper.KerberosDescriptorType.COMPOSITE

A Kerberos descriptor built using data from the current stack definition with user-specified data stored as an artifact of the cluster applied - see KerberosHelper.getKerberosDescriptor(Cluster, boolean)

Specified by:

getKerberosDescriptor in interface KerberosHelper

Parameters:

kerberosDescriptorType - the type of Kerberos descriptor to retrieve - see KerberosHelper.KerberosDescriptorType

cluster - the relevant Cluster

stackId - the relevant stack id, used for COMPOSITE or STACK Kerberos descriptor requests

includePreconfigureData - true to include the preconfigure data; false otherwise

Returns:

a Kerberos descriptor

Throws:

org.apache.ambari.server.AmbariException

mergeConfigurations

public Map<String,Map<String,String>> mergeConfigurations(Map<String,Map<String,String>> configurations,
                                                          Map<String,KerberosConfigurationDescriptor> updates,
                                                          Map<String,Map<String,String>> replacements,
                                                          Set<String> configurationTypeFilter)
                                                   throws org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Merges configurations from a Map of configuration updates into a main configurations Map.

Each property in the updates Map is processed to replace variables using the replacement Map, unless it has been filtered out using an optionally supplied configuration type filter (configurationTypeFilter).

See VariableReplacementHelper.replaceVariables(String, java.util.Map) for information on variable replacement.

Specified by:

mergeConfigurations in interface KerberosHelper

Parameters:

configurations - a Map of existing configurations (updated in-place)

updates - a Map of configuration updates

replacements - a Map of (grouped) replacement values

configurationTypeFilter - a Set of config types to filter from the map of updates; null indicate no filter

Returns:

the updated configurations map

Throws:

org.apache.ambari.server.AmbariException - if an issue occurs

processPreconfiguredServiceConfigurations

public Map<String,Map<String,String>> processPreconfiguredServiceConfigurations(Map<String,Map<String,String>> configurations,
                                                                                Map<String,Map<String,String>> replacements,
                                                                                Cluster cluster,
                                                                                KerberosDescriptor kerberosDescriptor)
                                                                         throws org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Determines which services, not currently installed, should be preconfigured to aid in reducing the number of service restarts when new services are added to a cluster where Kerberos is enabled.

Specified by:

processPreconfiguredServiceConfigurations in interface KerberosHelper

Parameters:

configurations - a Map of existing configurations (updated in-place)

replacements - a Map of (grouped) replacement values

cluster - the cluster

kerberosDescriptor - the Kerberos Descriptor

Returns:

the updated configurations map

Throws:

org.apache.ambari.server.AmbariException - if an issue occurs

addIdentities

public int addIdentities(KerberosIdentityDataFileWriter kerberosIdentityDataFileWriter,
                         Collection<KerberosIdentityDescriptor> identities,
                         Collection<String> identityFilter,
                         String hostname,
                         Long hostId,
                         String serviceName,
                         String componentName,
                         Map<String,Map<String,String>> kerberosConfigurations,
                         Map<String,Map<String,String>> configurations,
                         Map<String,ResolvedKerberosKeytab> resolvedKeytabs,
                         String realm)
                  throws IOException

Description copied from interface: KerberosHelper

Adds identities to the KerberosIdentityDataFileWriter.

Specified by:

addIdentities in interface KerberosHelper

Parameters:

kerberosIdentityDataFileWriter - a KerberosIdentityDataFileWriter to use for storing identity records

identities - a List of KerberosIdentityDescriptors to add to the data file

identityFilter - a Collection of identity names indicating the relevant identities - if null, no filter is relevant; if empty, the filter indicates no relevant identities

hostname - the relevant hostname

serviceName - the relevant service name

componentName - the relevant component name

kerberosConfigurations - a map of the configurations to update with identity-specific values

configurations - a Map of configurations to use a replacements for variables in identity fields

Returns:

an integer indicating the number of identities added to the data file

Throws:

IOException - if an error occurs while writing a record to the data file

calculateConfigurations

public Map<String,Map<String,String>> calculateConfigurations(Cluster cluster,
                                                              String hostname,
                                                              KerberosDescriptor kerberosDescriptor,
                                                              boolean includePreconfigureData,
                                                              boolean calculateClusterHostInfo)
                                                       throws org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Calculates the map of configurations relative to the cluster and host.

Most of this was borrowed from ExecutionCommandWrapper.getExecutionCommand()

Specified by:

calculateConfigurations in interface KerberosHelper

Parameters:

cluster - the relevant Cluster

hostname - the relevant hostname

kerberosDescriptor - a map of general Kerberos descriptor properties

includePreconfigureData - true to include the preconfigure data; otherwise false

Returns:

a Map of calculated configuration types

Throws:

org.apache.ambari.server.AmbariException

getActiveIdentities

public Map<String,Collection<KerberosIdentityDescriptor>> getActiveIdentities(String clusterName,
                                                                              String hostName,
                                                                              String serviceName,
                                                                              String componentName,
                                                                              boolean replaceHostNames,
                                                                              Map<String,Map<String,Map<String,String>>> hostConfigurations,
                                                                              KerberosDescriptor kerberosDescriptor)
                                                                       throws org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Returns the active identities for the named cluster. Results are filtered by host, service, and/or component; and grouped by host.

The cluster name is mandatory; however the active identities may be filtered by one or more of host, service, or component. A null value for any of these filters indicates no filter for that parameter.

The return values are grouped by host and optionally _HOST in principals will be replaced with the relevant hostname if specified to do so.

Specified by:

getActiveIdentities in interface KerberosHelper

Parameters:

clusterName - the name of the relevant cluster (mandatory)

hostName - the name of a host for which to find results, null indicates all hosts

serviceName - the name of a service for which to find results, null indicates all services

componentName - the name of a component for which to find results, null indicates all components

replaceHostNames - if true, _HOST in principals will be replace with the relevant host name

hostConfigurations - a mapping of hostname to configurations for that host. Fetching this ahead of time for every host in the cluster will ensure that this method doesn't need to do it inside of a loop. If null or empty, then this method will do the lookup itself, at considerable cost.

kerberosDescriptor - the kerberos descriptor to use when looking up identities. If null, then this method will deserialize the descriptor inside of a loop at considerable cost.

Returns:

a map of host names to kerberos identities

Throws:

org.apache.ambari.server.AmbariException - if an error occurs processing the cluster's active identities

getAmbariServerIdentities

public List<KerberosIdentityDescriptor> getAmbariServerIdentities(KerberosDescriptor kerberosDescriptor)
                                                           throws org.apache.ambari.server.AmbariException

Description copied from interface: KerberosHelper

Gets the Ambari server Kerberos identities found in the Kerberos descriptor.

Specified by:

getAmbariServerIdentities in interface KerberosHelper

Parameters:

kerberosDescriptor - the kerberos descriptor

Throws:

org.apache.ambari.server.AmbariException

createAmbariIdentities

public boolean createAmbariIdentities(Map<String,String> kerberosEnvProperties)

Description copied from interface: KerberosHelper

Determines if the Ambari identities should be created when enabling Kerberos.

If kerberos-env/create_ambari_principal is not set to false the identity should be calculated.

Specified by:

createAmbariIdentities in interface KerberosHelper

Parameters:

kerberosEnvProperties - the kerberos-env configuration properties

Returns:

true if the Ambari identities should be created; otherwise false

getKDCAdministratorCredentials

public PrincipalKeyCredential getKDCAdministratorCredentials(String clusterName)
                                                      throws org.apache.ambari.server.AmbariException

Gets the previously stored KDC administrator credential.

This implementation accesses the secure CredentialStoreService instance to get the data.

Specified by:

getKDCAdministratorCredentials in interface KerberosHelper

Parameters:

clusterName - the name of the relevant cluster

Returns:

a PrincipalKeyCredential or null, if the KDC administrator credential is not available

Throws:

org.apache.ambari.server.AmbariException - if an error occurs while retrieving the credentials

createResolvedKeytab

public void createResolvedKeytab(ResolvedKerberosKeytab resolvedKerberosKeytab)

Creates and saves underlying KerberosPrincipalEntity, KerberosKeytabEntity entities in JPA storage.

This method has to be very, very careful WRT how and when it merges bidirectional associations.For larger cluster, merging the KerberosKeytabEntity and KerberosPrincipalEntity even when a KerberosKeytabPrincipalEntity will result in major performance problems.

Specified by:

createResolvedKeytab in interface KerberosHelper

Parameters:

resolvedKerberosKeytab - kerberos keytab to be persisted

removeStaleKeytabs

public void removeStaleKeytabs(Collection<ResolvedKerberosKeytab> expectedKeytabs)

Description copied from interface: KerberosHelper

Removes existent persisted keytabs if they are not in expectedKeytabs collection.

Specified by:

removeStaleKeytabs in interface KerberosHelper

Parameters:

expectedKeytabs - collection to compare existent keytabs

translateConfigurationSpecifications

public Map<String,Set<String>> translateConfigurationSpecifications(Collection<String> configurationSpecifications)

Description copied from interface: KerberosHelper

Translates a collection of configuration specifications (config-type/property-name) to a map of configuration types to a set of property names.

For example:

• config-type1/property-name1
• config-type1/property-name2
• config-type2/property-name3

Becomes

• config-type
  • property-name1
  • property-name2
• config-type2
  • property-name3

Specified by:

translateConfigurationSpecifications in interface KerberosHelper

Parameters:

configurationSpecifications - a collection of configuration specifications (config-type/property-name)

Returns:

a map of configuration types to sets of property names

getKerberosDetails

public KerberosDetails getKerberosDetails(Cluster cluster,
                                          Boolean manageIdentities)
                                   throws KerberosInvalidConfigurationException,
                                          org.apache.ambari.server.AmbariException

Gathers the Kerberos-related data from configurations and stores it in a new KerberosDetails instance.

Specified by:

getKerberosDetails in interface KerberosHelper

Parameters:

cluster - the relevant Cluster

manageIdentities - a Boolean value indicating how to override the configured behavior of managing Kerberos identities; if null the configured behavior will not be overridden

Returns:

a new KerberosDetails with the collected configuration data

Throws:

org.apache.ambari.server.AmbariException

KerberosInvalidConfigurationException

createTemporaryDirectory

public File createTemporaryDirectory()
                              throws org.apache.ambari.server.AmbariException

Creates a temporary directory within the system temporary directory

The resulting directory is to be removed by the caller when desired.

Specified by:

createTemporaryDirectory in interface KerberosHelper

Returns:

a File pointing to the new temporary directory, or null if one was not created

Throws:

org.apache.ambari.server.AmbariException - if a new temporary directory cannot be created

createTemporaryFile

protected File createTemporaryFile()
                            throws org.apache.ambari.server.AmbariException

Creates a temporary file within the system temporary directory

The resulting file is to be removed by the caller when desired.

Returns:

a File pointing to the new temporary file, or null if one was not created

Throws:

org.apache.ambari.server.AmbariException - if a new temporary directory cannot be created

getConfiguredTemporaryDirectory

protected File getConfiguredTemporaryDirectory()
                                        throws IOException

Gets the configured temporary directory.

Returns:

a File pointing to the configured temporary directory

Throws:

IOException

isClusterKerberosEnabled

public boolean isClusterKerberosEnabled(Cluster cluster)

Description copied from interface: KerberosHelper

Determine if a cluster has kerberos enabled.

Specified by:

isClusterKerberosEnabled in interface KerberosHelper

Parameters:

cluster - cluster to test

Returns:

true if the provided cluster has kerberos enabled; false otherwise

shouldExecuteCustomOperations

public boolean shouldExecuteCustomOperations(SecurityType requestSecurityType,
                                             Map<String,String> requestProperties)

Description copied from interface: KerberosHelper

Tests the request properties to check for directives that need to be acted upon

It is required that the SecurityType from the request is either KERBEROS or NONE and that at least one directive in the requestProperties map is supported.

Specified by:

shouldExecuteCustomOperations in interface KerberosHelper

Parameters:

requestSecurityType - the SecurityType from the request

requestProperties - A Map of request directives and their values

Returns:

true if custom operations should be executed; false otherwise

getManageIdentitiesDirective

public Boolean getManageIdentitiesDirective(Map<String,String> requestProperties)

Description copied from interface: KerberosHelper

Retrieves the value of the manage_kerberos_identities directive from the request properties, if it exists.

If manage_kerberos_identities does not exist in the map of request properties, null is returned

If manage_kerberos_identities does exists in the map of request properties, a Boolean value is returned indicating whether its value is "false" (Boolean.FALSE) or not (Boolean.TRUE).

Specified by:

getManageIdentitiesDirective in interface KerberosHelper

Parameters:

requestProperties - a map of the request property name/value pairs

Returns:

Boolean.TRUE or Boolean.FALSE if the manage_kerberos_identities property exists in the map; otherwise false

getForceToggleKerberosDirective

public boolean getForceToggleKerberosDirective(Map<String,String> requestProperties)

Description copied from interface: KerberosHelper

Retrieves the value of the force_toggle_kerberos directive from the request properties, if it exists.

If force_toggle_kerberos does not exist in the map of request properties, false is returned.

If force_toggle_kerberos does exists in the map of request properties and is equal to "true", then true is returned; otherwise false is returned.

Specified by:

getForceToggleKerberosDirective in interface KerberosHelper

Parameters:

requestProperties - a map of the request property name/value pairs

Returns:

true if force_toggle_kerberos is "true"; otherwise false

getIdentityConfigurations

public Map<String,Map<String,String>> getIdentityConfigurations(List<KerberosIdentityDescriptor> identityDescriptors)

Description copied from interface: KerberosHelper

Given a list of KerberosIdentityDescriptors, returns a Map fo configuration types to property names and values.

The property names and values are not expected to have any variable replacements done.

Specified by:

getIdentityConfigurations in interface KerberosHelper

Parameters:

identityDescriptors - a List of KerberosIdentityDescriptor from which to retrieve configurations

Returns:

a Map of configuration types to property name/value pairs (as a Map)