org.apache.ambari.server.serveraction.kerberos

Class KerberosServerAction

java.lang.Object

org.apache.ambari.server.serveraction.AbstractServerAction

org.apache.ambari.server.serveraction.kerberos.KerberosServerAction

All Implemented Interfaces:

ServerAction

Direct Known Subclasses:

AbstractPrepareKerberosServerAction, CleanupServerAction, ConfigureAmbariIdentitiesServerAction, CreateKeytabFilesServerAction, CreatePrincipalsServerAction, DestroyPrincipalsServerAction, FinalizeKerberosServerAction

public abstract class KerberosServerAction
extends AbstractServerAction

KerberosServerAction is an abstract class to be implemented by Kerberos-related ServerAction implementations.

This class provides helper methods used to get common properties from the command parameters map and iterate through the Kerberos identity metadata file (see KerberosIdentityDataFileReader).

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	KerberosServerAction.KerberosCommandParameters
static class	KerberosServerAction.OperationType A Kerberos operation type RECREATE_ALL - regenerate keytabs for all principals CREATE_MISSING - generate keytabs for only those that are missing DEFAULT - generate needed keytabs for new components

Field Summary

Fields

Modifier and Type	Field and Description
static String	AUTHENTICATED_USER_NAME A (command parameter) property name used to hold the authenticated user's name for use in operations that record the acting user.
static String	DATA_DIRECTORY A (command parameter) property name used to hold the absolute path to the directory that is to be used to store transient data while the request is being processed.
static String	DATA_DIRECTORY_PREFIX The prefix to use for the data directory name.
static String	DEFAULT_REALM A (command parameter) property name used to hold the default Kerberos realm value.
static String	HOST_FILTER A (command parameter) property name used to hold the (serialized) host filter list.
static String	IDENTITY_FILTER A (command parameter) property name used to hold the (serialized) identity filter list.
static String	INCLUDE_AMBARI_IDENTITY Key used in kerberosCommandParams in ExecutionCommand to indicate whether to include Ambari server indetity ("true") or ignore it ("false")
static String	KDC_TYPE A (command parameter) property name used to hold the relevant KDC type value.
static String	KEYTAB_CONTENT_BASE64 Key used in kerberosCommandParams in ExecutionCommand for base64 encoded keytab content
static String	OPERATION_TYPE Key used in kerberosCommandParams in ExecutionCommand to indicate why type of creation operation to perform.
static String	PRECONFIGURE_SERVICES Keys used in CommandParams from ExecutionCommand to declare how to pre-configure services.
static String	SERVICE_COMPONENT_FILTER A (command parameter) property name used to hold the (serialized) service/component filter map.
static String	UPDATE_CONFIGURATION_NOTE A (command parameter) property name used to hold the note to set when applying any configuration changes
static String	UPDATE_CONFIGURATION_POLICY A (command parameter) property name used to hold the value indicating how to process configurations updates.

Fields inherited from class org.apache.ambari.server.serveraction.AbstractServerAction

actionLog, gson

Fields inherited from interface org.apache.ambari.server.serveraction.ServerAction

ACTION_NAME, ACTION_USER_NAME, DEFAULT_LONG_RUNNING_TASK_TIMEOUT_SECONDS, WRAPPED_CLASS_NAME

Constructor Summary

Constructors

Constructor and Description
KerberosServerAction()

Method Summary

Modifier and Type	Method and Description
protected Long	ambariServerHostID()
protected void	deleteDataDirectory(String dataDirectoryPath)
protected Cluster	getCluster() Returns the relevant Cluster object
protected String	getClusterName() Returns the relevant cluster's name Using the data from the execution command, retrieve the relevant cluster's name.
protected Clusters	getClusters() The Clusters object for this KerberosServerAction
protected static String	getCommandParameterValue(Map<String,String> commandParameters, String propertyName) Given a (command parameter) Map and a property name, attempts to safely retrieve the requested data.
protected PreconfigureServiceType	getCommandPreconfigureType() Returns preconfigure type passed to current action.
protected Map<String,String>	getConfigurationProperties(String configType) Retrieve the current set of properties for the requested config type for the relevant cluster.
protected String	getDataDirectoryPath() Attempts to safely retrieve the "data_directory" property from the this action's relevant command parameters Map.
protected static String	getDataDirectoryPath(Map<String,String> commandParameters) Given a (command parameter) Map, attempts to safely retrieve the "data_directory" property.
protected static String	getDefaultRealm(Map<String,String> commandParameters) Given a (command parameter) Map, attempts to safely retrieve the "default_realm" property.
protected Set<String>	getHostFilter()
protected Collection<String>	getIdentityFilter()
protected static KDCType	getKDCType(Map<String,String> commandParameters) Given a (command parameter) Map, attempts to safely retrieve the "kdc_type" property.
protected static KerberosServerAction.OperationType	getOperationType(Map<String,String> commandParameters) Given a (command parameter) Map, attempts to safely retrieve the "operation_type" property.
protected static Map<String,Integer>	getPrincipalKeyNumberMap(Map<String,Object> requestSharedDataContext) Gets the shared principal-to-key_number Map used to store principals and key numbers for use within the current request context.
protected static Map<String,String>	getPrincipalPasswordMap(Map<String,Object> requestSharedDataContext) Gets the shared principal-to-password Map used to store principals and generated password for use within the current request context.
protected Map<String,Collection<String>>	getServiceComponentFilter()
protected static UpdateConfigurationPolicy	getUpdateConfigurationPolicy(Map<String,String> commandParameters) Given a (command parameter) Map, attempts to safely retrieve the "update_configuration_policy" property.
protected boolean	hasHostFilters()
protected CommandReport	processIdentities(Map<String,Object> requestSharedDataContext) Iterates through the Kerberos identity metadata from the KerberosIdentityDataFileReader and calls the implementing class to handle each identity found.
protected abstract CommandReport	processIdentity(ResolvedKerberosPrincipal resolvedPrincipal, KerberosOperationHandler operationHandler, Map<String,String> kerberosConfiguration, boolean includedInFilter, Map<String,Object> requestSharedDataContext) Processes an identity as necessary.
protected boolean	pruneServiceFilter()
protected static void	setPrincipalPasswordMap(Map<String,Object> requestSharedDataContext, Map<String,String> principalPasswordMap) Sets the shared principal-to-password Map used to store principals and generated password for use within the current request context.

Methods inherited from class org.apache.ambari.server.serveraction.AbstractServerAction

auditLog, createCommandReport, createCompletedCommandReport, getCommandParameters, getCommandParameterValue, getExecutionCommand, getHostRoleCommand, setExecutionCommand, setHostRoleCommand

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.ambari.server.serveraction.ServerAction

execute

Field Detail

AUTHENTICATED_USER_NAME

public static final String AUTHENTICATED_USER_NAME

A (command parameter) property name used to hold the authenticated user's name for use in operations that record the acting user.

See Also:

Constant Field Values

DATA_DIRECTORY

public static final String DATA_DIRECTORY

A (command parameter) property name used to hold the absolute path to the directory that is to be used to store transient data while the request is being processed. This is expected to be a temporary directory.

See Also:

Constant Field Values

DEFAULT_REALM

public static final String DEFAULT_REALM

A (command parameter) property name used to hold the default Kerberos realm value.

See Also:

Constant Field Values

SERVICE_COMPONENT_FILTER

public static final String SERVICE_COMPONENT_FILTER

A (command parameter) property name used to hold the (serialized) service/component filter map.

See Also:

Constant Field Values

HOST_FILTER

public static final String HOST_FILTER

A (command parameter) property name used to hold the (serialized) host filter list.

See Also:

Constant Field Values

IDENTITY_FILTER

public static final String IDENTITY_FILTER

A (command parameter) property name used to hold the (serialized) identity filter list.

See Also:

Constant Field Values

KDC_TYPE

public static final String KDC_TYPE

A (command parameter) property name used to hold the relevant KDC type value. See KDCType for valid values

See Also:

Constant Field Values

UPDATE_CONFIGURATION_POLICY

public static final String UPDATE_CONFIGURATION_POLICY

A (command parameter) property name used to hold the value indicating how to process configurations updates. One of the of the following values is expected:

none

No configurations will be updated

identities_only

New and updated configurations related to Kerberos identity information - principal, keytab file, and auth-to-local rule properties

new_and_identities

Only new configurations declared by the Kerberos descriptor and stack advisor as well as the identity-related changes

all

All configuration changes (default)

See Also:

Constant Field Values

UPDATE_CONFIGURATION_NOTE

public static final String UPDATE_CONFIGURATION_NOTE

A (command parameter) property name used to hold the note to set when applying any configuration changes

See Also:

Constant Field Values

DATA_DIRECTORY_PREFIX

public static final String DATA_DIRECTORY_PREFIX

The prefix to use for the data directory name.

See Also:

Constant Field Values

KEYTAB_CONTENT_BASE64

public static final String KEYTAB_CONTENT_BASE64

Key used in kerberosCommandParams in ExecutionCommand for base64 encoded keytab content

See Also:

Constant Field Values

OPERATION_TYPE

public static final String OPERATION_TYPE

Key used in kerberosCommandParams in ExecutionCommand to indicate why type of creation operation to perform.

See Also:

KerberosServerAction.OperationType, Constant Field Values

INCLUDE_AMBARI_IDENTITY

public static final String INCLUDE_AMBARI_IDENTITY

Key used in kerberosCommandParams in ExecutionCommand to indicate whether to include Ambari server indetity ("true") or ignore it ("false")

See Also:

Constant Field Values

PRECONFIGURE_SERVICES

public static final String PRECONFIGURE_SERVICES

Keys used in CommandParams from ExecutionCommand to declare how to pre-configure services. Expected values are, "ALL", "DEFAULT", and "NONE".

See Also:

Constant Field Values

Constructor Detail

KerberosServerAction

public KerberosServerAction()

Method Detail

getCommandParameterValue

protected static String getCommandParameterValue(Map<String,String> commandParameters,
                                                 String propertyName)

Given a (command parameter) Map and a property name, attempts to safely retrieve the requested data.

Parameters:

commandParameters - a Map containing the dictionary of data to interrogate

propertyName - a String declaring the name of the item from commandParameters to retrieve

Returns:

a String or null, depending on the property value and if it existed in commandParameters

getUpdateConfigurationPolicy

protected static UpdateConfigurationPolicy getUpdateConfigurationPolicy(Map<String,String> commandParameters)

Given a (command parameter) Map, attempts to safely retrieve the "update_configuration_policy" property.

Parameters:

commandParameters - a Map containing the dictionary of data to interrogate

Returns:

a UpdateConfigurationPolicy

getDefaultRealm

protected static String getDefaultRealm(Map<String,String> commandParameters)

Given a (command parameter) Map, attempts to safely retrieve the "default_realm" property.

Parameters:

commandParameters - a Map containing the dictionary of data to interrogate

Returns:

a String indicating the default realm or null (if not found or set)

getKDCType

protected static KDCType getKDCType(Map<String,String> commandParameters)

Given a (command parameter) Map, attempts to safely retrieve the "kdc_type" property.

If not found, KDCType.MIT_KDC will be returned as a default value.

Parameters:

commandParameters - a Map containing the dictionary of data to interrogate

Returns:

a KDCType or null (if not found or set)

getDataDirectoryPath

protected static String getDataDirectoryPath(Map<String,String> commandParameters)

Given a (command parameter) Map, attempts to safely retrieve the "data_directory" property.

Parameters:

commandParameters - a Map containing the dictionary of data to interrogate

Returns:

a String indicating the data directory or null (if not found or set)

getOperationType

protected static KerberosServerAction.OperationType getOperationType(Map<String,String> commandParameters)

Given a (command parameter) Map, attempts to safely retrieve the "operation_type" property.

Parameters:

commandParameters - a Map containing the dictionary of data to interrogate

Returns:

an OperationType

setPrincipalPasswordMap

protected static void setPrincipalPasswordMap(Map<String,Object> requestSharedDataContext,
                                              Map<String,String> principalPasswordMap)

Sets the shared principal-to-password Map used to store principals and generated password for use within the current request context.

Parameters:

requestSharedDataContext - a Map to be used as shared data among all ServerActions related to a given request

principalPasswordMap - A Map of principals and password to store

getPrincipalPasswordMap

protected static Map<String,String> getPrincipalPasswordMap(Map<String,Object> requestSharedDataContext)

Gets the shared principal-to-password Map used to store principals and generated password for use within the current request context.

If the requested Map is not found in requestSharedDataContext, one will be created and stored, ensuring that a Map will always be returned, assuming requestSharedDataContext is not null.

Parameters:

requestSharedDataContext - a Map to be used a shared data among all ServerActions related to a given request

Returns:

A Map of principals-to-password

getPrincipalKeyNumberMap

protected static Map<String,Integer> getPrincipalKeyNumberMap(Map<String,Object> requestSharedDataContext)

Gets the shared principal-to-key_number Map used to store principals and key numbers for use within the current request context.

If the requested Map is not found in requestSharedDataContext, one will be created and stored, ensuring that a Map will always be returned, assuming requestSharedDataContext is not null.

Parameters:

requestSharedDataContext - a Map to be used a shared data among all ServerActions related to a given request

Returns:

A Map of principals-to-key_numbers

getClusterName

protected String getClusterName()
                         throws org.apache.ambari.server.AmbariException

Returns the relevant cluster's name

Using the data from the execution command, retrieve the relevant cluster's name.

Returns:

a String declaring the relevant cluster's name

Throws:

org.apache.ambari.server.AmbariException - if the cluster's name is not available

getCluster

protected Cluster getCluster()
                      throws org.apache.ambari.server.AmbariException

Returns the relevant Cluster object

Returns:

the relevant Cluster

Throws:

org.apache.ambari.server.AmbariException - if the Cluster object cannot be retrieved

getClusters

protected Clusters getClusters()

The Clusters object for this KerberosServerAction

Returns:

a Clusters object

getDataDirectoryPath

protected String getDataDirectoryPath()

Attempts to safely retrieve the "data_directory" property from the this action's relevant command parameters Map.

Returns:

a String indicating the data directory or null (if not found or set)

getCommandPreconfigureType

protected PreconfigureServiceType getCommandPreconfigureType()

Returns preconfigure type passed to current action.

Returns:

PreconfigureServiceType

processIdentities

protected CommandReport processIdentities(Map<String,Object> requestSharedDataContext)
                                   throws org.apache.ambari.server.AmbariException

Iterates through the Kerberos identity metadata from the KerberosIdentityDataFileReader and calls the implementing class to handle each identity found.

Using getHostFilter(), getIdentityFilter() and getServiceComponentFilter() it retrieve list of filtered keytabs and their principals and process each principal using processIdentity(ResolvedKerberosPrincipal, KerberosOperationHandler, Map, boolean, Map). The configuration option Configuration.getKerberosServerActionThreadpoolSize() defines how many threads will handle processIdentity(ResolvedKerberosPrincipal, KerberosOperationHandler, Map, boolean, Map). The default is 1, but this method must be thread-safe in the event that concurrent threads are used.

Parameters:

requestSharedDataContext - a Map to be used a shared data among all ServerActions related to a given request

Returns:

a CommandReport indicating the result of this operation

Throws:

org.apache.ambari.server.AmbariException

pruneServiceFilter

protected boolean pruneServiceFilter()

processIdentity

protected abstract CommandReport processIdentity(ResolvedKerberosPrincipal resolvedPrincipal,
                                                 KerberosOperationHandler operationHandler,
                                                 Map<String,String> kerberosConfiguration,
                                                 boolean includedInFilter,
                                                 Map<String,Object> requestSharedDataContext)
                                          throws org.apache.ambari.server.AmbariException

Processes an identity as necessary.

This method is called from processIdentities(Map) for each principal found by specified filter. After processing, it is expected that the return value is null on success and a CommandReport (indicating the error) on failure.

Parameters:

resolvedPrincipal - a ResolvedKerberosPrincipal object to process

operationHandler - a KerberosOperationHandler used to perform Kerberos-related tasks for specific Kerberos implementations (MIT, Active Directory, etc...)

kerberosConfiguration - a Map of configuration properties from kerberos-env

includedInFilter - a Boolean value indicating whather the principal is included in the current filter or not

requestSharedDataContext - a Map to be used a shared data among all ServerActions related to a given request @return a CommandReport, indicating an error condition; or null, indicating a success condition

Throws:

org.apache.ambari.server.AmbariException - if an error occurs while processing the identity record

deleteDataDirectory

protected void deleteDataDirectory(String dataDirectoryPath)

getHostFilter

protected Set<String> getHostFilter()

hasHostFilters

protected boolean hasHostFilters()

getServiceComponentFilter

protected Map<String,Collection<String>> getServiceComponentFilter()

getIdentityFilter

protected Collection<String> getIdentityFilter()

ambariServerHostID

protected Long ambariServerHostID()

getConfigurationProperties

protected Map<String,String> getConfigurationProperties(String configType)
                                                 throws org.apache.ambari.server.AmbariException

Retrieve the current set of properties for the requested config type for the relevant cluster.

Returns:

a Map of property names to property values for the requested config type; or null if no data is found

Throws:

org.apache.ambari.server.AmbariException - if an error occurs retrieving the relevant cluster details