def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {}
expectations.update(build_expectations(
'krb5JAASLogin',
None,
['keytab', 'principal'],
None
))
expectations.update(build_expectations(
'gateway-site',
{
"gateway.hadoop.kerberos.secured" : "true"
},
None,
None
))
security_params = {
"krb5JAASLogin":
{
'keytab': status_params.knox_keytab_path,
'principal': status_params.knox_principal_name
}
}
security_params.update(get_params_from_filesystem(status_params.knox_conf_dir,
{"gateway-site.xml" : FILE_TYPE_XML}))
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'krb5JAASLogin' not in security_params
or 'keytab' not in security_params['krb5JAASLogin']
or 'principal' not in security_params['krb5JAASLogin']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({"securityIssuesFound": "Keytab file and principal are not set."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.knox_user,
security_params['krb5JAASLogin']['keytab'],
security_params['krb5JAASLogin']['principal'],
status_params.hostname,
status_params.temp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {}
expectations.update(build_expectations(
'krb5JAASLogin',
None,
['keytab', 'principal'],
None
))
expectations.update(build_expectations(
'gateway-site',
{
"gateway.hadoop.kerberos.secured" : "true"
},
None,
None
))
security_params = {
"krb5JAASLogin":
{
'keytab': status_params.knox_keytab_path,
'principal': status_params.knox_principal_name
}
}
security_params.update(get_params_from_filesystem(status_params.knox_conf_dir,
{"gateway-site.xml" : FILE_TYPE_XML}))
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'krb5JAASLogin' not in security_params
or 'keytab' not in security_params['krb5JAASLogin']
or 'principal' not in security_params['krb5JAASLogin']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({"securityIssuesFound": "Keytab file and principal are not set."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.knox_user,
security_params['krb5JAASLogin']['keytab'],
security_params['krb5JAASLogin']['principal'],
status_params.hostname,
status_params.temp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {"hadoop.security.authentication": "kerberos",
"hadoop.security.authorization": "true"}
props_empty_check = ["hadoop.security.auth_to_local"]
props_read_check = None
core_site_expectations = build_expectations('core-site', props_value_check, props_empty_check,
props_read_check)
props_value_check = None
props_empty_check = ['dfs.secondary.namenode.kerberos.internal.spnego.principal',
'dfs.secondary.namenode.keytab.file',
'dfs.secondary.namenode.kerberos.principal']
props_read_check = ['dfs.secondary.namenode.keytab.file']
hdfs_site_expectations = build_expectations('hdfs-site', props_value_check, props_empty_check,
props_read_check)
hdfs_expectations = {}
hdfs_expectations.update(core_site_expectations)
hdfs_expectations.update(hdfs_site_expectations)
security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
{'core-site.xml': FILE_TYPE_XML,
'hdfs-site.xml': FILE_TYPE_XML})
if 'core-site' in security_params and 'hadoop.security.authentication' in security_params['core-site'] and \
security_params['core-site']['hadoop.security.authentication'].lower() == 'kerberos':
result_issues = validate_security_config_properties(security_params, hdfs_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('hdfs-site' not in security_params or
'dfs.secondary.namenode.keytab.file' not in security_params['hdfs-site'] or
'dfs.secondary.namenode.kerberos.principal' not in security_params['hdfs-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.hdfs_user,
security_params['hdfs-site']['dfs.secondary.namenode.keytab.file'],
security_params['hdfs-site'][
'dfs.secondary.namenode.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {"hive.server2.authentication": "KERBEROS",
"hive.metastore.sasl.enabled": "true",
"hive.security.authorization.enabled": "true"}
props_empty_check = ["hive.server2.authentication.kerberos.keytab",
"hive.server2.authentication.kerberos.principal",
"hive.server2.authentication.spnego.principal",
"hive.server2.authentication.spnego.keytab"]
props_read_check = ["hive.server2.authentication.kerberos.keytab",
"hive.server2.authentication.spnego.keytab"]
hive_site_props = build_expectations('hive-site', props_value_check, props_empty_check,
props_read_check)
hive_expectations ={}
hive_expectations.update(hive_site_props)
security_params = get_params_from_filesystem(status_params.hive_server_interactive_conf_dir,
{'hive-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, hive_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if 'hive-site' not in security_params \
or 'hive.server2.authentication.kerberos.keytab' not in security_params['hive-site'] \
or 'hive.server2.authentication.kerberos.principal' not in security_params['hive-site'] \
or 'hive.server2.authentication.spnego.keytab' not in security_params['hive-site'] \
or 'hive.server2.authentication.spnego.principal' not in security_params['hive-site']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.hive_user,
security_params['hive-site']['hive.server2.authentication.kerberos.keytab'],
security_params['hive-site']['hive.server2.authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.hive_user,
security_params['hive-site']['hive.server2.authentication.spnego.keytab'],
security_params['hive-site']['hive.server2.authentication.spnego.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {"hbase.security.authentication": "kerberos",
"hbase.security.authorization": "true"}
props_empty_check = ["hbase.zookeeper.property.authProvider.1",
"hbase.master.keytab.file",
"hbase.master.kerberos.principal",
"hbase.regionserver.keytab.file",
"hbase.regionserver.kerberos.principal"
]
props_read_check = ['hbase.master.keytab.file', 'hbase.regionserver.keytab.file']
ams_hbase_site_expectations = build_expectations('hbase-site', props_value_check,
props_empty_check,
props_read_check)
expectations = {}
expectations.update(ams_hbase_site_expectations)
security_params = get_params_from_filesystem(status_params.ams_hbase_conf_dir,
{'hbase-site.xml': FILE_TYPE_XML})
is_hbase_distributed = security_params['hbase-site']['hbase.cluster.distributed']
# for embedded mode, when HBase is backed by file, security state is SECURED_KERBEROS by definition when cluster is secured
if status_params.security_enabled and not is_hbase_distributed:
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
return
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('hbase-site' not in security_params or
'hbase.master.keytab.file' not in security_params['hbase-site'] or
'hbase.master.kerberos.principal' not in security_params['hbase-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.hbase_user,
security_params['hbase-site']['hbase.master.keytab.file'],
security_params['hbase-site']['hbase.master.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (
cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {"yarn.timeline-service.enabled": "true",
"yarn.timeline-service.http-authentication.type": "kerberos",
"yarn.acl.enable": "true"}
props_empty_check = ["yarn.timeline-service.principal",
"yarn.timeline-service.keytab",
"yarn.timeline-service.http-authentication.kerberos.principal",
"yarn.timeline-service.http-authentication.kerberos.keytab"]
props_read_check = ["yarn.timeline-service.keytab",
"yarn.timeline-service.http-authentication.kerberos.keytab"]
yarn_site_props = build_expectations('yarn-site', props_value_check, props_empty_check,
props_read_check)
yarn_expectations ={}
yarn_expectations.update(yarn_site_props)
security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
{'yarn-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, yarn_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'yarn-site' not in security_params
or 'yarn.timeline-service.keytab' not in security_params['yarn-site']
or 'yarn.timeline-service.principal' not in security_params['yarn-site']) \
or 'yarn.timeline-service.http-authentication.kerberos.keytab' not in security_params['yarn-site'] \
or 'yarn.timeline-service.http-authentication.kerberos.principal' not in security_params['yarn-site']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.yarn_user,
security_params['yarn-site']['yarn.timeline-service.keytab'],
security_params['yarn-site']['yarn.timeline-service.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.yarn_user,
security_params['yarn-site']['yarn.timeline-service.http-authentication.kerberos.keytab'],
security_params['yarn-site']['yarn.timeline-service.http-authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {"hbase.security.authentication": "kerberos",
"hbase.security.authorization": "true"}
props_empty_check = ["hbase.zookeeper.property.authProvider.1",
"hbase.master.keytab.file",
"hbase.master.kerberos.principal",
"hbase.regionserver.keytab.file",
"hbase.regionserver.kerberos.principal"
]
props_read_check = ['hbase.master.keytab.file', 'hbase.regionserver.keytab.file']
ams_hbase_site_expectations = build_expectations('hbase-site', props_value_check,
props_empty_check,
props_read_check)
expectations = {}
expectations.update(ams_hbase_site_expectations)
security_params = get_params_from_filesystem(status_params.ams_hbase_conf_dir,
{'hbase-site.xml': FILE_TYPE_XML})
is_hbase_distributed = security_params['hbase-site']['hbase.cluster.distributed']
# for embedded mode, when HBase is backed by file, security state is SECURED_KERBEROS by definition when cluster is secured
if status_params.security_enabled and not is_hbase_distributed:
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
return
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('hbase-site' not in security_params or
'hbase.master.keytab.file' not in security_params['hbase-site'] or
'hbase.master.kerberos.principal' not in security_params['hbase-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.hbase_user,
security_params['hbase-site']['hbase.master.keytab.file'],
security_params['hbase-site']['hbase.master.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (
cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {"yarn.timeline-service.enabled": "true",
"yarn.timeline-service.http-authentication.type": "kerberos",
"yarn.acl.enable": "true"}
props_empty_check = ["yarn.timeline-service.principal",
"yarn.timeline-service.keytab",
"yarn.timeline-service.http-authentication.kerberos.principal",
"yarn.timeline-service.http-authentication.kerberos.keytab"]
props_read_check = ["yarn.timeline-service.keytab",
"yarn.timeline-service.http-authentication.kerberos.keytab"]
yarn_site_props = build_expectations('yarn-site', props_value_check, props_empty_check,
props_read_check)
yarn_expectations ={}
yarn_expectations.update(yarn_site_props)
security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
{'yarn-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, yarn_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'yarn-site' not in security_params
or 'yarn.timeline-service.keytab' not in security_params['yarn-site']
or 'yarn.timeline-service.principal' not in security_params['yarn-site']) \
or 'yarn.timeline-service.http-authentication.kerberos.keytab' not in security_params['yarn-site'] \
or 'yarn.timeline-service.http-authentication.kerberos.principal' not in security_params['yarn-site']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.yarn_user,
security_params['yarn-site']['yarn.timeline-service.keytab'],
security_params['yarn-site']['yarn.timeline-service.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.yarn_user,
security_params['yarn-site']['yarn.timeline-service.http-authentication.kerberos.keytab'],
security_params['yarn-site']['yarn.timeline-service.http-authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
# Expect the following files to be available in status_params.config_dir:
# storm_jaas.conf
try:
props_value_check = None
props_empty_check = [
'StormServer/keyTab', 'StormServer/principal'
]
props_read_check = ['StormServer/keyTab']
storm_env_expectations = build_expectations(
'storm_jaas', props_value_check, props_empty_check,
props_read_check)
storm_expectations = {}
storm_expectations.update(storm_env_expectations)
security_params = get_params_from_filesystem(
status_params.conf_dir,
{'storm_jaas.conf': FILE_TYPE_JAAS_CONF})
result_issues = validate_security_config_properties(
security_params, storm_expectations)
if not result_issues: # If all validations passed successfully
# Double check the dict before calling execute
if ('storm_jaas' not in security_params or 'StormServer'
not in security_params['storm_jaas'] or 'keyTab'
not in security_params['storm_jaas']['StormServer']
or 'principal' not in security_params['storm_jaas']
['StormServer']):
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal are not set property."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.storm_user,
security_params['storm_jaas']['StormServer']['keyTab'],
security_params['storm_jaas']['StormServer']
['principal'], status_params.hostname,
status_params.tmp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {"*.falcon.authentication.type": "kerberos",
"*.falcon.http.authentication.type": "kerberos"}
props_empty_check = ["*.falcon.service.authentication.kerberos.principal",
"*.falcon.service.authentication.kerberos.keytab",
"*.falcon.http.authentication.kerberos.principal",
"*.falcon.http.authentication.kerberos.keytab"]
props_read_check = ["*.falcon.service.authentication.kerberos.keytab",
"*.falcon.http.authentication.kerberos.keytab"]
falcon_startup_props = build_expectations('startup', props_value_check, props_empty_check,
props_read_check)
falcon_expectations ={}
falcon_expectations.update(falcon_startup_props)
security_params = get_params_from_filesystem('/etc/falcon/conf',
{'startup.properties': FILE_TYPE_PROPERTIES})
result_issues = validate_security_config_properties(security_params, falcon_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'startup' not in security_params
or '*.falcon.service.authentication.kerberos.keytab' not in security_params['startup']
or '*.falcon.service.authentication.kerberos.principal' not in security_params['startup']) \
or '*.falcon.http.authentication.kerberos.keytab' not in security_params['startup'] \
or '*.falcon.http.authentication.kerberos.principal' not in security_params['startup']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.falcon_user,
security_params['startup']['*.falcon.service.authentication.kerberos.keytab'],
security_params['startup']['*.falcon.service.authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.falcon_user,
security_params['startup']['*.falcon.http.authentication.kerberos.keytab'],
security_params['startup']['*.falcon.http.authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {}
props_empty_check = [
'general.kerberos.keytab', 'general.kerberos.principal'
]
props_read_check = ['general.kerberos.keytab']
accumulo_site_expectations = build_expectations(
'accumulo-site', props_value_check, props_empty_check,
props_read_check)
accumulo_expectations = {}
accumulo_expectations.update(accumulo_site_expectations)
security_params = get_params_from_filesystem(
status_params.conf_dir, {'accumulo-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(
security_params, accumulo_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('accumulo-site' not in security_params
or 'general.kerberos.keytab'
not in security_params['accumulo-site']
or 'general.kerberos.principal'
not in security_params['accumulo-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal are not set property."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.accumulo_user,
security_params['accumulo-site']
['general.kerberos.keytab'],
security_params['accumulo-site']
['general.kerberos.principal'], status_params.hostname,
status_params.tmp_dir, 30)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {"*.falcon.authentication.type": "kerberos",
"*.falcon.http.authentication.type": "kerberos"}
props_empty_check = ["*.falcon.service.authentication.kerberos.principal",
"*.falcon.service.authentication.kerberos.keytab",
"*.falcon.http.authentication.kerberos.principal",
"*.falcon.http.authentication.kerberos.keytab"]
props_read_check = ["*.falcon.service.authentication.kerberos.keytab",
"*.falcon.http.authentication.kerberos.keytab"]
falcon_startup_props = build_expectations('startup', props_value_check, props_empty_check,
props_read_check)
falcon_expectations ={}
falcon_expectations.update(falcon_startup_props)
security_params = get_params_from_filesystem('/etc/falcon/conf',
{'startup.properties': FILE_TYPE_PROPERTIES})
result_issues = validate_security_config_properties(security_params, falcon_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'startup' not in security_params
or '*.falcon.service.authentication.kerberos.keytab' not in security_params['startup']
or '*.falcon.service.authentication.kerberos.principal' not in security_params['startup']) \
or '*.falcon.http.authentication.kerberos.keytab' not in security_params['startup'] \
or '*.falcon.http.authentication.kerberos.principal' not in security_params['startup']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.falcon_user,
security_params['startup']['*.falcon.service.authentication.kerberos.keytab'],
security_params['startup']['*.falcon.service.authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.falcon_user,
security_params['startup']['*.falcon.http.authentication.kerberos.keytab'],
security_params['startup']['*.falcon.http.authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {
"hadoop.security.authentication": "kerberos",
"hadoop.security.authorization": "true"
}
props_empty_check = ["hadoop.security.auth_to_local"]
props_read_check = None
core_site_expectations = build_expectations('core-site',
props_value_check,
props_empty_check,
props_read_check)
hdfs_expectations = {}
hdfs_expectations.update(core_site_expectations)
security_params = get_params_from_filesystem(
status_params.hadoop_conf_dir, {'core-site.xml': FILE_TYPE_XML})
if 'core-site' in security_params and 'hadoop.security.authentication' in security_params['core-site'] and \
security_params['core-site']['hadoop.security.authentication'].lower() == 'kerberos':
result_issues = validate_security_config_properties(
security_params, hdfs_expectations)
if not result_issues: # If all validations passed successfully
if status_params.hdfs_user_principal or status_params.hdfs_user_keytab:
try:
cached_kinit_executor(
status_params.kinit_path_local,
status_params.hdfs_user,
status_params.hdfs_user_keytab,
status_params.hdfs_user_principal,
status_params.hostname, status_params.tmp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out(
{"securityStateErrorInfo": str(e)})
else:
self.put_structured_out({
"securityIssuesFound":
"hdfs principal and/or keytab file is not specified"
})
self.put_structured_out({"securityState": "UNSECURED"})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {
"hive.server2.authentication": "KERBEROS",
"hive.metastore.sasl.enabled": "true",
"hive.security.authorization.enabled": "true",
}
props_empty_check = ["hive.metastore.kerberos.keytab.file", "hive.metastore.kerberos.principal"]
props_read_check = ["hive.metastore.kerberos.keytab.file"]
hive_site_props = build_expectations("hive-site", props_value_check, props_empty_check, props_read_check)
hive_expectations = {}
hive_expectations.update(hive_site_props)
security_params = get_params_from_filesystem(status_params.hive_conf_dir, {"hive-site.xml": FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, hive_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if (
"hive-site" not in security_params
or "hive.metastore.kerberos.keytab.file" not in security_params["hive-site"]
or "hive.metastore.kerberos.principal" not in security_params["hive-site"]
):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."}
)
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.hive_user,
security_params["hive-site"]["hive.metastore.kerberos.keytab.file"],
security_params["hive-site"]["hive.metastore.kerberos.principal"],
status_params.hostname,
status_params.tmp_dir,
)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf])
)
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {}
expectations.update(build_expectations('mapred-site',
None,
[
'mapreduce.jobhistory.keytab',
'mapreduce.jobhistory.principal',
'mapreduce.jobhistory.webapp.spnego-keytab-file',
'mapreduce.jobhistory.webapp.spnego-principal'
],
None))
security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
{'mapred-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'mapred-site' not in security_params or
'mapreduce.jobhistory.keytab' not in security_params['mapred-site'] or
'mapreduce.jobhistory.principal' not in security_params['mapred-site'] or
'mapreduce.jobhistory.webapp.spnego-keytab-file' not in security_params['mapred-site'] or
'mapreduce.jobhistory.webapp.spnego-principal' not in security_params['mapred-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal not set."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.mapred_user,
security_params['mapred-site']['mapreduce.jobhistory.keytab'],
security_params['mapred-site']['mapreduce.jobhistory.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.mapred_user,
security_params['mapred-site']['mapreduce.jobhistory.webapp.spnego-keytab-file'],
security_params['mapred-site']['mapreduce.jobhistory.webapp.spnego-principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {}
expectations.update(build_expectations('mapred-site',
None,
[
'mapreduce.jobhistory.keytab',
'mapreduce.jobhistory.principal',
'mapreduce.jobhistory.webapp.spnego-keytab-file',
'mapreduce.jobhistory.webapp.spnego-principal'
],
None))
security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
{'mapred-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'mapred-site' not in security_params or
'mapreduce.jobhistory.keytab' not in security_params['mapred-site'] or
'mapreduce.jobhistory.principal' not in security_params['mapred-site'] or
'mapreduce.jobhistory.webapp.spnego-keytab-file' not in security_params['mapred-site'] or
'mapreduce.jobhistory.webapp.spnego-principal' not in security_params['mapred-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal not set."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.mapred_user,
security_params['mapred-site']['mapreduce.jobhistory.keytab'],
security_params['mapred-site']['mapreduce.jobhistory.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.mapred_user,
security_params['mapred-site']['mapreduce.jobhistory.webapp.spnego-keytab-file'],
security_params['mapred-site']['mapreduce.jobhistory.webapp.spnego-principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {'atlas.authentication.method': 'kerberos',
'atlas.http.authentication.enabled': 'true',
'atlas.http.authentication.type': 'kerberos'}
props_empty_check = ['atlas.authentication.principal',
'atlas.authentication.keytab',
'atlas.http.authentication.kerberos.principal',
'atlas.http.authentication.kerberos.keytab']
props_read_check = ['atlas.authentication.keytab',
'atlas.http.authentication.kerberos.keytab']
atlas_site_expectations = build_expectations('application',
props_value_check,
props_empty_check,
props_read_check)
atlas_expectations = {}
atlas_expectations.update(atlas_site_expectations)
security_params = get_params_from_filesystem(status_params.conf_dir,
{status_params.conf_file: FILE_TYPE_PROPERTIES})
result_issues = validate_security_config_properties(security_params, atlas_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'application' not in security_params
or 'atlas.authentication.keytab' not in security_params['application']
or 'atlas.authentication.principal' not in security_params['application']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Atlas service keytab file or principal are not set property."})
return
if ( 'application' not in security_params
or 'atlas.http.authentication.kerberos.keytab' not in security_params['application']
or 'atlas.http.authentication.kerberos.principal' not in security_params['application']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "HTTP Authentication keytab file or principal are not set property."})
return
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {'atlas.authentication.method': 'kerberos',
'atlas.http.authentication.enabled': 'true',
'atlas.http.authentication.type': 'kerberos'}
props_empty_check = ['atlas.authentication.principal',
'atlas.authentication.keytab',
'atlas.http.authentication.kerberos.principal',
'atlas.http.authentication.kerberos.keytab']
props_read_check = ['atlas.authentication.keytab',
'atlas.http.authentication.kerberos.keytab']
atlas_site_expectations = build_expectations('application-properties',
props_value_check,
props_empty_check,
props_read_check)
atlas_expectations = {}
atlas_expectations.update(atlas_site_expectations)
security_params = get_params_from_filesystem(status_params.conf_dir,
{'application.properties': FILE_TYPE_PROPERTIES})
result_issues = validate_security_config_properties(security_params, atlas_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'application-properties' not in security_params
or 'atlas.authentication.keytab' not in security_params['application-properties']
or 'atlas.authentication.principal' not in security_params['application-properties']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Atlas service keytab file or principal are not set property."})
return
if ( 'application-properties' not in security_params
or 'atlas.http.authentication.kerberos.keytab' not in security_params['application-properties']
or 'atlas.http.authentication.kerberos.principal' not in security_params['application-properties']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "HTTP Authentication keytab file or principal are not set property."})
return
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
# Expect the following files to be available in status_params.config_dir:
# storm_jaas.conf
try:
props_value_check = None
props_empty_check = ['storm_ui_principal_name', 'storm_ui_keytab']
props_read_check = ['storm_ui_keytab']
storm_env_expectations = build_expectations('storm_ui', props_value_check, props_empty_check,
props_read_check)
storm_expectations = {}
storm_expectations.update(storm_env_expectations)
security_params = {}
security_params['storm_ui'] = {}
security_params['storm_ui']['storm_ui_principal_name'] = status_params.storm_ui_principal
security_params['storm_ui']['storm_ui_keytab'] = status_params.storm_ui_keytab
result_issues = validate_security_config_properties(security_params, storm_expectations)
if not result_issues: # If all validations passed successfully
# Double check the dict before calling execute
if ( 'storm_ui' not in security_params
or 'storm_ui_principal_name' not in security_params['storm_ui']
or 'storm_ui_keytab' not in security_params['storm_ui']):
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.storm_user,
security_params['storm_ui']['storm_ui_keytab'],
security_params['storm_ui']['storm_ui_principal_name'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
# Expect the following files to be available in status_params.config_dir:
# zookeeper_jaas.conf
# zookeeper_client_jaas.conf
try:
props_value_check = None
props_empty_check = ['Server/keyTab', 'Server/principal']
props_read_check = ['Server/keyTab']
zk_env_expectations = build_expectations('zookeeper_jaas', props_value_check, props_empty_check,
props_read_check)
zk_expectations = {}
zk_expectations.update(zk_env_expectations)
security_params = get_params_from_filesystem(status_params.config_dir,
{'zookeeper_jaas.conf': FILE_TYPE_JAAS_CONF})
result_issues = validate_security_config_properties(security_params, zk_expectations)
if not result_issues: # If all validations passed successfully
# Double check the dict before calling execute
if ( 'zookeeper_jaas' not in security_params
or 'Server' not in security_params['zookeeper_jaas']
or 'keyTab' not in security_params['zookeeper_jaas']['Server']
or 'principal' not in security_params['zookeeper_jaas']['Server']):
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.zk_user,
security_params['zookeeper_jaas']['Server']['keyTab'],
security_params['zookeeper_jaas']['Server']['principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {}
props_empty_check = ['general.kerberos.keytab',
'general.kerberos.principal']
props_read_check = ['general.kerberos.keytab']
accumulo_site_expectations = build_expectations('accumulo-site',
props_value_check, props_empty_check, props_read_check)
accumulo_expectations = {}
accumulo_expectations.update(accumulo_site_expectations)
security_params = get_params_from_filesystem(status_params.conf_dir,
{'accumulo-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, accumulo_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'accumulo-site' not in security_params
or 'general.kerberos.keytab' not in security_params['accumulo-site']
or 'general.kerberos.principal' not in security_params['accumulo-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.accumulo_user,
security_params['accumulo-site']['general.kerberos.keytab'],
security_params['accumulo-site']['general.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir,
30)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {"hadoop.security.authentication": "kerberos",
"hadoop.security.authorization": "true"}
props_empty_check = ["hadoop.security.auth_to_local"]
props_read_check = None
core_site_expectations = build_expectations('core-site', props_value_check, props_empty_check,
props_read_check)
hdfs_expectations = {}
hdfs_expectations.update(core_site_expectations)
security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
{'core-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, hdfs_expectations)
if 'core-site' in security_params and 'hadoop.security.authentication' in security_params['core-site'] and \
security_params['core-site']['hadoop.security.authentication'].lower() == 'kerberos':
if not result_issues: # If all validations passed successfully
if status_params.hdfs_user_principal or status_params.hdfs_user_keytab:
try:
cached_kinit_executor(status_params.kinit_path_local,
status_params.hdfs_user,
status_params.hdfs_user_keytab,
status_params.hdfs_user_principal,
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
self.put_structured_out(
{"securityIssuesFound": "hdfs principal and/or keytab file is not specified"})
self.put_structured_out({"securityState": "UNSECURED"})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {
"oozie-site":
build_expectations('oozie-site',
{
"oozie.authentication.type": "kerberos",
"oozie.service.AuthorizationService.security.enabled": "true",
"oozie.service.HadoopAccessorService.kerberos.enabled": "true"
},
[
"local.realm",
"oozie.authentication.kerberos.principal",
"oozie.authentication.kerberos.keytab",
"oozie.service.HadoopAccessorService.kerberos.principal",
"oozie.service.HadoopAccessorService.keytab.file"
],
None)
}
security_params = get_params_from_filesystem(status_params.conf_dir,
{'oozie-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('oozie-site' not in security_params
or 'oozie.authentication.kerberos.principal' not in security_params['oozie-site']
or 'oozie.authentication.kerberos.keytab' not in security_params['oozie-site']
or 'oozie.service.HadoopAccessorService.kerberos.principal' not in security_params['oozie-site']
or 'oozie.service.HadoopAccessorService.keytab.file' not in security_params['oozie-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.oozie_user,
security_params['oozie-site']['oozie.authentication.kerberos.keytab'],
security_params['oozie-site']['oozie.authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.oozie_user,
security_params['oozie-site']['oozie.service.HadoopAccessorService.keytab.file'],
security_params['oozie-site']['oozie.service.HadoopAccessorService.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations ={}
expectations.update(
build_expectations(
'webhcat-site',
{
"templeton.kerberos.secret": "secret"
},
[
"templeton.kerberos.keytab",
"templeton.kerberos.principal"
],
[
"templeton.kerberos.keytab"
]
)
)
expectations.update(
build_expectations(
'hive-site',
{
"hive.server2.authentication": "KERBEROS",
"hive.metastore.sasl.enabled": "true",
"hive.security.authorization.enabled": "true"
},
None,
None
)
)
security_params = {}
security_params.update(get_params_from_filesystem(status_params.hive_conf_dir,
{'hive-site.xml': FILE_TYPE_XML}))
security_params.update(get_params_from_filesystem(status_params.webhcat_conf_dir,
{'webhcat-site.xml': FILE_TYPE_XML}))
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if 'webhcat-site' not in security_params \
or 'templeton.kerberos.keytab' not in security_params['webhcat-site'] \
or 'templeton.kerberos.principal' not in security_params['webhcat-site']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.webhcat_user,
security_params['webhcat-site']['templeton.kerberos.keytab'],
security_params['webhcat-site']['templeton.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {
"oozie-site":
build_expectations(
'oozie-site', {
"oozie.authentication.type":
"kerberos",
"oozie.service.AuthorizationService.security.enabled":
"true",
"oozie.service.HadoopAccessorService.kerberos.enabled":
"true"
}, [
"local.realm",
"oozie.authentication.kerberos.principal",
"oozie.authentication.kerberos.keytab",
"oozie.service.HadoopAccessorService.kerberos.principal",
"oozie.service.HadoopAccessorService.keytab.file"
], None)
}
security_params = get_params_from_filesystem(
status_params.conf_dir, {'oozie-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(
security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('oozie-site' not in security_params
or 'oozie.authentication.kerberos.principal'
not in security_params['oozie-site']
or 'oozie.authentication.kerberos.keytab'
not in security_params['oozie-site'] or
'oozie.service.HadoopAccessorService.kerberos.principal'
not in security_params['oozie-site'] or
'oozie.service.HadoopAccessorService.keytab.file'
not in security_params['oozie-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal are not set property."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.oozie_user, security_params['oozie-site']
['oozie.authentication.kerberos.keytab'],
security_params['oozie-site']
['oozie.authentication.kerberos.principal'],
status_params.hostname, status_params.tmp_dir)
cached_kinit_executor(
status_params.kinit_path_local,
status_params.oozie_user, security_params['oozie-site']
['oozie.service.HadoopAccessorService.keytab.file'],
security_params['oozie-site']
['oozie.service.HadoopAccessorService.kerberos.principal'],
status_params.hostname, status_params.tmp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})