def security_status(self, env):
    import status_params

    env.set_params(status_params)
    props_value_check = {"hbase.security.authentication": "kerberos",
                         "hbase.security.authorization": "true"}

    props_empty_check = ["hbase.zookeeper.property.authProvider.1",
                         "hbase.master.keytab.file",
                         "hbase.master.kerberos.principal",
                         "hbase.regionserver.keytab.file",
                         "hbase.regionserver.kerberos.principal"
                         ]
    props_read_check = ['hbase.master.keytab.file', 'hbase.regionserver.keytab.file']
    ams_hbase_site_expectations = build_expectations('hbase-site', props_value_check,
                                                     props_empty_check,
                                                     props_read_check)

    expectations = {}
    expectations.update(ams_hbase_site_expectations)

    security_params = get_params_from_filesystem(status_params.ams_hbase_conf_dir,
                                                 {'hbase-site.xml': FILE_TYPE_XML})

    is_hbase_distributed = security_params['hbase-site']['hbase.cluster.distributed']
    # for embedded mode, when HBase is backed by file, security state is SECURED_KERBEROS by definition when cluster is secured
    if status_params.security_enabled and not is_hbase_distributed:
      self.put_structured_out({"securityState": "SECURED_KERBEROS"})
      return

    result_issues = validate_security_config_properties(security_params, expectations)

    if not result_issues:  # If all validations passed successfully
      try:
        # Double check the dict before calling execute
        if ('hbase-site' not in security_params or
                'hbase.master.keytab.file' not in security_params['hbase-site'] or
                'hbase.master.kerberos.principal' not in security_params['hbase-site']):
          self.put_structured_out({"securityState": "UNSECURED"})
          self.put_structured_out(
            {"securityIssuesFound": "Keytab file or principal are not set property."})
          return

        cached_kinit_executor(status_params.kinit_path_local,
                              status_params.hbase_user,
                              security_params['hbase-site']['hbase.master.keytab.file'],
                              security_params['hbase-site']['hbase.master.kerberos.principal'],
                              status_params.hostname,
                              status_params.tmp_dir)
        self.put_structured_out({"securityState": "SECURED_KERBEROS"})
      except Exception as e:
        self.put_structured_out({"securityState": "ERROR"})
        self.put_structured_out({"securityStateErrorInfo": str(e)})
    else:
      issues = []
      for cf in result_issues:
        issues.append("Configuration file %s did not pass the validation. Reason: %s" % (
          cf, result_issues[cf]))
      self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
      self.put_structured_out({"securityState": "UNSECURED"})
  def security_status(self, env):
    import status_params
    env.set_params(status_params)
    if status_params.security_enabled:
      props_value_check = {"yarn.timeline-service.enabled": "true",
                           "yarn.timeline-service.http-authentication.type": "kerberos",
                           "yarn.acl.enable": "true"}
      props_empty_check = ["yarn.timeline-service.principal",
                           "yarn.timeline-service.keytab",
                           "yarn.timeline-service.http-authentication.kerberos.principal",
                           "yarn.timeline-service.http-authentication.kerberos.keytab"]

      props_read_check = ["yarn.timeline-service.keytab",
                          "yarn.timeline-service.http-authentication.kerberos.keytab"]
      yarn_site_props = build_expectations('yarn-site', props_value_check, props_empty_check,
                                                  props_read_check)

      yarn_expectations ={}
      yarn_expectations.update(yarn_site_props)

      security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
                                                   {'yarn-site.xml': FILE_TYPE_XML})
      result_issues = validate_security_config_properties(security_params, yarn_expectations)
      if not result_issues: # If all validations passed successfully
        try:
          # Double check the dict before calling execute
          if ( 'yarn-site' not in security_params
               or 'yarn.timeline-service.keytab' not in security_params['yarn-site']
               or 'yarn.timeline-service.principal' not in security_params['yarn-site']) \
            or 'yarn.timeline-service.http-authentication.kerberos.keytab' not in security_params['yarn-site'] \
            or 'yarn.timeline-service.http-authentication.kerberos.principal' not in security_params['yarn-site']:
            self.put_structured_out({"securityState": "UNSECURED"})
            self.put_structured_out(
              {"securityIssuesFound": "Keytab file or principal are not set property."})
            return

          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.yarn_user,
                                security_params['yarn-site']['yarn.timeline-service.keytab'],
                                security_params['yarn-site']['yarn.timeline-service.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.yarn_user,
                                security_params['yarn-site']['yarn.timeline-service.http-authentication.kerberos.keytab'],
                                security_params['yarn-site']['yarn.timeline-service.http-authentication.kerberos.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          self.put_structured_out({"securityState": "SECURED_KERBEROS"})
        except Exception as e:
          self.put_structured_out({"securityState": "ERROR"})
          self.put_structured_out({"securityStateErrorInfo": str(e)})
      else:
        issues = []
        for cf in result_issues:
          issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
        self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
        self.put_structured_out({"securityState": "UNSECURED"})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #3
0
  def security_status(self, env):
    import status_params
    env.set_params(status_params)

    if status_params.security_enabled:
      expectations = {}
      expectations.update(build_expectations(
        'krb5JAASLogin',
        None,
        ['keytab', 'principal'],
        None
      ))
      expectations.update(build_expectations(
        'gateway-site',
        {
          "gateway.hadoop.kerberos.secured" : "true"
        },
        None,
        None
      ))

      security_params = {
        "krb5JAASLogin":
          {
            'keytab': status_params.knox_keytab_path,
            'principal': status_params.knox_principal_name
          }
      }
      security_params.update(get_params_from_filesystem(status_params.knox_conf_dir,
        {"gateway-site.xml" : FILE_TYPE_XML}))

      result_issues = validate_security_config_properties(security_params, expectations)
      if not result_issues:  # If all validations passed successfully
        try:
          # Double check the dict before calling execute
          if ( 'krb5JAASLogin' not in security_params
               or 'keytab' not in security_params['krb5JAASLogin']
               or 'principal' not in security_params['krb5JAASLogin']):
            self.put_structured_out({"securityState": "UNSECURED"})
            self.put_structured_out({"securityIssuesFound": "Keytab file and principal are not set."})
            return

          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.knox_user,
                                security_params['krb5JAASLogin']['keytab'],
                                security_params['krb5JAASLogin']['principal'],
                                status_params.hostname,
                                status_params.temp_dir)
          self.put_structured_out({"securityState": "SECURED_KERBEROS"})
        except Exception as e:
          self.put_structured_out({"securityState": "ERROR"})
          self.put_structured_out({"securityStateErrorInfo": str(e)})
      else:
        issues = []
        for cf in result_issues:
          issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
        self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
        self.put_structured_out({"securityState": "UNSECURED"})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #4
0
  def security_status(self, env):
    import status_params

    env.set_params(status_params)
    props_value_check = {"hadoop.security.authentication": "kerberos",
                         "hadoop.security.authorization": "true"}
    props_empty_check = ["hadoop.security.auth_to_local"]
    props_read_check = None
    core_site_expectations = build_expectations('core-site', props_value_check, props_empty_check,
                                                props_read_check)
    props_value_check = None
    props_empty_check = ['dfs.secondary.namenode.kerberos.internal.spnego.principal',
                         'dfs.secondary.namenode.keytab.file',
                         'dfs.secondary.namenode.kerberos.principal']
    props_read_check = ['dfs.secondary.namenode.keytab.file']
    hdfs_site_expectations = build_expectations('hdfs-site', props_value_check, props_empty_check,
                                                props_read_check)

    hdfs_expectations = {}
    hdfs_expectations.update(core_site_expectations)
    hdfs_expectations.update(hdfs_site_expectations)

    security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
                                                 {'core-site.xml': FILE_TYPE_XML,
                                                  'hdfs-site.xml': FILE_TYPE_XML})

    if 'core-site' in security_params and 'hadoop.security.authentication' in security_params['core-site'] and \
        security_params['core-site']['hadoop.security.authentication'].lower() == 'kerberos':
      result_issues = validate_security_config_properties(security_params, hdfs_expectations)
      if not result_issues:  # If all validations passed successfully
        try:
          # Double check the dict before calling execute
          if ('hdfs-site' not in security_params or
                  'dfs.secondary.namenode.keytab.file' not in security_params['hdfs-site'] or
                  'dfs.secondary.namenode.kerberos.principal' not in security_params['hdfs-site']):
            self.put_structured_out({"securityState": "UNSECURED"})
            self.put_structured_out(
              {"securityIssuesFound": "Keytab file or principal are not set property."})
            return

          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.hdfs_user,
                                security_params['hdfs-site']['dfs.secondary.namenode.keytab.file'],
                                security_params['hdfs-site'][
                                  'dfs.secondary.namenode.kerberos.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          self.put_structured_out({"securityState": "SECURED_KERBEROS"})
        except Exception as e:
          self.put_structured_out({"securityState": "ERROR"})
          self.put_structured_out({"securityStateErrorInfo": str(e)})
      else:
        issues = []
        for cf in result_issues:
          issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
        self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
        self.put_structured_out({"securityState": "UNSECURED"})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #5
0
  def security_status(self, env):
    import status_params
    env.set_params(status_params)
    if status_params.security_enabled:
      props_value_check = {"*.falcon.authentication.type": "kerberos",
                           "*.falcon.http.authentication.type": "kerberos"}
      props_empty_check = ["*.falcon.service.authentication.kerberos.principal",
                           "*.falcon.service.authentication.kerberos.keytab",
                           "*.falcon.http.authentication.kerberos.principal",
                           "*.falcon.http.authentication.kerberos.keytab"]
      props_read_check = ["*.falcon.service.authentication.kerberos.keytab",
                          "*.falcon.http.authentication.kerberos.keytab"]
      falcon_startup_props = build_expectations('startup', props_value_check, props_empty_check,
                                                  props_read_check)

      falcon_expectations ={}
      falcon_expectations.update(falcon_startup_props)

      security_params = get_params_from_filesystem('/etc/falcon/conf',
                                                   {'startup.properties': FILE_TYPE_PROPERTIES})
      result_issues = validate_security_config_properties(security_params, falcon_expectations)
      if not result_issues: # If all validations passed successfully
        try:
          # Double check the dict before calling execute
          if ( 'startup' not in security_params
               or '*.falcon.service.authentication.kerberos.keytab' not in security_params['startup']
               or '*.falcon.service.authentication.kerberos.principal' not in security_params['startup']) \
            or '*.falcon.http.authentication.kerberos.keytab' not in security_params['startup'] \
            or '*.falcon.http.authentication.kerberos.principal' not in security_params['startup']:
            self.put_structured_out({"securityState": "UNSECURED"})
            self.put_structured_out(
              {"securityIssuesFound": "Keytab file or principal are not set property."})
            return

          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.falcon_user,
                                security_params['startup']['*.falcon.service.authentication.kerberos.keytab'],
                                security_params['startup']['*.falcon.service.authentication.kerberos.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.falcon_user,
                                security_params['startup']['*.falcon.http.authentication.kerberos.keytab'],
                                security_params['startup']['*.falcon.http.authentication.kerberos.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          self.put_structured_out({"securityState": "SECURED_KERBEROS"})
        except Exception as e:
          self.put_structured_out({"securityState": "ERROR"})
          self.put_structured_out({"securityStateErrorInfo": str(e)})
      else:
        issues = []
        for cf in result_issues:
          issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
        self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
        self.put_structured_out({"securityState": "UNSECURED"})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #6
0
    def security_status(self, env):
        import status_params

        env.set_params(status_params)
        if status_params.security_enabled:
            props_value_check = {
                "hive.server2.authentication": "KERBEROS",
                "hive.metastore.sasl.enabled": "true",
                "hive.security.authorization.enabled": "true",
            }
            props_empty_check = ["hive.metastore.kerberos.keytab.file", "hive.metastore.kerberos.principal"]

            props_read_check = ["hive.metastore.kerberos.keytab.file"]
            hive_site_props = build_expectations("hive-site", props_value_check, props_empty_check, props_read_check)

            hive_expectations = {}
            hive_expectations.update(hive_site_props)

            security_params = get_params_from_filesystem(status_params.hive_conf_dir, {"hive-site.xml": FILE_TYPE_XML})
            result_issues = validate_security_config_properties(security_params, hive_expectations)
            if not result_issues:  # If all validations passed successfully
                try:
                    # Double check the dict before calling execute
                    if (
                        "hive-site" not in security_params
                        or "hive.metastore.kerberos.keytab.file" not in security_params["hive-site"]
                        or "hive.metastore.kerberos.principal" not in security_params["hive-site"]
                    ):
                        self.put_structured_out({"securityState": "UNSECURED"})
                        self.put_structured_out(
                            {"securityIssuesFound": "Keytab file or principal are not set property."}
                        )
                        return

                    cached_kinit_executor(
                        status_params.kinit_path_local,
                        status_params.hive_user,
                        security_params["hive-site"]["hive.metastore.kerberos.keytab.file"],
                        security_params["hive-site"]["hive.metastore.kerberos.principal"],
                        status_params.hostname,
                        status_params.tmp_dir,
                    )

                    self.put_structured_out({"securityState": "SECURED_KERBEROS"})
                except Exception as e:
                    self.put_structured_out({"securityState": "ERROR"})
                    self.put_structured_out({"securityStateErrorInfo": str(e)})
            else:
                issues = []
                for cf in result_issues:
                    issues.append(
                        "Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf])
                    )
                self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
                self.put_structured_out({"securityState": "UNSECURED"})
        else:
            self.put_structured_out({"securityState": "UNSECURED"})
Пример #7
0
  def security_status(self, env):
    import status_params
    env.set_params(status_params)
    if status_params.security_enabled:
      expectations = {}
      expectations.update(build_expectations('mapred-site',
                                             None,
                                             [
                                               'mapreduce.jobhistory.keytab',
                                               'mapreduce.jobhistory.principal',
                                               'mapreduce.jobhistory.webapp.spnego-keytab-file',
                                               'mapreduce.jobhistory.webapp.spnego-principal'
                                             ],
                                             None))

      security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
                                                   {'mapred-site.xml': FILE_TYPE_XML})
      result_issues = validate_security_config_properties(security_params, expectations)
      if not result_issues: # If all validations passed successfully
        try:
          # Double check the dict before calling execute
          if ( 'mapred-site' not in security_params or
               'mapreduce.jobhistory.keytab' not in security_params['mapred-site'] or
               'mapreduce.jobhistory.principal' not in security_params['mapred-site'] or
               'mapreduce.jobhistory.webapp.spnego-keytab-file' not in security_params['mapred-site'] or
               'mapreduce.jobhistory.webapp.spnego-principal' not in security_params['mapred-site']):
            self.put_structured_out({"securityState": "UNSECURED"})
            self.put_structured_out(
              {"securityIssuesFound": "Keytab file or principal not set."})
            return

          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.mapred_user,
                                security_params['mapred-site']['mapreduce.jobhistory.keytab'],
                                security_params['mapred-site']['mapreduce.jobhistory.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.mapred_user,
                                security_params['mapred-site']['mapreduce.jobhistory.webapp.spnego-keytab-file'],
                                security_params['mapred-site']['mapreduce.jobhistory.webapp.spnego-principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          self.put_structured_out({"securityState": "SECURED_KERBEROS"})
        except Exception as e:
          self.put_structured_out({"securityState": "ERROR"})
          self.put_structured_out({"securityStateErrorInfo": str(e)})
      else:
        issues = []
        for cf in result_issues:
          issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
        self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
        self.put_structured_out({"securityState": "UNSECURED"})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #8
0
  def security_status(self, env):
    import status_params

    env.set_params(status_params)

    props_value_check = {'atlas.authentication.method': 'kerberos',
                         'atlas.http.authentication.enabled': 'true',
                         'atlas.http.authentication.type': 'kerberos'}
    props_empty_check = ['atlas.authentication.principal',
                         'atlas.authentication.keytab',
                         'atlas.http.authentication.kerberos.principal',
                         'atlas.http.authentication.kerberos.keytab']
    props_read_check = ['atlas.authentication.keytab',
                        'atlas.http.authentication.kerberos.keytab']
    atlas_site_expectations = build_expectations('application-properties',
                                                    props_value_check,
                                                    props_empty_check,
                                                    props_read_check)

    atlas_expectations = {}
    atlas_expectations.update(atlas_site_expectations)

    security_params = get_params_from_filesystem(status_params.conf_dir,
                                                 {'application.properties': FILE_TYPE_PROPERTIES})
    result_issues = validate_security_config_properties(security_params, atlas_expectations)
    if not result_issues:  # If all validations passed successfully
      try:
        # Double check the dict before calling execute
        if ( 'application-properties' not in security_params
             or 'atlas.authentication.keytab' not in security_params['application-properties']
             or 'atlas.authentication.principal' not in security_params['application-properties']):
          self.put_structured_out({"securityState": "UNSECURED"})
          self.put_structured_out(
            {"securityIssuesFound": "Atlas service keytab file or principal are not set property."})
          return

        if ( 'application-properties' not in security_params
             or 'atlas.http.authentication.kerberos.keytab' not in security_params['application-properties']
             or 'atlas.http.authentication.kerberos.principal' not in security_params['application-properties']):
          self.put_structured_out({"securityState": "UNSECURED"})
          self.put_structured_out(
            {"securityIssuesFound": "HTTP Authentication keytab file or principal are not set property."})
          return

        self.put_structured_out({"securityState": "SECURED_KERBEROS"})
      except Exception as e:
        self.put_structured_out({"securityState": "ERROR"})
        self.put_structured_out({"securityStateErrorInfo": str(e)})
    else:
      issues = []
      for cf in result_issues:
        issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
      self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #9
0
  def security_status(self, env):
    import status_params

    env.set_params(status_params)

    if status_params.security_enabled:
      # Expect the following files to be available in status_params.config_dir:
      #   storm_jaas.conf

      try:
        props_value_check = None
        props_empty_check = ['storm_ui_principal_name', 'storm_ui_keytab']
        props_read_check = ['storm_ui_keytab']
        storm_env_expectations = build_expectations('storm_ui', props_value_check, props_empty_check,
                                                 props_read_check)

        storm_expectations = {}
        storm_expectations.update(storm_env_expectations)

        security_params = {}
        security_params['storm_ui'] = {}
        security_params['storm_ui']['storm_ui_principal_name'] = status_params.storm_ui_principal
        security_params['storm_ui']['storm_ui_keytab'] = status_params.storm_ui_keytab

        result_issues = validate_security_config_properties(security_params, storm_expectations)
        if not result_issues:  # If all validations passed successfully
          # Double check the dict before calling execute
          if ( 'storm_ui' not in security_params
               or 'storm_ui_principal_name' not in security_params['storm_ui']
               or 'storm_ui_keytab' not in security_params['storm_ui']):
            self.put_structured_out({"securityState": "ERROR"})
            self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
            return

          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.storm_user,
                                security_params['storm_ui']['storm_ui_keytab'],
                                security_params['storm_ui']['storm_ui_principal_name'],
                                status_params.hostname,
                                status_params.tmp_dir)
          self.put_structured_out({"securityState": "SECURED_KERBEROS"})
        else:
          issues = []
          for cf in result_issues:
            issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
          self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
          self.put_structured_out({"securityState": "UNSECURED"})
      except Exception as e:
        self.put_structured_out({"securityState": "ERROR"})
        self.put_structured_out({"securityStateErrorInfo": str(e)})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #10
0
  def security_status(self, env):
    import status_params

    env.set_params(status_params)

    if status_params.security_enabled:
      # Expect the following files to be available in status_params.config_dir:
      #   zookeeper_jaas.conf
      #   zookeeper_client_jaas.conf
      try:
        props_value_check = None
        props_empty_check = ['Server/keyTab', 'Server/principal']
        props_read_check = ['Server/keyTab']
        zk_env_expectations = build_expectations('zookeeper_jaas', props_value_check, props_empty_check,
                                                 props_read_check)

        zk_expectations = {}
        zk_expectations.update(zk_env_expectations)

        security_params = get_params_from_filesystem(status_params.config_dir,
                                                   {'zookeeper_jaas.conf': FILE_TYPE_JAAS_CONF})

        result_issues = validate_security_config_properties(security_params, zk_expectations)
        if not result_issues:  # If all validations passed successfully
          # Double check the dict before calling execute
          if ( 'zookeeper_jaas' not in security_params
               or 'Server' not in security_params['zookeeper_jaas']
               or 'keyTab' not in security_params['zookeeper_jaas']['Server']
               or 'principal' not in security_params['zookeeper_jaas']['Server']):
            self.put_structured_out({"securityState": "ERROR"})
            self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
            return

          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.zk_user,
                                security_params['zookeeper_jaas']['Server']['keyTab'],
                                security_params['zookeeper_jaas']['Server']['principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          self.put_structured_out({"securityState": "SECURED_KERBEROS"})
        else:
          issues = []
          for cf in result_issues:
            issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
          self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
          self.put_structured_out({"securityState": "UNSECURED"})
      except Exception as e:
        self.put_structured_out({"securityState": "ERROR"})
        self.put_structured_out({"securityStateErrorInfo": str(e)})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #11
0
  def security_status(self, env):
    import status_params

    env.set_params(status_params)

    props_value_check = {}
    props_empty_check = ['general.kerberos.keytab',
                         'general.kerberos.principal']
    props_read_check = ['general.kerberos.keytab']
    accumulo_site_expectations = build_expectations('accumulo-site',
      props_value_check, props_empty_check, props_read_check)

    accumulo_expectations = {}
    accumulo_expectations.update(accumulo_site_expectations)

    security_params = get_params_from_filesystem(status_params.conf_dir,
      {'accumulo-site.xml': FILE_TYPE_XML})

    result_issues = validate_security_config_properties(security_params, accumulo_expectations)
    if not result_issues:  # If all validations passed successfully
      try:
        # Double check the dict before calling execute
        if ( 'accumulo-site' not in security_params
             or 'general.kerberos.keytab' not in security_params['accumulo-site']
             or 'general.kerberos.principal' not in security_params['accumulo-site']):
          self.put_structured_out({"securityState": "UNSECURED"})
          self.put_structured_out(
            {"securityIssuesFound": "Keytab file or principal are not set property."})
          return

        cached_kinit_executor(status_params.kinit_path_local,
          status_params.accumulo_user,
          security_params['accumulo-site']['general.kerberos.keytab'],
          security_params['accumulo-site']['general.kerberos.principal'],
          status_params.hostname,
          status_params.tmp_dir,
          30)

        self.put_structured_out({"securityState": "SECURED_KERBEROS"})
      except Exception as e:
        self.put_structured_out({"securityState": "ERROR"})
        self.put_structured_out({"securityStateErrorInfo": str(e)})
    else:
      issues = []
      for cf in result_issues:
        issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
      self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #12
0
  def security_status(self, env):
    import status_params

    env.set_params(status_params)

    props_value_check = {"hadoop.security.authentication": "kerberos",
                         "hadoop.security.authorization": "true"}
    props_empty_check = ["hadoop.security.auth_to_local"]
    props_read_check = None
    core_site_expectations = build_expectations('core-site', props_value_check, props_empty_check,
                                                props_read_check)
    hdfs_expectations = {}
    hdfs_expectations.update(core_site_expectations)

    security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
                                                   {'core-site.xml': FILE_TYPE_XML})
    result_issues = validate_security_config_properties(security_params, hdfs_expectations)
    if 'core-site' in security_params and 'hadoop.security.authentication' in security_params['core-site'] and \
        security_params['core-site']['hadoop.security.authentication'].lower() == 'kerberos':
      if not result_issues:  # If all validations passed successfully
        if status_params.hdfs_user_principal or status_params.hdfs_user_keytab:
          try:
            cached_kinit_executor(status_params.kinit_path_local,
                                  status_params.hdfs_user,
                                  status_params.hdfs_user_keytab,
                                  status_params.hdfs_user_principal,
                                  status_params.hostname,
                                  status_params.tmp_dir)
            self.put_structured_out({"securityState": "SECURED_KERBEROS"})
          except Exception as e:
            self.put_structured_out({"securityState": "ERROR"})
            self.put_structured_out({"securityStateErrorInfo": str(e)})
        else:
          self.put_structured_out(
            {"securityIssuesFound": "hdfs principal and/or keytab file is not specified"})
          self.put_structured_out({"securityState": "UNSECURED"})
      else:
        issues = []
        for cf in result_issues:
          issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
        self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
        self.put_structured_out({"securityState": "UNSECURED"})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #13
0
  def security_status(self, env):
    import status_params
    env.set_params(status_params)

    if status_params.security_enabled:
      expectations = {
        "oozie-site":
          build_expectations('oozie-site',
                             {
                               "oozie.authentication.type": "kerberos",
                               "oozie.service.AuthorizationService.security.enabled": "true",
                               "oozie.service.HadoopAccessorService.kerberos.enabled": "true"
                             },
                             [
                               "local.realm",
                               "oozie.authentication.kerberos.principal",
                               "oozie.authentication.kerberos.keytab",
                               "oozie.service.HadoopAccessorService.kerberos.principal",
                               "oozie.service.HadoopAccessorService.keytab.file"
                             ],
                             None)
      }

      security_params = get_params_from_filesystem(status_params.conf_dir,
                                                   {'oozie-site.xml': FILE_TYPE_XML})
      result_issues = validate_security_config_properties(security_params, expectations)
      if not result_issues: # If all validations passed successfully
        try:
          # Double check the dict before calling execute
          if ('oozie-site' not in security_params
              or 'oozie.authentication.kerberos.principal' not in security_params['oozie-site']
              or 'oozie.authentication.kerberos.keytab' not in security_params['oozie-site']
              or 'oozie.service.HadoopAccessorService.kerberos.principal' not in security_params['oozie-site']
              or 'oozie.service.HadoopAccessorService.keytab.file' not in security_params['oozie-site']):
            self.put_structured_out({"securityState": "UNSECURED"})
            self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
            return

          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.oozie_user,
                                security_params['oozie-site']['oozie.authentication.kerberos.keytab'],
                                security_params['oozie-site']['oozie.authentication.kerberos.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.oozie_user,
                                security_params['oozie-site']['oozie.service.HadoopAccessorService.keytab.file'],
                                security_params['oozie-site']['oozie.service.HadoopAccessorService.kerberos.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          self.put_structured_out({"securityState": "SECURED_KERBEROS"})
        except Exception as e:
          self.put_structured_out({"securityState": "ERROR"})
          self.put_structured_out({"securityStateErrorInfo": str(e)})
      else:
        issues = []
        for cf in result_issues:
          issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
        self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
        self.put_structured_out({"securityState": "UNSECURED"})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #14
0
  def security_status(self, env):
    import status_params
    env.set_params(status_params)

    if status_params.security_enabled:
      expectations = {
        "oozie-site":
          build_expectations('oozie-site',
                             {
                               "oozie.authentication.type": "kerberos",
                               "oozie.service.AuthorizationService.security.enabled": "true",
                               "oozie.service.HadoopAccessorService.kerberos.enabled": "true"
                             },
                             [
                               "local.realm",
                               "oozie.authentication.kerberos.principal",
                               "oozie.authentication.kerberos.keytab",
                               "oozie.service.HadoopAccessorService.kerberos.principal",
                               "oozie.service.HadoopAccessorService.keytab.file"
                             ],
                             None)
      }

      security_params = get_params_from_filesystem(status_params.conf_dir,
                                                   {'oozie-site.xml': FILE_TYPE_XML})
      result_issues = validate_security_config_properties(security_params, expectations)
      if not result_issues: # If all validations passed successfully
        try:
          # Double check the dict before calling execute
          if ('oozie-site' not in security_params
              or 'oozie.authentication.kerberos.principal' not in security_params['oozie-site']
              or 'oozie.authentication.kerberos.keytab' not in security_params['oozie-site']
              or 'oozie.service.HadoopAccessorService.kerberos.principal' not in security_params['oozie-site']
              or 'oozie.service.HadoopAccessorService.keytab.file' not in security_params['oozie-site']):
            self.put_structured_out({"securityState": "UNSECURED"})
            self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
            return

          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.oozie_user,
                                security_params['oozie-site']['oozie.authentication.kerberos.keytab'],
                                security_params['oozie-site']['oozie.authentication.kerberos.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.oozie_user,
                                security_params['oozie-site']['oozie.service.HadoopAccessorService.keytab.file'],
                                security_params['oozie-site']['oozie.service.HadoopAccessorService.kerberos.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          self.put_structured_out({"securityState": "SECURED_KERBEROS"})
        except Exception as e:
          self.put_structured_out({"securityState": "ERROR"})
          self.put_structured_out({"securityStateErrorInfo": str(e)})
      else:
        issues = []
        for cf in result_issues:
          issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
        self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
        self.put_structured_out({"securityState": "UNSECURED"})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #15
0
    def security_status(self, env):
        import status_params
        env.set_params(status_params)
        if status_params.security_enabled:
            expectations = {}
            expectations.update(
                build_expectations('mapred-site', None, [
                    'mapreduce.jobhistory.keytab',
                    'mapreduce.jobhistory.principal',
                    'mapreduce.jobhistory.webapp.spnego-keytab-file',
                    'mapreduce.jobhistory.webapp.spnego-principal'
                ], None))

            security_params = get_params_from_filesystem(
                status_params.hadoop_conf_dir,
                {'mapred-site.xml': FILE_TYPE_XML})
            result_issues = validate_security_config_properties(
                security_params, expectations)
            if not result_issues:  # If all validations passed successfully
                try:
                    # Double check the dict before calling execute
                    if ('mapred-site' not in security_params
                            or 'mapreduce.jobhistory.keytab'
                            not in security_params['mapred-site']
                            or 'mapreduce.jobhistory.principal'
                            not in security_params['mapred-site']
                            or 'mapreduce.jobhistory.webapp.spnego-keytab-file'
                            not in security_params['mapred-site']
                            or 'mapreduce.jobhistory.webapp.spnego-principal'
                            not in security_params['mapred-site']):
                        self.put_structured_out({"securityState": "UNSECURED"})
                        self.put_structured_out({
                            "securityIssuesFound":
                            "Keytab file or principal not set."
                        })
                        return

                    cached_kinit_executor(
                        status_params.kinit_path_local,
                        status_params.mapred_user,
                        security_params['mapred-site']
                        ['mapreduce.jobhistory.keytab'],
                        security_params['mapred-site']
                        ['mapreduce.jobhistory.principal'],
                        status_params.hostname, status_params.tmp_dir)
                    cached_kinit_executor(
                        status_params.kinit_path_local,
                        status_params.mapred_user,
                        security_params['mapred-site']
                        ['mapreduce.jobhistory.webapp.spnego-keytab-file'],
                        security_params['mapred-site']
                        ['mapreduce.jobhistory.webapp.spnego-principal'],
                        status_params.hostname, status_params.tmp_dir)
                    self.put_structured_out(
                        {"securityState": "SECURED_KERBEROS"})
                except Exception as e:
                    self.put_structured_out({"securityState": "ERROR"})
                    self.put_structured_out({"securityStateErrorInfo": str(e)})
            else:
                issues = []
                for cf in result_issues:
                    issues.append(
                        "Configuration file %s did not pass the validation. Reason: %s"
                        % (cf, result_issues[cf]))
                self.put_structured_out(
                    {"securityIssuesFound": ". ".join(issues)})
                self.put_structured_out({"securityState": "UNSECURED"})
        else:
            self.put_structured_out({"securityState": "UNSECURED"})
Пример #16
0
    def security_status(self, env):
        import status_params
        env.set_params(status_params)
        if status_params.security_enabled:
            props_value_check = {
                "*.falcon.authentication.type": "kerberos",
                "*.falcon.http.authentication.type": "kerberos"
            }
            props_empty_check = [
                "*.falcon.service.authentication.kerberos.principal",
                "*.falcon.service.authentication.kerberos.keytab",
                "*.falcon.http.authentication.kerberos.principal",
                "*.falcon.http.authentication.kerberos.keytab"
            ]
            props_read_check = [
                "*.falcon.service.authentication.kerberos.keytab",
                "*.falcon.http.authentication.kerberos.keytab"
            ]
            falcon_startup_props = build_expectations('startup',
                                                      props_value_check,
                                                      props_empty_check,
                                                      props_read_check)

            falcon_expectations = {}
            falcon_expectations.update(falcon_startup_props)

            security_params = get_params_from_filesystem(
                '/etc/falcon/conf',
                {'startup.properties': FILE_TYPE_PROPERTIES})
            result_issues = validate_security_config_properties(
                security_params, falcon_expectations)
            if not result_issues:  # If all validations passed successfully
                try:
                    # Double check the dict before calling execute
                    if ( 'startup' not in security_params
                         or '*.falcon.service.authentication.kerberos.keytab' not in security_params['startup']
                         or '*.falcon.service.authentication.kerberos.principal' not in security_params['startup']) \
                      or '*.falcon.http.authentication.kerberos.keytab' not in security_params['startup'] \
                      or '*.falcon.http.authentication.kerberos.principal' not in security_params['startup']:
                        self.put_structured_out({"securityState": "UNSECURED"})
                        self.put_structured_out({
                            "securityIssuesFound":
                            "Keytab file or principal are not set property."
                        })
                        return

                    cached_kinit_executor(
                        status_params.kinit_path_local,
                        status_params.falcon_user, security_params['startup']
                        ['*.falcon.service.authentication.kerberos.keytab'],
                        security_params['startup']
                        ['*.falcon.service.authentication.kerberos.principal'],
                        status_params.hostname, status_params.tmp_dir)
                    cached_kinit_executor(
                        status_params.kinit_path_local,
                        status_params.falcon_user, security_params['startup']
                        ['*.falcon.http.authentication.kerberos.keytab'],
                        security_params['startup']
                        ['*.falcon.http.authentication.kerberos.principal'],
                        status_params.hostname, status_params.tmp_dir)
                    self.put_structured_out(
                        {"securityState": "SECURED_KERBEROS"})
                except Exception as e:
                    self.put_structured_out({"securityState": "ERROR"})
                    self.put_structured_out({"securityStateErrorInfo": str(e)})
            else:
                issues = []
                for cf in result_issues:
                    issues.append(
                        "Configuration file %s did not pass the validation. Reason: %s"
                        % (cf, result_issues[cf]))
                self.put_structured_out(
                    {"securityIssuesFound": ". ".join(issues)})
                self.put_structured_out({"securityState": "UNSECURED"})
        else:
            self.put_structured_out({"securityState": "UNSECURED"})
Пример #17
0
    def security_status(self, env):
        import status_params

        env.set_params(status_params)
        props_value_check = {
            "hbase.security.authentication": "kerberos",
            "hbase.security.authorization": "true"
        }

        props_empty_check = [
            "hbase.zookeeper.property.authProvider.1",
            "hbase.master.keytab.file", "hbase.master.kerberos.principal",
            "hbase.regionserver.keytab.file",
            "hbase.regionserver.kerberos.principal"
        ]
        props_read_check = [
            'hbase.master.keytab.file', 'hbase.regionserver.keytab.file'
        ]
        ams_hbase_site_expectations = build_expectations(
            'hbase-site', props_value_check, props_empty_check,
            props_read_check)

        expectations = {}
        expectations.update(ams_hbase_site_expectations)

        security_params = get_params_from_filesystem(
            status_params.ams_hbase_conf_dir,
            {'hbase-site.xml': FILE_TYPE_XML})

        # In case of blueprint deployment security_status might be called before AMS collector is installed.
        if ('hbase-site' not in security_params or 'hbase.cluster.distributed'
                not in security_params['hbase-site']):
            self.put_structured_out({"securityState": "UNKNOWN"})
            return

        is_hbase_distributed = security_params['hbase-site'][
            'hbase.cluster.distributed']
        # for embedded mode, when HBase is backed by file, security state is SECURED_KERBEROS by definition when cluster is secured
        if status_params.security_enabled and not is_hbase_distributed:
            self.put_structured_out({"securityState": "SECURED_KERBEROS"})
            return

        result_issues = validate_security_config_properties(
            security_params, expectations)

        if not result_issues:  # If all validations passed successfully
            try:
                # Double check the dict before calling execute
                if ('hbase-site' not in security_params
                        or 'hbase.master.keytab.file'
                        not in security_params['hbase-site']
                        or 'hbase.master.kerberos.principal'
                        not in security_params['hbase-site']):
                    self.put_structured_out({"securityState": "UNSECURED"})
                    self.put_structured_out({
                        "securityIssuesFound":
                        "Keytab file or principal are not set property."
                    })
                    return

                cached_kinit_executor(
                    status_params.kinit_path_local, status_params.hbase_user,
                    security_params['hbase-site']['hbase.master.keytab.file'],
                    security_params['hbase-site']
                    ['hbase.master.kerberos.principal'],
                    status_params.hostname, status_params.tmp_dir)
                self.put_structured_out({"securityState": "SECURED_KERBEROS"})
            except Exception as e:
                self.put_structured_out({"securityState": "ERROR"})
                self.put_structured_out({"securityStateErrorInfo": str(e)})
        else:
            issues = []
            for cf in result_issues:
                issues.append(
                    "Configuration file %s did not pass the validation. Reason: %s"
                    % (cf, result_issues[cf]))
            self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
            self.put_structured_out({"securityState": "UNSECURED"})
Пример #18
0
    def security_status(self, env):
        import status_params

        env.set_params(status_params)
        props_value_check = {
            "hadoop.security.authentication": "kerberos",
            "hadoop.security.authorization": "true"
        }
        props_empty_check = ["hadoop.security.auth_to_local"]
        props_read_check = None
        core_site_expectations = build_expectations('core-site',
                                                    props_value_check,
                                                    props_empty_check,
                                                    props_read_check)
        props_value_check = None
        props_empty_check = ['nfs.keytab.file', 'nfs.kerberos.principal']
        props_read_check = ['nfs.keytab.file']
        hdfs_site_expectations = build_expectations('hdfs-site',
                                                    props_value_check,
                                                    props_empty_check,
                                                    props_read_check)

        hdfs_expectations = {}
        hdfs_expectations.update(core_site_expectations)
        hdfs_expectations.update(hdfs_site_expectations)

        security_params = get_params_from_filesystem(
            status_params.hadoop_conf_dir, {
                'core-site.xml': FILE_TYPE_XML,
                'hdfs-site.xml': FILE_TYPE_XML
            })
        if 'core-site' in security_params and 'hadoop.security.authentication' in security_params['core-site'] and \
            security_params['core-site']['hadoop.security.authentication'].lower() == 'kerberos':
            result_issues = validate_security_config_properties(
                security_params, hdfs_expectations)
            if not result_issues:  # If all validations passed successfully
                try:
                    # Double check the dict before calling execute
                    if ('hdfs-site' not in security_params or 'nfs.keytab.file'
                            not in security_params['hdfs-site']
                            or 'nfs.kerberos.principal'
                            not in security_params['hdfs-site']):
                        self.put_structured_out({"securityState": "UNSECURED"})
                        self.put_structured_out({
                            "securityIssuesFound":
                            "Keytab file or principal are not set property."
                        })
                        return

                    cached_kinit_executor(
                        status_params.kinit_path_local,
                        status_params.hdfs_user,
                        security_params['hdfs-site']['nfs.keytab.file'],
                        security_params['hdfs-site']['nfs.kerberos.principal'],
                        status_params.hostname, status_params.tmp_dir)
                    self.put_structured_out(
                        {"securityState": "SECURED_KERBEROS"})
                except Exception as e:
                    self.put_structured_out({"securityState": "ERROR"})
                    self.put_structured_out({"securityStateErrorInfo": str(e)})
            else:
                issues = []
                for cf in result_issues:
                    issues.append(
                        "Configuration file %s did not pass the validation. Reason: %s"
                        % (cf, result_issues[cf]))
                self.put_structured_out(
                    {"securityIssuesFound": ". ".join(issues)})
                self.put_structured_out({"securityState": "UNSECURED"})
        else:
            self.put_structured_out({"securityState": "UNSECURED"})
Пример #19
0
    def security_status(self, env):
        import status_params
        env.set_params(status_params)
        if status_params.security_enabled:
            props_value_check = {
                "yarn.timeline-service.http-authentication.type": "kerberos",
                "yarn.acl.enable": "true"
            }
            props_empty_check = [
                "yarn.resourcemanager.principal",
                "yarn.resourcemanager.keytab",
                "yarn.resourcemanager.webapp.spnego-principal",
                "yarn.resourcemanager.webapp.spnego-keytab-file"
            ]

            props_read_check = [
                "yarn.resourcemanager.keytab",
                "yarn.resourcemanager.webapp.spnego-keytab-file"
            ]
            yarn_site_props = build_expectations('yarn-site',
                                                 props_value_check,
                                                 props_empty_check,
                                                 props_read_check)

            yarn_expectations = {}
            yarn_expectations.update(yarn_site_props)

            security_params = get_params_from_filesystem(
                status_params.hadoop_conf_dir,
                {'yarn-site.xml': FILE_TYPE_XML})
            result_issues = validate_security_config_properties(
                security_params, yarn_site_props)
            if not result_issues:  # If all validations passed successfully
                try:
                    # Double check the dict before calling execute
                    if ( 'yarn-site' not in security_params
                         or 'yarn.resourcemanager.keytab' not in security_params['yarn-site']
                         or 'yarn.resourcemanager.principal' not in security_params['yarn-site']) \
                      or 'yarn.resourcemanager.webapp.spnego-keytab-file' not in security_params['yarn-site'] \
                      or 'yarn.resourcemanager.webapp.spnego-principal' not in security_params['yarn-site']:
                        self.put_structured_out({"securityState": "UNSECURED"})
                        self.put_structured_out({
                            "securityIssuesFound":
                            "Keytab file or principal are not set property."
                        })
                        return

                    cached_kinit_executor(
                        status_params.kinit_path_local,
                        status_params.yarn_user, security_params['yarn-site']
                        ['yarn.resourcemanager.keytab'],
                        security_params['yarn-site']
                        ['yarn.resourcemanager.principal'],
                        status_params.hostname, status_params.tmp_dir)
                    cached_kinit_executor(
                        status_params.kinit_path_local,
                        status_params.yarn_user, security_params['yarn-site']
                        ['yarn.resourcemanager.webapp.spnego-keytab-file'],
                        security_params['yarn-site']
                        ['yarn.resourcemanager.webapp.spnego-principal'],
                        status_params.hostname, status_params.tmp_dir)
                    self.put_structured_out(
                        {"securityState": "SECURED_KERBEROS"})
                except Exception as e:
                    self.put_structured_out({"securityState": "ERROR"})
                    self.put_structured_out({"securityStateErrorInfo": str(e)})
            else:
                issues = []
                for cf in result_issues:
                    issues.append(
                        "Configuration file %s did not pass the validation. Reason: %s"
                        % (cf, result_issues[cf]))
                self.put_structured_out(
                    {"securityIssuesFound": ". ".join(issues)})
                self.put_structured_out({"securityState": "UNSECURED"})
        else:
            self.put_structured_out({"securityState": "UNSECURED"})
Пример #20
0
  def security_status(self, env):
    import status_params
    env.set_params(status_params)

    if status_params.security_enabled:
      expectations ={}
      expectations.update(
        build_expectations(
          'webhcat-site',
          {
            "templeton.kerberos.secret": "secret"
          },
          [
            "templeton.kerberos.keytab",
            "templeton.kerberos.principal"
          ],
          [
            "templeton.kerberos.keytab"
          ]
        )
      )
      expectations.update(
        build_expectations(
          'hive-site',
          {
            "hive.server2.authentication": "KERBEROS",
            "hive.metastore.sasl.enabled": "true",
            "hive.security.authorization.enabled": "true"
          },
          None,
          None
        )
      )

      security_params = {}
      security_params.update(get_params_from_filesystem(status_params.hive_conf_dir,
                                                        {'hive-site.xml': FILE_TYPE_XML}))
      security_params.update(get_params_from_filesystem(status_params.webhcat_conf_dir,
                                                        {'webhcat-site.xml': FILE_TYPE_XML}))
      result_issues = validate_security_config_properties(security_params, expectations)
      if not result_issues: # If all validations passed successfully
        try:
          # Double check the dict before calling execute
          if 'webhcat-site' not in security_params \
            or 'templeton.kerberos.keytab' not in security_params['webhcat-site'] \
            or 'templeton.kerberos.principal' not in security_params['webhcat-site']:
            self.put_structured_out({"securityState": "UNSECURED"})
            self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
            return

          cached_kinit_executor(status_params.kinit_path_local,
                                status_params.webhcat_user,
                                security_params['webhcat-site']['templeton.kerberos.keytab'],
                                security_params['webhcat-site']['templeton.kerberos.principal'],
                                status_params.hostname,
                                status_params.tmp_dir)
          self.put_structured_out({"securityState": "SECURED_KERBEROS"})
        except Exception as e:
          self.put_structured_out({"securityState": "ERROR"})
          self.put_structured_out({"securityStateErrorInfo": str(e)})
      else:
        issues = []
        for cf in result_issues:
          issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
        self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
        self.put_structured_out({"securityState": "UNSECURED"})
    else:
      self.put_structured_out({"securityState": "UNSECURED"})
Пример #21
0
    def security_status(self, env):
        import status_params
        env.set_params(status_params)
        if status_params.security_enabled:
            props_value_check = {
                "hive.server2.authentication": "KERBEROS",
                "hive.metastore.sasl.enabled": "true",
                "hive.security.authorization.enabled": "true"
            }
            props_empty_check = [
                "hive.metastore.kerberos.keytab.file",
                "hive.metastore.kerberos.principal"
            ]

            props_read_check = ["hive.metastore.kerberos.keytab.file"]
            hive_site_props = build_expectations('hive-site',
                                                 props_value_check,
                                                 props_empty_check,
                                                 props_read_check)

            hive_expectations = {}
            hive_expectations.update(hive_site_props)

            security_params = get_params_from_filesystem(
                status_params.hive_conf_dir, {'hive-site.xml': FILE_TYPE_XML})
            result_issues = validate_security_config_properties(
                security_params, hive_expectations)
            if not result_issues:  # If all validations passed successfully
                try:
                    # Double check the dict before calling execute
                    if 'hive-site' not in security_params \
                      or 'hive.metastore.kerberos.keytab.file' not in security_params['hive-site'] \
                      or 'hive.metastore.kerberos.principal' not in security_params['hive-site']:
                        self.put_structured_out({"securityState": "UNSECURED"})
                        self.put_structured_out({
                            "securityIssuesFound":
                            "Keytab file or principal are not set property."
                        })
                        return

                    cached_kinit_executor(
                        status_params.kinit_path_local,
                        status_params.hive_user, security_params['hive-site']
                        ['hive.metastore.kerberos.keytab.file'],
                        security_params['hive-site']
                        ['hive.metastore.kerberos.principal'],
                        status_params.hostname, status_params.tmp_dir)

                    self.put_structured_out(
                        {"securityState": "SECURED_KERBEROS"})
                except Exception as e:
                    self.put_structured_out({"securityState": "ERROR"})
                    self.put_structured_out({"securityStateErrorInfo": str(e)})
            else:
                issues = []
                for cf in result_issues:
                    issues.append(
                        "Configuration file %s did not pass the validation. Reason: %s"
                        % (cf, result_issues[cf]))
                self.put_structured_out(
                    {"securityIssuesFound": ". ".join(issues)})
                self.put_structured_out({"securityState": "UNSECURED"})
        else:
            self.put_structured_out({"securityState": "UNSECURED"})
Пример #22
0
    def security_status(self, env):
        import status_params

        env.set_params(status_params)

        if status_params.security_enabled:
            # Expect the following files to be available in status_params.config_dir:
            #   zookeeper_jaas.conf
            #   zookeeper_client_jaas.conf
            try:
                props_value_check = None
                props_empty_check = ['Server/keyTab', 'Server/principal']
                props_read_check = ['Server/keyTab']
                zk_env_expectations = build_expectations(
                    'zookeeper_jaas', props_value_check, props_empty_check,
                    props_read_check)

                zk_expectations = {}
                zk_expectations.update(zk_env_expectations)

                security_params = get_params_from_filesystem(
                    status_params.config_dir,
                    {'zookeeper_jaas.conf': FILE_TYPE_JAAS_CONF})

                result_issues = validate_security_config_properties(
                    security_params, zk_expectations)
                if not result_issues:  # If all validations passed successfully
                    # Double check the dict before calling execute
                    if ('zookeeper_jaas' not in security_params or 'Server'
                            not in security_params['zookeeper_jaas']
                            or 'keyTab'
                            not in security_params['zookeeper_jaas']['Server']
                            or 'principal' not in
                            security_params['zookeeper_jaas']['Server']):
                        self.put_structured_out({"securityState": "ERROR"})
                        self.put_structured_out({
                            "securityIssuesFound":
                            "Keytab file or principal are not set property."
                        })
                        return

                    cached_kinit_executor(
                        status_params.kinit_path_local, status_params.zk_user,
                        security_params['zookeeper_jaas']['Server']['keyTab'],
                        security_params['zookeeper_jaas']['Server']
                        ['principal'], status_params.hostname,
                        status_params.tmp_dir)
                    self.put_structured_out(
                        {"securityState": "SECURED_KERBEROS"})
                else:
                    issues = []
                    for cf in result_issues:
                        issues.append(
                            "Configuration file %s did not pass the validation. Reason: %s"
                            % (cf, result_issues[cf]))
                    self.put_structured_out(
                        {"securityIssuesFound": ". ".join(issues)})
                    self.put_structured_out({"securityState": "UNSECURED"})
            except Exception as e:
                self.put_structured_out({"securityState": "ERROR"})
                self.put_structured_out({"securityStateErrorInfo": str(e)})
        else:
            self.put_structured_out({"securityState": "UNSECURED"})
Пример #23
0
    def security_status(self, env):
        import status_params

        env.set_params(status_params)

        if status_params.security_enabled:
            # Expect the following files to be available in status_params.config_dir:
            #   storm_jaas.conf

            try:
                props_value_check = None
                props_empty_check = [
                    'storm_ui_principal_name', 'storm_ui_keytab'
                ]
                props_read_check = ['storm_ui_keytab']
                storm_env_expectations = build_expectations(
                    'storm_ui', props_value_check, props_empty_check,
                    props_read_check)

                storm_expectations = {}
                storm_expectations.update(storm_env_expectations)

                security_params = {}
                security_params['storm_ui'] = {}
                security_params['storm_ui'][
                    'storm_ui_principal_name'] = status_params.storm_ui_principal
                security_params['storm_ui'][
                    'storm_ui_keytab'] = status_params.storm_ui_keytab

                result_issues = validate_security_config_properties(
                    security_params, storm_expectations)
                if not result_issues:  # If all validations passed successfully
                    # Double check the dict before calling execute
                    if ('storm_ui' not in security_params
                            or 'storm_ui_principal_name'
                            not in security_params['storm_ui']
                            or 'storm_ui_keytab'
                            not in security_params['storm_ui']):
                        self.put_structured_out({"securityState": "ERROR"})
                        self.put_structured_out({
                            "securityIssuesFound":
                            "Keytab file or principal are not set property."
                        })
                        return

                    cached_kinit_executor(
                        status_params.kinit_path_local,
                        status_params.storm_user,
                        security_params['storm_ui']['storm_ui_keytab'],
                        security_params['storm_ui']['storm_ui_principal_name'],
                        status_params.hostname, status_params.tmp_dir)
                    self.put_structured_out(
                        {"securityState": "SECURED_KERBEROS"})
                else:
                    issues = []
                    for cf in result_issues:
                        issues.append(
                            "Configuration file %s did not pass the validation. Reason: %s"
                            % (cf, result_issues[cf]))
                    self.put_structured_out(
                        {"securityIssuesFound": ". ".join(issues)})
                    self.put_structured_out({"securityState": "UNSECURED"})
            except Exception as e:
                self.put_structured_out({"securityState": "ERROR"})
                self.put_structured_out({"securityStateErrorInfo": str(e)})
        else:
            self.put_structured_out({"securityState": "UNSECURED"})
Пример #24
0
    def security_status(self, env):
        import status_params

        env.set_params(status_params)

        props_value_check = {
            'atlas.authentication.method': 'kerberos',
            'atlas.http.authentication.enabled': 'true',
            'atlas.http.authentication.type': 'kerberos'
        }
        props_empty_check = [
            'atlas.authentication.principal', 'atlas.authentication.keytab',
            'atlas.http.authentication.kerberos.principal',
            'atlas.http.authentication.kerberos.keytab'
        ]
        props_read_check = [
            'atlas.authentication.keytab',
            'atlas.http.authentication.kerberos.keytab'
        ]
        atlas_site_expectations = build_expectations('application-properties',
                                                     props_value_check,
                                                     props_empty_check,
                                                     props_read_check)

        atlas_expectations = {}
        atlas_expectations.update(atlas_site_expectations)

        security_params = get_params_from_filesystem(
            status_params.conf_dir,
            {'application.properties': FILE_TYPE_PROPERTIES})
        result_issues = validate_security_config_properties(
            security_params, atlas_expectations)
        if not result_issues:  # If all validations passed successfully
            try:
                # Double check the dict before calling execute
                if ('application-properties' not in security_params
                        or 'atlas.authentication.keytab'
                        not in security_params['application-properties']
                        or 'atlas.authentication.principal'
                        not in security_params['application-properties']):
                    self.put_structured_out({"securityState": "UNSECURED"})
                    self.put_structured_out({
                        "securityIssuesFound":
                        "Atlas service keytab file or principal are not set property."
                    })
                    return

                if ('application-properties' not in security_params
                        or 'atlas.http.authentication.kerberos.keytab'
                        not in security_params['application-properties']
                        or 'atlas.http.authentication.kerberos.principal'
                        not in security_params['application-properties']):
                    self.put_structured_out({"securityState": "UNSECURED"})
                    self.put_structured_out({
                        "securityIssuesFound":
                        "HTTP Authentication keytab file or principal are not set property."
                    })
                    return

                self.put_structured_out({"securityState": "SECURED_KERBEROS"})
            except Exception as e:
                self.put_structured_out({"securityState": "ERROR"})
                self.put_structured_out({"securityStateErrorInfo": str(e)})
        else:
            issues = []
            for cf in result_issues:
                issues.append(
                    "Configuration file %s did not pass the validation. Reason: %s"
                    % (cf, result_issues[cf]))
            self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
            self.put_structured_out({"securityState": "UNSECURED"})