def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {}
expectations.update(build_expectations(
'krb5JAASLogin',
None,
['keytab', 'principal'],
None
))
expectations.update(build_expectations(
'gateway-site',
{
"gateway.hadoop.kerberos.secured" : "true"
},
None,
None
))
security_params = {
"krb5JAASLogin":
{
'keytab': status_params.knox_keytab_path,
'principal': status_params.knox_principal_name
}
}
security_params.update(get_params_from_filesystem(status_params.knox_conf_dir,
{"gateway-site.xml" : FILE_TYPE_XML}))
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'krb5JAASLogin' not in security_params
or 'keytab' not in security_params['krb5JAASLogin']
or 'principal' not in security_params['krb5JAASLogin']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({"securityIssuesFound": "Keytab file and principal are not set."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.knox_user,
security_params['krb5JAASLogin']['keytab'],
security_params['krb5JAASLogin']['principal'],
status_params.hostname,
status_params.temp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {"hbase.security.authentication": "kerberos",
"hbase.security.authorization": "true"}
props_empty_check = ["hbase.zookeeper.property.authProvider.1",
"hbase.master.keytab.file",
"hbase.master.kerberos.principal",
"hbase.regionserver.keytab.file",
"hbase.regionserver.kerberos.principal"
]
props_read_check = ['hbase.master.keytab.file', 'hbase.regionserver.keytab.file']
ams_hbase_site_expectations = build_expectations('hbase-site', props_value_check,
props_empty_check,
props_read_check)
expectations = {}
expectations.update(ams_hbase_site_expectations)
security_params = get_params_from_filesystem(status_params.ams_hbase_conf_dir,
{'hbase-site.xml': FILE_TYPE_XML})
is_hbase_distributed = security_params['hbase-site']['hbase.cluster.distributed']
# for embedded mode, when HBase is backed by file, security state is SECURED_KERBEROS by definition when cluster is secured
if status_params.security_enabled and not is_hbase_distributed:
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
return
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('hbase-site' not in security_params or
'hbase.master.keytab.file' not in security_params['hbase-site'] or
'hbase.master.kerberos.principal' not in security_params['hbase-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.hbase_user,
security_params['hbase-site']['hbase.master.keytab.file'],
security_params['hbase-site']['hbase.master.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (
cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {"yarn.timeline-service.enabled": "true",
"yarn.timeline-service.http-authentication.type": "kerberos",
"yarn.acl.enable": "true"}
props_empty_check = ["yarn.timeline-service.principal",
"yarn.timeline-service.keytab",
"yarn.timeline-service.http-authentication.kerberos.principal",
"yarn.timeline-service.http-authentication.kerberos.keytab"]
props_read_check = ["yarn.timeline-service.keytab",
"yarn.timeline-service.http-authentication.kerberos.keytab"]
yarn_site_props = build_expectations('yarn-site', props_value_check, props_empty_check,
props_read_check)
yarn_expectations ={}
yarn_expectations.update(yarn_site_props)
security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
{'yarn-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, yarn_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'yarn-site' not in security_params
or 'yarn.timeline-service.keytab' not in security_params['yarn-site']
or 'yarn.timeline-service.principal' not in security_params['yarn-site']) \
or 'yarn.timeline-service.http-authentication.kerberos.keytab' not in security_params['yarn-site'] \
or 'yarn.timeline-service.http-authentication.kerberos.principal' not in security_params['yarn-site']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.yarn_user,
security_params['yarn-site']['yarn.timeline-service.keytab'],
security_params['yarn-site']['yarn.timeline-service.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.yarn_user,
security_params['yarn-site']['yarn.timeline-service.http-authentication.kerberos.keytab'],
security_params['yarn-site']['yarn.timeline-service.http-authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {"hadoop.security.authentication": "kerberos",
"hadoop.security.authorization": "true"}
props_empty_check = ["hadoop.security.auth_to_local"]
props_read_check = None
core_site_expectations = build_expectations('core-site', props_value_check, props_empty_check,
props_read_check)
props_value_check = None
props_empty_check = ['dfs.secondary.namenode.kerberos.internal.spnego.principal',
'dfs.secondary.namenode.keytab.file',
'dfs.secondary.namenode.kerberos.principal']
props_read_check = ['dfs.secondary.namenode.keytab.file']
hdfs_site_expectations = build_expectations('hdfs-site', props_value_check, props_empty_check,
props_read_check)
hdfs_expectations = {}
hdfs_expectations.update(core_site_expectations)
hdfs_expectations.update(hdfs_site_expectations)
security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
{'core-site.xml': FILE_TYPE_XML,
'hdfs-site.xml': FILE_TYPE_XML})
if 'core-site' in security_params and 'hadoop.security.authentication' in security_params['core-site'] and \
security_params['core-site']['hadoop.security.authentication'].lower() == 'kerberos':
result_issues = validate_security_config_properties(security_params, hdfs_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('hdfs-site' not in security_params or
'dfs.secondary.namenode.keytab.file' not in security_params['hdfs-site'] or
'dfs.secondary.namenode.kerberos.principal' not in security_params['hdfs-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.hdfs_user,
security_params['hdfs-site']['dfs.secondary.namenode.keytab.file'],
security_params['hdfs-site'][
'dfs.secondary.namenode.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {"*.falcon.authentication.type": "kerberos",
"*.falcon.http.authentication.type": "kerberos"}
props_empty_check = ["*.falcon.service.authentication.kerberos.principal",
"*.falcon.service.authentication.kerberos.keytab",
"*.falcon.http.authentication.kerberos.principal",
"*.falcon.http.authentication.kerberos.keytab"]
props_read_check = ["*.falcon.service.authentication.kerberos.keytab",
"*.falcon.http.authentication.kerberos.keytab"]
falcon_startup_props = build_expectations('startup', props_value_check, props_empty_check,
props_read_check)
falcon_expectations ={}
falcon_expectations.update(falcon_startup_props)
security_params = get_params_from_filesystem('/etc/falcon/conf',
{'startup.properties': FILE_TYPE_PROPERTIES})
result_issues = validate_security_config_properties(security_params, falcon_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'startup' not in security_params
or '*.falcon.service.authentication.kerberos.keytab' not in security_params['startup']
or '*.falcon.service.authentication.kerberos.principal' not in security_params['startup']) \
or '*.falcon.http.authentication.kerberos.keytab' not in security_params['startup'] \
or '*.falcon.http.authentication.kerberos.principal' not in security_params['startup']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.falcon_user,
security_params['startup']['*.falcon.service.authentication.kerberos.keytab'],
security_params['startup']['*.falcon.service.authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.falcon_user,
security_params['startup']['*.falcon.http.authentication.kerberos.keytab'],
security_params['startup']['*.falcon.http.authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {
"hive.server2.authentication": "KERBEROS",
"hive.metastore.sasl.enabled": "true",
"hive.security.authorization.enabled": "true",
}
props_empty_check = ["hive.metastore.kerberos.keytab.file", "hive.metastore.kerberos.principal"]
props_read_check = ["hive.metastore.kerberos.keytab.file"]
hive_site_props = build_expectations("hive-site", props_value_check, props_empty_check, props_read_check)
hive_expectations = {}
hive_expectations.update(hive_site_props)
security_params = get_params_from_filesystem(status_params.hive_conf_dir, {"hive-site.xml": FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, hive_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if (
"hive-site" not in security_params
or "hive.metastore.kerberos.keytab.file" not in security_params["hive-site"]
or "hive.metastore.kerberos.principal" not in security_params["hive-site"]
):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."}
)
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.hive_user,
security_params["hive-site"]["hive.metastore.kerberos.keytab.file"],
security_params["hive-site"]["hive.metastore.kerberos.principal"],
status_params.hostname,
status_params.tmp_dir,
)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf])
)
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {}
expectations.update(build_expectations('mapred-site',
None,
[
'mapreduce.jobhistory.keytab',
'mapreduce.jobhistory.principal',
'mapreduce.jobhistory.webapp.spnego-keytab-file',
'mapreduce.jobhistory.webapp.spnego-principal'
],
None))
security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
{'mapred-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'mapred-site' not in security_params or
'mapreduce.jobhistory.keytab' not in security_params['mapred-site'] or
'mapreduce.jobhistory.principal' not in security_params['mapred-site'] or
'mapreduce.jobhistory.webapp.spnego-keytab-file' not in security_params['mapred-site'] or
'mapreduce.jobhistory.webapp.spnego-principal' not in security_params['mapred-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal not set."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.mapred_user,
security_params['mapred-site']['mapreduce.jobhistory.keytab'],
security_params['mapred-site']['mapreduce.jobhistory.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.mapred_user,
security_params['mapred-site']['mapreduce.jobhistory.webapp.spnego-keytab-file'],
security_params['mapred-site']['mapreduce.jobhistory.webapp.spnego-principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {'atlas.authentication.method': 'kerberos',
'atlas.http.authentication.enabled': 'true',
'atlas.http.authentication.type': 'kerberos'}
props_empty_check = ['atlas.authentication.principal',
'atlas.authentication.keytab',
'atlas.http.authentication.kerberos.principal',
'atlas.http.authentication.kerberos.keytab']
props_read_check = ['atlas.authentication.keytab',
'atlas.http.authentication.kerberos.keytab']
atlas_site_expectations = build_expectations('application-properties',
props_value_check,
props_empty_check,
props_read_check)
atlas_expectations = {}
atlas_expectations.update(atlas_site_expectations)
security_params = get_params_from_filesystem(status_params.conf_dir,
{'application.properties': FILE_TYPE_PROPERTIES})
result_issues = validate_security_config_properties(security_params, atlas_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'application-properties' not in security_params
or 'atlas.authentication.keytab' not in security_params['application-properties']
or 'atlas.authentication.principal' not in security_params['application-properties']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Atlas service keytab file or principal are not set property."})
return
if ( 'application-properties' not in security_params
or 'atlas.http.authentication.kerberos.keytab' not in security_params['application-properties']
or 'atlas.http.authentication.kerberos.principal' not in security_params['application-properties']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "HTTP Authentication keytab file or principal are not set property."})
return
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
# Expect the following files to be available in status_params.config_dir:
# storm_jaas.conf
try:
props_value_check = None
props_empty_check = ['StormServer/keyTab', 'StormServer/principal']
props_read_check = ['StormServer/keyTab']
storm_env_expectations = build_expectations('storm_jaas', props_value_check, props_empty_check,
props_read_check)
storm_expectations = {}
storm_expectations.update(storm_env_expectations)
security_params = get_params_from_filesystem(status_params.conf_dir,
{'storm_jaas.conf': FILE_TYPE_JAAS_CONF})
result_issues = validate_security_config_properties(security_params, storm_expectations)
if not result_issues: # If all validations passed successfully
# Double check the dict before calling execute
if ( 'storm_jaas' not in security_params
or 'StormServer' not in security_params['storm_jaas']
or 'keyTab' not in security_params['storm_jaas']['StormServer']
or 'principal' not in security_params['storm_jaas']['StormServer']):
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.storm_user,
security_params['storm_jaas']['StormServer']['keyTab'],
security_params['storm_jaas']['StormServer']['principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {}
props_empty_check = ['general.kerberos.keytab',
'general.kerberos.principal']
props_read_check = ['general.kerberos.keytab']
accumulo_site_expectations = build_expectations('accumulo-site',
props_value_check, props_empty_check, props_read_check)
accumulo_expectations = {}
accumulo_expectations.update(accumulo_site_expectations)
security_params = get_params_from_filesystem(status_params.conf_dir,
{'accumulo-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, accumulo_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'accumulo-site' not in security_params
or 'general.kerberos.keytab' not in security_params['accumulo-site']
or 'general.kerberos.principal' not in security_params['accumulo-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out(
{"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.accumulo_user,
security_params['accumulo-site']['general.kerberos.keytab'],
security_params['accumulo-site']['general.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir,
30)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {"hadoop.security.authentication": "kerberos",
"hadoop.security.authorization": "true"}
props_empty_check = ["hadoop.security.auth_to_local"]
props_read_check = None
core_site_expectations = build_expectations('core-site', props_value_check, props_empty_check,
props_read_check)
hdfs_expectations = {}
hdfs_expectations.update(core_site_expectations)
security_params = get_params_from_filesystem(status_params.hadoop_conf_dir,
{'core-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, hdfs_expectations)
if 'core-site' in security_params and 'hadoop.security.authentication' in security_params['core-site'] and \
security_params['core-site']['hadoop.security.authentication'].lower() == 'kerberos':
if not result_issues: # If all validations passed successfully
if status_params.hdfs_user_principal or status_params.hdfs_user_keytab:
try:
cached_kinit_executor(status_params.kinit_path_local,
status_params.hdfs_user,
status_params.hdfs_user_keytab,
status_params.hdfs_user_principal,
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
self.put_structured_out(
{"securityIssuesFound": "hdfs principal and/or keytab file is not specified"})
self.put_structured_out({"securityState": "UNSECURED"})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {
"hive.server2.authentication": "KERBEROS",
"hive.metastore.sasl.enabled": "true",
"hive.security.authorization.enabled": "true"
}
props_empty_check = [
"hive.metastore.kerberos.keytab.file",
"hive.metastore.kerberos.principal"
]
props_read_check = ["hive.metastore.kerberos.keytab.file"]
hive_site_props = build_expectations('hive-site',
props_value_check,
props_empty_check,
props_read_check)
hive_expectations = {}
hive_expectations.update(hive_site_props)
security_params = get_params_from_filesystem(
status_params.hive_conf_dir, {'hive-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(
security_params, hive_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if 'hive-site' not in security_params \
or 'hive.metastore.kerberos.keytab.file' not in security_params['hive-site'] \
or 'hive.metastore.kerberos.principal' not in security_params['hive-site']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal are not set property."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.hive_user, security_params['hive-site']
['hive.metastore.kerberos.keytab.file'],
security_params['hive-site']
['hive.metastore.kerberos.principal'],
status_params.hostname, status_params.tmp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {
"oozie-site":
build_expectations('oozie-site',
{
"oozie.authentication.type": "kerberos",
"oozie.service.AuthorizationService.security.enabled": "true",
"oozie.service.HadoopAccessorService.kerberos.enabled": "true"
},
[
"local.realm",
"oozie.authentication.kerberos.principal",
"oozie.authentication.kerberos.keytab",
"oozie.service.HadoopAccessorService.kerberos.principal",
"oozie.service.HadoopAccessorService.keytab.file"
],
None)
}
security_params = get_params_from_filesystem(status_params.conf_dir,
{'oozie-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('oozie-site' not in security_params
or 'oozie.authentication.kerberos.principal' not in security_params['oozie-site']
or 'oozie.authentication.kerberos.keytab' not in security_params['oozie-site']
or 'oozie.service.HadoopAccessorService.kerberos.principal' not in security_params['oozie-site']
or 'oozie.service.HadoopAccessorService.keytab.file' not in security_params['oozie-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.oozie_user,
security_params['oozie-site']['oozie.authentication.kerberos.keytab'],
security_params['oozie-site']['oozie.authentication.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(status_params.kinit_path_local,
status_params.oozie_user,
security_params['oozie-site']['oozie.service.HadoopAccessorService.keytab.file'],
security_params['oozie-site']['oozie.service.HadoopAccessorService.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {
"hbase.security.authentication": "kerberos",
"hbase.security.authorization": "true"
}
props_empty_check = [
"hbase.zookeeper.property.authProvider.1",
"hbase.master.keytab.file", "hbase.master.kerberos.principal",
"hbase.regionserver.keytab.file",
"hbase.regionserver.kerberos.principal"
]
props_read_check = [
'hbase.master.keytab.file', 'hbase.regionserver.keytab.file'
]
ams_hbase_site_expectations = build_expectations(
'hbase-site', props_value_check, props_empty_check,
props_read_check)
expectations = {}
expectations.update(ams_hbase_site_expectations)
security_params = get_params_from_filesystem(
status_params.ams_hbase_conf_dir,
{'hbase-site.xml': FILE_TYPE_XML})
is_hbase_distributed = security_params['hbase-site'][
'hbase.cluster.distributed']
# for embedded mode, when HBase is backed by file, security state is SECURED_KERBEROS by definition when cluster is secured
if status_params.security_enabled and not is_hbase_distributed:
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
return
result_issues = validate_security_config_properties(
security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('hbase-site' not in security_params
or 'hbase.master.keytab.file'
not in security_params['hbase-site']
or 'hbase.master.kerberos.principal'
not in security_params['hbase-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal are not set property."
})
return
cached_kinit_executor(
status_params.kinit_path_local, status_params.hbase_user,
security_params['hbase-site']['hbase.master.keytab.file'],
security_params['hbase-site']
['hbase.master.kerberos.principal'],
status_params.hostname, status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
# Expect the following files to be available in status_params.config_dir:
# storm_jaas.conf
try:
props_value_check = None
props_empty_check = [
'StormServer/keyTab', 'StormServer/principal'
]
props_read_check = ['StormServer/keyTab']
storm_env_expectations = build_expectations(
'storm_jaas', props_value_check, props_empty_check,
props_read_check)
storm_expectations = {}
storm_expectations.update(storm_env_expectations)
security_params = get_params_from_filesystem(
status_params.conf_dir,
{'storm_jaas.conf': FILE_TYPE_JAAS_CONF})
result_issues = validate_security_config_properties(
security_params, storm_expectations)
if not result_issues: # If all validations passed successfully
# Double check the dict before calling execute
if ('storm_jaas' not in security_params or 'StormServer'
not in security_params['storm_jaas'] or 'keyTab'
not in security_params['storm_jaas']['StormServer']
or 'principal' not in security_params['storm_jaas']
['StormServer']):
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal are not set property."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.storm_user,
security_params['storm_jaas']['StormServer']['keyTab'],
security_params['storm_jaas']['StormServer']
['principal'], status_params.hostname,
status_params.tmp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations ={}
expectations.update(
build_expectations(
'webhcat-site',
{
"templeton.kerberos.secret": "secret"
},
[
"templeton.kerberos.keytab",
"templeton.kerberos.principal"
],
[
"templeton.kerberos.keytab"
]
)
)
expectations.update(
build_expectations(
'hive-site',
{
"hive.server2.authentication": "KERBEROS",
"hive.metastore.sasl.enabled": "true",
"hive.security.authorization.enabled": "true"
},
None,
None
)
)
security_params = {}
security_params.update(get_params_from_filesystem(status_params.hive_conf_dir,
{'hive-site.xml': FILE_TYPE_XML}))
security_params.update(get_params_from_filesystem(status_params.webhcat_conf_dir,
{'webhcat-site.xml': FILE_TYPE_XML}))
result_issues = validate_security_config_properties(security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if 'webhcat-site' not in security_params \
or 'templeton.kerberos.keytab' not in security_params['webhcat-site'] \
or 'templeton.kerberos.principal' not in security_params['webhcat-site']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({"securityIssuesFound": "Keytab file or principal are not set property."})
return
cached_kinit_executor(status_params.kinit_path_local,
status_params.webhcat_user,
security_params['webhcat-site']['templeton.kerberos.keytab'],
security_params['webhcat-site']['templeton.kerberos.principal'],
status_params.hostname,
status_params.tmp_dir)
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append("Configuration file %s did not pass the validation. Reason: %s" % (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {}
expectations.update(
build_expectations('mapred-site', None, [
'mapreduce.jobhistory.keytab',
'mapreduce.jobhistory.principal',
'mapreduce.jobhistory.webapp.spnego-keytab-file',
'mapreduce.jobhistory.webapp.spnego-principal'
], None))
security_params = get_params_from_filesystem(
status_params.hadoop_conf_dir,
{'mapred-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(
security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('mapred-site' not in security_params
or 'mapreduce.jobhistory.keytab'
not in security_params['mapred-site']
or 'mapreduce.jobhistory.principal'
not in security_params['mapred-site']
or 'mapreduce.jobhistory.webapp.spnego-keytab-file'
not in security_params['mapred-site']
or 'mapreduce.jobhistory.webapp.spnego-principal'
not in security_params['mapred-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal not set."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.mapred_user,
security_params['mapred-site']
['mapreduce.jobhistory.keytab'],
security_params['mapred-site']
['mapreduce.jobhistory.principal'],
status_params.hostname, status_params.tmp_dir)
cached_kinit_executor(
status_params.kinit_path_local,
status_params.mapred_user,
security_params['mapred-site']
['mapreduce.jobhistory.webapp.spnego-keytab-file'],
security_params['mapred-site']
['mapreduce.jobhistory.webapp.spnego-principal'],
status_params.hostname, status_params.tmp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {
'atlas.authentication.method': 'kerberos',
'atlas.http.authentication.enabled': 'true',
'atlas.http.authentication.type': 'kerberos'
}
props_empty_check = [
'atlas.authentication.principal', 'atlas.authentication.keytab',
'atlas.http.authentication.kerberos.principal',
'atlas.http.authentication.kerberos.keytab'
]
props_read_check = [
'atlas.authentication.keytab',
'atlas.http.authentication.kerberos.keytab'
]
atlas_site_expectations = build_expectations('application',
props_value_check,
props_empty_check,
props_read_check)
atlas_expectations = {}
atlas_expectations.update(atlas_site_expectations)
security_params = get_params_from_filesystem(
status_params.conf_dir,
{status_params.conf_file: FILE_TYPE_PROPERTIES})
result_issues = validate_security_config_properties(
security_params, atlas_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('application' not in security_params
or 'atlas.authentication.keytab'
not in security_params['application']
or 'atlas.authentication.principal'
not in security_params['application']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Atlas service keytab file or principal are not set property."
})
return
if ('application' not in security_params
or 'atlas.http.authentication.kerberos.keytab'
not in security_params['application']
or 'atlas.http.authentication.kerberos.principal'
not in security_params['application']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"HTTP Authentication keytab file or principal are not set property."
})
return
self.put_structured_out({"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out({"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {
"oozie-site":
build_expectations(
'oozie-site', {
"oozie.authentication.type":
"kerberos",
"oozie.service.AuthorizationService.security.enabled":
"true",
"oozie.service.HadoopAccessorService.kerberos.enabled":
"true"
}, [
"local.realm",
"oozie.authentication.kerberos.principal",
"oozie.authentication.kerberos.keytab",
"oozie.service.HadoopAccessorService.kerberos.principal",
"oozie.service.HadoopAccessorService.keytab.file"
], None)
}
security_params = get_params_from_filesystem(
status_params.conf_dir, {'oozie-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(
security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('oozie-site' not in security_params
or 'oozie.authentication.kerberos.principal'
not in security_params['oozie-site']
or 'oozie.authentication.kerberos.keytab'
not in security_params['oozie-site'] or
'oozie.service.HadoopAccessorService.kerberos.principal'
not in security_params['oozie-site'] or
'oozie.service.HadoopAccessorService.keytab.file'
not in security_params['oozie-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal are not set property."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.oozie_user, security_params['oozie-site']
['oozie.authentication.kerberos.keytab'],
security_params['oozie-site']
['oozie.authentication.kerberos.principal'],
status_params.hostname, status_params.tmp_dir)
cached_kinit_executor(
status_params.kinit_path_local,
status_params.oozie_user, security_params['oozie-site']
['oozie.service.HadoopAccessorService.keytab.file'],
security_params['oozie-site']
['oozie.service.HadoopAccessorService.kerberos.principal'],
status_params.hostname, status_params.tmp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
expectations = {}
expectations.update(
build_expectations('krb5JAASLogin', None,
['keytab', 'principal'], None))
expectations.update(
build_expectations('gateway-site',
{"gateway.hadoop.kerberos.secured": "true"},
None, None))
security_params = {
"krb5JAASLogin": {
'keytab': status_params.knox_keytab_path,
'principal': status_params.knox_principal_name
}
}
security_params.update(
get_params_from_filesystem(
status_params.knox_conf_dir,
{"gateway-site.xml": FILE_TYPE_XML}))
result_issues = validate_security_config_properties(
security_params, expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('krb5JAASLogin' not in security_params
or 'keytab' not in security_params['krb5JAASLogin']
or 'principal'
not in security_params['krb5JAASLogin']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file and principal are not set."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.knox_user,
security_params['krb5JAASLogin']['keytab'],
security_params['krb5JAASLogin']['principal'],
status_params.hostname, status_params.temp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {
"yarn.timeline-service.http-authentication.type": "kerberos",
"yarn.acl.enable": "true"
}
props_empty_check = [
"yarn.nodemanager.principal", "yarn.nodemanager.keytab",
"yarn.nodemanager.webapp.spnego-principal",
"yarn.nodemanager.webapp.spnego-keytab-file"
]
props_read_check = [
"yarn.nodemanager.keytab",
"yarn.nodemanager.webapp.spnego-keytab-file"
]
yarn_site_props = build_expectations('yarn-site',
props_value_check,
props_empty_check,
props_read_check)
yarn_expectations = {}
yarn_expectations.update(yarn_site_props)
security_params = get_params_from_filesystem(
status_params.hadoop_conf_dir,
{'yarn-site.xml': FILE_TYPE_XML})
result_issues = validate_security_config_properties(
security_params, yarn_site_props)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'yarn-site' not in security_params
or 'yarn.nodemanager.keytab' not in security_params['yarn-site']
or 'yarn.nodemanager.principal' not in security_params['yarn-site']) \
or 'yarn.nodemanager.webapp.spnego-keytab-file' not in security_params['yarn-site'] \
or 'yarn.nodemanager.webapp.spnego-principal' not in security_params['yarn-site']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal are not set property."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.yarn_user, security_params['yarn-site']
['yarn.nodemanager.keytab'],
security_params['yarn-site']
['yarn.nodemanager.principal'], status_params.hostname,
status_params.tmp_dir)
cached_kinit_executor(
status_params.kinit_path_local,
status_params.yarn_user, security_params['yarn-site']
['yarn.nodemanager.webapp.spnego-keytab-file'],
security_params['yarn-site']
['yarn.nodemanager.webapp.spnego-principal'],
status_params.hostname, status_params.tmp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
props_value_check = {
"hadoop.security.authentication": "kerberos",
"hadoop.security.authorization": "true"
}
props_empty_check = ["hadoop.security.auth_to_local"]
props_read_check = None
core_site_expectations = build_expectations('core-site',
props_value_check,
props_empty_check,
props_read_check)
props_value_check = None
props_empty_check = [
'dfs.datanode.keytab.file', 'dfs.datanode.kerberos.principal'
]
props_read_check = ['dfs.datanode.keytab.file']
hdfs_site_expectations = build_expectations('hdfs-site',
props_value_check,
props_empty_check,
props_read_check)
hdfs_expectations = {}
hdfs_expectations.update(core_site_expectations)
hdfs_expectations.update(hdfs_site_expectations)
security_params = get_params_from_filesystem(
status_params.hadoop_conf_dir, {
'core-site.xml': FILE_TYPE_XML,
'hdfs-site.xml': FILE_TYPE_XML
})
if 'core-site' in security_params and 'hadoop.security.authentication' in security_params['core-site'] and \
security_params['core-site']['hadoop.security.authentication'].lower() == 'kerberos':
result_issues = validate_security_config_properties(
security_params, hdfs_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ('hdfs-site' not in security_params
or 'dfs.datanode.keytab.file'
not in security_params['hdfs-site']
or 'dfs.datanode.kerberos.principal'
not in security_params['hdfs-site']):
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal are not set property."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.hdfs_user, security_params['hdfs-site']
['dfs.datanode.keytab.file'],
security_params['hdfs-site']
['dfs.datanode.kerberos.principal'],
status_params.hostname, status_params.tmp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})
def security_status(self, env):
import status_params
env.set_params(status_params)
if status_params.security_enabled:
props_value_check = {
"*.falcon.authentication.type": "kerberos",
"*.falcon.http.authentication.type": "kerberos"
}
props_empty_check = [
"*.falcon.service.authentication.kerberos.principal",
"*.falcon.service.authentication.kerberos.keytab",
"*.falcon.http.authentication.kerberos.principal",
"*.falcon.http.authentication.kerberos.keytab"
]
props_read_check = [
"*.falcon.service.authentication.kerberos.keytab",
"*.falcon.http.authentication.kerberos.keytab"
]
falcon_startup_props = build_expectations('startup',
props_value_check,
props_empty_check,
props_read_check)
falcon_expectations = {}
falcon_expectations.update(falcon_startup_props)
security_params = get_params_from_filesystem(
'/etc/falcon/conf',
{'startup.properties': FILE_TYPE_PROPERTIES})
result_issues = validate_security_config_properties(
security_params, falcon_expectations)
if not result_issues: # If all validations passed successfully
try:
# Double check the dict before calling execute
if ( 'startup' not in security_params
or '*.falcon.service.authentication.kerberos.keytab' not in security_params['startup']
or '*.falcon.service.authentication.kerberos.principal' not in security_params['startup']) \
or '*.falcon.http.authentication.kerberos.keytab' not in security_params['startup'] \
or '*.falcon.http.authentication.kerberos.principal' not in security_params['startup']:
self.put_structured_out({"securityState": "UNSECURED"})
self.put_structured_out({
"securityIssuesFound":
"Keytab file or principal are not set property."
})
return
cached_kinit_executor(
status_params.kinit_path_local,
status_params.falcon_user, security_params['startup']
['*.falcon.service.authentication.kerberos.keytab'],
security_params['startup']
['*.falcon.service.authentication.kerberos.principal'],
status_params.hostname, status_params.tmp_dir)
cached_kinit_executor(
status_params.kinit_path_local,
status_params.falcon_user, security_params['startup']
['*.falcon.http.authentication.kerberos.keytab'],
security_params['startup']
['*.falcon.http.authentication.kerberos.principal'],
status_params.hostname, status_params.tmp_dir)
self.put_structured_out(
{"securityState": "SECURED_KERBEROS"})
except Exception as e:
self.put_structured_out({"securityState": "ERROR"})
self.put_structured_out({"securityStateErrorInfo": str(e)})
else:
issues = []
for cf in result_issues:
issues.append(
"Configuration file %s did not pass the validation. Reason: %s"
% (cf, result_issues[cf]))
self.put_structured_out(
{"securityIssuesFound": ". ".join(issues)})
self.put_structured_out({"securityState": "UNSECURED"})
else:
self.put_structured_out({"securityState": "UNSECURED"})