Date: Thu, 4 Dec 2014 15:02:12 +0000 (UTC)
From: "Robert Levas (JIRA)"
To: dev@ambari.apache.org
Subject: [jira] [Updated] (AMBARI-8542) Provide a way to parse and handle Kerberos descriptors

     [ https://issues.apache.org/jira/browse/AMBARI-8542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-8542:
---------------------------------
    Attachment: AMBARI-8542_01.patch

Created classes to process Kerberos descriptors. Unit tests are provided as well.
Patch File [^AMBARI-8542_01.patch]

> Provide a way to parse and handle Kerberos descriptors
> ------------------------------------------------------
>
>                 Key: AMBARI-8542
>                 URL: https://issues.apache.org/jira/browse/AMBARI-8542
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server, stacks
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos, kerberos_descriptor, stack
>             Fix For: 2.0.0
>
>         Attachments: AMBARI-8542_01.patch
>
>
> Provide the ability to read in Kerberos descriptor files (kerberos.json) from the stack at various levels (stack-level, service-level) and to merge them into a single hierarchy. The composite Kerberos descriptor data will be used to control the UI (Kerberos Wizard - see AMBARI-7450).
> An example stack-level Kerberos Descriptor:
> {code}
> {
>   "properties": {
>     "realm": "${cluster-env/kerberos_domain}",
>     "keytab_dir": "/etc/security/keytabs"
>   },
>   "identities": [
>     {
>       "name": "spnego",
>       "principal": {
>         "value": "HTTP/_HOST@${realm}"
>       },
>       "keytab": {
>         "file": "${keytab_dir}/spnego.service.keytab",
>         "owner": {
>           "name": "root",
>           "access": "r"
>         },
>         "group": {
>           "name": "${cluster-env/user_group}",
>           "access": "r"
>         }
>       }
>     }
>   ],
>   "configurations": [
>   ]
> }
> {code}
> An example service-level Kerberos Descriptor - HDFS:
> {code}
> {
>   "configurations": [
>     {
>       "core-site": {
>         "hadoop.security.authentication": "kerberos",
>         "hadoop.rpc.protection": "authentication; integrity; privacy",
>         "hadoop.security.authorization": "true"
>       }
>     }
>   ],
>   "components": [
>     {
>       "name": "NAMENODE",
>       "identities": [
>         {
>           "name" : "namenode_nn",
>           "principal": {
>             "value": "nn/_HOST@${realm}",
>             "configuration": "hdfs-site/dfs.namenode.kerberos.principal"
>           },
>           "keytab": {
>             "file": "${keytab_dir}/nn.service.keytab",
>             "owner": {
>               "name": "${hadoop-env/hdfs_user}",
>               "access": "r"
>             },
>             "group": {
>               "name": "${cluster-env/user_group}",
>               "access": ""
>             },
>             "configuration": "hdfs-site/dfs.namenode.keytab.file"
>           }
>         },
>         {
>           "name" : "namenode_host",
>           "principal": {
>             "value": "host/_HOST@${realm}",
>             "configuration": "hdfs-site/dfs.namenode.kerberos.https.principal"
>           },
>           "keytab": {
>             "file": "${keytab_dir}/host.keytab",
>             "owner": {
>               "name": "${hadoop-env/hdfs_user}",
>               "access": "r"
>             },
>             "group": {
>               "name": "${cluster-env/user_group}",
>               "access": ""
>             },
>             "configuration": "hdfs-site/dfs.namenode.keytab.file"
>           }
>         },
>         {
>           "name" : "/spnego",
>           "principal": {
>             "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
>           },
>           "keytab": {
>             "configuration": "hdfs/dfs.web.authentication.kerberos.keytab"
>           }
>         }
>       ]
>     },
>     {
>       "name": "DATANODE",
>       "identities": [
>         {
>           "name" : "datanode_dn",
>           "principal": {
>             "value": "dn/_HOST@${realm}",
>             "configuration": "hdfs-site/dfs.namenode.kerberos.principal"
>           },
>           "keytab": {
>             "file": "${keytab_dir}/dn.service.keytab",
>             "owner": {
>               "name": "${hadoop-env/hdfs_user}",
>               "access": "r"
>             },
>             "group": {
>               "name": "${cluster-env/user_group}",
>               "access": ""
>             },
>             "configuration": "hdfs-site/dfs.namenode.keytab.file"
>           }
>         },
>         {
>           "name" : "datanode_host",
>           "principal": {
>             "value": "host/_HOST@${realm}",
>             "configuration": "hdfs-site/dfs.datanode.kerberos.https.principal"
>           },
>           "keytab": {
>             "file": "${keytab_dir}/host.keytab.file",
>             "owner": {
>               "name": "${hadoop-env/hdfs_user}",
>               "access": "r"
>             },
>             "group": {
>               "name": "${cluster-env/user_group}",
>               "access": ""
>             },
>             "configuration": "hdfs-site/dfs.namenode.secondary.keytab.file"
>           }
>         }
>       ]
>     },
>     {
>       "name": "SECONDARY_NAMENODE",
>       "identities": [
>         {
>           "name" : "secondary_namenode_nn",
>           "principal": {
>             "value": "nn/_HOST@${realm}",
>             "configuration": "hdfs-site/dfs.namenode.secondary.kerberos.principal"
>           },
>           "keytab": {
>             "file": "${keytab_dir}/snn.service.keytab",
>             "owner": {
>               "name": "${hadoop-env/hdfs_user}",
>               "access": "r"
>             },
>             "group": {
>               "name": "${cluster-env/user_group}",
>               "access": ""
>             },
>             "configuration": "hdfs-site/dfs.namenode.secondary.keytab.file"
>           }
>         },
>         {
>           "name" : "secondary_namenode_host",
>           "principal": {
>             "value": "host/_HOST@${realm}",
>             "configuration": "hdfs-site/dfs.namenode.secondary.kerberos.https.principal"
>           },
>           "keytab": {
>             "file": "${keytab_dir}/host.keytab.file",
>             "owner": {
>               "name": "${hadoop-env/hdfs_user}",
>               "access": "r"
>             },
>             "group": {
>               "name": "${cluster-env/user_group}",
>               "access": ""
>             },
>             "configuration": "hdfs-site/dfs.namenode.secondary.keytab.file"
>           }
>         },
>         {
>           "name" : "/spnego",
>           "principal": {
>             "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
>           },
>           "keytab": {
>             "configuration": "hdfs/dfs.web.authentication.kerberos.keytab"
>           }
>         }
>       ]
>     }
>   ]
> }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
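
An added example, not part of the original message and not Ambari's own code (the attached patch is Java): a Python sketch that merges the stack-level and service-level descriptors into the effective identities per component, so the resulting principals, keytab paths and ownership can be reviewed. It assumes that ${name} resolves against the descriptor's "properties", that ${config-type/property} resolves against cluster configuration, and that an identity name starting with "/" refers to the stack-level identity of that name; the function names and the CONFIGS values are hypothetical.

```python
import copy
import re

# Constructed sample data: trimmed copies of the two descriptors quoted above, plus assumed cluster config values.
STACK = {"properties": {"realm": "${cluster-env/kerberos_domain}", "keytab_dir": "/etc/security/keytabs"},
         "identities": [{"name": "spnego", "principal": {"value": "HTTP/_HOST@${realm}"},
                         "keytab": {"file": "${keytab_dir}/spnego.service.keytab",
                                    "owner": {"name": "root", "access": "r"},
                                    "group": {"name": "${cluster-env/user_group}", "access": "r"}}}]}
HDFS = {"components": [{"name": "NAMENODE", "identities": [
    {"name": "namenode_nn", "principal": {"value": "nn/_HOST@${realm}"},
     "keytab": {"file": "${keytab_dir}/nn.service.keytab",
                "owner": {"name": "${hadoop-env/hdfs_user}", "access": "r"},
                "group": {"name": "${cluster-env/user_group}", "access": ""}}},
    {"name": "/spnego", "principal": {"configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"},
     "keytab": {"configuration": "hdfs/dfs.web.authentication.kerberos.keytab"}}]}]}
CONFIGS = {"cluster-env": {"kerberos_domain": "EXAMPLE.COM", "user_group": "hadoop"},
           "hadoop-env": {"hdfs_user": "hdfs"}}
VAR = re.compile(r"\$\{([^}]+)\}")

def resolve(node, props, configs):
    """Expand ${name} and ${config-type/property} in every string; KeyError if undefined."""
    if isinstance(node, dict):
        return {k: resolve(v, props, configs) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, props, configs) for v in node]
    def lookup(m):
        ctype, _, prop = m.group(1).rpartition("/")
        return configs[ctype][prop] if ctype else props[prop]
    for _ in range(10):  # bounded, so a self-referencing property cannot loop forever
        if not (isinstance(node, str) and VAR.search(node)):
            return node
        node = VAR.sub(lookup, node)
    raise ValueError("variable nesting too deep")

def merge(base, override):
    out = copy.deepcopy(base)  # never mutate the shared stack-level identity
    for k, v in override.items():
        out[k] = merge(out[k], v) if isinstance(v, dict) and isinstance(out.get(k), dict) else v
    return out

def effective_identities(stack, service, configs):
    """Map component name -> identities with /references merged and variables resolved."""
    props = {**stack.get("properties", {}), **service.get("properties", {})}
    shared = {i["name"]: i for i in stack.get("identities", [])}
    def expand(i):  # "/name" pulls in the stack-level identity; KeyError if it is missing
        ref = i["name"][1:] if i["name"].startswith("/") else None
        return merge(shared[ref], {k: v for k, v in i.items() if k != "name"}) if ref else i
    return {c["name"]: resolve([expand(i) for i in c.get("identities", [])], props, configs)
            for c in service.get("components", [])}
```

A dangling "/" reference or an undefined variable raises KeyError instead of leaving an unresolved ${...} in a principal or keytab path.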