ambari-dev mailing list archives

From "Robert Levas" <rle...@hortonworks.com>
Subject Re: Review Request 30105: Add the ability to append a random value to values in LDAP attributes when generating principals in Active Directory
Date Wed, 21 Jan 2015 15:28:31 GMT


> On Jan. 21, 2015, 10:20 a.m., John Speidel wrote:
> > Looks good.  One minor comment is that you state that the values MUST be unique
> > and are using a hashing function to generate the unique value.  No hashing function
> > will produce unique values, there will always be multiple inputs which result in the
> > same output.  Truncating the value will further degrade uniqueness of the hash. That
> > being said, for the small number of inputs it would be very unlikely to have a
> > collision.  I only mention this because the requirement states that the values must
> > be unique.

I agree with this statement and tend to shy away from using hashes as unique values, but in
this case the namespace is rather small since the values only need to be unique across a single
cluster.  But the benefit to this method is that the hash can be recreated in the event
we need to use it for lookups.


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30105/#review68921
-----------------------------------------------------------


On Jan. 20, 2015, 10:55 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30105/
> -----------------------------------------------------------
> 
> (Updated Jan. 20, 2015, 10:55 p.m.)
> 
> 
> Review request for Ambari, John Speidel, Nate Cole, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-9209
>     https://issues.apache.org/jira/browse/AMBARI-9209
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Add ability to append a random value to values in LDAP attributes when generating
> principals in Active Directory.
> 
> For example the `cn` and `sAMAccountName` attributes must be unique.  In some cases the
> `cn` is not allowed to have `/` characters and in all cases the `sAMAccountName` is not
> allowed to have `/` characters. Therefore to generate values for these attributes, the
> _instance_ part of the principal needs to be stripped off and a random string needs to
> be appended.
> 
> This can be seen where the principal is `nn/c6501.ambari.apache.org@EXAMPLE.COM`.  The
> `cn` would typically be `nn/c6501.ambari.apache.org`.  Providing for a random string
> would allow the `cn` value to be something like `nn-ythnskdtarsjko5fsdfdsb`. Since the
> `sAMAccountName` can be at most 20 characters, it would be `nn-ythnskdtarsjko5fs`.
> 
> Since the generation of the attributes and values is done using a Velocity template,
> this random string will need to be generated and stored in the Velocity engine context
> before processing the template.
> 
> The solution is to generate and binhex an MD5 hash of the normalized principal.  This
> can be used as the unique value.  The Velocity variable this is set to is
> `principal_digest`.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java 20f7e60
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipal.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java 7a9233b
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml 85ae018
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java 6a89dbb
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/DeconstructedPrincipalTest.java PRE-CREATION
> 
> Diff: https://reviews.apache.org/r/30105/diff/
> 
> 
> Testing
> -------
> 
> Manual Testing
> 
> Updated and new test cases:
> 
> #Jenkins test results
> 
> Running org.apache.ambari.server.serveraction.kerberos.DeconstructedPrincipalTest
> Tests run: 10, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.1 sec
> 
> Running org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandlerTest
> Tests run: 10, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 0.742 sec
> 
> Complete ambari-server test results
> Tests run: 2575, Failures: 0, Errors: 0, Skipped: 15
> 
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 57:50 min
> [INFO] Finished at: 2015-01-21T03:29:08+00:00
> [INFO] Final Memory: 44M/468M
> [INFO] ------------------------------------------------------------------------
> 
> 
> Thanks,
> 
> Robert Levas
> 
>
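
The derivation discussed in this thread, as an added example that is not Ambari's code and not part of the original messages: it builds the `cn` and 20-character `sAMAccountName` from a hex MD5 digest of the principal, and estimates how likely a collision is once the digest is truncated. It assumes "normalized" means the full principal string unchanged and that the digest is joined to the primary with `-`; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class PrincipalDigestExample {
    static final int SAM_MAX = 20; // sAMAccountName limit stated in the review request

    // Hex-encoded MD5 of the principal. Deterministic, so it can be recomputed for lookups.
    // Assumption: "normalized" is taken to mean the full principal string, unchanged.
    static String principalDigest(String principal) throws NoSuchAlgorithmException {
        byte[] md5 = MessageDigest.getInstance("MD5").digest(principal.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : md5) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Primary component: everything before the first '/' (instance) or '@' (realm).
    static String primary(String principal) {
        int end = principal.length();
        for (char sep : new char[] {'/', '@'}) {
            int i = principal.indexOf(sep);
            if (i >= 0 && i < end) end = i;
        }
        return principal.substring(0, end);
    }

    static String cn(String principal) throws NoSuchAlgorithmException {
        return primary(principal) + "-" + principalDigest(principal);
    }
    static String samAccountName(String principal) throws NoSuchAlgorithmException {
        String value = cn(principal);
        return value.length() > SAM_MAX ? value.substring(0, SAM_MAX) : value;
    }

    // Birthday approximation: chance that any two of n principals agree on the
    // first hexChars digest characters, i.e. 1 - exp(-n(n-1) / (2 * 16^hexChars)).
    static double collisionProbability(long n, int hexChars) {
        return -Math.expm1(-(double) n * (n - 1) / (2 * Math.pow(16, hexChars)));
    }

    public static void main(String[] args) throws Exception {
        String p = "nn/c6501.ambari.apache.org@EXAMPLE.COM"; // principal from the description
        int kept = SAM_MAX - primary(p).length() - 1;        // digest characters that survive truncation
        System.out.println("cn             = " + cn(p));
        System.out.println("sAMAccountName = " + samAccountName(p));
        System.out.printf("%d digest chars kept; P(collision among 10000 principals) ~ %.3g%n",
                kept, collisionProbability(10000, kept));
    }
}
```

The number of digest characters that survive truncation shrinks as the primary gets longer, so a primary of 19 or more characters leaves none and two principals with that primary would map to the same `sAMAccountName`.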

