ambari-dev mailing list archives

From "Robert Levas" <rle...@hortonworks.com>
Subject Review Request 30260: Kerberos: host/<hostname>@REALM principals are created (should not be created)
Date Sun, 25 Jan 2015 21:09:42 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30260/
-----------------------------------------------------------

Review request for Ambari, Emil Anca and Yusaku Sako.


Bugs: AMBARI-9323
    https://issues.apache.org/jira/browse/AMBARI-9323


Repository: ambari


Description
-------

While generating principals, `host/<hostname>@REALM` principals are created.  These
should not be created.

And they are ending up in the resulting keytab. For example:

```
[root@c6402 keytabs]# klist -kt nn.service.keytab 
Keytab name: FILE:nn.service.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
```

The solution is to remove _identities_ from all `kerberos.json` files that lead to the generation
of the `host/<hostname>@<realm>` entries.


Diffs
-----

  ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/kerberos.json 8b7979e
  ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json 596d607
  ambari-server/src/test/java/org/apache/ambari/server/stack/KerberosDescriptorTest.java 0abb2f3
  ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json 99a4227

Diff: https://reviews.apache.org/r/30260/diff/


Testing
-------

Manually tested in test cluster.

Verified `host/<hostname>@<realm>` are no longer created.  Example (does not indicate
all of the keytab files that were fixed):

```
[root@c6503 keytabs]# klist -kt nn.service.keytab
Keytab name: FILE:nn.service.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/25/15 19:14:49 nn/c6503.ambari.apache.org@EXAMPLE.COM
   1 01/25/15 19:14:49 nn/c6503.ambari.apache.org@EXAMPLE.COM
   1 01/25/15 19:14:49 nn/c6503.ambari.apache.org@EXAMPLE.COM
   1 01/25/15 19:14:49 nn/c6503.ambari.apache.org@EXAMPLE.COM
```

Since the solution is to remove entries from Kerberos descriptor files from the stack, no
unit tests were updated or added.

# Jenkins test results

```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:02 h
[INFO] Finished at: 2015-01-25T20:43:13+00:00
[INFO] Final Memory: 44M/508M
[INFO] ------------------------------------------------------------------------
```


Thanks,

Robert Levas
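
The manual `klist -kt` check described in the message can be automated. The following is an added example, not part of the original message or of Ambari's code: it parses `klist -kt` output and reports principals whose primary is not expected in that keytab. The sample output is constructed in the format shown above, and the allowed primary (`nn`) is an assumption supplied by the caller.

```python
import re
from collections import Counter

# Constructed sample: `klist -kt` output in the format shown in the message.
SAMPLE_KLIST = """\
Keytab name: FILE:nn.service.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
   1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
"""

# One entry line: KVNO, date, time, principal. The column header and the
# dashed separator do not start with a number, so they never match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return (keytab_name, Counter{principal: number of key entries})."""
    name, entries = None, Counter()
    for line in text.splitlines():
        if line.startswith("Keytab name:"):
            name = line.split(":", 1)[1].strip()
            continue
        m = ENTRY.match(line)
        if m:
            entries[m.group(4)] += 1  # klist prints one line per key
    return name, entries


def primary_of(principal):
    """Primary component of primary/instance@REALM (or primary@REALM)."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def unexpected_principals(text, allowed_primaries):
    """Principals in the keytab whose primary is not in allowed_primaries."""
    _, entries = parse_klist(text)
    return sorted(p for p in entries if primary_of(p) not in allowed_primaries)


if __name__ == "__main__":
    name, entries = parse_klist(SAMPLE_KLIST)
    for p in unexpected_principals(SAMPLE_KLIST, {"nn"}):  # "nn" is assumed
        print(f"{name}: unexpected principal {p} ({entries[p]} keys)")
```
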

