ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas" <rle...@hortonworks.com>
Subject Review Request 31292: Kerberos: fails when entering admin principal with blank password
Date Mon, 23 Feb 2015 02:09:03 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31292/
-----------------------------------------------------------

Review request for Ambari, John Speidel and Robert Nettleton.


Bugs: AMBARI-9742
    https://issues.apache.org/jira/browse/AMBARI-9742


Repository: ambari


Description
-------

Note: I don't believe the below is specific to add host, but related to the prompting and
how the set admin cred works in case of a blank password. I hit this during testing of add
host though.

- install cluster, kerberize
- add host (be sure to use a new browser so you know it will prompt for kerb admin credentials)
- got to the review part of add host, click deploy
- prompted for admin creds (as expected)
- tried messing around by putting in bad creds and that seemed to work...
- expect when I put in the right admin cred principal name (admin/admin) but a blank password.
I was surprised it allowed me to click save (because the password field was blank)
- so I click save, dialog disappears and I am cannot get it to re-prompt.
- this is what it PUT and the response was blank...
 
```
[{"session_attributes":{"kerberos_admin":{"principal":"admin/admin","password":""}}}]:
Response Headersview source
```

in ambari-server.log, nothing

```
17:58:05,860  INFO [qtp1257282095-603] AmbariManagementControllerImpl:1171 - Received a updateCluster
request, clusterId=2, clusterName=MyCluster, securityType=null, request={ clusterName=MyCluster,
clusterId=2, provisioningState=null, securityType=null, stackVersion=HDP-2.2, desired_scv=null,
hosts=[] }
```

- back in wizard doesn't solve it. had to completely exit wizard and ambari web to start again

The overall issue is how the credentials are being validated.  If no password is being set,
the command to test the credentials when using a MIT KDC generates the following command:
```
kadmin -p admin/admin -w "" -r EXAMPLE.COM -q 'get_principal admin/admin'
```

The empty password (`-w ""`) in the command creates an interactive session where the command
is waiting for data on STDIN, thus hanging the process.

An empty password should not cause the same behavior when using Active Directory.


Diffs
-----

  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
9d41691 
  ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java
f4551d2 

Diff: https://reviews.apache.org/r/31292/diff/


Testing
-------

Manually tested in cluster

#Jenkins test results:
Running org.apache.ambari.server.serveraction.kerberos.MITKerberosOperationHandlerTest
Tests run: 24, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 0.838 sec

Running org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandlerTest
Tests run: 24, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 1.131 sec

Ambari server test suite
Tests run: 2734, Failures: 0, Errors: 0, Skipped: 15

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:07 h
[INFO] Finished at: 2015-02-23T01:58:43+00:00
[INFO] Final Memory: 43M/473M
[INFO] ------------------------------------------------------------------------


Thanks,

Robert Levas


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message