ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-9385) Implement Keytab regeneration
Date Tue, 03 Feb 2015 20:48:36 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-9385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Robert Levas updated AMBARI-9385:
---------------------------------
    Description: 
Create API entry point to initiate Kerberos keytab regeneration for the cluster:
{code}
PUT /api/v1/clusters/{clustername}?regenerate_keytabs=true
{
  "Clusters" : {
    "security_type" : "KERBEROS"
  }
}
{code}

The entry point should invoke code to determine which principals need to be updated and then
generate the following stages:
# Update Principal Passwords
# Generate Keytabs
# Distribute Keytab

This could be done in a method within {{org.apache.ambari.server.controller.KerberosHelper}}
named {{regenerateKeytabs}} and flow similarly to {{org.apache.ambari.server.controller.KerberosHelper#toggleKerberos}}

A Server-side action implementation already exists for generating keytabs - see {{org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction}}.
A process is already in place to distribute keytabs - {{org/apache/ambari/server/controller/KerberosHelper.java:1192}}
A new Server-side action _may_ need to be created to update relavant principal passwords,
however {{org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction}} may
work for this, unaltered.



  was:
Create API entry point to initiate Kerberos keytab regeneration for the cluster:
{code}
PUT /api/v1/clusters/{clustername}?kerberos_regenerate_keytabs="true"
{code}

The entry point should invoke code to determine which principals need to be updated and then
generate the following stages:
# Update Principal Passwords
# Generate Keytabs
# Distribute Keytab

This could be done in a method within {{org.apache.ambari.server.controller.KerberosHelper}}
named {{regenerateKeytabs}} and flow similarly to {{org.apache.ambari.server.controller.KerberosHelper#toggleKerberos}}

A Server-side action implementation already exists for generating keytabs - see {{org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction}}.
A process is already in place to distribute keytabs - {{org/apache/ambari/server/controller/KerberosHelper.java:1192}}
A new Server-side action _may_ need to be created to update relavant principal passwords,
however {{org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction}} may
work for this, unaltered.




> Implement Keytab regeneration
> -----------------------------
>
>                 Key: AMBARI-9385
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9385
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos, keytabs
>             Fix For: 2.0.0
>
>         Attachments: AMBARI-9385_01.patch, AMBARI-9385_02.patch
>
>
> Create API entry point to initiate Kerberos keytab regeneration for the cluster:
> {code}
> PUT /api/v1/clusters/{clustername}?regenerate_keytabs=true
> {
>   "Clusters" : {
>     "security_type" : "KERBEROS"
>   }
> }
> {code}
> The entry point should invoke code to determine which principals need to be updated and
then generate the following stages:
> # Update Principal Passwords
> # Generate Keytabs
> # Distribute Keytab
> This could be done in a method within {{org.apache.ambari.server.controller.KerberosHelper}}
named {{regenerateKeytabs}} and flow similarly to {{org.apache.ambari.server.controller.KerberosHelper#toggleKerberos}}
> A Server-side action implementation already exists for generating keytabs - see {{org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction}}.
> A process is already in place to distribute keytabs - {{org/apache/ambari/server/controller/KerberosHelper.java:1192}}
> A new Server-side action _may_ need to be created to update relavant principal passwords,
however {{org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction}} may
work for this, unaltered.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message