ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vitalyi Brodetskyi" <vbrodets...@hortonworks.com>
Subject Re: Review Request 31856: Ambari storm logviewer in secure mode doesn't work
Date Mon, 09 Mar 2015 10:22:21 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31856/#review75678
-----------------------------------------------------------

Ship it!


Ship It!

- Vitalyi Brodetskyi


On March 9, 2015, 9:54 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/31856/
> -----------------------------------------------------------
> 
> (Updated March 9, 2015, 9:54 a.m.)
> 
> 
> Review request for Ambari, Berta Vitaliya, Costel Radulescu, and Emil Anca.
> 
> 
> Bugs: AMBARI-9981
>     https://issues.apache.org/jira/browse/AMBARI-9981
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Storm logviewer uses the same UI.filter config thats being used for Storm UI.
> In secure mode storm UI uses SPENGO to authenticate user to access the UI.
> Similarly logviewer also does the same .
> But in Ambari 1.7 we advise user to create HTTP/storm-ui@REALM and this gets added to
storm.yaml.
> As this is bound to a host storm logviewers which are running one per supervisor won't
be able to use this key .
> 
> Solution:
> There is a configuration problem in the {{/etc/storm/conf/storm.yaml}} file.  In particular
the issue is here:
> #/etc/storm/conf/storm.yaml:109
> ```
> ui.filter.params:
>   "type": "kerberos"
>   "kerberos.principal": "HTTP/host-2.internal@EXAMPLE.COM"
>   "kerberos.keytab": "/etc/security/keytabs/spnego.service.keytab"
>   "kerberos.name.rules": "DEFAULT"
> ```
> 
> The `kerberos.principal` value should be the SPNEGO principal for the localhost, not
the host where the UI server is running.  In this example, the localhost is *host-4.internal*
 so the `kerberos.principal` value should be *HTTP/host-4.internal@EXAMPLE.COM* not *HTTP/host-2.internal@EXAMPLE.COM*.
 The Storm UI server is running on *host-2.internal*
> 
> The fix for this should be in the code around 
> 
> #common-services/STORM/0.9.1.2.1/package/scripts/params.py:103} 
> ```
> _storm_ui_jaas_principal_name = config['configurations']['storm-env']['storm_ui_principal_name']
>     storm_ui_host = default("/clusterHostInfo/storm_ui_server_hosts", [])
>     storm_ui_jaas_principal = _storm_ui_jaas_principal_name.replace('_HOST',storm_ui_host[0].lower())
> ```
> 
> `storm_ui_jaas_principal` is then used in the template to build the storm.yaml file.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/0.9.1.2.1/package/scripts/params.py
5ac3470 
> 
> Diff: https://reviews.apache.org/r/31856/diff/
> 
> 
> Testing
> -------
> 
> #Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message