ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-10493) Ambari 2.0 doesn't recognize Kerberos on existing cluster after upgrade
Date Wed, 29 Apr 2015 13:33:05 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-10493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14519354#comment-14519354
] 

Robert Levas commented on AMBARI-10493:
---------------------------------------

[~harisekhon], According to https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=30755705,
there is not official release date for 2.1.0.  

Also, the solution that I proposed when 2.1.0 comes out enables a manual option for managing
Kerberos in the Ambari cluster. So when you add a new service, you will be required to create
the principals and distribute the keytabs files manually. However, the service configurations
will be updated for you. To get the list of expected principals, a CSV file may be downloaded.
 So far the file will be a complete list of the expected principals, but there may be plans
to return only the ones needed for the new service. 

> Ambari 2.0 doesn't recognize Kerberos on existing cluster after upgrade
> -----------------------------------------------------------------------
>
>                 Key: AMBARI-10493
>                 URL: https://issues.apache.org/jira/browse/AMBARI-10493
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server, security
>    Affects Versions: 2.0.0
>         Environment: HDP 2.2.0
>            Reporter: Hari Sekhon
>            Priority: Critical
>
> After upgrading to Ambari 2.0 (from 1.7) it wants to manage Kerberos but it doesn't seem
to recognize the cluster as already kerberized, nor does it appear to have the capability
to just use the existing keytabs as we have historically done - it wants to redeploy them
from an MIT KDC as part of the enable kerberos process, which would obviously mess up my already
deployed kerberized cluster which is running off FreeIPA (which includes an MIT KDC in each
IPA server but isn't supported to be managed via kadmin interface).
> There doesn't seem to be an obvious way of getting Ambari to re-enable or recognize that
kerberos is deployed and the services are kerberized. The current configurations do seem to
still be intact with the kerberos config settings but Ambari does not recognize that Kerberos
is deployed and I'm concerned this is going to eventually mess up my existing cluster or deploy
new services without Kerberos.
> Hari Sekhon
> http://www.linkedin.com/in/harisekhon



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message