ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Onischuk" <aonis...@hortonworks.com>
Subject Re: Review Request 35875: Kerberos: storm headless princ + keytab seem incorrect
Date Thu, 25 Jun 2015 14:30:23 GMT


> On June 25, 2015, 2:12 p.m., Andrew Onischuk wrote:
> > How will it work after ambari upgrade when this file won't be present?
> 
> Robert Levas wrote:
>     I am not sure I understand.  Why wont 'this file' (`kerberos.json`?) be present after
the upgrade?
> 
> Andrew Onischuk wrote:
>     Maybe I'm wrong. But it is possible that storm.headless.keytab is not present when
user upgrades ambari to 2.1? (user with Ambari-2.0 would have storm.service.keytab instead
as far as I understand)
> 
> Robert Levas wrote:
>     Maybe you are referring to `${keytab_dir}/storm.headless.keytab`. Once established,
the `kerberos.json` file doesn't come into place. So if Storm was previously Kerberized, whatever
the keytab file was as the time will remain and not be an issue. This change only affects
newly Kerberized clusters.

oh, got it now


- Andrew


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35875/#review89348
-----------------------------------------------------------


On June 25, 2015, 2:10 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35875/
> -----------------------------------------------------------
> 
> (Updated June 25, 2015, 2:10 p.m.)
> 
> 
> Review request for Ambari, Andrew Onischuk, Emil Anca, Jaimin Jetly, and Vitalyi Brodetskyi.
> 
> 
> Bugs: AMBARI-12137
>     https://issues.apache.org/jira/browse/AMBARI-12137
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> The storm user principals should be derived using the storm user + cluster name: 
> ```
> storm-${cluster_name}@${realm}
> ```
> 
> The keytab name should be consistent with other headless identities: 
> ```
> storm.headless.keytab
> ```
> 
> #Solution
> Update Storm's Kerberos descriptor to fix the relevant identitiy
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/0.9.1.2.1/kerberos.json 94eaae1

>   ambari-server/src/test/python/stacks/2.1/configs/secured-storm-start.json b1022c3 
>   ambari-server/src/test/python/stacks/2.1/configs/secured-storm-start.json.orig 29b9c83

>   ambari-server/src/test/python/stacks/2.3/configs/hbase_secure.json 39f91c0 
>   ambari-server/src/test/python/stacks/2.3/configs/storm_default_secure.json 3ae6941

>   ambari-web/app/assets/data/stacks/HDP-2.1/service_components.json 75eef5e 
> 
> Diff: https://reviews.apache.org/r/35875/diff/
> 
> 
> Testing
> -------
> 
> Manual testing
> 
> Local unit test passed
> 
> #Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message