ambari-dev mailing list archives

From "Robert Levas" <rle...@hortonworks.com>
Subject Re: Review Request 38318: Kerberos: Allow user to specify additional realms for auth-to-local rules
Date Mon, 14 Sep 2015 17:18:35 GMT


> On Sept. 14, 2015, 12:56 p.m., Robert Nettleton wrote:
> > ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json, line 48
> > <https://reviews.apache.org/r/38318/diff/1/?file=1068807#file1068807line48>
> >
> >     Why is this property being removed from the HDFS kerberos.json?  Is this related to the support for multiple realms described above?

`hadoop.security.auth_to_local` is being removed from the kerberos.json file because it was
the reason this issue exists.  Its existence was causing confusion on the front-end since
it appeared that the auth-to-local property was to be set to "" rather than to its actual value
(which was to get generated by Ambari).  Its use was to set some initial value so that Ambari
would include it when generating the `core-site/hadoop.security.auth_to_local` value. Generally
that value was default rules for additional realms needed in a multiple realm scenario - for
example, MIT KDC and Active Directory cross-realm-trust. Though this worked fine, it had 2
problems: confusion (as previously mentioned), and its scope was limited to `core-site/hadoop.security.auth_to_local`.

This patch solves the 2 issues by removing the field in the UI and adding a new property to
collect the additional realms. Using the additional realms data, the default rules can be
generated and used for any property that is tagged as being an _auth-to-local rule_ (this
is done on the Kerberos Descriptor for each service).


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38318/#review98864
-----------------------------------------------------------


On Sept. 13, 2015, 7:31 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/38318/
> -----------------------------------------------------------
> 
> (Updated Sept. 13, 2015, 7:31 a.m.)
> 
> 
> Review request for Ambari, Jaimin Jetly, Jonathan Hurley, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-13060
>     https://issues.apache.org/jira/browse/AMBARI-13060
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Allow user to specify additional realms for auth-to-local rules. This will add _default_ rules for the specified realm(s) to the generated auth-to-local rule sets. For example:
> 
> ```
> RULE:[1:$1@$0](.*@USER_REALM.COM)s/@.*//
> ```
> 
> The value should be a (comma) delimited list of realm names set in the set of global properties in the Kerberos Descriptor.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java 00e8291
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 11f578f
>   ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json df99bce
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json 03198dc
>   ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java 14c66a2
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java 9e65b5e
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java f28a19b
>   ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json cf49786
>   ambari-web/app/mixins/wizard/addSecurityConfigs.js d14d09e
> 
> Diff: https://reviews.apache.org/r/38318/diff/
> 
> 
> Testing
> -------
> 
> Manually tested existing KDC and manual options, both with various additional realm specifications (empty, single, multiple, multiple with random spaces between). Updated realms after enabling Kerberos.
> 
> Local test results: PASSED
> 
> Jenkins test results:
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 02:03 h
> [INFO] Finished at: 2015-09-12T00:12:36+00:00
> [INFO] Final Memory: 50M/555M
> [INFO] ------------------------------------------------------------------------
> 
> 
> Thanks,
> 
> Robert Levas
> 
>
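
An added example, not part of the review thread or of Ambari's code: it builds the default rule shown in the description for each realm in a comma-delimited list (including the empty and untidy-spacing cases from the testing notes) and evaluates the rules against principals. The function names and realm names are hypothetical, and the rule evaluation is a simplified model of Hadoop's auth-to-local matching, assumed here for illustration.

```python
import re

# Template copied from the example rule in the review description.
DEFAULT_RULE = "RULE:[1:$1@$0](.*@{realm})s/@.*//"
# RULE:[n:format](match)s/pattern/replacement/
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/$")


def parse_realms(value):
    """Split the comma-delimited realm list; ignore empty items and stray spaces."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def default_rules(additional_realms):
    """Build one default rule per additional realm, in the order given."""
    return [DEFAULT_RULE.format(realm=r) for r in parse_realms(additional_realms)]


def apply_rule(rule, principal):
    """Return the local name the rule yields, or None if the rule does not apply."""
    parsed = RULE_RE.match(rule)
    if parsed is None:
        raise ValueError("unsupported rule: " + rule)
    count, fmt, match, pattern, replacement = parsed.groups()
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if len(components) != int(count):
        return None  # e.g. a two-part service principal against a [1:...] rule
    params = [realm] + components  # $0 is the realm, $1..$n the components
    base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
    if re.fullmatch(match, base) is None:
        return None
    return re.sub(pattern, replacement, base, count=1)


def to_local(rules, principal):
    """First matching rule wins; None means no rule mapped the principal."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


# Constructed input: two realms with untidy spacing and an empty item.
RULES = default_rules(" AD.EXAMPLE.COM ,, MIT.EXAMPLE.COM ")
```

With these rules, `alice@AD.EXAMPLE.COM` and `alice@MIT.EXAMPLE.COM` both map to the local user `alice`, so every realm added to the list shares one local namespace with the others.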

