ambari-dev mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-12772) Adding host via blueprint fails on secure cluster
Date Wed, 02 Sep 2015 16:48:46 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-12772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-12772:
----------------------------------
    Attachment: AMBARI-12772_branch-2.1_03.patch

> Adding host via blueprint fails on secure cluster
> -------------------------------------------------
>
>                 Key: AMBARI-12772
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12772
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: blueprints, kerberos
>             Fix For: 2.1.2
>
>         Attachments: AMBARI-12772_branch-2.1_01.patch, AMBARI-12772_branch-2.1_03.patch, AMBARI-12772_trunk_01.patch, AMBARI-12772_trunk_02.patch
>
>
> *STR*
> Install cluster via blueprints
> Enable Kerberos security
> Add host via blueprints
> *Result*
> Adding hosts freezes forever
> In ambari-server.log:
> {code}
> The KDC administrator credentials must be set in session by updating the relevant Cluster
> resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry
> point with the following payload:
> {
>   "session_attributes" : {
>     "kerberos_admin" : {"principal" : "(PRINCIPAL)", "password" : "(PASSWORD)"}
>   }
> {code}
> *Cause*
> This is caused because the KDC administrative credentials are not available when needed
> during the add host process.  If set in the HTTP session, the credentials are not accessible
> since the Kerberos logic is executed outside the scope of that HTTP session.
> *Solution*
> Store the KDC credentials to a _more secure_ global credential store that is accessible
> no matter what the context is.  This storage facility is in-memory and has a retention period
> of 90 minutes.  This solution refactors the current CredentialStoreService and MasterKeyService
> classes to allow for file-based and in-memory implementations. It also paves the way for future
> changes to allow for the KDC administrative credentials to be persisted indefinitely.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
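
The Solution in the issue above describes an in-memory credential store with a 90-minute retention period that can be read outside any HTTP session. The following Java illustrates that idea; it is an added example, not code from the AMBARI-12772 patches or from Ambari's CredentialStoreService, and the class name `ExpiringCredentialStore`, the alias `kdc.admin` and the injected clock are assumptions made for the illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.function.LongSupplier;
/** Hypothetical in-memory credential store with a retention period; not Ambari's classes. */
public class ExpiringCredentialStore {
    private static final class Entry {
        final char[] secret; final long expiresAtMillis;
        Entry(char[] s, long t) { secret = s; expiresAtMillis = t; }
    }

    private final Map<String, Entry> entries = new HashMap<>();
    private final long retentionMillis;
    private final LongSupplier clock; // injectable so expiry can be exercised without waiting

    public ExpiringCredentialStore(long retentionMillis, LongSupplier clock) {
        this.retentionMillis = retentionMillis; this.clock = clock;
    }

    /** Stores a private copy so the caller can wipe its own buffer afterwards. */
    public synchronized void put(String alias, char[] secret) {
        Entry old = entries.put(alias, new Entry(secret.clone(), clock.getAsLong() + retentionMillis));
        if (old != null) Arrays.fill(old.secret, '\0'); // wipe the replaced secret
    }

    /** Returns a copy of the secret, or null if it is absent or past its retention period. */
    public synchronized char[] get(String alias) {
        Entry e = entries.get(alias);
        if (e == null) return null;
        if (clock.getAsLong() >= e.expiresAtMillis) {
            entries.remove(alias);
            Arrays.fill(e.secret, '\0'); // expired: wipe now rather than wait for GC
            return null;
        }
        return e.secret.clone();
    }

    public static void main(String[] args) throws Exception {
        long[] now = {0L}; // constructed clock value, in milliseconds
        ExpiringCredentialStore store = new ExpiringCredentialStore(90 * 60_000L, () -> now[0]);
        char[] pw = "constructed-password".toCharArray(); // constructed sample value
        store.put("kdc.admin", pw);
        Arrays.fill(pw, '\0'); // the caller no longer holds the secret
        Thread worker = new Thread(() -> // no HTTP session exists on this thread
            System.out.println("worker sees credential: " + (store.get("kdc.admin") != null)));
        worker.start(); worker.join();
        now[0] = 91 * 60_000L; // one minute past the 90-minute retention period
        System.out.println("after retention: " + (store.get("kdc.admin") != null));
    }
}
```

Because the store is a process-wide object rather than a session attribute, the background thread reads the credential without any request context, and a lookup after the retention period wipes the stored copy instead of returning it.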
