From: "Hudson (JIRA)"
To: dev@ambari.apache.org
Date: Thu, 29 Oct 2015 00:56:27 +0000 (UTC)
Subject: [jira] [Commented] (AMBARI-13431) Blueprints: Configuration to select Kerberos

    [ https://issues.apache.org/jira/browse/AMBARI-13431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14979594#comment-14979594 ]

Hudson commented on AMBARI-13431:
---------------------------------

FAILURE: Integrated in Ambari-trunk-Commit #3731 (See [https://builds.apache.org/job/Ambari-trunk-Commit/3731/])
AMBARI-13431. Blueprints Configuration to select Kerberos.
(Sandor (rnettleton: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=2337e5390cac806f80db0e1880b8616cfab7e80d])
* ambari-server/src/test/java/org/apache/ambari/server/controller/internal/BlueprintResourceProviderTest.java
* ambari-server/src/main/java/org/apache/ambari/server/controller/internal/KerberosDescriptorResourceProvider.java
* ambari-server/src/main/java/org/apache/ambari/server/topology/Credential.java
* ambari-server/src/test/java/org/apache/ambari/server/topology/BlueprintFactoryTest.java
* ambari-server/src/main/java/org/apache/ambari/server/topology/TopologyRequestFactory.java
* ambari-server/src/main/java/org/apache/ambari/server/topology/TopologyManager.java
* ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
* ambari-server/src/main/java/org/apache/ambari/server/topology/SecurityConfiguration.java
* ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ProvisionClusterRequest.java
* ambari-server/src/main/java/org/apache/ambari/server/topology/BlueprintFactory.java
* ambari-server/src/test/java/org/apache/ambari/server/state/cluster/ClustersTest.java
* ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
* ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BaseClusterRequest.java
* ambari-server/src/test/java/org/apache/ambari/server/utils/StageUtilsTest.java
* ambari-server/src/test/java/org/apache/ambari/server/topology/AmbariContextTest.java
* ambari-server/src/main/resources/properties.json
* ambari-server/src/main/java/org/apache/ambari/server/topology/AmbariContext.java
* ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog213.java
* ambari-server/src/main/java/org/apache/ambari/server/topology/Blueprint.java
* ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ExportBlueprintRequest.java
* ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterResourceProvider.java
* ambari-server/src/main/java/org/apache/ambari/server/state/Clusters.java
* ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java
* ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java
* ambari-server/src/test/java/org/apache/ambari/server/topology/SecurityConfigurationFactoryTest.java
* ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
* ambari-server/src/test/java/org/apache/ambari/server/topology/BlueprintImplTest.java
* ambari-server/src/test/java/org/apache/ambari/server/topology/TopologyManagerTest.java
* ambari-server/src/test/java/org/apache/ambari/server/state/UpgradeHelperTest.java
* ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ProvisionClusterRequestTest.java
* ambari-server/src/test/java/org/apache/ambari/server/controller/internal/WidgetResourceProviderTest.java
* ambari-server/src/main/java/org/apache/ambari/server/topology/SecurityConfigurationFactory.java
* ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
* ambari-server/src/main/java/org/apache/ambari/server/topology/BlueprintImpl.java
* ambari-server/src/main/java/org/apache/ambari/server/topology/TopologyRequestFactoryImpl.java
* ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
* ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java
* ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog213Test.java
* ambari-server/src/main/java/org/apache/ambari/server/orm/entities/BlueprintEntity.java
* ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
* ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintResourceProvider.java
* ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
* ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
* ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterResourceProviderTest.java
* ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AlertResourceProviderTest.java


> Blueprints: Configuration to select Kerberos
> --------------------------------------------
>
>                 Key: AMBARI-13431
>                 URL: https://issues.apache.org/jira/browse/AMBARI-13431
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>            Reporter: Sandor Magyari
>            Assignee: Sandor Magyari
>             Fix For: 2.1.3
>
>         Attachments: AMBARI-13431-v6.patch, AMBARI-13431-v7.patch
>
>
> This task tracks the required changes in the handling code for the Blueprint .json and the Cluster Creation Template .json files in order to allow the user to request that a given cluster be Kerberized.
> The most natural place for this configuration will likely be in the Cluster Creation template, which would then allow a given Blueprint to be referenced via secure and non-secure cluster creation requests.
> Based on feedback from Product Management, a customer should be able to indicate that a cluster is to be Kerberized in either the Blueprint .json or the Cluster Creation template .json.
> This feature should support enabling Kerberos at the level of the Blueprint or the Cluster Creation template. In either JSON document, the user should be able to indicate a security tag that looks like:
> {code}
> "security" : {
>   "type" : "KERBEROS",
>   "kerberos_descriptor_reference" : "kd1",
>   "kerberos_descriptor" : {
>     ...
>   }
> }
> {code}
> The "type" field in the new "security" map should be set to "KERBEROS" in order to indicate that Kerberos should be supported.
> The "kerberos_descriptor_reference" field in the "security" map could be used to refer to an existing Kerberos descriptor that has been POST-ed to the Ambari REST API.
> If the user wishes to embed the Kerberos descriptor in the Blueprint or Cluster Creation template, then the "kerberos_descriptor" field in the "security" map should be set to the contents of that descriptor.
> The "security" map could eventually also include other configuration items pertaining to the security of a given cluster. While Kerberos is the initial support being added, other security mechanisms may evolve over time, and we should be able to use the same configuration structures in order to eventually integrate with these technologies as well.
> *Note: The user should typically only specify a "kerberos_descriptor_reference" or a "kerberos_descriptor". If both are set, the Blueprint processor should treat this as an error condition.*
> This new JSON element should exist at the top-level of the Cluster Creation Template and Blueprint documents.
> The following example shows what a Cluster Creation template might look like in this scenario:
> {code}
> {
>   "blueprint" : "blueprint-ha",
>   "default_password" : "default",
>   "security" : {
>     "type" : "KERBEROS",
>     "kerberos_descriptor_reference" : "kd1",
>     "kerberos_descriptor" : {
>       ...
>     }
>   },
>   "host_groups" :[
>     {
>       "name" : "host_group_1",
>       "hosts" : [
>         {
>           "fqdn" : "c6401.ambari.apache.org"
>         }
>       ]
>     },
>     ...
>   ]
> }
> {code}
> The following example shows what a Blueprint that requires Kerberos support should look like:
> {code}
> {
>   "host_groups": [
>     {
>       "name": "master",
>       "configurations": [
>         ...
>       ],
>       "components": [
>         {
>           "name": "NAMENODE"
>         },
>         {
>           "name": "SECONDARY_NAMENODE"
>         },
>         {
>           "name": "RESOURCEMANAGER"
>         },
>         {
>           "name": "HISTORYSERVER"
>         },
>         {
>           "name": "APP_TIMELINE_SERVER"
>         },
>         {
>           "name": "ZOOKEEPER_SERVER"
>         }
>       ],
>       "cardinality": "1"
>     },
>     ...
>   ],
>   "Blueprints": {
>     "blueprint_name": "multi-simple-yarn",
>     "stack_name": "HDP",
>     "stack_version": "2.2",
>     "security" : {
>       "type" : "KERBEROS",
>       "kerberos_descriptor_reference" : "kd1",
>       "kerberos_descriptor" : {
>         ...
>       }
>     }
>   }
> }
> {code}
> In the example above, the "type" field is included in the "security" map section of the Blueprint document, embedded within the "Blueprints" map. This is the most natural place for the Blueprint itself, since it contains the metadata that should be associated with the Blueprint deployment, outside of the configuration and components.
> h2. Priority Ordering
> Since the Kerberos setting will be supported in either the Blueprint or the Cluster Creation template, this new support will need to handle the cases where the setting is chosen in both documents.
> # If a security type of "KERBEROS" is not selected in a Blueprint, then the Cluster Creation template can be used to override this setting by including "type" : "KERBEROS" in the template. This allows us to support deploying a Blueprint in both Kerberized and non-Kerberized environments. This implies that any Kerberos-specific configuration would need to be included in the Cluster Creation template, but this is already supported by the Blueprints configuration overrides.
> # If a security type of "KERBEROS" is selected, then the Cluster Creation template should not be able to override this setting to less-secure mode. If the Cluster Creation template is configured to use a different security mechanism, (For example: "type" : "OFF"), then the Blueprints processor should treat this as an error condition. If the Cluster creation template does not specify a "security" tag, then the "security" setting in the Blueprint should be honored. In general, we should allow overrides to a more-secure cluster, and forbid overrides for a less-secure cluster.
> h2. Blueprint Database Table Changes
> These additions to the Blueprint .json and Cluster Creation Template .json structure will likely require changes to the Blueprint entity database tables, already defined in ambari-server.
> This current task will encompass any Database table changes needed to make these additions, and will also likely require some ambari-server Upgrade handling. This will involve using the existing Ambari Upgrade utilities to support moving from older Ambari installs to Ambari 2.2. The main work here will be updating existing database tables to support the new structure.
> h2. Backwards compatibility
> Any Blueprints that worked in previous versions of Ambari (non-Kerberized) should work as-is in Ambari 2.2, in order to preserve backwards compatibility. This means that these new configuration tags must not be required in a non-Kerberized environment.
> h2. Blueprint Validation
> The Blueprint validator should be updated to check on the value of the security "type" field, when it is present. Once we determine the accepted set of possible values ("OFF" and "KERBEROS", for now), the validator should check this, and return a reasonable error to the REST client if an invalid value is set.
> The kerberos.json (either referenced or embedded) descriptor must be saved to the cluster’s artifacts resource prior to Kerberization.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
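
The validation and priority-ordering rules quoted above, written as a check that can be run over a Blueprint and Cluster Creation template pair before they are submitted. This is an added example, not Ambari's code and not part of the original message; the function names, the exception class and the sample documents are hypothetical, and treating an absent "security" tag or "type" as "OFF" is an assumption.

```python
ALLOWED_TYPES = {"OFF", "KERBEROS"}  # the accepted values the issue names "for now"

class SecurityConfigError(ValueError):
    """A "security" map breaks one of the rules in the issue description."""

def validate_security(security, where):
    """Validate one "security" map; `where` names the document in error text."""
    if security is None:
        return None  # tag is optional, so pre-existing Blueprints keep working
    sec_type = security.get("type")
    if sec_type is not None and sec_type not in ALLOWED_TYPES:
        raise SecurityConfigError(f"{where}: invalid security type {sec_type!r}")
    if security.keys() >= {"kerberos_descriptor_reference", "kerberos_descriptor"}:
        raise SecurityConfigError(f"{where}: reference and embedded descriptor both set")
    return security

def resolve_security(blueprint, template):
    """Apply the Priority Ordering rules and return the effective "security" map."""
    # The Blueprint keeps the tag inside "Blueprints"; the template has it at top level.
    bp = validate_security(blueprint.get("Blueprints", {}).get("security"), "blueprint")
    tpl = validate_security(template.get("security"), "cluster template")
    bp_type = (bp or {}).get("type", "OFF")  # assumption: absent means "OFF"
    tpl_type = (tpl or {}).get("type")
    if tpl_type is None:  # template does not choose a type: the Blueprint is honored
        return bp or {"type": "OFF"}
    if bp_type == "KERBEROS" and tpl_type != "KERBEROS":
        raise SecurityConfigError(f"template downgrades KERBEROS Blueprint to {tpl_type}")
    return tpl  # same or more secure: the template's map is used (assumption)

# Constructed sample documents, trimmed to the fields the check reads.
BP_PLAIN = {"Blueprints": {"blueprint_name": "multi-simple-yarn"}}
BP_KERBEROS = {"Blueprints": {"blueprint_name": "multi-simple-yarn",
               "security": {"type": "KERBEROS", "kerberos_descriptor_reference": "kd1"}}}
TPL_SILENT = {"blueprint": "multi-simple-yarn"}
TPL_KERBEROS = {"blueprint": "multi-simple-yarn",
                "security": {"type": "KERBEROS", "kerberos_descriptor_reference": "kd1"}}
TPL_OFF = {"blueprint": "multi-simple-yarn", "security": {"type": "OFF"}}

if __name__ == "__main__":
    pairs = [(BP_PLAIN, TPL_KERBEROS), (BP_KERBEROS, TPL_SILENT), (BP_KERBEROS, TPL_OFF)]
    for bp_doc, tpl_doc in pairs:
        try:
            print("effective:", resolve_security(bp_doc, tpl_doc))
        except SecurityConfigError as err:
            print("rejected:", err)
```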