ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sandor Magyari" <smagy...@hortonworks.com>
Subject Re: Review Request 41796: Failed to deploy Kerberized cluster via blueprint with custom principal name
Date Mon, 04 Jan 2016 15:14:19 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41796/#review112580
-----------------------------------------------------------

Ship it!


Ship It!

- Sandor Magyari


On Dec. 30, 2015, 6:03 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/41796/
> -----------------------------------------------------------
> 
> (Updated Dec. 30, 2015, 6:03 p.m.)
> 
> 
> Review request for Ambari, Robert Nettleton and Sandor Magyari.
> 
> 
> Bugs: AMBARI-14516
>     https://issues.apache.org/jira/browse/AMBARI-14516
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Failed to deploy Kerberized cluster via Blueprint with custom principal name set in Kerberos
descriptor declared in _Cluster Creation Template_ like 
> 
> ```
> ...
>   "security": {
>     "type": "KERBEROS",
>     "kerberos_descriptor": {
>       "identities": [
>         {
>           "name": "smokeuser",
>           "principal": {
>             "value": "smokeuser9jJevBQAYGQWnRkuapSEp@${realm}"			
>           }
>         }
>       ]
>     }
>   },
> ...
> ```
> 
> The following error (shown in ambari-server.log) was encountered while the cluster was
being built: 
> ```
> Failed to create keytab for smokeuser9jJevBQAYGQWnRkuapSEp@EXAMPLE.COM, missing cached
file
> ```
> 
> # Cause
> This was caused because the Kerberos descriptor in the _Blueprint_ or _Cluster Creation
Template_ did not declare the type property of the principal being updated.  This caused the
logic in Ambari to assume the principal was a _service_ principal rather than a _user_ (or
headless) principal.  Because of this, when merging the updates to the default Kerberos descriptor
(from the stack), the `smokeuser` principal type was changed _user_ to _service_.  Thus it
was skipped over when the _Blueprints_ process executed the phase to ensure (and cache) headless
identities.  
> 
> The bug is in the logic parsing the Kerberos descriptor.  By not specifying a principal
type, the logic assumes the principal type is _service_; however in this case, the principal
type needs to be `null`, so that when the user-specified Kerberos descriptor is merged with
the default Kerberos descriptor, the default principal type is not changed. 
> 
> *NOTE:* This is not limited to _Blueprints_, the issue will cause issues if the specified
Kerberos descriptor artifact is missing `principal/type` properties as well.  See [Set the
Kerberos Descriptor|https://cwiki.apache.org/confluence/display/AMBARI/Automated+Kerberizaton#AutomatedKerberizaton-SettheKerberosDescriptor]
> 
> # Solution
> Change the logic it the Kerberos descriptor parser to allow for the principal type to
be `null`. Handle this value being `null` by consumers of this data such that `null` indicates
the default value of `service`. This will keep the current behavior consistent, and also allow
for the merging facility to properly merge principal updates - like changing the principal
name pattern without needing to specify the principal type as well. 
> 
> # Workaround
> Explicitly set the `type` property of _user_ (or headless) principals in the Kerberos
descriptor:
> ```
> ...
>   "security": {
>     "type": "KERBEROS",
>     "kerberos_descriptor": {
>       "identities": [
>         {
>           "name": "smokeuser",
>           "principal": {
>             "type" : "USER",
>             "value": "smokeuser9jJevBQAYGQWnRkuapSEp@${realm}"			
>           }
>         }
>       ]
>     }
>   },
> ...
> ```
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
ef9cab6 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/HostKerberosIdentityResourceProvider.java
c76ae6c 
>   ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalDescriptor.java
09f6872 
>   ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalType.java
e192be0 
>   ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalDescriptorTest.java
9a4a042 
> 
> Diff: https://reviews.apache.org/r/41796/diff/
> 
> 
> Testing
> -------
> 
> Manually tested
> 
> # Local test results:
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 1:00:52.786s
> [INFO] Finished at: Wed Dec 30 06:23:51 EST 2015
> [INFO] Final Memory: 69M/1754M
> [INFO] ------------------------------------------------------------------------
> 
> # Jenkins test results: 
> 
> INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 01:29 h
> [INFO] Finished at: 2015-12-30T17:00:07+00:00
> [INFO] Final Memory: 132M/588M
> [INFO] ------------------------------------------------------------------------
> 
> 
> Thanks,
> 
> Robert Levas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message