ambari-dev mailing list archives

From Bolke de Bruin <bdbr...@gmail.com>
Subject Re: Review Request 44148: Add FreeIPA support to Ambari.
Date Tue, 01 Mar 2016 07:53:05 GMT


> On mrt 1, 2016, 1:51 a.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java, line 865
> > <https://reviews.apache.org/r/44148/diff/4/?file=1274675#file1274675line865>
> >
> >     Why not use the default implementation of this?  It appears you are using the Ambari-generated password when creating the account, so the default impl should work fine.

A couple of reasons why not to use the default implementation

1) BLOCKING: In case not using the ambari-generated password, which can happen if using the
"krbPasswordExpiry" attribute setting, this won't work per comments
2) I think it is better to use the supplied mechanisms for creating a keytab instead of rolling
your own (see also point 1) and yes I have seen faulty keytabs being generated by Ambari due
to assumptions not being correct.


> On mrt 1, 2016, 1:51 a.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java, line 500
> > <https://reviews.apache.org/r/44148/diff/4/?file=1274675#file1274675line500>
> >
> >     When executing kinit for this purpose, is the credential cache being stored in an alternate location, else will it overwrite the credential cache for Ambari itself?

Good point. I will fix this.


- Bolke


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44148/#review121368
-----------------------------------------------------------


On feb 29, 2016, 9:49 p.m., Bolke de Bruin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44148/
> -----------------------------------------------------------
> 
> (Updated feb 29, 2016, 9:49 p.m.)
> 
> 
> Review request for Ambari and Robert Levas.
> 
> 
> Bugs: AMBARI-6432
>     https://issues.apache.org/jira/browse/AMBARI-6432
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> FreeIPA is the Active Directory equivalent for Linux. This patch adds support for FreeIPA. It requires ipa-admintools to be installed on the ambari host. In addition it either requires write access to the krbPasswordPassword attribute or a suitable password policy needs to be in place (ipa pwpolicy).
> 
> It has been requested to have this implemented in several tickets.
> 
> To test.
> 
> * Have a working IPA server available
> * Create a group "ambari-managed-principals" (configurable)
> * Create a password policy for this group or make the krb5PasswordExpiry attribute writable (not per se required for testing)
> * Enroll all hosts into ipa
> * make sure the ipa-admintools are available on the ambari host
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java be6edc9 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KDCType.java 5b1372a 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java 4cd050e 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerFactory.java bfd45b7 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml a03dea6 
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandlerTest.java PRE-CREATION 
>   ambari-web/app/controllers/main/admin/kerberos.js c021c89 
>   ambari-web/app/controllers/main/admin/kerberos/step1_controller.js b9056ed 
>   ambari-web/app/controllers/main/admin/kerberos/step2_controller.js 9b411c6 
>   ambari-web/app/controllers/main/admin/kerberos/step5_controller.js 5aa4b8c 
>   ambari-web/app/controllers/main/service/info/configs.js a22bb48 
>   ambari-web/app/data/HDP2/site_properties.js 3ea6c68 
>   ambari-web/app/messages.js 1cefce2 
>   ambari-web/app/views/common/controls_view.js d355ffe 
> 
> Diff: https://reviews.apache.org/r/44148/diff/
> 
> 
> Testing
> -------
> 
> FreeIPA 4.2 on CentOS 7. Multiple times kerberization and de-kerberization.
> 
> 
> Thanks,
> 
> Bolke de Bruin
> 
>
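
The credential-cache concern raised in the review above (a kinit run for principal management overwriting the cache Ambari itself uses), as an added example that is not part of this thread or of the patch under review: a shell wrapper that points `KRB5CCNAME` at a throwaway cache for a single command. The helper name `with_private_ccache` and the principal in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the patch under review).
# with_private_ccache is a hypothetical helper name.

# Run "$@" with KRB5CCNAME pointing at a private, throwaway FILE: cache so a
# kinit inside it cannot overwrite the caller's own credential cache.
with_private_ccache() {
    # mktemp -d creates the directory with mode 0700: other local users
    # cannot read the tickets while the command runs.
    _cc_dir=$(mktemp -d "${TMPDIR:-/tmp}/private-ccache.XXXXXX") || return 1

    _rc=0
    (
        # Subshell: the override is visible to the command only and never
        # leaks back into the calling process's environment.
        KRB5CCNAME="FILE:${_cc_dir}/krb5cc"
        export KRB5CCNAME
        "$@"
    ) || _rc=$?

    # Delete the cache whether or not the command succeeded, so the admin
    # tickets do not outlive the operation.
    rm -rf "$_cc_dir"
    return "$_rc"
}

# Usage (constructed principal; kinit prompts for the password):
#   with_private_ccache sh -c 'kinit admin@EXAMPLE.COM && klist'
```

The same isolation applies when the command is launched from Java: set `KRB5CCNAME` in the child process's environment instead of relying on the default cache location.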

