ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sandor Magyari (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-15561) Automate creation of Ambari Server proxy users (secure/non-secure clusters), principal and keytab, setup of JAAS (secure clusters)
Date Wed, 30 Mar 2016 15:52:25 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-15561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Sandor Magyari updated AMBARI-15561:
------------------------------------
    Status: Patch Available  (was: Open)

> Automate creation of Ambari Server proxy users (secure/non-secure clusters), principal
and keytab, setup of JAAS (secure clusters)
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-15561
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15561
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>            Reporter: Sandor Magyari
>            Assignee: Sandor Magyari
>            Priority: Critical
>             Fix For: ambari-2.4.0
>
>         Attachments: AMBARI-15561-v2.patch
>
>
> 	The aim of this improvement is to automate the following: 
> - creation of proxy users for Ambari server necessary for views (Files, Hive, Pig, Tez
etc) 
> - creation of Ambari Server principal and keytab, and setup of JAAS which is currently
a manual step documented here: 
> http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_optional_set_up_kerberos_for_ambari_server.html
> In case of a non secure cluster, Ambari proxy user will be set up for the user account
Ambari Server is running as. This is specified in *ambari-server.properties* by *ambari-server.user*
and can be adjusted by running 'ambari-server setup'. 
> Stackadvisor is responsible for configuring proxy users, both for secure / non-secure
cluster, wizard or blueprint based deployments. 
> Therefore in case of blueprint based deployments proxy users will be only created if
"config_recommendation_strategy": "ALWAYS_APPLY" in Cluster template. 
> The following proxy users will be configured by stackadvisor: 
> {code} 
> hadoop.proxyuser.${ambari_proxy_user}.groups=* 
> hadoop.proxyuser.${ambari_proxy_user}.hosts=* 
> hadoop.proxyuser.hcat.groups=* 
> hadoop.proxyuser.hcat.hosts=* 
> webhcat.proxyuser.${ambari_proxy_user}.groups=* 
> webhcat.proxyuser.${ambari_proxy_user}.hosts=* 
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.hosts=* 
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.users=* 
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.groups=* 
> {code} 
> For a secure (eg. securityType=KERBEROS) cluster proxy user will be setup based on Ambari
Server principal. 
> A new identity 'ambari-server' will be added to default kerberos descriptor where principal
name is specified which can be modified either in Kerberos Setup wizard screen, or by submitting
a custom kerberos descriptor in Blueprint case. 
> By default, principal name is: {code}ambari-server-${cluster_name}@${realm}{code} 
> Generate principal & keytab is set in JAAS configuration file. 
> Generation of Ambari Server principal and keytab can be enabled / disabled by setting
config property *create_ambari_principal* = true / false in kerberos-env config. ('Create
Ambari Principal & Keytab' on Keberos Setup wizard screen). This is enabled by default.
> There is a new functionality in Kerberos related handling of configurations recommended
by StackAdvisor, properties marked with delete flag by StackAdvisor are removed from configuration
when running Enable Kerberos wizard. This is necessary to be able to remove old Ambari proxy
users in non-secure mode.
> In a scenario where multiple Ambari servers are managing a single cluster, only the _operation
master_ Ambari server will be affected. All other Ambari server instances will need to be
manually updated. Meaning, the Ambari server keytab file will need to be manually distributed
to the _other_ Ambari server hosts. Also, the _other_ Ambari servers' JAAS files will need
to be manually updated either by editing the {{/etc/ambari-server/conf/krb5JAASLogin.conf}}
file or by executing {{ambari-server setup-security}} and selecting option #3, {{Setup Ambari
kerberos JAAS configuration}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message