From: "Sandor Magyari (JIRA)"
To: issues@ambari.apache.org
Date: Thu, 24 Mar 2016 21:23:25 +0000 (UTC)
Subject: [jira] [Updated] (AMBARI-15561) Automate creation of Ambari Server proxy users (secure/non-secure clusters), principal and keytab, setup of JAAS (secure clusters)

[ https://issues.apache.org/jira/browse/AMBARI-15561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandor Magyari updated AMBARI-15561:
------------------------------------
    Description:

The aim of this improvement is to automate the following:
- creation of proxy users for Ambari server necessary for views (Files, Hive, Pig, Tez etc)
- creation of Ambari Server principal and keytab, and setup of JAAS which is currently a manual step documented
here: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_optional_set_up_kerberos_for_ambari_server.html

In case of a non-secure cluster, the Ambari proxy user will be set up for the user account Ambari Server is running as. This is specified in *ambari-server.properties* by *ambari-server.user* and can be adjusted by running 'ambari-server setup'.

Stackadvisor is responsible for configuring proxy users, both for secure / non-secure clusters and for wizard or blueprint based deployments. Therefore, in case of blueprint based deployments, proxy users will only be created if "config_recommendation_strategy": "ALWAYS_APPLY" is set in the Cluster template.

The following proxy users will be configured by stackadvisor:
{code}
hadoop.proxyuser.${ambari_proxy_user}.groups=*
hadoop.proxyuser.${ambari_proxy_user}.hosts=*
hadoop.proxyuser.hcat.groups=*
hadoop.proxyuser.hcat.hosts=*
webhcat.proxyuser.${ambari_proxy_user}.groups=*
webhcat.proxyuser.${ambari_proxy_user}.hosts=*
yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.hosts=*
yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.users=*
yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.groups=*
{code}

For a secure (e.g. securityType=KERBEROS) cluster the proxy user will be set up based on the Ambari Server principal.

A new identity 'ambari-server' will be added to the default kerberos descriptor, where the principal name is specified; it can be modified either in the Kerberos Setup wizard screen, or by submitting a custom kerberos descriptor in the Blueprint case. By default, the principal name is:
{code}
ambari-server-${cluster_name}@${realm}
{code}
The generated principal & keytab are set in the JAAS configuration file.

Generation of the Ambari Server principal and keytab can be enabled / disabled by setting the config property *create_ambari_principal* = true / false in the kerberos-env config ('Create Ambari Principal & Keytab' on the Kerberos Setup wizard screen).
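As an added example (not Ambari's stackadvisor code), the following Python expands the proxy-user properties listed above for a given Ambari proxy user, derives that user from the default principal form, and audits which entries carry the unrestricted wildcard so an operator can see exactly what impersonation scope the generated config grants. The `restrict_hosts` helper, the host name and the principal value are constructed for illustration, and the principal-to-user mapping assumes Hadoop's DEFAULT auth_to_local rule.

```python
import re

# Property templates copied from the ticket's stackadvisor list.
PROXY_TEMPLATES = [
    "hadoop.proxyuser.${ambari_proxy_user}.groups",
    "hadoop.proxyuser.${ambari_proxy_user}.hosts",
    "hadoop.proxyuser.hcat.groups",
    "hadoop.proxyuser.hcat.hosts",
    "webhcat.proxyuser.${ambari_proxy_user}.groups",
    "webhcat.proxyuser.${ambari_proxy_user}.hosts",
    "yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.hosts",
    "yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.users",
    "yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.groups",
]
# Matches the three proxyuser namespaces used above.
PROXY_KEY = re.compile(
    r"^(?P<ns>hadoop|webhcat|yarn\.timeline-service\.http-authentication)"
    r"\.proxyuser\.(?P<user>[^.]+)\.(?P<attr>hosts|groups|users)$"
)


def proxy_user_from_principal(principal):
    """Short name of e.g. ambari-server-cl1@EXAMPLE.COM (constructed value);
    assumes Hadoop's DEFAULT auth_to_local rule, which just strips the realm."""
    return principal.split("@", 1)[0]


def render_proxy_user_props(ambari_proxy_user):
    """Expand the templates as the ticket describes: every value is '*'."""
    return {t.replace("${ambari_proxy_user}", ambari_proxy_user): "*"
            for t in PROXY_TEMPLATES}


def audit_wildcards(props):
    """(namespace, user, attr) for each proxyuser entry whose value is the
    unrestricted '*'; hosts=* lets any host impersonate through that user."""
    findings = []
    for key, value in sorted(props.items()):
        m = PROXY_KEY.match(key)
        if m and value.strip() == "*":
            findings.append((m.group("ns"), m.group("user"), m.group("attr")))
    return findings


def restrict_hosts(props, user, allowed_hosts):
    """Hypothetical hardening helper: copy of props where the given user's
    '.hosts' entries name only allowed_hosts (e.g. the Ambari Server host)."""
    out = dict(props)
    for key in props:
        m = PROXY_KEY.match(key)
        if m and m.group("user") == user and m.group("attr") == "hosts":
            out[key] = ",".join(allowed_hosts)
    return out
```

Running the audit before and after `restrict_hosts` shows that the hcat entries keep their wildcards regardless of the Ambari proxy user, so they need to be reviewed separately.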
In a scenario where multiple Ambari servers are managing a single cluster, only the _operation master_ Ambari server will be affected. All other Ambari server instances will need to be updated manually: the Ambari server keytab file will need to be distributed by hand to the _other_ Ambari server hosts, and the _other_ Ambari servers' JAAS files will need to be updated either by editing the {{/etc/ambari-server/conf/krb5JAASLogin.conf}} file or by executing {{ambari-server setup-security}} and selecting option #3, {{Setup Ambari kerberos JAAS configuration}}.
> Automate creation of Ambari Server proxy users (secure/non-secure clusters), principal and keytab, setup of JAAS (secure clusters)
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-15561
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15561
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>            Reporter: Sandor Magyari
>            Assignee: Sandor Magyari
>            Priority: Critical
>             Fix For: ambari-2.4.0
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)