From: "Sandor Magyari (JIRA)"
To: issues@ambari.apache.org
Date: Fri, 25 Mar 2016 09:07:25 +0000 (UTC)
Subject: [jira] [Updated] (AMBARI-15561) Automate creation of Ambari Server proxy users (secure/non-secure clusters), principal and keytab, setup of JAAS (secure clusters)

[ https://issues.apache.org/jira/browse/AMBARI-15561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandor Magyari updated AMBARI-15561:
------------------------------------
    Description:
The aim of this improvement is to automate the following:
- creation of proxy users for Ambari server necessary for views (Files, Hive, Pig, Tez etc)
- creation of Ambari Server principal and keytab, and setup of JAAS which is currently a manual step documented here:
http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_optional_set_up_kerberos_for_ambari_server.html

In case of a non-secure cluster, the Ambari proxy user will be set up for the user account Ambari Server is running as. This is specified in *ambari-server.properties* by *ambari-server.user* and can be adjusted by running 'ambari-server setup'.
Stackadvisor is responsible for configuring proxy users, both for secure / non-secure clusters, wizard or blueprint based deployments.
Therefore in case of blueprint based deployments proxy users will only be created if "config_recommendation_strategy": "ALWAYS_APPLY" is set in the Cluster template.
The following proxy users will be configured by stackadvisor:
{code}
hadoop.proxyuser.${ambari_proxy_user}.groups=*
hadoop.proxyuser.${ambari_proxy_user}.hosts=*
hadoop.proxyuser.hcat.groups=*
hadoop.proxyuser.hcat.hosts=*
webhcat.proxyuser.${ambari_proxy_user}.groups=*
webhcat.proxyuser.${ambari_proxy_user}.hosts=*
yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.hosts=*
yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.users=*
yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.groups=*
{code}
For a secure (e.g. securityType=KERBEROS) cluster the proxy user will be set up based on the Ambari Server principal.
A new identity 'ambari-server' will be added to the default kerberos descriptor where the principal name is specified, which can be modified either in the Kerberos Setup wizard screen, or by submitting a custom kerberos descriptor in the Blueprint case.
By default, the principal name is: {code}ambari-server-${cluster_name}@${realm}{code}
The generated principal & keytab are set in the JAAS configuration file.
Generation of the Ambari Server principal and keytab can be enabled / disabled by setting the config property *create_ambari_principal* = true / false in kerberos-env config ('Create Ambari Principal & Keytab' on the Kerberos Setup wizard screen). This is enabled by default.

In a scenario where multiple Ambari servers are managing a single cluster, only the _operation master_ Ambari server will be affected. All other Ambari server instances will need to be manually updated. Meaning, the Ambari server keytab file will need to be manually distributed to the _other_ Ambari server hosts. Also, the _other_ Ambari servers' JAAS files will need to be manually updated either by editing the {{/etc/ambari-server/conf/krb5JAASLogin.conf}} file or by executing {{ambari-server setup-security}} and selecting option #3, {{Setup Ambari kerberos JAAS configuration}}.

was:
The aim of this improvement is to automate the following:
- creation of proxy users for Ambari server necessary for views (Files, Hive, Pig, Tez etc)
- creation of Ambari Server principal and keytab, and setup of JAAS which is currently a manual step documented here:
http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_optional_set_up_kerberos_for_ambari_server.html

In case of a non-secure cluster, the Ambari proxy user will be set up for the user account Ambari Server is running as. This is specified in *ambari-server.properties* by *ambari-server.user* and can be adjusted by running 'ambari-server setup'.
Stackadvisor is responsible for configuring proxy users, both for secure / non-secure clusters, wizard or blueprint based deployments.
Therefore in case of blueprint based deployments proxy users will only be created if "config_recommendation_strategy": "ALWAYS_APPLY" is set in the Cluster template.
The following proxy users will be configured by stackadvisor:
{code}
hadoop.proxyuser.${ambari_proxy_user}.groups=*
hadoop.proxyuser.${ambari_proxy_user}.hosts=*
hadoop.proxyuser.hcat.groups=*
hadoop.proxyuser.hcat.hosts=*
webhcat.proxyuser.${ambari_proxy_user}.groups=*
webhcat.proxyuser.${ambari_proxy_user}.hosts=*
yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.hosts=*
yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.users=*
yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.groups=*
{code}
For a secure (e.g. securityType=KERBEROS) cluster the proxy user will be set up based on the Ambari Server principal.
A new identity 'ambari-server' will be added to the default kerberos descriptor where the principal name is specified, which can be modified either in the Kerberos Setup wizard screen, or by submitting a custom kerberos descriptor in the Blueprint case.
By default, the principal name is: {code}ambari-server-${cluster_name}@${realm}{code}
The generated principal & keytab are set in the JAAS configuration file for Ambari server.
Generation of the Ambari Server principal and keytab can be enabled / disabled by setting the config property *create_ambari_principal* = true / false in kerberos-env config ('Create Ambari Principal & Keytab' on the Kerberos Setup wizard screen). By default it is set to true.

In a scenario where multiple Ambari servers are managing a single cluster, only the _operation master_ Ambari server will be affected. All other Ambari server instances will need to be manually updated. Meaning, the Ambari server keytab file will need to be manually distributed to the _other_ Ambari server hosts. Also, the _other_ Ambari servers' JAAS files will need to be manually updated either by editing the {{/etc/ambari-server/conf/krb5JAASLogin.conf}} file or by executing {{ambari-server setup-security}} and selecting option #3, {{Setup Ambari kerberos JAAS configuration}}.

> Automate creation of Ambari Server proxy users (secure/non-secure clusters), principal and keytab, setup of JAAS (secure clusters)
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-15561
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15561
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>            Reporter: Sandor Magyari
>            Assignee: Sandor Magyari
>            Priority: Critical
>             Fix For: ambari-2.4.0
>
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
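As an added illustration (not Ambari's stack advisor code), the following derives the proxy user the issue describes for both cluster types (the ambari-server.user account, or the short name of the ambari-server-${cluster_name}@${realm} principal under the default auth_to_local mapping, which is an assumption here), emits the nine properties listed above, and audits which `.hosts` entries still allow impersonation from any host; the grouping into core-site / webhcat-site / yarn-site is likewise an assumption of this example.

```python
"""Added example for AMBARI-15561; not Ambari's own stack advisor implementation."""

# Default principal template from the issue description.
PRINCIPAL_TEMPLATE = "ambari-server-${cluster_name}@${realm}"


def ambari_principal(cluster_name, realm, template=PRINCIPAL_TEMPLATE):
    """Expand the 'ambari-server' identity's principal name template."""
    return template.replace("${cluster_name}", cluster_name).replace("${realm}", realm)


def ambari_proxy_user(security_type, ambari_server_user, cluster_name="", realm=""):
    """Non-secure: the OS account from ambari-server.user.
    KERBEROS: the principal's primary (assumes the default auth_to_local rule,
    which strips the realm and any instance part)."""
    if security_type.upper() != "KERBEROS":
        return ambari_server_user
    principal = ambari_principal(cluster_name, realm)
    return principal.split("@", 1)[0].split("/", 1)[0]


def proxy_user_properties(proxy_user, ambari_hosts="*"):
    """The nine properties from the issue, grouped by the config type they
    belong to (grouping assumed). ambari_hosts defaults to '*' as in the issue;
    pass the Ambari Server hostname to restrict where impersonation may originate.
    The hcat entries keep '*' because WebHCat does not run on the Ambari host."""
    u = proxy_user
    ts = "yarn.timeline-service.http-authentication.proxyuser." + u
    return {
        "core-site": {
            "hadoop.proxyuser.%s.groups" % u: "*",
            "hadoop.proxyuser.%s.hosts" % u: ambari_hosts,
            "hadoop.proxyuser.hcat.groups": "*",
            "hadoop.proxyuser.hcat.hosts": "*",
        },
        "webhcat-site": {
            "webhcat.proxyuser.%s.groups" % u: "*",
            "webhcat.proxyuser.%s.hosts" % u: ambari_hosts,
        },
        "yarn-site": {ts + ".hosts": ambari_hosts, ts + ".users": "*", ts + ".groups": "*"},
    }


def wildcard_host_entries(props):
    """Audit helper: proxyuser '.hosts' keys still set to '*' (any host may impersonate)."""
    return sorted(k for cfg in props.values() for k, v in cfg.items()
                  if k.endswith(".hosts") and v == "*")
```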