ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-16171) Changes to Phoenix QueryServer Kerberos configuration
Date Fri, 29 Apr 2016 12:17:12 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-16171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15263968#comment-15263968
] 

Robert Levas commented on AMBARI-16171:
---------------------------------------

[~elserj],

For upgrade scenarios, I have used the _UpgradeCatalog_ classes to do the work. This is where
we typically make changes to the existing data in the database.  I assume the target for this
patch is Ambari 2.4.0.  If so, then you will want to edit the UpgradeCatalog240 class ({{org.apache.ambari.server.upgrade.UpgradeCatalog240}})
and add your logic there.

Essentially you are looking to change the following properties in the active version of the
{{hbase-site}} config:
* {{hbase-site/phoenix.queryserver.kerberos.principal}}
* {{hbase-site/phoenix.queryserver.keytab.file}}

I do a similar thing (sort of) in this class when renaming {{kerberos-env/kdc_host}} to {{kerberos-env//kdc_hosts}}.
 See {{org.apache.ambari.server.upgrade.UpgradeCatalog240#updateKerberosConfigs}} for an example
of what you might need to do. 

Please feel free to contact me via Skype, HipChat, or this JIRA if you want to go over this
in more detail. 


> Changes to Phoenix QueryServer Kerberos configuration
> -----------------------------------------------------
>
>                 Key: AMBARI-16171
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16171
>             Project: Ambari
>          Issue Type: Improvement
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>         Attachments: AMBARI-16171.001.patch
>
>
> The up-coming version of Phoenix will contain some new functionality to support Kerberos
authentication of clients via SPNEGO with the Phoenix Query Server (PQS).
> Presently, Ambari will configure PQS to use the hbase service keytab which will result
in the SPNEGO authentication failing as the RFC requires that the "primary" component of the
Kerberos principal for the server is "HTTP". Thus, we need to ensure that we switch PQS over
to use the spnego.service.keytab as the keytab and "HTTP/_HOST@REALM" as the principal.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message