ambari-issues mailing list archives

From "Robert Levas (JIRA)" <>
Subject [jira] [Commented] (AMBARI-16171) Changes to Phoenix QueryServer Kerberos configuration
Date Fri, 29 Apr 2016 19:21:12 GMT


Robert Levas commented on AMBARI-16171:


Yikes, I missed something.  So far you seem to be doing it correctly. However, rather than
checking to see if the KERBEROS service is installed (it may not be if the user chooses the
manual option), you should check to see if the cluster's security type is Kerberos:

cluster.getSecurityType() == SecurityType.KERBEROS

As for the item I missed, you need to update the stored Kerberos descriptor as well as the

So before doing all the property work, you will want to 
# Get the Kerberos descriptor artifact
# See if it has an entry for the PQS
# Update the value for both the principal and keytab items to the value you have specified in the updated {{kerberos.json}} file

Then, once you get the value, you will want to perform the routines to replace the variables in
the relevant Kerberos identity descriptor items.

*To update the Kerberos descriptor*, see {{org.apache.ambari.server.upgrade.UpgradeCatalog220#updateKerberosDescriptorArtifact}}.
 Apparently you need to add {{updateKerberosDescriptorArtifacts()}} to {{org.apache.ambari.server.upgrade.UpgradeCatalog240#executeDMLUpdates}}
to invoke your implementation of {{updateKerberosDescriptorArtifact}}.

*To generate the values* you need for filling in the properties, you will want to invoke
{{org.apache.ambari.server.state.kerberos.VariableReplacementHelper#replaceVariables}}.  You
should be able to create an instance of {{org.apache.ambari.server.state.kerberos.VariableReplacementHelper}}
and then call {{replaceVariables}} any number of times. The trick is feeding the method. The
first argument is the value you want to perform the replacement on (for example, "HTTP/_HOST@${realm}")
and the second is a map of config types to property maps representing the configuration of
the cluster.  You might be able to cheat here if you know which values will be needed for
replacement, but I would not assume anything. 

*To get the Kerberos identity properties for the /spnego identity*, you need to build the
Kerberos descriptor and query it for the data you want.  This can be done by doing the following:

    // Call getKerberosDescriptor on the injected instance, not on the KerberosHelper type
    KerberosHelper kerberosHelper = injector.getInstance(KerberosHelper.class);
    KerberosDescriptor defaultDescriptor = kerberosHelper.getKerberosDescriptor(cluster);

This may or may not work, depending on how much of the infrastructure is available at the
time you make the call.  However, let's try this first since it is easier than manually building
the descriptor yourself. 

Once you get the Kerberos descriptor, you can get the /spnego Kerberos Identity Descriptor
There is no need to use the "/" since you are already at the top of the Kerberos descriptor

From here, you can get the principal and keytab descriptors, and then their values.  For
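    // Look up the spnego identity at the top level of the descriptor
    String value = null;
    KerberosIdentityDescriptor identityDescriptor = defaultDescriptor.getIdentity("spnego");
    if(identityDescriptor != null) {
      KerberosPrincipalDescriptor principalDescriptor = identityDescriptor.getPrincipalDescriptor();
      if(principalDescriptor != null) {
        // Principal value as stored in the descriptor; variables are not yet replaced
        value = principalDescriptor.getValue();
      }
    }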

Finally, *creating the config type to properties map*, can be done by calling {{org.apache.ambari.server.controller.KerberosHelperImpl#calculateConfigurations}}.
 The first parameter is the cluster object, the next should be {{null}} since we don't care
about host-specific configurations at this time, finally the last parameter is the value from

I think this should do the trick.  Let me know if I left something out. 

> Changes to Phoenix QueryServer Kerberos configuration
> -----------------------------------------------------
>                 Key: AMBARI-16171
>                 URL:
>             Project: Ambari
>          Issue Type: Improvement
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>         Attachments: AMBARI-16171.001.patch
> The up-coming version of Phoenix will contain some new functionality to support Kerberos
> authentication of clients via SPNEGO with the Phoenix Query Server (PQS).
> Presently, Ambari will configure PQS to use the hbase service keytab which will result
> in the SPNEGO authentication failing as the RFC requires that the "primary" component of the
> Kerberos principal for the server is "HTTP". Thus, we need to ensure that we switch PQS over
> to use the spnego.service.keytab as the keytab and "HTTP/_HOST@REALM" as the principal.

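
The variable-replacement step described in the comment above, as an added example that is not part of the original message and is not Ambari's code: a simplified stand-in for {{replaceVariables}} that resolves placeholders against a map of config types to property maps and refuses to return a value when a variable cannot be resolved, so a half-filled principal or keytab path never reaches the configuration. The {{${type/name}}} syntax, the empty-string key for ungrouped values such as {{realm}}, the class name, and all sample values are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Simplified stand-in for illustration; NOT Ambari's VariableReplacementHelper.
public class PrincipalTemplateDemo {
  // Assumed placeholder syntax: ${property} or ${config-type/property}
  private static final Pattern VAR =
      Pattern.compile("\\$\\{(?:([\\w.\\-]+)/)?([\\w.\\-]+)\\}");

  static String replaceVariables(String value, Map<String, Map<String, String>> configs) {
    Matcher m = VAR.matcher(value);
    StringBuffer out = new StringBuffer();
    while (m.find()) {
      // Assumption: ungrouped variables such as ${realm} are stored under the "" key
      String type = (m.group(1) == null) ? "" : m.group(1);
      Map<String, String> props = configs.get(type);
      String replacement = (props == null) ? null : props.get(m.group(2));
      if (replacement == null) {
        // Fail closed: never emit a principal or keytab path with a hole in it
        throw new IllegalArgumentException(
            "Unresolved variable " + m.group() + " in \"" + value + "\"");
      }
      m.appendReplacement(out, Matcher.quoteReplacement(replacement));
    }
    m.appendTail(out);
    return out.toString();
  }

  public static void main(String[] args) {
    // Constructed sample configuration: config type -> (property -> value)
    Map<String, Map<String, String>> configs = new HashMap<>();
    Map<String, String> general = new HashMap<>();
    general.put("realm", "EXAMPLE.COM");
    general.put("keytab_dir", "/etc/security/keytabs");
    configs.put("", general);

    // _HOST is not a ${...} variable, so this example leaves it untouched
    System.out.println(replaceVariables("HTTP/_HOST@${realm}", configs));
    System.out.println(replaceVariables("${keytab_dir}/spnego.service.keytab", configs));
    try {
      // "hbase-site" is absent from the sample map, so this must be rejected
      replaceVariables("${hbase-site/some.undefined.property}", configs);
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```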