From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-17968) Changed oozie.authentication.kerberos.principal and oozie.authentication.kerberos.keytab are reverted while regenerating keytab files
Date Mon, 01 Aug 2016 01:52:20 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-17968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-17968:
----------------------------------
    Description: 
Changed {{oozie-site/oozie.authentication.kerberos.principal}} and {{oozie-site/oozie.authentication.kerberos.keytab}}
properties are reverted while regenerating keytab files.

The changed properties are needed to support Oozie in high availability (HA) mode with failover
enabled via a load balancing proxy server.

*Cause*
The relevant part of the Kerberos descriptor for Oozie is:
{code}
            {
              "name": "/spnego",
              "principal": {
                "configuration": "oozie-site/oozie.authentication.kerberos.principal"
              },
              "keytab": {
                "configuration": "oozie-site/oozie.authentication.kerberos.keytab"
              }
            }
{code}

Because of this, certain Kerberos-related operations (like Regenerate Keytabs) reset the
values of {{oozie-site/oozie.authentication.kerberos.principal}} and {{oozie-site/oozie.authentication.kerberos.keytab}}
to match the principal name and keytab file of the Kerberos identity definition for {{/spnego}}.

However, in HA, the properties need to be something like:
{noformat}
oozie.authentication.kerberos.principal = "*"
oozie.authentication.kerberos.keytab = "/path/to/oozie_ha.keytab"
{noformat}

*Solution*
After enabling HA and either before or after enabling Kerberos, the following {{oozie-site}}
properties may be set:
* {{oozie.ha.authentication.kerberos.principal}}
* {{oozie.ha.authentication.kerberos.keytab}}

If either exists when configuring Oozie, the value of the property will be used to update the
relevant {{oozie.authentication.kerberos.*}} property.

For example:
* if {{oozie.ha.authentication.kerberos.principal}} is set, its value will be used to set
{{oozie.authentication.kerberos.principal}}
* if {{oozie.ha.authentication.kerberos.keytab}} is set, its value will be used to set {{oozie.authentication.kerberos.keytab}}
Note: One or both may be set. 

So even though {{oozie.authentication.kerberos.principal}} will contain a principal name like
{{HTTP/_HOST@SOME.REALM}}, when writing the oozie-site.xml file, the value for {{oozie.authentication.kerberos.principal}}
will be written out as the value set for {{oozie.ha.authentication.kerberos.principal}}, which
would typically be "\*", when HA is enabled for Oozie. 

  was:
Changed {{oozie-site/oozie.authentication.kerberos.principal}} and {{oozie-site/oozie.authentication.kerberos.keytab}}
properties are reverted while regenerating keytab files.

The changed properties are needed to support Oozie in high availability (HA) mode with failover
enabled via a load balancing proxy server.

*Cause*
The relevant part of the Kerberos descriptor for Oozie is:
{code}
            {
              "name": "/spnego",
              "principal": {
                "configuration": "oozie-site/oozie.authentication.kerberos.principal"
              },
              "keytab": {
                "configuration": "oozie-site/oozie.authentication.kerberos.keytab"
              }
            }
{code}

Because of this, certain Kerberos-related operations (like Regenerate Keytabs) reset the
values of {{oozie-site/oozie.authentication.kerberos.principal}} and {{oozie-site/oozie.authentication.kerberos.keytab}}
to match the principal name and keytab file of the Kerberos identity definition for {{/spnego}}.

However, in HA, the properties need to be something like:
{noformat}
oozie.authentication.kerberos.principal = "*"
oozie.authentication.kerberos.keytab = "/path/to/oozie_ha.keytab"
{noformat}

*Solution*
Rather than have the {{oozie.authentication.kerberos.principal}} and {{oozie.authentication.kerberos.keytab}}
set when processing the Kerberos descriptor, set _placeholder_ properties that can be used
to populate the _real_ properties if needed.

{code}
            {
              "name": "/spnego",
              "principal": {
                "configuration": "oozie-site/oozie_authentication_kerberos_principal_placeholder"
              },
              "keytab": {
                "configuration": "oozie-site/oozie_authentication_kerberos_keytab_placeholder"
              }
            }
{code}

Then, by default the following values will be set:

{noformat}
oozie.authentication.kerberos.principal = "{{oozie_site.oozie_authentication_kerberos_principal_placeholder}}"
oozie.authentication.kerberos.keytab = "{{oozie_site.oozie_authentication_kerberos_keytab_placeholder}}"
{noformat}

This will cause a replacement to happen on the ambari-agent side to set the properties as
they are today. 

However if the user changes the value of the properties, from the Python template values,
then those _static_ values will be used instead. 

So without changes, the values on the agent-side will effectively be the same as the _placeholder_
values. If changed, from the Python template values to some concrete value, then no change
will be performed on the agent-side, keeping the values of {{oozie.authentication.kerberos.principal}}
and {{oozie.authentication.kerberos.keytab}} as set by the user.
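As an added illustration, not Ambari's own code, of the mechanism proposed in the updated description: a small Python model in which Regenerate Keytabs writes the {{/spnego}} identity into the properties the descriptor points at, and oozie-site is then rendered with any {{oozie.ha.*}} property overriding the matching {{oozie.authentication.kerberos.*}} property. The descriptor fragment is the one quoted in the issue; the identity values, the spnego keytab path and the function names are constructed for this example.

```python
import json
# Kerberos descriptor fragment quoted in the issue: the /spnego identity's principal
# name and keytab path are pushed into the oozie-site properties named here.
DESCRIPTOR = json.loads("""{
  "name": "/spnego",
  "principal": {"configuration": "oozie-site/oozie.authentication.kerberos.principal"},
  "keytab": {"configuration": "oozie-site/oozie.authentication.kerberos.keytab"}
}""")

# Constructed identity values; a real cluster's come from the KDC and keytab generation.
SPNEGO_IDENTITY = {"principal": "HTTP/_HOST@SOME.REALM", "keytab": "/etc/security/keytabs/spnego.service.keytab"}

# Proposed oozie.ha.* properties and the real property each one overrides when set.
HA_OVERRIDES = {
    "oozie.ha.authentication.kerberos.principal": "oozie.authentication.kerberos.principal",
    "oozie.ha.authentication.kerberos.keytab": "oozie.authentication.kerberos.keytab",
}
# What an HA deployment behind a load balancer needs the real properties to end up as.
HA_SETTINGS = {"principal": "*", "keytab": "/path/to/oozie_ha.keytab"}

def regenerate_keytabs(configs, descriptor, identity):
    """Model of 'Regenerate Keytabs': every property a descriptor 'configuration' field
    points at is overwritten with the identity's value, whatever the user had set."""
    for part in ("principal", "keytab"):
        config_type, prop = descriptor[part]["configuration"].split("/", 1)
        configs.setdefault(config_type, {})[prop] = identity[part]
    return configs

def render_oozie_site(configs):
    """Render oozie-site as the fix proposes: when an oozie.ha.* property exists, its
    value is what gets written for the matching oozie.authentication.kerberos.* property."""
    site = dict(configs.get("oozie-site", {}))
    for ha_prop, real_prop in HA_OVERRIDES.items():
        if ha_prop in site:
            site[real_prop] = site[ha_prop]
    return site

def before_fix():
    """Operator edits the real properties directly; regeneration silently reverts them."""
    configs = {"oozie-site": {"oozie.authentication.kerberos.principal": HA_SETTINGS["principal"],
                              "oozie.authentication.kerberos.keytab": HA_SETTINGS["keytab"]}}
    return regenerate_keytabs(configs, DESCRIPTOR, SPNEGO_IDENTITY)["oozie-site"]

def after_fix():
    """Operator sets oozie.ha.* instead; regeneration leaves them alone and rendering uses them."""
    configs = {"oozie-site": {"oozie.ha.authentication.kerberos.principal": HA_SETTINGS["principal"],
                              "oozie.ha.authentication.kerberos.keytab": HA_SETTINGS["keytab"]}}
    regenerate_keytabs(configs, DESCRIPTOR, SPNEGO_IDENTITY)
    return render_oozie_site(configs)
```

Calling before_fix() shows the reverted values that the issue reports; after_fix() shows the "*" principal and HA keytab surviving regeneration.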

> Changed oozie.authentication.kerberos.principal and oozie.authentication.kerberos.keytab
are reverted while regenerating keytab files
> -------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-17968
>                 URL: https://issues.apache.org/jira/browse/AMBARI-17968
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Blocker
>             Fix For: 2.4.0
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
