ambari-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-17968) Changed oozie.authentication.kerberos.principal and oozie.authentication.kerberos.keytab are reverted while regenerating keytab files
Date Mon, 01 Aug 2016 18:35:20 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-17968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15402596#comment-15402596 ]

Hudson commented on AMBARI-17968:
---------------------------------

SUCCESS: Integrated in Ambari-trunk-Commit #5431 (See [https://builds.apache.org/job/Ambari-trunk-Commit/5431/])
AMBARI-17968. Changed oozie.authentication.kerberos.principal and (rlevas: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=c5d32b81b4b83d39c9b96f5703e9b2e03b8bd1d4])
* ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java
* ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py
* ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py


> Changed oozie.authentication.kerberos.principal and oozie.authentication.kerberos.keytab are reverted while regenerating keytab files
> -------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-17968
>                 URL: https://issues.apache.org/jira/browse/AMBARI-17968
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Blocker
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-17968_branch-2.4_01.patch, AMBARI-17968_trunk_01.patch
>
>
> Changed {{oozie-site/oozie.authentication.kerberos.principal}} and {{oozie-site/oozie.authentication.kerberos.keytab}} properties are reverted while regenerating keytab files.
> The changed properties are needed to support Oozie in high availability (HA) mode with failover enabled via a load balancing proxy server.
> *Cause*
> The relevant part of the Kerberos descriptor for Oozie is:
> {code}
>             {
>               "name": "/spnego",
>               "principal": {
>                 "configuration": "oozie-site/oozie.authentication.kerberos.principal"
>               },
>               "keytab": {
>                 "configuration": "oozie-site/oozie.authentication.kerberos.keytab"
>               }
>             }
> {code}
> Because of this, certain Kerberos-related operations (like Regenerate Keytabs) reset the values of {{oozie-site/oozie.authentication.kerberos.principal}} and {{oozie-site/oozie.authentication.kerberos.keytab}} to match the principal name and keytab file of the Kerberos identity definition for {{/spnego}}.
> However, in HA, the properties need to be something like:
> {noformat}
> oozie.authentication.kerberos.principal = "*"
> oozie.authentication.kerberos.keytab = "/path/to/oozie_ha.keytab"
> {noformat}
> *Solution*
> After enabling HA and either before or after enabling Kerberos, the following {{oozie-site}} properties may be set:
> * {{oozie.ha.authentication.kerberos.principal}}
> * {{oozie.ha.authentication.kerberos.keytab}}
> If either exists when configuring Oozie, the value of the property will be used to update the relevant {{oozie.authentication.kerberos.*}} property.
> For example:
> * if {{oozie.ha.authentication.kerberos.principal}} is set, its value will be used to set {{oozie.authentication.kerberos.principal}}
> * if {{oozie.ha.authentication.kerberos.keytab}} is set, its value will be used to set {{oozie.authentication.kerberos.keytab}}
> Note: One or both may be set. 
> So even though {{oozie.authentication.kerberos.principal}} will contain a principal name like {{HTTP/_HOST@SOME.REALM}}, when writing the oozie-site.xml file, the value for {{oozie.authentication.kerberos.principal}} will be written out as the value set for {{oozie.ha.authentication.kerberos.principal}}, which would typically be "\*", when HA is enabled for Oozie.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
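
A minimal Python model of the behaviour described in the issue, added here as an illustration and not taken from the Ambari patch: `regenerate_keytabs`, `render_oozie_site` and `demo` are hypothetical names, and the keytab path of the `/spnego` identity is a constructed placeholder. It runs the reset and the write-time override in sequence for a cluster where only the principal override is set, so the keytab stays at the regenerated value.

```python
# Added illustration, not Ambari code; function names are hypothetical.
BASE = "oozie.authentication.kerberos."
HA = "oozie.ha.authentication.kerberos."

# Property mapping from the /spnego identity in the descriptor quoted above.
SPNEGO_DESCRIPTOR = {
    "principal": "oozie-site/" + BASE + "principal",
    "keytab": "oozie-site/" + BASE + "keytab",
}

# Constructed sample identity; the keytab path is a placeholder.
SPNEGO_IDENTITY = {
    "principal": "HTTP/_HOST@SOME.REALM",
    "keytab": "/path/to/spnego.keytab",
}


def regenerate_keytabs(configs, identity):
    """Model of the reset: descriptor-mapped properties are overwritten
    with the identity's principal name and keytab file."""
    updated = {ctype: dict(props) for ctype, props in configs.items()}
    for field, target in SPNEGO_DESCRIPTOR.items():
        config_type, prop = target.split("/", 1)
        updated.setdefault(config_type, {})[prop] = identity[field]
    return updated


def render_oozie_site(oozie_site):
    """Model of the fix: at write time an existing oozie.ha.* property
    supplies the value of the matching oozie.authentication.kerberos.*."""
    rendered = dict(oozie_site)  # this model leaves the oozie.ha.* keys in place
    for suffix in ("principal", "keytab"):
        if HA + suffix in oozie_site:
            rendered[BASE + suffix] = oozie_site[HA + suffix]
    return rendered


def demo():
    """HA cluster where only the principal override has been set."""
    configs = {"oozie-site": {
        BASE + "principal": "*",
        BASE + "keytab": "/path/to/oozie_ha.keytab",
        HA + "principal": "*",
    }}
    stored = regenerate_keytabs(configs, SPNEGO_IDENTITY)["oozie-site"]
    return stored, render_oozie_site(stored)
```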
