ambari-issues mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-22293) Improve KDC integration
Date Tue, 31 Oct 2017 20:47:00 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-22293?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-22293:
----------------------------------
    Description: 
Improve KDC integration by making the interfaces more consistent with each other.

*Notes:*
* When using the MIT KDC or IPA options, the {{kerberos-env/admin_server_host}} value *must be the fully qualified domain name* (FQDN) of the host where the KDC administrator service is.
* When connecting to the MIT KDC and IPA server, a username and password are not used to authenticate using the kadmin utility.  A Kerberos ticket is first acquired and that is used for authentication.
* When creating Kerberos identities using the MIT KDC and IPA handlers, the Ambari-generated password is not used.  All passwords for principals in the MIT KDC and IPA server are generated randomly by the KDC.
* Removed {{kerberos-env/set_password_expiry}} and {{kerberos-env/password_chat_timeout}} properties since they are no longer needed.
* Changed {{kerberos-env/groups}} to {{kerberos-env/ipa_user_groups}} to be more explicit in how the property is used.
* The setPassword implementations for the MIT KDC and IPA handlers do nothing except check to see if the relevant principal exists. This is to maintain backward compatibility with previous implementations.



  was:
Improve KDC integration by making the interfaces more consistent with each other.

*Notes:*
* When using the MIT KDC or IPA options, the {{kerberos-env/admin_server_host}} value *must be the fully qualified domain name* (FQDN) of the host where the KDC administrator service is.
* When connecting to the MIT KDC, a username and password are not used to authenticate using the kadmin utility.  A Kerberos ticket is first acquired and that is used for authentication.
* When creating Kerberos identities using the MIT KDC handler, the Ambari-generated password is no longer used.  All passwords for principals in the MIT KDC are generated randomly by the KDC.
* Removed {{kerberos-env/set_password_expiry}} and {{kerberos-env/password_chat_timeout}} properties since they are no longer needed.
* Changed {{kerberos-env/groups}} to {{kerberos-env/ipa_user_groups}} to be more explicit in how the property is used.
* The setPassword implementations for the MIT KDC and IPA handlers do nothing except check to see if the relevant principal exists. This is to maintain backward compatibility with previous implementations.




> Improve KDC integration
> -----------------------
>
>                 Key: AMBARI-22293
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22293
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server
>    Affects Versions: 3.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos
>             Fix For: 3.0.0
>
>
> Improve KDC integration by making the interfaces more consistent with each other.
> *Notes:*
> * When using the MIT KDC or IPA options, the {{kerberos-env/admin_server_host}} value *must be the fully qualified domain name* (FQDN) of the host where the KDC administrator service is.
> * When connecting to the MIT KDC and IPA server, a username and password are not used to authenticate using the kadmin utility.  A Kerberos ticket is first acquired and that is used for authentication.
> * When creating Kerberos identities using the MIT KDC and IPA handlers, the Ambari-generated password is not used.  All passwords for principals in the MIT KDC and IPA server are generated randomly by the KDC.
> * Removed {{kerberos-env/set_password_expiry}} and {{kerberos-env/password_chat_timeout}} properties since they are no longer needed.
> * Changed {{kerberos-env/groups}} to {{kerberos-env/ipa_user_groups}} to be more explicit in how the property is used.
> * The setPassword implementations for the MIT KDC and IPA handlers do nothing except check to see if the relevant principal exists. This is to maintain backward compatibility with previous implementations.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
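
An added example, not part of the original message and not Ambari's own code: a small audit of a kerberos-env property map against the notes above (FQDN requirement for admin_server_host, the two removed properties, the renamed groups property). The kdc_type key and its values, the optional ":port" suffix, the function names and the sample maps are assumptions constructed for illustration.

```python
import ipaddress
import re

# Property names are taken from the issue notes. "kdc_type" and its values
# are an assumption about how the KDC option is recorded in kerberos-env.
TICKET_BASED_KDCS = {"mit-kdc", "ipa"}
REMOVED = ("set_password_expiry", "password_chat_timeout")
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def split_port(value):
    """Drop an optional ':port' suffix (assumed form) but leave IPv6 literals alone."""
    host, sep, port = value.strip().rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host
    return value.strip()


def is_fqdn(host):
    """True for a multi-label DNS name; False for short names and IP literals."""
    host = host.strip().rstrip(".")
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False  # an IP address is not a fully qualified domain name
    except ValueError:
        pass
    labels = host.split(".")
    return (len(labels) >= 2 and len(host) <= 253
            and all(LABEL.fullmatch(label) for label in labels))


def audit_kerberos_env(props):
    """Return findings for a kerberos-env map that predates this change."""
    findings = []
    if props.get("kdc_type") in TICKET_BASED_KDCS:
        host = split_port(props.get("admin_server_host", ""))
        if not is_fqdn(host):
            findings.append(f"admin_server_host {host!r} is not an FQDN")
    for name in REMOVED:
        if name in props:
            findings.append(f"{name} was removed and should be dropped")
    if "groups" in props:
        findings.append("groups was renamed to ipa_user_groups")
    return findings


# Constructed sample maps, not taken from a real cluster.
SAMPLE_OLD = {"kdc_type": "mit-kdc", "admin_server_host": "kdc01:749",
              "set_password_expiry": "false", "password_chat_timeout": "5",
              "groups": "ambari-managed"}
SAMPLE_NEW = {"kdc_type": "ipa", "admin_server_host": "ipa01.example.com",
              "ipa_user_groups": "ambari-managed"}

if __name__ == "__main__":
    for finding in audit_kerberos_env(SAMPLE_OLD):
        print(finding)
```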
