ambari-issues mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-22356) Ambari changing kafka config upon regenerating keytabs
Date Thu, 02 Nov 2017 19:11:00 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-22356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16236406#comment-16236406 ]

Robert Levas commented on AMBARI-22356:
---------------------------------------

[~arpitkhare04], though this appears to be incorrect behavior for you, this is expected behavior.
  

In the Kafka kerberos.json file, the following exists:

{code}
...
      "configurations": [
        {
          "kafka-broker": {
              "authorizer.class.name": "kafka.security.auth.SimpleAclAuthorizer",
              "principal.to.local.class":"kafka.security.auth.KerberosPrincipalToLocal",
              "super.users": "user:${kafka-env/kafka_user}",
              "security.inter.broker.protocol": "PLAINTEXTSASL",
              "zookeeper.set.acl": "true",
              "listeners": "${kafka-broker/listeners|replace(\\bPLAINTEXT\\b, PLAINTEXTSASL)}"
          }
        },
...
{code}

Here you see {{"security.inter.broker.protocol": "PLAINTEXTSASL"}}.  This is what is causing
the change.

When enabling Kerberos and Regenerating keytab files, Ambari looks to the Kerberos descriptor
(and stack advisor) to get the expected configurations.  This is done when you Regenerate
keytab files in the event something has changed requiring some configuration to be updated.
Since Ambari is not smart enough to know that you manually changed {{security.inter.broker.protocol}}
for a reason, it did its job to make sure that {{security.inter.broker.protocol}} matched
what was expected according to the configuration information it had.  

If you want to force {{security.inter.broker.protocol}} to be "SASL_SSL", you can manually
change the user-supplied Kerberos descriptor and your issue will go away. If you did not manually
change the value back, you can regenerate keytab files to have Ambari do it.

See this article on updating the user-supplied Kerberos descriptor - https://community.hortonworks.com/content/kbentry/89713/updating-the-user-sepecified-kerberos-descriptor.html.

cc: [~omkreddy]


> Ambari changing kafka config upon regenerating keytabs
> ------------------------------------------------------
>
>                 Key: AMBARI-22356
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22356
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.5.2
>         Environment: Operating System: CentOS-7 (64 Bit)
> Ambari Version: 2.5.2.0
>            Reporter: Arpit Khare
>            Priority: Major
>         Attachments: compare_config.png
>
>
> In a Kerberos secure environment, when we add a property *security.inter.broker.protocol* in custom kafka-broker from Ambari:
> {code}security.inter.broker.protocol = SASL_SSL{code}
> and we regenerate the keytabs for missing hosts and components, then Ambari overrides this custom property and sets it to the default value:
> {code}security.inter.broker.protocol = PLAINTEXTSASL{code}
> Attachments:
> 1. Kafka Config compare screenshot: [^compare_config.png]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
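
A pre-flight check for the behavior described in the comment above, as an added example (not Ambari's code and not part of the original message): it resolves the quoted descriptor fragment against a cluster's current settings and reports each property whose value differs from what the descriptor expects, which is what a keytab regeneration would reset. The `CURRENT` values, the function names and the simplified variable resolver are assumptions for illustration; the stack advisor is not modelled.

```python
import json
import re

# Descriptor fragment quoted in the comment (the surrounding "..." omitted).
DESCRIPTOR = json.loads(r'''{"configurations": [{"kafka-broker": {
  "authorizer.class.name": "kafka.security.auth.SimpleAclAuthorizer",
  "principal.to.local.class": "kafka.security.auth.KerberosPrincipalToLocal",
  "super.users": "user:${kafka-env/kafka_user}",
  "security.inter.broker.protocol": "PLAINTEXTSASL",
  "zookeeper.set.acl": "true",
  "listeners": "${kafka-broker/listeners|replace(\\bPLAINTEXT\\b, PLAINTEXTSASL)}"
}}]}''')

# Constructed sample of the cluster's current settings (hypothetical values).
CURRENT = {
    "kafka-env": {"kafka_user": "kafka"},
    "kafka-broker": {
        "authorizer.class.name": "kafka.security.auth.SimpleAclAuthorizer",
        "principal.to.local.class": "kafka.security.auth.KerberosPrincipalToLocal",
        "super.users": "user:kafka",
        "security.inter.broker.protocol": "SASL_SSL",  # the manual override
        "zookeeper.set.acl": "true",
        "listeners": "SASL_SSL://localhost:6667",
    },
}

# ${type/property} with optional |replace(regex, replacement); simplified model, not Ambari's parser.
VAR = re.compile(r"\$\{([^/}|]+)/([^}|]+)(?:\|replace\((.*?),\s*(.*?)\))?\}")

def resolve(template, current):
    """Expand variable references in a descriptor value using current configs."""
    def expand(m):
        ctype, prop, pattern, repl = m.groups()
        value = current.get(ctype, {}).get(prop, "")
        # Replacement text is inserted literally, never treated as a regex template.
        return value if pattern is None else re.sub(pattern, lambda _: repl, value)
    return VAR.sub(expand, template)

def pending_overwrites(descriptor, current):
    """Map (type, property) -> (current, expected) wherever the two differ."""
    changes = {}
    for block in descriptor.get("configurations", []):
        for ctype, props in block.items():
            for prop, template in props.items():
                expected = resolve(template, current)
                actual = current.get(ctype, {}).get(prop)
                if actual != expected:
                    changes[(ctype, prop)] = (actual, expected)
    return changes
```

With the sample above, `pending_overwrites(DESCRIPTOR, CURRENT)` flags only `security.inter.broker.protocol`, and it returns an empty mapping once the descriptor value is set to `SASL_SSL`.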
