ambari-user mailing list archives

From Robert Levas <rle...@hortonworks.com>
Subject Re: Re: Re: User Management with kerboes
Date Thu, 17 Aug 2017 12:49:43 GMT
Xinen,

I do not believe that a front end to an identity management system is an appropriate feature
for Ambari, or maybe I am still missing your point; however, feel free to see what other members
of the team think by either emailing dev@ambari.apache.org
or creating a JIRA at https://issues.apache.org/jira.

Ambari currently has an API to manage user accounts local to Ambari. The docs are, unfortunately,
not in the main branches of the repository.  I added docs to a feature branch that will eventually
be merged into the trunk for Ambari 3.0.0; but it documents a future version of the API. Feel
free to take a look at https://github.com/apache/ambari/blob/branch-feature-AMBARI-20859/ambari-server/docs/api/v1/user-resources.md.
 I do not think that there is a decent guide on using the API to create and manage users within
Ambari.  Keep in mind, this API is used to create and manage user accounts within Ambari, only.
 Using this API will not trigger logic to create accounts in a remote system (like an Active
Directory), nor to generate accounts in some KDC (like FreeIPA or the MIT KDC).

Ambari does not have a way to support custom API handlers at runtime.  The facility needs
to know beforehand what the URLs are to be handled by the API logic.  So if you wanted to
add something, it would need to be added to the Ambari code itself. If you wish to take this
route, come up with a design and let the developers comment on it by emailing it to dev@ambari.apache.org
or by creating a JIRA at https://issues.apache.org/jira.

Rob

From: Yuanxinen <yuanxinen@huawei.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Wednesday, August 16, 2017 at 10:01 PM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Re: Re: User Management with kerboes

Hi Rob
Thank you very much.

If I implement a user identity management system in Ambari, and add some REST APIs in Ambari,
is there any custom API to implement this in Ambari?
I mean, if Ambari supports customizing the REST API, and I only configure some properties and put
the jar in the env, then it will work, with no need to replace the Ambari code.
Can I do it like this?




Regards
Xinen Yuan
From: Robert Levas [mailto:rlevas@hortonworks.com]
Sent: August 16, 2017 20:46
To: user@ambari.apache.org
Subject: Re: Re: User Management with kerboes

Xinen…

Since Ambari is not meant to be an identity management system, you will need to manually create
the account for that user in your identity management system.  If you do not have one… for
example an Active Directory or some LDAP server… then I assume Ambari is set to use some
local MIT KDC and the Ambari users will be manually entered as _local_ users. If this is the
case, you will need to perform (some or all) of these steps manually:

1) Create a principal for your user(s) in the MIT KDC using the KDC’s kadmin utility

2) Create the local user account(s) on the hosts in the cluster

3) Add the user(s) to Ambari as local user account(s).

If using Ambari views, then there is no need to create a Kerberos ticket for the user.  Ambari
will handle issuing commands as the logged in user.

If using the services’ command-line tools, you will need to obtain Kerberos tickets, using
kinit, before issuing the commands.

Since Ambari is not meant to be used as a front end to a user identity management system,
there is no API for this.  There are also no plans to implement one.

Rob


From: Yuanxinen <yuanxinen@huawei.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Wednesday, August 16, 2017 at 2:12 AM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Re: User Management with kerboes

Hi Rob
Thank you for your reply.

I installed one HDP 2.6, and another application wants to use HDP services, like the HDFS filesystem,
HBase database and Hive database. So this application needs one Kerberos user principal and
its keytab.
But now there are no REST APIs for creating the Kerberos user principal and downloading its
keytabs by the Ambari UI or REST APIs, and I do this manually with the Kerberos client.
So I want to check if there is any REST API to create/get username and keytab..?

If not, if I want to implement these APIs, is there any custom API to implement this in Ambari?

Or is there a plan to support this in Ambari?


Regards
Xinen Yuan

From: Robert Levas [mailto:rlevas@hortonworks.com]
Sent: August 15, 2017 20:30
To: user@ambari.apache.org
Subject: Re: User Management with kerboes

Hi Xinen

Can you clarify what you are trying to (or would like to) do?

Ambari is not a general identity management system. Therefore, it does not have facilities
to create just any identity (usernames, passwords, keytabs).  It really only knows how to
create the identities that it needs for the installed services when Kerberos is enabled.

If you are trying to get around using some LDAP or Active Directory interface, you can try
the steps in the following article that shows how to create accounts using the OpenLDAP command
line utilities - https://community.hortonworks.com/articles/82544/how-to-create-ad-principal-accounts-using-openldap.html.

If you are looking to get information on what identities Ambari will create you can issue
one of a few API calls.  If Kerberos has not yet been enabled, you can get the stack-level
Kerberos descriptor (which serves as the base set of instructions for enabling Kerberos) by
issuing the following API call:

http://AMBARI_SERVER_HOST:PORT/api/v1/stacks/HDP/versions/2.6/artifacts/kerberos_descriptor
replacing AMBARI_SERVER_HOST and PORT as well as the relevant stack information.

Or more simply, if a cluster has been installed:

http://AMBARI_SERVER_HOST:PORT/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/STACK
replacing AMBARI_SERVER_HOST, PORT, and CLUSTER_NAME.

If Kerberos has already been enabled, you can get the composite Kerberos descriptor (a combination
of the base instructions with the user-supplied changes to it) by issuing the following API
call:

http://AMBARI_SERVER_HOST:PORT/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/COMPOSITE
replacing AMBARI_SERVER_HOST, PORT, and CLUSTER_NAME.

Finally, if you want to see just the user-supplied changes, you can do:

http://AMBARI_SERVER_HOST:PORT/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/USER
replacing AMBARI_SERVER_HOST, PORT, and CLUSTER_NAME.

For more information on the Kerberos descriptor, you can take a look at https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/kerberos_descriptor.md.

For manually updating the user-supplied Kerberos descriptor, you can take a look at https://community.hortonworks.com/content/kbentry/89713/updating-the-user-sepecified-kerberos-descriptor.html.

I hope this helps,

Rob
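
Added example, not part of the thread and not Ambari's own code: a Python walk over a Kerberos descriptor, such as the COMPOSITE call above returns, listing each principal and keytab file Ambari manages so they can be audited. The sample response is constructed; the `KerberosDescriptor` response wrapper and the names `expand` and `list_identities` are assumptions made for this example.

```python
import json

# Constructed sample in the shape documented in kerberos_descriptor.md.
# The outer "KerberosDescriptor" wrapper is an assumption about the response body.
SAMPLE_RESPONSE = json.loads("""
{"KerberosDescriptor": {"type": "COMPOSITE", "kerberos_descriptor": {
  "properties": {"realm": "EXAMPLE.COM", "keytab_dir": "/etc/security/keytabs"},
  "identities": [{"name": "spnego",
    "principal": {"value": "HTTP/_HOST@${realm}", "type": "service"},
    "keytab": {"file": "${keytab_dir}/spnego.service.keytab"}}],
  "services": [{"name": "HDFS",
    "identities": [{"name": "hdfs",
      "principal": {"value": "hdfs-${cluster_name}@${realm}", "type": "user"},
      "keytab": {"file": "${keytab_dir}/hdfs.headless.keytab"}}],
    "components": [{"name": "NAMENODE",
      "identities": [{"name": "namenode_nn",
        "principal": {"value": "nn/_HOST@${realm}", "type": "service"},
        "keytab": {"file": "${keytab_dir}/nn.service.keytab"}},
        {"name": "/spnego"}]}]}]}}}
""")

def expand(text, props):
    # Substitute ${name} only for names defined in the descriptor's own
    # "properties"; anything else (e.g. ${cluster_name}) is left unresolved.
    for key, val in props.items():
        text = text.replace("${" + key + "}", str(val))
    return text

def list_identities(response):
    """Return one row per identity that defines a principal, at any level."""
    desc = response.get("KerberosDescriptor", {}).get("kerberos_descriptor", response)
    props = desc.get("properties", {})
    rows = []
    def collect(scope, node):
        for ident in node.get("identities", []):
            principal = ident.get("principal", {})
            if "value" not in principal:
                continue  # bare reference such as "/spnego": defined elsewhere
            keytab = ident.get("keytab", {}).get("file", "")
            rows.append({"scope": scope, "name": ident["name"],
                         "type": principal.get("type", "unspecified"),
                         "principal": expand(principal["value"], props),
                         "keytab": expand(keytab, props)})
    collect("global", desc)
    for svc in desc.get("services", []):
        collect(svc["name"], svc)
        for comp in svc.get("components", []):
            collect(svc["name"] + "/" + comp["name"], comp)
    return rows

if __name__ == "__main__":
    for row in list_identities(SAMPLE_RESPONSE):
        print("{scope:15} {type:8} {principal:32} {keytab}".format(**row))
```

Rows of type `user` are the headless principals whose keytabs are not bound to a single host, so they are the ones to check first when reviewing keytab file ownership and permissions.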


From: Yuanxinen <yuanxinen@huawei.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Tuesday, August 15, 2017 at 4:05 AM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: User Management with kerboes

Hi

I would like to know about following, can somebody direct me..?


1. Is there any REST API to create/get username and keytab..?
2. Or is there any custom API to implement this..?

Is it already available or going to be developed in the future..?



Regards
Xinen Yuan
