ambari-user mailing list archives

From Robert Levas <rle...@hortonworks.com>
Subject [NOTICE] FQDN is needed for MIT KDC admin_server_host value
Date Mon, 06 Nov 2017 17:08:33 GMT
Team…

I wanted to alert you to a change that was added to the trunk via AMBARI-22293 (https://issues.apache.org/jira/browse/AMBARI-22293).
As of this change, when enabling Kerberos using either the existing MIT KDC or IPA server
options, it is required that the kerberos_env/admin_server_host value is set to the fully
qualified domain name (FQDN) of the host where the KDC administrator service is.

Whether you are using this version or any previous version, the FQDN should be used for this
value; however, before the patch for AMBARI-22293 was committed, a short name or IP address
worked for the MIT KDC option (but probably not for the IPA option).

The reason the FQDN is now needed is due to the new way we will be authenticating with the
MIT KDC when calling kadmin to manage principals.  Historically we called kadmin and passed
in the username and password for authentication.  The password was supplied to the command
via a pipe to STDIN when executing the call.  This was relatively slow since this needed to
be done for each call to kadmin and I believe may have been a cause of authentication failures
under heavy load.

As of this patch, authenticating with kadmin is done using a Kerberos ticket.  Therefore,
at the beginning of a session, kinit is called. The username and password are passed in as
we previously did for kinit, but this now needs to be done only once per session.  For example,
a session may be as short as

                kinit
                kadmin
                kdestroy

or as long as

                kinit
                kadmin
                kadmin
                …
                kadmin
                kdestroy

depending on what the operation is doing.

For the MIT KDC’s kadmin server, we need to provide a service ticket for the kadmin admin
server.  To obtain the service ticket while authenticating, we need to issue a kinit call
like

                kinit -S kadmin/<KDC_FQDN> <ADMIN_PRINCIPAL>

The KDC_FQDN value is taken from the kerberos_env/admin_server_host value. This is why it
must be an FQDN.
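The session shape and the kinit -S call described above, as an added example that is not Ambari's own code: a POSIX shell wrapper that rejects a short name or IP address for admin_server_host before it reaches kinit, then runs one kinit / kadmin ... kadmin / kdestroy session in a private ticket cache. The function names and the KDC_ADMIN_PASSWORD variable are assumptions of this example; kadmin -c is MIT kadmin's option for reusing an existing credential cache.

```shell
#!/bin/sh
# Added example, not Ambari's own code. Validates kerberos_env/admin_server_host
# before it is used in "kinit -S kadmin/<KDC_FQDN>", then runs one
# kinit / kadmin ... kadmin / kdestroy session in a private ticket cache.
# Assumed: KDC_ADMIN_PASSWORD holds the KDC admin password (constructed env var).
set -eu

# Return 0 only for a fully qualified host name: two or more dot-separated
# labels and not a bare IPv4 address. A short name or IP would make the
# request for the kadmin/<host> service ticket fail.
is_fqdn() {
  if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    return 1
  fi
  printf '%s\n' "$1" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Print the kinit command the patch issues: a service ticket for kadmin/<KDC_FQDN>
# rather than a plain TGT, where KDC_FQDN is kerberos_env/admin_server_host.
kinit_cmd() {
  is_fqdn "$1" || { echo "admin_server_host '$1' is not an FQDN" >&2; return 1; }
  printf 'kinit -S kadmin/%s %s\n' "$1" "$2"
}

# kadmin_session KDC_FQDN ADMIN_PRINCIPAL QUERY...
# kinit once, run every kadmin query with the cached ticket, kdestroy on exit.
kadmin_session() {
  admin_host=$1; admin_principal=$2; shift 2
  kinit_cmd "$admin_host" "$admin_principal" >/dev/null   # refuse short name / IP early
  # Private cache: the admin ticket never lands in the caller's default ccache,
  # and kdestroy on exit bounds its lifetime to this session.
  KRB5CCNAME=$(mktemp "${TMPDIR:-/tmp}/ambari-kadmin.XXXXXX"); export KRB5CCNAME
  trap 'kdestroy -c "$KRB5CCNAME" 2>/dev/null || true; rm -f "$KRB5CCNAME"' EXIT
  # Password over STDIN, as before the patch, but only once per session now.
  printf '%s\n' "$KDC_ADMIN_PASSWORD" | kinit -S "kadmin/$admin_host" "$admin_principal"
  for query in "$@"; do
    # -c: reuse the service ticket instead of re-authenticating on each call
    kadmin -c "$KRB5CCNAME" -p "$admin_principal" -q "$query"
  done
}
```

Source the file and call, for example, `KDC_ADMIN_PASSWORD=... kadmin_session kdc01.example.com admin/admin@EXAMPLE.COM listprincs` (constructed values); the validation functions run without a KDC present.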

I hope this change does not cause too much inconvenience, especially during upgrade scenarios;
but I believe that it is a better model and helps with code reuse for KDC server implementations
(like FreeIPA).

Thanks,
Rob