Robert Levas created AMBARI-8542:
------------------------------------
Summary: Provide a way to parse and handle Kerberos descriptors
Key: AMBARI-8542
URL: https://issues.apache.org/jira/browse/AMBARI-8542
Project: Ambari
Issue Type: Task
Components: ambari-server, stacks
Affects Versions: 2.0.0
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 2.0.0
Provide the ability to read in Kerberos descriptor files (kerberos.json) from
the stack at various levels (stack-level, service-level) and to merge them into
a single hierarchy. The composite Kerberos descriptor data will be used to
control the UI (Kerberos Wizard - see AMBARI-7450).
An example stack-level Kerberos Descriptor:
{code}
{
"properties": {
"realm": "${cluster-env/kerberos_domain}",
"keytab_dir": "/etc/security/keytabs"
},
"identities": [
{
"name": "spnego",
"principal": {
"value": "HTTP/_HOST@${realm}"
},
"keytab": {
"file": "${keytab_dir}/spnego.service.keytab",
"owner": {
"name": "root",
"access": "r"
},
"group": {
"name": "${cluster-env/user_group}",
"access": "r"
}
}
}
],
"configurations": [
]
}
{code}
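An example service-level Kerberos Descriptor - HDFS (illustrative only: several "configuration" targets look copied between components, e.g. the DATANODE identities point at dfs.namenode.* properties, more than one identity within a component writes its keytab path to the same property, and the /spnego keytab entries use "hdfs/" where the other entries use "hdfs-site/"; verify each principal and keytab mapping before reusing it):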
{code}
{
"configurations": [
{
"core-site": {
"hadoop.security.authentication": "kerberos",
"hadoop.rpc.protection": "authentication; integrity; privacy",
"hadoop.security.authorization": "true"
}
}
],
"components": [
{
"name": "NAMENODE",
"identities": [
{
"name" : "namenode_nn",
"principal": {
"value": "nn/_HOST@${realm}",
"configuration": "hdfs-site/dfs.namenode.kerberos.principal"
},
"keytab": {
"file": "${keytab_dir}/nn.service.keytab",
"owner": {
"name": "${hadoop-env/hdfs_user}",
"access": "r"
},
"group": {
"name": "${cluster-env/user_group}",
"access": ""
},
"configuration": "hdfs-site/dfs.namenode.keytab.file"
}
},
{
"name" : "namenode_host",
"principal": {
"value": "host/_HOST@${realm}",
"configuration": "hdfs-site/dfs.namenode.kerberos.https.principal"
},
"keytab": {
"file": "${keytab_dir}/host.keytab",
"owner": {
"name": "${hadoop-env/hdfs_user}",
"access": "r"
},
"group": {
"name": "${cluster-env/user_group}",
"access": ""
},
"configuration": "hdfs-site/dfs.namenode.keytab.file"
}
},
{
"name" : "/spnego",
"principal": {
"configuration":
"hdfs-site/dfs.web.authentication.kerberos.principal"
},
"keytab": {
"configuration": "hdfs/dfs.web.authentication.kerberos.keytab"
}
}
]
},
{
"name": "DATANODE",
"identities": [
{
"name" : "datanode_dn",
"principal": {
"value": "dn/_HOST@${realm}",
"configuration": "hdfs-site/dfs.namenode.kerberos.principal"
},
"keytab": {
"file": "${keytab_dir}/dn.service.keytab",
"owner": {
"name": "${hadoop-env/hdfs_user}",
"access": "r"
},
"group": {
"name": "${cluster-env/user_group}",
"access": ""
},
"configuration": "hdfs-site/dfs.namenode.keytab.file"
}
},
{
"name" : "datanode_host",
"principal": {
"value": "host/_HOST@${realm}",
"configuration": "hdfs-site/dfs.datanode.kerberos.https.principal"
},
"keytab": {
"file": "${keytab_dir}/host.keytab.file",
"owner": {
"name": "${hadoop-env/hdfs_user}",
"access": "r"
},
"group": {
"name": "${cluster-env/user_group}",
"access": ""
},
"configuration": "hdfs-site/dfs.namenode.secondary.keytab.file"
}
}
]
},
{
"name": "SECONDARY_NAMENODE",
"identities": [
{
"name" : "secondary_namenode_nn",
"principal": {
"value": "nn/_HOST@${realm}",
"configuration":
"hdfs-site/dfs.namenode.secondary.kerberos.principal"
},
"keytab": {
"file": "${keytab_dir}/snn.service.keytab",
"owner": {
"name": "${hadoop-env/hdfs_user}",
"access": "r"
},
"group": {
"name": "${cluster-env/user_group}",
"access": ""
},
"configuration": "hdfs-site/dfs.namenode.secondary.keytab.file"
}
},
{
"name" : "secondary_namenode_host",
"principal": {
"value": "host/_HOST@${realm}",
"configuration":
"hdfs-site/dfs.namenode.secondary.kerberos.https.principal"
},
"keytab": {
"file": "${keytab_dir}/host.keytab.file",
"owner": {
"name": "${hadoop-env/hdfs_user}",
"access": "r"
},
"group": {
"name": "${cluster-env/user_group}",
"access": ""
},
"configuration": "hdfs-site/dfs.namenode.secondary.keytab.file"
}
},
{
"name" : "/spnego",
"principal": {
"configuration":
"hdfs-site/dfs.web.authentication.kerberos.principal"
},
"keytab": {
"configuration": "hdfs/dfs.web.authentication.kerberos.keytab"
}
}
]
}
]
}
{code}