[jira] [Updated] (AMBARI-10305) Kerberos: during disable, need option skip if unable to access KDC to remove principals

Fri, 03 Apr 2015 08:45:33 -0700 

     [ 
https://issues.apache.org/jira/browse/AMBARI-10305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Levas updated AMBARI-10305:
----------------------------------
    Attachment: AMBARI-10305_01.patch

* Added the ability for Ambari to manage Kerberos identities or not.  If 
managing Kerberos identities, Ambari will create accounts in the relavant KDC, 
generate keytab files, and distribute keytabs files as needed.  If _not_ 
managing identities, Ambari will expected those operations to be performed 
manually.
* Added {{kerberos-env/manage_identities}} to indicate whether Ambari is to 
manage Kerberos identities or not.  
* Added the ability to set a directive, _manage_kerberos_identities_, when 
setting the security type for a cluster to alter the behavior when disabling 
Kerberos so that operations requiring access to a KDC can be skipped. 

Patch File [^AMBARI-10305_01.patch]

> Kerberos: during disable, need option skip if unable to access KDC to remove 
> principals
> ---------------------------------------------------------------------------------------
>
>                 Key: AMBARI-10305
>                 URL: https://issues.apache.org/jira/browse/AMBARI-10305
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: kerberos
>             Fix For: 2.1.0
>
>         Attachments: AMBARI-10305_01.patch
>
>
> Attempted to disable kerb, fails on step to unkerberize because KDC admin is 
> locked out.
> Click retry, can't make it past that.
> Need option to skip and finish "disable kerberos" even if Ambari cannot get 
> the principals cleaned up (i.e. cannot access the KDC) Losing access to the 
> KDC and attempting to disable where ambari can't clean-up the principals 
> should be a skip'able step. User should still be able to get to a clean, 
> not-enabled-kerberos-ambari-state w/o accessing the KDC.
> *Solution*
> Add a flag to the kerberos-env configuration to specify whether Kerberos 
> identities should be managed by Ambari (true, default) or not (false).  This 
> flag is to be overridable via a _directive_ like {{manage_identities=false}} 
> when disabling Kerberos, which will skip over any KDC administrative 
> processes. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to