> On April 8, 2015, 3:28 p.m., Robert Levas wrote:
> > Ping...

What is the root cause that leads to the KDC admin being locked out?
It seems like a security risk that disabling kerberos is still allowed even if Ambari doesn't have access.
If a user is already in this state, how do they proceed?

- Alejandro


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/32815/#review79356
-----------------------------------------------------------


On April 3, 2015, 3:57 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/32815/
> -----------------------------------------------------------
>
> (Updated April 3, 2015, 3:57 p.m.)
>
>
> Review request for Ambari, Jaimin Jetly, John Speidel, Robert Nettleton, Tom
> Beerbower, and Yusaku Sako.
>
>
> Bugs: AMBARI-10305
>     https://issues.apache.org/jira/browse/AMBARI-10305
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Attempted to disable kerb, fails on step to unkerberize because KDC admin is
> locked out.
>
> Click retry, can't make it past that.
>
> Need option to skip and finish "disable kerberos" even if Ambari cannot get
> the principals cleaned up (i.e. cannot access the KDC)
> Losing access to the KDC and attempting to disable where ambari can't clean-up
> the principals should be a skip'able step. User should still be able to get to
> a clean, not-enabled-kerberos-ambari-state w/o accessing the KDC.
>
> **Solution**
> Add a flag to the kerberos-env configuration to specify whether Kerberos
> identities should be managed by Ambari (true, default) or not (false). The
> behavior declared by this value is to be overridden using the _directive_
> {{manage_kerberos_identities=false}} when disabling Kerberos, which will skip
> over any KDC administrative processes.
>
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 94f2711
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java a3ede22
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java e8a6c0a
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml 9c12b34
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java f7144b8
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 524c511
>   ambari-web/app/data/HDP2/site_properties.js 205aead
>
> Diff: https://reviews.apache.org/r/32815/diff/
>
>
> Testing
> -------
>
> Manually tested in cluster
>
> **Local test results**
>
> Running org.apache.ambari.server.controller.KerberosHelperTest
> Tests run: 28, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 2.117 sec
>
> Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
> Tests run: 34, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.729 sec
>
> Tests run: 2818, Failures: 0, Errors: 0, Skipped: 16
>
> **Jenkins test results: PENDING**
>
>
> Thanks,
>
> Robert Levas
>
>
