> On April 8, 2015, 11:28 a.m., Robert Levas wrote:
> > Ping...
>
> Alejandro Fernandez wrote:
>     What is the root cause that leads to the KDC admin being locked out?
>     It seems like a security risk that disabling kerberos is still allowed
>     even if Ambari doesn't have access. If a user is already in this state, how
>     do they proceed?

I am not sure why this would be a security risk, since all of the configurations can be changed manually. In any case, we have seen at least one instance where the KDC was not available when disabling Kerberos - maybe due to maintenance or being locked out of the KDC (due to too many failed login attempts). Technically Ambari only needs to contact the KDC when disabling Kerberos to clean up orphaned managed identities.

One thing to note, the solution for this helps pave the way for future work where Kerberos is enabled but allowing the user to manually manage the necessary Kerberos identities.

- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/32815/#review79356
-----------------------------------------------------------


On April 3, 2015, 11:57 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/32815/
> -----------------------------------------------------------
> 
> (Updated April 3, 2015, 11:57 a.m.)
> 
> 
> Review request for Ambari, Jaimin Jetly, John Speidel, Robert Nettleton, Tom Beerbower, and Yusaku Sako.
> 
> 
> Bugs: AMBARI-10305
>     https://issues.apache.org/jira/browse/AMBARI-10305
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Attempted to disable kerb, fails on step to unkerberize because KDC admin is locked out.
> 
> Click retry, can't make it past that.
> 
> Need option to skip and finish "disable kerberos" even if Ambari cannot get the principals cleaned up (i.e. cannot access the KDC). Losing access to the KDC and attempting to disable where ambari can't clean-up the principals should be a skippable step. User should still be able to get to a clean, not-enabled-kerberos-ambari-state w/o accessing the KDC.
> 
> **Solution**
> Add a flag to the kerberos-env configuration to specify whether Kerberos identities should be managed by Ambari (true, default) or not (false). The behavior declared by this value is to be overridden using the _directive_ {{manage_kerberos_identities=false}} when disabling Kerberos, which will skip over any KDC administrative processes.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 94f2711 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java a3ede22 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java e8a6c0a 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml 9c12b34 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java f7144b8 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 524c511 
>   ambari-web/app/data/HDP2/site_properties.js 205aead 
> 
> Diff: https://reviews.apache.org/r/32815/diff/
> 
> 
> Testing
> -------
> 
> Manually tested in cluster
> 
> **Local test results**
> 
> Running org.apache.ambari.server.controller.KerberosHelperTest
> Tests run: 28, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 2.117 sec
> 
> Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
> Tests run: 34, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.729 sec
> 
> Tests run: 2818, Failures: 0, Errors: 0, Skipped: 16
> 
> **Jenkins test results: PENDING**
> 
> 
> Thanks,
> 
> Robert Levas
> 
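The thread describes the fix (a kerberos-env default that a per-request directive can override) but not what the operator actually sends. The script below is an added example, not Ambari project code or anything from the review: it resolves the flag the way the Solution paragraph describes (directive wins over the cluster default, which is true when unset) and builds the REST call that disables Kerberos with KDC cleanup skipped. The kerberos-env property name `manage_identities`, the host `ambari.example.com:8080`, the cluster name `c1` and the admin credentials are assumptions; the directive being carried as a query-string parameter on the cluster resource is also an assumption.

```python
"""Disable Kerberos through the Ambari REST API while the KDC is unreachable.

Added example, not Ambari project code. Assumptions: the kerberos-env
property is named "manage_identities" (the review does not name it), the
Ambari host/port and the admin credentials are placeholders, and the
manage_kerberos_identities directive travels as a query-string parameter.
"""
import base64
import json
import urllib.request
from urllib.parse import urlencode

DIRECTIVE = "manage_kerberos_identities"


def resolve_manage_identities(kerberos_env, directives):
    """Decide whether Ambari should contact the KDC at all.

    The kerberos-env flag is the cluster default (true when unset); a
    per-request directive, if present, overrides it. Both arrive as
    strings (config values / query parameters), hence the string compare.
    """
    if DIRECTIVE in directives:
        return str(directives[DIRECTIVE]).strip().lower() == "true"
    # "manage_identities" is an assumed property name for the kerberos-env flag.
    return str(kerberos_env.get("manage_identities", "true")).strip().lower() == "true"


def build_disable_kerberos_request(base_url, cluster, manage_identities, user, password):
    """Return the PUT that sets the cluster's security_type to NONE.

    When manage_identities is False the directive is appended so the server
    skips every KDC administrative step; that is what lets the disable flow
    finish while the KDC admin account is locked out.
    """
    url = f"{base_url.rstrip('/')}/api/v1/clusters/{cluster}"
    if not manage_identities:
        url += "?" + urlencode({DIRECTIVE: "false"})
    body = json.dumps({"Clusters": {"security_type": "NONE"}}).encode()
    req = urllib.request.Request(url, data=body, method="PUT")
    # Ambari refuses state-changing calls that lack this CSRF header.
    req.add_header("X-Requested-By", "ambari")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


def send(req, timeout=30):
    """Submit the request and return the parsed JSON response body (if any)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read().decode()
        return json.loads(raw) if raw else None


if __name__ == "__main__":
    # The KDC admin is locked out, so override the cluster default for this call.
    kerberos_env = {"manage_identities": "true"}   # cluster default from kerberos-env
    directives = {DIRECTIVE: "false"}               # operator's per-request override
    manage = resolve_manage_identities(kerberos_env, directives)
    req = build_disable_kerberos_request(
        "http://ambari.example.com:8080", "c1", manage, "admin", "admin")  # placeholders
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # send(req) would submit it. The managed principals are then left in the
    # KDC and have to be removed by hand with kadmin once access is restored.
```

Because the skip leaves Ambari-created principals (and their keytabs on the hosts) behind, the call should be followed by a manual KDC cleanup as soon as the admin account is usable again.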
