> On April 8, 2015, 11:28 a.m., Robert Levas wrote:
> > Ping...
> 
> Alejandro Fernandez wrote:
>     What is the root cause that leads to the KDC admin being locked out?
>     It seems like a security risk that disabling kerberos is still allowed 
> even if Ambari doesn't have access. If a user is already in this state, how 
> do they proceed?
> 
> Robert Levas wrote:
>     I am not sure why this would be a security risk, since all of the 
> configurations can be changed manually.
>     
>     In any case, we have seen at least one instance where the KDC was not 
> available when disabling Kerberos - maybe due to maintenance or being locked 
> out of the KDC (due to too many failed login attempts).  
> Technically Ambari only needs to contact the KDC when disabling Kerberos to 
> clean up orphaned managed identities. 
>     
>     One thing to note, the solution for this helps pave the way for future 
> work where Kerberos is enabled but allowing the user to manually manage the 
> necessary Kerberos identities.

> If a user is already in this state, how do they proceed?

Once this code is in place and a failure is encountered due to the inability to 
communicate with the KDC, a second API call to disable Kerberos can be made, 
but it will need to have the `manage_kerberos_identities` directive set to 
false:
```
PUT /api/v1/clusters/c1?manage_kerberos_identities=false
{"Clusters": {"security_type" : "NONE"}}
```

There will be a separate JIRA tracking the UI code updates to handle this.


- Robert
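The two-step procedure described above (a normal disable first, then a second call carrying the `manage_kerberos_identities=false` directive when the KDC cannot be reached) as an added Python example, not code from the Ambari project or from this review. It assumes the request shape quoted in the reply plus the `X-Requested-By` header the Ambari API requires for PUTs; `fake_transport` is a constructed stand-in for a server, and treating a non-2xx status as the KDC failure is a simplification, since a real Ambari request runs asynchronously and the failed step shows up in the request's task status. The fallback is opt-in, because skipping the KDC step leaves every Ambari-managed principal and keytab in place for an administrator to remove.

```python
"""Disable Kerberos through the Ambari REST API, retrying with the
manage_kerberos_identities=false directive when the KDC cannot be reached.

Added example, not Ambari project code.  The request shape (PUT
/api/v1/clusters/<name> with {"Clusters": {"security_type": "NONE"}} and the
X-Requested-By header) follows the review thread; treating a non-2xx response
as the KDC failure is a simplification of Ambari's asynchronous requests.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport sends (method, url, headers, body) and returns (status, response body).
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]

DISABLE_BODY = json.dumps({"Clusters": {"security_type": "NONE"}})


def disable_kerberos_request(base_url: str, cluster: str,
                             manage_identities: bool) -> Tuple[str, str, Dict[str, str], str]:
    """Build the PUT that sets security_type to NONE.  With manage_identities=False
    the manage_kerberos_identities=false directive is appended so Ambari skips the
    KDC administrative step (cleanup of the principals it created)."""
    url = f"{base_url}/api/v1/clusters/{cluster}"
    if not manage_identities:
        url += "?manage_kerberos_identities=false"
    headers = {"X-Requested-By": "ambari", "Content-Type": "application/json"}
    return "PUT", url, headers, DISABLE_BODY


def disable_kerberos(base_url: str, cluster: str, send: Transport,
                     allow_skip_cleanup: bool = False) -> Tuple[str, str]:
    """Try the normal disable first; only if the caller opted in, fall back to the
    directive.  Returns (outcome, detail) with outcome one of
    'disabled', 'disabled-orphaned' or 'failed'."""
    status, body = send(*disable_kerberos_request(base_url, cluster, True))
    if 200 <= status < 300:
        return "disabled", "Ambari removed the managed principals"
    if not allow_skip_cleanup:
        return "failed", f"HTTP {status}: {body}"
    status, body = send(*disable_kerberos_request(base_url, cluster, False))
    if 200 <= status < 300:
        # The KDC was never contacted, so every Ambari-managed principal and
        # keytab still exists and must be removed by a KDC administrator.
        return "disabled-orphaned", "KDC skipped; managed principals remain in the KDC"
    return "failed", f"HTTP {status}: {body}"


def urllib_transport(user: str, password: str) -> Transport:
    """Real transport using HTTP basic auth against an Ambari server."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        req = urllib.request.Request(url, data=body.encode(), method=method)
        for name, value in headers.items():
            req.add_header(name, value)
        req.add_header("Authorization", f"Basic {token}")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return send


def fake_transport(kdc_reachable: bool, log: List[str]) -> Transport:
    """Constructed stand-in for an Ambari server (hypothetical responses): the
    identity-cleanup path fails while the KDC is unreachable, e.g. because the
    admin account is locked out; the directive path never touches the KDC."""
    def send(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        log.append(url)
        assert method == "PUT" and headers["X-Requested-By"] == "ambari"
        if "manage_kerberos_identities=false" in url or kdc_reachable:
            return 200, "{}"
        return 500, "Failed to connect to the KDC (constructed error text)"
    return send


if __name__ == "__main__":
    calls: List[str] = []
    print(disable_kerberos("http://ambari:8080", "c1", fake_transport(False, calls),
                           allow_skip_cleanup=True))
    print(calls)
```

Running the block with a real server means swapping `fake_transport(...)` for `urllib_transport(user, password)`; the `disabled-orphaned` outcome is the signal to schedule manual principal cleanup in the KDC once it is reachable again.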


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/32815/#review79356
-----------------------------------------------------------


On April 3, 2015, 11:57 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/32815/
> -----------------------------------------------------------
> 
> (Updated April 3, 2015, 11:57 a.m.)
> 
> 
> Review request for Ambari, Jaimin Jetly, John Speidel, Robert Nettleton, Tom 
> Beerbower, and Yusaku Sako.
> 
> 
> Bugs: AMBARI-10305
>     https://issues.apache.org/jira/browse/AMBARI-10305
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Attempted to disable kerb, fails on step to unkerberize because KDC admin is 
> locked out.
> 
> Click retry, can't make it past that.
> 
> Need option to skip and finish "disable kerberos" even if Ambari cannot get 
> the principals cleaned up (i.e. cannot access the KDC). Losing access to the 
> KDC and attempting to disable where ambari can't clean-up the principals 
> should be a skippable step. User should still be able to get to a clean, 
> not-enabled-kerberos-ambari-state w/o accessing the KDC.
> 
> **Solution**
> Add a flag to the kerberos-env configuration to specify whether Kerberos 
> identities should be managed by Ambari (true, default) or not (false).  The 
> behavior declared by this value is to be overridden using the _directive_ 
> `manage_kerberos_identities=false` when disabling Kerberos, which will skip 
> over any KDC administrative processes.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 94f2711 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java a3ede22 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java e8a6c0a 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml 9c12b34 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java f7144b8 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 524c511 
>   ambari-web/app/data/HDP2/site_properties.js 205aead 
> 
> Diff: https://reviews.apache.org/r/32815/diff/
> 
> 
> Testing
> -------
> 
> Manually tested in cluster
> 
> **Local test results**
> 
> Running org.apache.ambari.server.controller.KerberosHelperTest
> Tests run: 28, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 2.117 sec
> 
> Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
> Tests run: 34, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.729 sec
> 
> Tests run: 2818, Failures: 0, Errors: 0, Skipped: 16
> 
> **Jenkins test results: PENDING**
> 
> 
> Thanks,
> 
> Robert Levas
> 
>
