[ https://issues.apache.org/jira/browse/AMBARI-12772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-12772:
----------------------------------
    Description: 
*STR*
Install cluster via blueprints
Enable Kerberos security
Add host via blueprints

*Result*
Adding hosts freezes forever
In ambari-server.log:
{code}
The KDC administrator credentials must be set in session by updating the 
relevant Cluster resource.This may be done by issuing a PUT to the 
api/v1/clusters/(cluster name) API entry point with the following payload:
{
  "session_attributes" : {
    "kerberos_admin" : {"principal" : "(PRINCIPAL)", "password" : "(PASSWORD)"}
  }
{code}

*Cause*
This is caused because the KDC administrative credentials are not available 
when needed during the add host process.  If set in the HTTP session, the 
credentials are not accessible since the Kerberos logic is executed outside the 
scope of that HTTP session.  

*Solution*
Store the KDC credentials to a _more secure_ global credential store that is 
accessible no matter what the context is.  This storage facility is in-memory 
and has a retention period of 90 minutes.  This solution refactors the current 
CredentialStoreService and MasterKeyService classes to allow for file-based and 
in-memory implementations. It also paves the way for future changes to allow 
for the KDC administrative credentials to be persisted indefinitely.

  was:
*STR*
Install cluster via blueprints
Enable Kerberos security
Add host via blueprints

*Result*
Adding hosts freezes forever
In ambari-server.log:
{code}
The KDC administrator credentials must be set in session by updating the 
relevant Cluster resource.This may be done by issuing a PUT to the 
api/v1/clusters/(cluster name) API entry point with the following payload:
{
  "session_attributes" : {
    "kerberos_admin" : {"principal" : "(PRINCIPAL)", "password" : "(PASSWORD)"}
  }
{code}


> Adding host via blueprint fails on secure cluster
> -------------------------------------------------
>
>                 Key: AMBARI-12772
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12772
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: blueprints, kerberos
>             Fix For: 2.1.2
>
>
> *STR*
> Install cluster via blueprints
> Enable Kerberos security
> Add host via blueprints
> *Result*
> Adding hosts freezes forever
> In ambari-server.log:
> {code}
> The KDC administrator credentials must be set in session by updating the 
> relevant Cluster resource.This may be done by issuing a PUT to the 
> api/v1/clusters/(cluster name) API entry point with the following payload:
> {
>   "session_attributes" : {
>     "kerberos_admin" : {"principal" : "(PRINCIPAL)", "password" : 
> "(PASSWORD)"}
>   }
> {code}
> *Cause*
> This is caused because the KDC administrative credentials are not available 
> when needed during the add host process.  If set in the HTTP session, the 
> credentials are not accessible since the Kerberos logic is executed outside 
> the scope of that HTTP session.  
> *Solution*
> Store the KDC credentials to a _more secure_ global credential store that is 
> accessible no matter what the context is.  This storage facility is in-memory 
> and has a retention period of 90 minutes.  This solution refactors the 
> current CredentialStoreService and MasterKeyService classes to allow for 
> file-based and in-memory implementations. It also paves the way for future 
> changes to allow for the KDC administrative credentials to be persisted 
> indefinitely.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
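
The Solution above describes an in-memory credential store with a 90-minute retention period that is reachable outside any HTTP session. The following Java sketch illustrates that idea as an added example; it is not code from Ambari or from the issue's patch, and the class name `ExpiringCredentialStore`, the alias `c1.kdc.admin` and the sample principal and password are assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.function.LongSupplier;
/** Hypothetical sketch of a time-limited in-memory store; not Ambari's CredentialStoreService. */
public class ExpiringCredentialStore {
    public static final class Credential {
        public final String principal;
        public final char[] password;
        private final long expiresAtNanos;
        Credential(String principal, char[] password, long expiresAtNanos) {
            this.principal = principal; this.password = password; this.expiresAtNanos = expiresAtNanos;
        }
    }
    private final Map<String, Credential> entries = new HashMap<>();
    private final long retentionNanos;
    private final LongSupplier nanoClock; // injectable so expiry can be exercised without waiting
    public ExpiringCredentialStore(long retention, TimeUnit unit, LongSupplier nanoClock) {
        this.retentionNanos = unit.toNanos(retention);
        this.nanoClock = nanoClock;
    }

    /** Stores a private copy, so the caller may wipe its own array afterwards. */
    public synchronized void put(String alias, String principal, char[] password) {
        Credential old = entries.put(alias,
            new Credential(principal, password.clone(), nanoClock.getAsLong() + retentionNanos));
        if (old != null) Arrays.fill(old.password, '\0'); // wipe the replaced secret
    }

    /** Returns a copy, or null when the alias is unknown or past its retention period. */
    public synchronized Credential get(String alias) {
        Credential c = entries.get(alias);
        if (c == null) return null;
        if (nanoClock.getAsLong() - c.expiresAtNanos >= 0) { // overflow-safe comparison
            Arrays.fill(entries.remove(alias).password, '\0'); // drop and wipe on expiry
            return null;
        }
        return new Credential(c.principal, c.password.clone(), c.expiresAtNanos);
    }

    public static void main(String[] args) {
        long[] now = {0L}; // constructed clock value, in nanoseconds
        ExpiringCredentialStore store = new ExpiringCredentialStore(90, TimeUnit.MINUTES, () -> now[0]);
        // Constructed sample values; in the scenario above these arrive via the cluster PUT request.
        store.put("c1.kdc.admin", "admin/admin@EXAMPLE.COM", "constructed-secret".toCharArray());
        // A background add-host task has no HTTP session but can still look the credential up.
        System.out.println("within retention: " + (store.get("c1.kdc.admin") != null));
        now[0] += TimeUnit.MINUTES.toNanos(90);
        System.out.println("after retention: " + (store.get("c1.kdc.admin") != null));
    }
}
```

Because the store is process-wide rather than session-scoped, callers should be limited to the server components that perform Kerberos operations, and returned copies should be wiped after use.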
