[
https://issues.apache.org/jira/browse/AMBARI-13425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14958928#comment-14958928
]
Hadoop QA commented on AMBARI-13425:
------------------------------------
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12766769/AMBARI-13425_trunk_01.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 2 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in
ambari-server:
org.apache.ambari.server.state.UpgradeHelperTest
org.apache.ambari.server.controller.metrics.timeline.cache.TimelineMetricCacheTest
Test results:
https://builds.apache.org/job/Ambari-trunk-test-patch/3971//testReport/
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/3971//console
This message is automatically generated.
> Ambari 1.7 to 2.1.x upgrade with existing Kerberos, keytab files fail to be
> distributed to some hosts
> -----------------------------------------------------------------------------------------------------
>
> Key: AMBARI-13425
> URL: https://issues.apache.org/jira/browse/AMBARI-13425
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.1.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Labels: kerberos, upgrade
> Fix For: 2.1.3
>
> Attachments: AMBARI-13425_branch-2.1_01.patch,
> AMBARI-13425_trunk_01.patch
>
>
> When upgrading from Ambari 1.7 to 2.1.x, where the source cluster has been
> Kerberized, keytab files fail to distribute to some hosts.
> *Steps to reproduce*
> # Create cluster with Ambari 1.7.0 (multiple nodes, required)
> # Enable Kerberos (manually)
> # Upgrade to Ambari 2.1.2
> # Enable Kerberos (automated)
> # Not all hosts will receive keytab files
> *Cause*
> This is due to the way Ambari keeps track of which components (on each host)
> are properly Kerberized. So if Kerberos was enabled before the upgrade to
> 2.x, at some point the agents will report back to Ambari that its components
> are secured with Kerberos. Ambari will then use this data to determine which
> hosts need to be processed when enabling Kerberos. If some of the hosts have
> reported back before the determination of which hosts need to be process,
> those hosts will most-likely be skipped and thus, the new keytab files will
> not be distributed to them.
> *Solution*
> The solution is to remove outdated code previously used to determine how to
> handle scenarios where new services are added to a Kerberized cluster. This
> code compared the existing services' security state with some desired
> security state. If they matched, then no work needed to be done. The state
> in particular is {{SECURED_KERBEROS}} and can be seen in the
> {{security_state}} column of the {{hostcomponentstate}} table.
> The code in question is outdated since new services being added to a
> Kerberized cluster no longer requires the invocation of the
> {{KerberosHelper.toggleKerberos}} method. The current implementing invokes
> more granular code to configure the relevant service(s) and generate the
> Kerberos identities in a more granular fashion during state changes rather
> then after the fact.
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
