> On Feb. 10, 2016, 8:15 p.m., Robert Levas wrote:
> > ambari-server/src/main/resources/common-services/HAWQ/2.0.0/kerberos.json, lines 5-8
> > <https://reviews.apache.org/r/43465/diff/1/?file=1240075#file1240075line5>
> >
> >     Is this identity used by both the `HAWKMASTER` and `HAWQSTANDBY` components? If not, this block should be moved into the appropriate component since we want to use it sparingly. Essentially the `/HDFS/NAMENODE/hdfs` is the _root_ user for HDFS. So we need to be careful where it gets put.
> 
> jun aoki wrote:
>     @robert Levas, thank you for your comment and sharing the knowledge. hdfs identity is indeed used by both HAWQMASTER and HAWQSTANDBY, thus I drop this issue.

Thanks for the clarification.


> On Feb. 10, 2016, 8:15 p.m., Robert Levas wrote:
> > ambari-server/src/main/resources/common-services/HAWQ/2.0.0/kerberos.json, lines 27-53
> > <https://reviews.apache.org/r/43465/diff/1/?file=1240075#file1240075line27>
> >
> >     This identity seems to be duplicated in both components. You should probably move this to the service level and reference it in the component if component-specific changes need to be made.
> 
> jun aoki wrote:
>     Robert, thank you for telling me this. I saw the duplicate but had no idea I could define once and refer to it.
>     
>     https://cwiki.apache.org/confluence/display/AMBARI/Automated+Kerberizaton#AutomatedKerberizaton-Service-levelIdentities for anybody who wants to know the detail of this.

Essentially you used the same mechanism when including the HDFS identity. :)


> On Feb. 10, 2016, 8:15 p.m., Robert Levas wrote:
> > ambari-server/src/main/resources/common-services/HAWQ/2.0.0/kerberos.json, line 31
> > <https://reviews.apache.org/r/43465/diff/1/?file=1240075#file1240075line31>
> >
> >     This is an interesting principal name choice. Why not use a principal name that helps to identify its use. Like, `hawq@${realm}` or better yet something like `${hawq-env/hawk_user}@${realm}`.
> 
> jun aoki wrote:
>     I agree Robert. this should've been hawq/_HOST${realm}. Currently this is a HAWQ limitation (it won't take any other principal name) https://issues.apache.org/jira/browse/HAWQ-406

Thanks for clarification, hopefully HAWQ is fixed soon since using `postgres` can be confusing and potentially problematic.

My big issue with this is how the auth-to-local rules get generated. In this case, since no `local_username` property is set for the identity, a specific auth-to-local rule will not be created. Thus, the mapping will fall to the default rule which does a one-for-one mapping and will associate this identity with the local `postgres` account - which may or may not exist.

This scenario happens with HDFS when it maps a Kerberos identity to a local user account. So maybe if there is a local user created for HAWQ (`hawq-env/hawq-user` maybe?) use that as the `local_username` for the identity. For example:

```
{
  ...,
  "principal": {
    "value": "postgres@${realm}",
    "type" : "service",
    "local_username" : "${hawq-env/hawq-user}"
  },
  ...
}
```


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43465/#review118794
-----------------------------------------------------------


On Feb. 10, 2016, 8 p.m., jun aoki wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43465/
> -----------------------------------------------------------
> 
> (Updated Feb. 10, 2016, 8 p.m.)
> 
> 
> Review request for Ambari.
> 
> 
> Bugs: AMBARI-15001
>     https://issues.apache.org/jira/browse/AMBARI-15001
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> This is to add hdfs keytab for hawq nodes.
> Currently HAWQ's service check fails due to data clean up after service check is completed and causes a false negative.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/HAWQ/2.0.0/kerberos.json cc11c15 
> 
> Diff: https://reviews.apache.org/r/43465/diff/
> 
> 
> Testing
> -------
> 
> Locally tested.
> 
> 
> Thanks,
> 
> jun aoki
> 
>
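The auth-to-local concern raised in the review above, as an added example that is not part of this thread or of Ambari's own code: a small evaluator of Hadoop `auth_to_local` rules (the syntax Ambari writes into `hadoop.security.auth_to_local`), run over two constructed rule sets, one where the `postgres@${realm}` identity has no `local_username` and only the `DEFAULT` rule catches it, and one with the specific rule a `local_username` of `hawq` would produce. The realm `EXAMPLE.COM`, the NameNode rule and the local account list are constructed sample values.

```python
import re

# Hadoop auth_to_local rule syntax: RULE:[n:format](regex)s/pattern/replacement/[g]
RULE_RE = re.compile(r'^RULE:\[(\d+):([^\]]+)\]\(([^)]+)\)s/([^/]+)/([^/]*)/(g?)$')

def split_principal(principal):
    """'primary/instance@REALM' -> (['primary', 'instance'], 'REALM')."""
    name, _, realm = principal.partition('@')
    return name.split('/'), realm

def map_principal(principal, rules, default_realm):
    """Local user name produced by the first matching rule, or None."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == 'DEFAULT':
            # One-for-one mapping: a principal in the default realm keeps
            # its primary component as the local user name.
            if realm == default_realm:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f'unparseable rule: {rule}')
        n, fmt, match, pattern, repl, flag = m.groups()
        if int(n) != len(comps):   # rule applies to n-component names only
            continue
        candidate = fmt.replace('$0', realm)   # $0 = realm, $1.. = components
        for i, comp in enumerate(comps, 1):
            candidate = candidate.replace(f'${i}', comp)
        if not re.fullmatch(match, candidate):
            continue
        return re.sub(pattern, repl, candidate, count=0 if flag else 1)
    return None

# Constructed rule sets. The first is what remains for the HAWQ identity when
# no local_username is given (only DEFAULT applies to it); the second adds
# the rule a local_username of "hawq" would generate for postgres@${realm}.
RULES_NO_LOCAL = ['RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/', 'DEFAULT']
RULES_WITH_LOCAL = ['RULE:[1:$1@$0](postgres@EXAMPLE.COM)s/.*/hawq/'] + RULES_NO_LOCAL

def missing_local_accounts(principals, rules, default_realm, local_users):
    """Principals whose mapped local user is absent from local_users."""
    return [p for p in principals
            if map_principal(p, rules, default_realm) not in local_users]

if __name__ == '__main__':
    users = {'hdfs', 'hawq', 'ambari-qa'}   # constructed local account list
    for rules in (RULES_NO_LOCAL, RULES_WITH_LOCAL):
        print(map_principal('postgres@EXAMPLE.COM', rules, 'EXAMPLE.COM'),
              missing_local_accounts(['postgres@EXAMPLE.COM'], rules, 'EXAMPLE.COM', users))
```

Without the specific rule the principal lands on a local `postgres` account that the host may not have; `missing_local_accounts` is the check a deployment script can run against the real account list before enabling Kerberos.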
