-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44148/#review121368
-----------------------------------------------------------

@Yusaku Sako or @Jaimin Jetly should review the UI updates.

We need to ensure that the internal kinits do not cause collisions with Ambari's credential cache. Has this been tested when JAAS is configured for Ambari?


ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java (line 65)
<https://reviews.apache.org/r/44148/#comment183040>

    This should be calculated rather than hard coded. Also the naming convention indicates that this is a `static` `final` member but is not indicated as such.


ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java (line 236)
<https://reviews.apache.org/r/44148/#comment183041>

    `MIT` --> `IPA`


ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java (line 500)
<https://reviews.apache.org/r/44148/#comment183044>

    When executing kinit for this purpose, is the credential cache being stored in an alternate location, else will it overwrite the credential cache for Ambari itself?


ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java (line 575)
<https://reviews.apache.org/r/44148/#comment183045>

    When executing kinit for this purpose, is the credential cache being stored in an alternate location, else will it overwrite the credential cache for Ambari itself?


ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java (line 865)
<https://reviews.apache.org/r/44148/#comment183052>

    Why not use the default implementation of this? It appears you are using the Ambari-generated password when creating the account, so the default impl should work fine.


- Robert Levas


On Feb. 29, 2016, 4:49 p.m., Bolke de Bruin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44148/
> -----------------------------------------------------------
> 
> (Updated Feb. 29, 2016, 4:49 p.m.)
> 
> 
> Review request for Ambari and Robert Levas.
> 
> 
> Bugs: AMBARI-6432
>     https://issues.apache.org/jira/browse/AMBARI-6432
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> FreeIPA is the active directory equivalent for Linux. This patch adds support
> for FreeIPA. It requires ipa-admintools to be installed on the ambari host.
> In addition it either requires write access to the krbPasswordPassword
> attribute or a suitable password policy needs to be in place (ipa pwpolicy).
> 
> It has been requested to have this implemented in several tickets.
> 
> To test.
> 
> * Have a working IPA server available
> * Create a group "ambari-managed-principals" (configurable)
> * Create a password policy for this group or make the krb5PasswordExpiry
>   attribute writable (not per se required for testing)
> * Enroll all hosts into ipa
> * make sure the ipa-admintools are available on the ambari host
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java be6edc9 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KDCType.java 5b1372a 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java 4cd050e 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerFactory.java bfd45b7 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml a03dea6 
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandlerTest.java PRE-CREATION 
>   ambari-web/app/controllers/main/admin/kerberos.js c021c89 
>   ambari-web/app/controllers/main/admin/kerberos/step1_controller.js b9056ed 
>   ambari-web/app/controllers/main/admin/kerberos/step2_controller.js 9b411c6 
>   ambari-web/app/controllers/main/admin/kerberos/step5_controller.js 5aa4b8c 
>   ambari-web/app/controllers/main/service/info/configs.js a22bb48 
>   ambari-web/app/data/HDP2/site_properties.js 3ea6c68 
>   ambari-web/app/messages.js 1cefce2 
>   ambari-web/app/views/common/controls_view.js d355ffe 
> 
> Diff: https://reviews.apache.org/r/44148/diff/
> 
> 
> Testing
> -------
> 
> FreeIPA 4.2 on CentOS 7. Multiple times kerberization and de-kerberization.
> 
> 
> Thanks,
> 
> Bolke de Bruin
> 
>
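
Added example, not part of the review thread or of the Ambari patch: one way to keep a helper kinit from overwriting the calling process's credential cache, the collision asked about in the review, is to point `KRB5CCNAME` at a throwaway per-invocation cache. The function name `with_private_ccache`, the `ipa-op-cc` prefix and the keytab path and principal in the comment are assumptions.

```shell
#!/bin/sh
# Added example: run a command against a private, throwaway Kerberos
# credential cache. with_private_ccache and the ipa-op-cc prefix are
# hypothetical names, not taken from the Ambari patch.

# The function body is a subshell "( ... )", so the KRB5CCNAME override and
# the umask change cannot leak back into the caller's environment.
with_private_ccache() (
    umask 077
    # mktemp -d creates a fresh directory readable only by the current user.
    cc_dir=$(mktemp -d "${TMPDIR:-/tmp}/ipa-op-cc.XXXXXX") || exit 1
    KRB5CCNAME="FILE:${cc_dir}/krb5cc"
    export KRB5CCNAME
    rc=0
    # "||" keeps a failing command from aborting before cleanup under "set -e".
    "$@" || rc=$?
    # Drop the tickets whether or not the command succeeded.
    rm -rf "$cc_dir"
    exit "$rc"
)

# Real use would wrap kinit plus the admin command, for example (constructed
# keytab path and principal):
#   with_private_ccache sh -c 'kinit -kt /path/to/admin.keytab admin@EXAMPLE.COM && klist'

# Offline demonstration with a stand-in for kinit: the helper sees its own
# cache while the caller's setting is unchanged.
echo "caller cache: ${KRB5CCNAME:-<library default>}"
with_private_ccache sh -c 'echo "helper cache: $KRB5CCNAME"'
echo "caller cache after: ${KRB5CCNAME:-<library default>}"
```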