Because it simply queries the DB (where we have no information about the Kerberos descriptor unless the user submitted one) based on the service filter we passed (i.e HDFS): ``` SELECT kkp.*, h.host_name, kkpm.service_name, kkpm.component_name FROM kerberos_keytab_principal kkp, hosts h, kkp_mapping_service kkpm WHERE kkp.host_id = h.host_id AND kkp.kkp_id = kkpm.kkp_id AND kkpm.service_name = 'HDFS' AND h.host_name = 'c7403.ambari.apache.org' ORDER BY h.host_name, kkpm.service_name, kkpm.component_name; ``` Returns:
kkp_id|keytab_path|principal_name|host_id|is_distributed|host_name|service_name|component_name -|-|-|-|-|-|-|- 6|/etc/security/keytabs/spnego.service.keytab|HTTP/[email protected]|3|1|c7403.ambari.apache.org|HDFS|DATANODE 30|/etc/security/keytabs/smokeuser.headless.keytab|[email protected]|3|1|c7403.ambari.apache.org|HDFS|DATANODE 37|/etc/security/keytabs/dn.service.keytab|dn/[email protected]|3|1|c7403.ambari.apache.org|HDFS|DATANODE This is why it would only regenerate DN's keytab. However we know that other service components needs the headless keytab: ``` SELECT kkp.*, h.host_name, kkpm.service_name, kkpm.component_name FROM kerberos_keytab_principal kkp, hosts h, kkp_mapping_service kkpm WHERE kkp.host_id = h.host_id AND kkp.kkp_id = kkpm.kkp_id AND kkp.principal_name = '[email protected]' AND h.host_name = 'c7403.ambari.apache.org' ORDER BY h.host_name, kkpm.service_name, kkpm.component_name ``` Returns: kkp_id|keytab_path|principal_name|host_id|is_distributed|host_name|service_name|component_name -|-|-|-|-|-|-|- 15|/etc/security/keytabs/hdfs.headless.keytab|[email protected]|3|1|c7403.ambari.apache.org|TEZ|TEZ_CLIENT 15|/etc/security/keytabs/hdfs.headless.keytab|[email protected]|3|1|c7403.ambari.apache.org|AMBARI_METRICS|METRICS_COLLECTOR This is why we need to add other services; let me think it over again; there may be a more elegant and easy way to solve this issue. [ Full content available at: https://github.com/apache/ambari/pull/2359 ] This message was relayed via gitbox.apache.org for [email protected]
