[
https://issues.apache.org/jira/browse/AMBARI-15561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15218517#comment-15218517
]
Hadoop QA commented on AMBARI-15561:
------------------------------------
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12796098/AMBARI-15561-v2.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 5 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in
ambari-server:
org.apache.ambari.server.state.cluster.ClustersDeadlockTest
Test results:
https://builds.apache.org/job/Ambari-trunk-test-patch/6100//testReport/
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/6100//console
This message is automatically generated.
> Automate creation of Ambari Server proxy users (secure/non-secure clusters),
> principal and keytab, setup of JAAS (secure clusters)
> ----------------------------------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-15561
> URL: https://issues.apache.org/jira/browse/AMBARI-15561
> Project: Ambari
> Issue Type: Improvement
> Components: ambari-server
> Reporter: Sandor Magyari
> Assignee: Sandor Magyari
> Priority: Critical
> Fix For: ambari-2.4.0
>
> Attachments: AMBARI-15561-v2.patch
>
>
> The aim of this improvement is to automate the following:
> - creation of proxy users for Ambari server necessary for views (Files, Hive,
> Pig, Tez etc)
> - creation of Ambari Server principal and keytab, and setup of JAAS which is
> currently a manual step documented here:
> http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_optional_set_up_kerberos_for_ambari_server.html
> In case of a non secure cluster, Ambari proxy user will be set up for the
> user account Ambari Server is running as. This is specified in
> *ambari-server.properties* by *ambari-server.user* and can be adjusted by
> running 'ambari-server setup'.
> Stackadvisor is responsible for configuring proxy users, both for secure /
> non-secure cluster, wizard or blueprint based deployments.
> Therefore in case of blueprint based deployments proxy users will be only
> created if "config_recommendation_strategy": "ALWAYS_APPLY" in Cluster
> template.
> The following proxy users will be configured by stackadvisor:
> {code}
> hadoop.proxyuser.${ambari_proxy_user}.groups=*
> hadoop.proxyuser.${ambari_proxy_user}.hosts=*
> hadoop.proxyuser.hcat.groups=*
> hadoop.proxyuser.hcat.hosts=*
> webhcat.proxyuser.${ambari_proxy_user}.groups=*
> webhcat.proxyuser.${ambari_proxy_user}.hosts=*
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.hosts=*
>
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.users=*
>
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.groups=*
>
> {code}
> For a secure (eg. securityType=KERBEROS) cluster proxy user will be setup
> based on Ambari Server principal.
> A new identity 'ambari-server' will be added to default kerberos descriptor
> where principal name is specified which can be modified either in Kerberos
> Setup wizard screen, or by submitting a custom kerberos descriptor in
> Blueprint case.
> By default, principal name is:
> {code}ambari-server-${cluster_name}@${realm}{code}
> Generate principal & keytab is set in JAAS configuration file.
> Generation of Ambari Server principal and keytab can be enabled / disabled by
> setting config property *create_ambari_principal* = true / false in
> kerberos-env config. ('Create Ambari Principal & Keytab' on Keberos Setup
> wizard screen). This is enabled by default.
> There is a new functionality in Kerberos related handling of configurations
> recommended by StackAdvisor, properties marked with delete flag by
> StackAdvisor are removed from configuration when running Enable Kerberos
> wizard. This is necessary to be able to remove old Ambari proxy users in
> non-secure mode.
> In a scenario where multiple Ambari servers are managing a single cluster,
> only the _operation master_ Ambari server will be affected. All other Ambari
> server instances will need to be manually updated. Meaning, the Ambari server
> keytab file will need to be manually distributed to the _other_ Ambari server
> hosts. Also, the _other_ Ambari servers' JAAS files will need to be manually
> updated either by editing the {{/etc/ambari-server/conf/krb5JAASLogin.conf}}
> file or by executing {{ambari-server setup-security}} and selecting option
> #3, {{Setup Ambari kerberos JAAS configuration}}.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
