[
https://issues.apache.org/jira/browse/AMBARI-15561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15218735#comment-15218735
]
Hudson commented on AMBARI-15561:
---------------------------------
FAILURE: Integrated in Ambari-trunk-Commit #4565 (See
[https://builds.apache.org/job/Ambari-trunk-Commit/4565/])
AMBARI-15561. Automate creation of Ambari Server proxy users (smagyari:
[http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=6c008c83d1fa069d9a4fe30c7b2928dbaad86242])
* ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py
* ambari-server/src/main/resources/stacks/HDP/2.0.6/services/stack_advisor.py
* ambari-server/src/test/python/stacks/2.1/common/test_stack_advisor.py
*
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
*
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
*
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/PrepareDisableKerberosServerAction.java
*
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/PrepareEnableKerberosServerAction.java
* ambari-server/src/main/resources/stacks/HDP/2.1/services/stack_advisor.py
*
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/PrepareKerberosIdentitiesServerAction.java
*
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
*
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
* ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
*
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
* ambari-server/src/test/python/stacks/2.0.6/common/test_stack_advisor.py
*
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java
*
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
*
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIndetityServerAction.java
* ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
*
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
*
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
> Automate creation of Ambari Server proxy users (secure/non-secure clusters),
> principal and keytab, setup of JAAS (secure clusters)
> ----------------------------------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-15561
> URL: https://issues.apache.org/jira/browse/AMBARI-15561
> Project: Ambari
> Issue Type: Improvement
> Components: ambari-server
> Reporter: Sandor Magyari
> Assignee: Sandor Magyari
> Priority: Critical
> Fix For: ambari-2.4.0
>
> Attachments: AMBARI-15561-v2.patch
>
>
> The aim of this improvement is to automate the following:
> - creation of proxy users for Ambari server necessary for views (Files, Hive,
> Pig, Tez etc)
> - creation of Ambari Server principal and keytab, and setup of JAAS which is
> currently a manual step documented here:
> http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_optional_set_up_kerberos_for_ambari_server.html
> In case of a non secure cluster, Ambari proxy user will be set up for the
> user account Ambari Server is running as. This is specified in
> *ambari-server.properties* by *ambari-server.user* and can be adjusted by
> running 'ambari-server setup'.
> Stackadvisor is responsible for configuring proxy users, both for secure /
> non-secure cluster, wizard or blueprint based deployments.
> Therefore in case of blueprint based deployments proxy users will be only
> created if "config_recommendation_strategy": "ALWAYS_APPLY" in Cluster
> template.
> The following proxy users will be configured by stackadvisor:
> {code}
> hadoop.proxyuser.${ambari_proxy_user}.groups=*
> hadoop.proxyuser.${ambari_proxy_user}.hosts=*
> hadoop.proxyuser.hcat.groups=*
> hadoop.proxyuser.hcat.hosts=*
> webhcat.proxyuser.${ambari_proxy_user}.groups=*
> webhcat.proxyuser.${ambari_proxy_user}.hosts=*
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.hosts=*
>
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.users=*
>
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.groups=*
>
> {code}
> For a secure (eg. securityType=KERBEROS) cluster proxy user will be setup
> based on Ambari Server principal.
> A new identity 'ambari-server' will be added to default kerberos descriptor
> where principal name is specified which can be modified either in Kerberos
> Setup wizard screen, or by submitting a custom kerberos descriptor in
> Blueprint case.
> By default, principal name is:
> {code}ambari-server-${cluster_name}@${realm}{code}
> Generate principal & keytab is set in JAAS configuration file.
> Generation of Ambari Server principal and keytab can be enabled / disabled by
> setting config property *create_ambari_principal* = true / false in
> kerberos-env config. ('Create Ambari Principal & Keytab' on Keberos Setup
> wizard screen). This is enabled by default.
> There is a new functionality in Kerberos related handling of configurations
> recommended by StackAdvisor, properties marked with delete flag by
> StackAdvisor are removed from configuration when running Enable Kerberos
> wizard. This is necessary to be able to remove old Ambari proxy users in
> non-secure mode.
> In a scenario where multiple Ambari servers are managing a single cluster,
> only the _operation master_ Ambari server will be affected. All other Ambari
> server instances will need to be manually updated. Meaning, the Ambari server
> keytab file will need to be manually distributed to the _other_ Ambari server
> hosts. Also, the _other_ Ambari servers' JAAS files will need to be manually
> updated either by editing the {{/etc/ambari-server/conf/krb5JAASLogin.conf}}
> file or by executing {{ambari-server setup-security}} and selecting option
> #3, {{Setup Ambari kerberos JAAS configuration}}.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
