[jira] [Commented] (AMBARI-16171) Changes to Phoenix QueryServer Kerberos configuration

Fri, 29 Apr 2016 05:17:33 -0700 

    [ 
https://issues.apache.org/jira/browse/AMBARI-16171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15263968#comment-15263968
 ] 

Robert Levas commented on AMBARI-16171:
---------------------------------------

[~elserj],

For upgrade scenarios, I have used the _UpgradeCatalog_ classes to do the work. 
This is where we typically make changes to the existing data in the database.  
I assume the target for this patch is Ambari 2.4.0.  If so, then you will want 
to edit the UpgradeCatalog240 class 
({{org.apache.ambari.server.upgrade.UpgradeCatalog240}}) and add your logic 
there.

Essentially you are looking to change the following properties in the active 
version of the {{hbase-site}} config:
* {{hbase-site/phoenix.queryserver.kerberos.principal}}
* {{hbase-site/phoenix.queryserver.keytab.file}}

I do a similar thing (sort of) in this class when renaming 
{{kerberos-env/kdc_host}} to {{kerberos-env//kdc_hosts}}.  See 
{{org.apache.ambari.server.upgrade.UpgradeCatalog240#updateKerberosConfigs}} 
for an example of what you might need to do. 

Please feel free to contact me via Skype, HipChat, or this JIRA if you want to 
go over this in more detail. 


> Changes to Phoenix QueryServer Kerberos configuration
> -----------------------------------------------------
>
>                 Key: AMBARI-16171
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16171
>             Project: Ambari
>          Issue Type: Improvement
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>         Attachments: AMBARI-16171.001.patch
>
>
> The up-coming version of Phoenix will contain some new functionality to 
> support Kerberos authentication of clients via SPNEGO with the Phoenix Query 
> Server (PQS).
> Presently, Ambari will configure PQS to use the hbase service keytab which 
> will result in the SPNEGO authentication failing as the RFC requires that the 
> "primary" component of the Kerberos principal for the server is "HTTP". Thus, 
> we need to ensure that we switch PQS over to use the spnego.service.keytab as 
> the keytab and "HTTP/_HOST@REALM" as the principal.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to