[ https://issues.apache.org/jira/browse/AMBARI-16171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15264477#comment-15264477 ]

Josh Elser commented on AMBARI-16171:
-------------------------------------

{code}
  /**
   * Update Phoenix Query Server Kerberos configurations. 2.4 will move the Phoenix Query Server to
   * supporting SPNEGO authentication which requires the "HTTP/_HOST" principal and corresponding
   * keytab file instead of the generic HBase service keytab it previously had.
   */
  protected void updatePhoenixConfigs() throws AmbariException {
    AmbariManagementController controller = injector.getInstance(AmbariManagementController.class);
    Clusters clusters = controller.getClusters();

    if (null != clusters) {
      Map<String, Cluster> clusterMap = clusters.getClusters();

      if (null != clusterMap && !clusterMap.isEmpty()) {
        for (final Cluster cluster : clusterMap.values()) {
          Set<String> installedServices = cluster.getServices().keySet();

          // HBase and Kerberos are both installed/enabled
          if (installedServices.contains("HBASE") && installedServices.contains("KERBEROS")) {
            Config hbaseSite = cluster.getDesiredConfigByType(HBASE_SITE_CONFIG);
            if (null != hbaseSite) {
              Map<String, String> hbaseSiteProperties = hbaseSite.getProperties();
              // Get Phoenix Query Server kerberos config properties
              String pqsKrbPrincipal = hbaseSiteProperties.get(PHOENIX_QUERY_SERVER_PRINCIPAL_KEY);
              String pqsKrbKeytab = hbaseSiteProperties.get(PHOENIX_QUERY_SERVER_KEYTAB_KEY);

              // Principal and Keytab are set
              if (null != pqsKrbPrincipal && null != pqsKrbKeytab) {
                Map<String, String> updatedKerberosProperties = new HashMap<>();
                // TODO Values?
                updatedKerberosProperties.put(PHOENIX_QUERY_SERVER_PRINCIPAL_KEY, "HTTP/_HOST@REALM");
                updatedKerberosProperties.put(PHOENIX_QUERY_SERVER_KEYTAB_KEY, "/etc/security/keytabs/spnego.service.keytab");

                updateConfigurationProperties(HBASE_SITE_CONFIG, updatedKerberosProperties, true, false);
              }
            }
          }
        }
      }
    }
  }
{code}

[~rlevas] the above is what I presently have worked out. The only confusion I 
have is how to determine what values should be placed in 
{{updatedKerberosProperties}} (by the TODO). Can you point me at some examples 
of how to get the location of the spnego keytab and how to get the proper 
principal name (I could probably just modify the existing principal, but I'm 
not sure if that would work as I'd hope)?

> Changes to Phoenix QueryServer Kerberos configuration
> -----------------------------------------------------
>
>                 Key: AMBARI-16171
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16171
>             Project: Ambari
>          Issue Type: Improvement
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>         Attachments: AMBARI-16171.001.patch
>
>
> The upcoming version of Phoenix will contain some new functionality to 
> support Kerberos authentication of clients via SPNEGO with the Phoenix Query 
> Server (PQS).
> Presently, Ambari will configure PQS to use the hbase service keytab which 
> will result in the SPNEGO authentication failing as the RFC requires that the 
> "primary" component of the Kerberos principal for the server is "HTTP". Thus, 
> we need to ensure that we switch PQS over to use the spnego.service.keytab as 
> the keytab and "HTTP/_HOST@REALM" as the principal.
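
The requirement in the description, that the server principal's primary component be "HTTP", can be checked mechanically before a configuration is applied. The following is an added example, not code from the attached patch or from Ambari, and it does not show how Ambari itself supplies these values; the class and method names are hypothetical and the sample principals are constructed.

```java
public class SpnegoPrincipalCheck {
  /** Principal split into primary[/instance][@realm]; absent parts are null. */
  static final class Principal {
    final String primary, instance, realm;
    Principal(String primary, String instance, String realm) {
      this.primary = primary; this.instance = instance; this.realm = realm;
    }
    @Override public String toString() {
      return primary + (instance == null ? "" : "/" + instance)
          + (realm == null ? "" : "@" + realm);
    }
  }

  /** Assumption: no backslash-escaped '/' or '@' inside the components. */
  static Principal parse(String name) {
    if (name == null || name.trim().isEmpty()) {
      throw new IllegalArgumentException("empty principal");
    }
    String rest = name.trim();
    int at = rest.lastIndexOf('@');
    String realm = at < 0 ? null : rest.substring(at + 1);
    if (at >= 0) rest = rest.substring(0, at);
    int slash = rest.indexOf('/');
    String primary = slash < 0 ? rest : rest.substring(0, slash);
    String instance = slash < 0 ? null : rest.substring(slash + 1);
    return new Principal(primary, instance, realm);
  }

  /** The primary must be exactly "HTTP" (case-sensitive) with a host instance. */
  static boolean usableForSpnego(Principal p) {
    return "HTTP".equals(p.primary) && p.instance != null && !p.instance.isEmpty();
  }

  public static void main(String[] args) {
    // Constructed sample values, not taken from a real cluster.
    String[] samples = {"hbase/_HOST@EXAMPLE.COM", "http/_HOST@EXAMPLE.COM",
        "HTTP/_HOST@EXAMPLE.COM", "hbase@EXAMPLE.COM"};
    for (String name : samples) {
      Principal p = parse(name);
      if (usableForSpnego(p)) {
        System.out.println(name + ": ok for SPNEGO");
      } else if (p.instance == null || p.instance.isEmpty()) {
        System.out.println(name + ": no host instance, cannot derive HTTP/<host>");
      } else {
        System.out.println(name + ": primary '" + p.primary + "', expected "
            + new Principal("HTTP", p.instance, p.realm));
      }
    }
  }
}
```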


