[
https://issues.apache.org/jira/browse/AMBARI-16171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15264589#comment-15264589
]
Robert Levas commented on AMBARI-16171:
---------------------------------------
[~elserj]...
Yikes, I missed something. So far you seem to be doing it correctly. However,
rather than checking to see if the KERBEROS service is installed (it may not be
if the user chooses the manual option), you should check to see if the cluster's
security type is Kerberos:
{code}
cluster.getSecurityType() == SecurityType.KERBEROS
{code}
As for the item I missed, you need to update the stored Kerberos descriptor as
well as the properties.
So before doing all the property work, you will want to:
# Get the Kerberos descriptor artifact
# See if it has an entry for the PQS
# Update the value for both the principal and keytab items to the value you have specified in the updated {{kerberos.json}} file
Then, once you get the value, you will want to perform the routines to replace the
variables in the relevant Kerberos identity descriptor items.
*To update the Kerberos descriptor*, see
{{org.apache.ambari.server.upgrade.UpgradeCatalog220#updateKerberosDescriptorArtifact}}.
Apparently you need to add {{updateKerberosDescriptorArtifacts()}} to
{{org.apache.ambari.server.upgrade.UpgradeCatalog240#executeDMLUpdates}} to
invoke your implementation of {{updateKerberosDescriptorArtifact}}.
*To generate the values you need for filling in the properties*, you will want
to invoke
{{org.apache.ambari.server.state.kerberos.VariableReplacementHelper#replaceVariables}}.
You should be able to create an instance of
{{org.apache.ambari.server.state.kerberos.VariableReplacementHelper}} and then
call {{replaceVariables}} any number of times. The trick is feeding the method.
The first argument is the value you want to perform the replacement on (for
example, "HTTP/_HOST@$\{realm\}") and the second is a map of config types to
property maps representing the configuration of the cluster. You might be able
to cheat here if you know which values will be needed for replacement, but I
would not assume anything.
*To get the Kerberos identity properties for the /spnego identity*, you need
to build the Kerberos descriptor and query it for the data you want. This can
be done by doing the following:
{code}
KerberosHelper kerberosHelper = injector.getInstance(KerberosHelper.class);
// Call the method on the injected instance, not on the class
KerberosDescriptor defaultDescriptor =
    kerberosHelper.getKerberosDescriptor(cluster);
{code}
This may or may not work, depending on how much of the infrastructure is
available at the time you make the call. However, let's try this first since it
is easier than manually building the descriptor yourself.
Once you get the Kerberos descriptor, you can get the /spnego Kerberos Identity
Descriptor by
{code}
kerberosDescriptor.getIdentity("spnego")
{code}
There is no need to use the "/" since you are already at the top of the
Kerberos descriptor tree.
From here, you can get the principal and keytab descriptors, and then their
values. For example:
{code}
String value = null;
KerberosIdentityDescriptor identityDescriptor =
    defaultDescriptor.getIdentity("spnego");
if (identityDescriptor != null) {
  KerberosPrincipalDescriptor principalDescriptor =
      identityDescriptor.getPrincipalDescriptor();
  if (principalDescriptor != null) {
    // Raw principal value; variables in it have not been replaced yet
    value = principalDescriptor.getValue();
  }
}
{code}
Finally, *creating the config type to properties map* can be done by calling
{{org.apache.ambari.server.controller.KerberosHelperImpl#calculateConfigurations}}.
The first parameter is the cluster object; the next should be {{null}}, since
we don't care about host-specific configurations at this time; and the last
parameter is the value from {{kerberosDescriptor.getProperties()}}.
I think this should do the trick. Let me know if I left something out.
> Changes to Phoenix QueryServer Kerberos configuration
> -----------------------------------------------------
>
> Key: AMBARI-16171
> URL: https://issues.apache.org/jira/browse/AMBARI-16171
> Project: Ambari
> Issue Type: Improvement
> Reporter: Josh Elser
> Assignee: Josh Elser
> Attachments: AMBARI-16171.001.patch
>
>
> The up-coming version of Phoenix will contain some new functionality to
> support Kerberos authentication of clients via SPNEGO with the Phoenix Query
> Server (PQS).
> Presently, Ambari will configure PQS to use the hbase service keytab which
> will result in the SPNEGO authentication failing as the RFC requires that the
> "primary" component of the Kerberos principal for the server is "HTTP". Thus,
> we need to ensure that we switch PQS over to use the spnego.service.keytab as
> the keytab and "HTTP/_HOST@REALM" as the principal.
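The "map of config types to property maps" that the comment above says must be fed to {{replaceVariables}}, shown as an added example that is not part of the original comment and is not Ambari code. The replacer is a simplified stand-in; the class name, the sample values, and the use of the empty-string key for variables without a config type (such as {{realm}}) are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Simplified stand-in written for this example; NOT Ambari's VariableReplacementHelper.
public class VariableReplacementSketch {
  // Matches ${name} and ${config-type/name}.
  private static final Pattern VARIABLE =
      Pattern.compile("\\$\\{(?:([\\w.-]+)/)?([\\w.-]+)\\}");

  static String replaceVariables(String value, Map<String, Map<String, String>> configurations) {
    Matcher matcher = VARIABLE.matcher(value);
    StringBuffer result = new StringBuffer();
    while (matcher.find()) {
      // Assumption: variables with no config type are looked up under the "" key.
      String type = (matcher.group(1) == null) ? "" : matcher.group(1);
      Map<String, String> properties = configurations.get(type);
      String replacement = (properties == null) ? null : properties.get(matcher.group(2));
      if (replacement == null) {
        // Fail loudly instead of storing a half-resolved principal or keytab path.
        throw new IllegalArgumentException("No value for " + matcher.group());
      }
      matcher.appendReplacement(result, Matcher.quoteReplacement(replacement));
    }
    matcher.appendTail(result);
    return result.toString();
  }

  public static void main(String[] args) {
    // Constructed sample data in the shape described: config type -> (property -> value).
    Map<String, String> general = new HashMap<>();
    general.put("realm", "EXAMPLE.COM");
    general.put("keytab_dir", "/etc/security/keytabs");
    Map<String, String> clusterEnv = new HashMap<>();
    clusterEnv.put("smokeuser", "ambari-qa");
    Map<String, Map<String, String>> configurations = new HashMap<>();
    configurations.put("", general);
    configurations.put("cluster-env", clusterEnv);

    System.out.println(replaceVariables("HTTP/_HOST@${realm}", configurations));
    System.out.println(replaceVariables("${keytab_dir}/spnego.service.keytab", configurations));
    System.out.println(replaceVariables("${cluster-env/smokeuser}@${realm}", configurations));
    try {
      replaceVariables("HTTP/_HOST@${kerberos-env/realm}", configurations);
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The last call is rejected because the constructed map has no {{kerberos-env}} entry, which is the failure to expect when the map is filled by guessing which values are needed rather than calculated from the cluster.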