[
https://issues.apache.org/jira/browse/AMBARI-17226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Levas updated AMBARI-17226:
----------------------------------
Description:
When requesting a Kerberos Descriptor via the REST API, 'when' clauses should
optionally be processed. If elected to be processed, identities that contain
{{when}} clauses will be included or excluded from the resulting descriptor
based on the result of the evaluation.
In the event of an _add service_ scenario, the services being added should be
able to be specified so that they can be included in the data used for
{{when}}-clause evaluation.
*Solution*
Add _{{GET}} directives_ to specify whether {{when}} clauses are to be
evaluated (or not) while building the Kerberos Descriptor using the following
API call:
{noformat}
GET
/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/COMPOSITE?evaluate_when=true
{noformat}
If new services are being added, the {{additional_services}} directive should
be added to the request so the evaluation can be preformed on the _future_ set
of services, which may evaluate differently then the _current_ set of services.
{noformat}
GET
/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/COMPOSITE?evaluate_when=true@additional_services=HIVE,TEZ,PIG
{noformat}
was:
1. Deploy ambari cluster with YARN, HDFS, ZOOKEEPER and HBASE
2. enable security (AD)
Expected: On ConfigureIdentities page hive.llap.zk.sm.principal and
hive.llap.zk.sm.keytab.file
should not be present if hive is not deployed on cluster.
Actual: These 2 properties are showing under Ambari Principals panel even when
Hive is not deployed on the cluster.
*Cause*
This is caused when identities that have {{when}} clauses are not filtered out
if the when clause evaluates to {{false}} when the UI queries for the
(composite) Kerberos Descriptor.
*Solution*
Add a {{GET}} directive to specify {{when}} clauses are to be evaluatated while
building the Kerberos Descriptor using the following API call:
{noformat}
GET
/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/COMPOSITE?evaluate_when=true
{noformat}
> When requesting a Kerberos Descriptor via the REST API, 'when' clauses should
> optionally be processed
> -----------------------------------------------------------------------------------------------------
>
> Key: AMBARI-17226
> URL: https://issues.apache.org/jira/browse/AMBARI-17226
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.4.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Fix For: 2.4.0
>
>
> When requesting a Kerberos Descriptor via the REST API, 'when' clauses should
> optionally be processed. If elected to be processed, identities that contain
> {{when}} clauses will be included or excluded from the resulting descriptor
> based on the result of the evaluation.
> In the event of an _add service_ scenario, the services being added should be
> able to be specified so that they can be included in the data used for
> {{when}}-clause evaluation.
> *Solution*
> Add _{{GET}} directives_ to specify whether {{when}} clauses are to be
> evaluated (or not) while building the Kerberos Descriptor using the following
> API call:
> {noformat}
> GET
> /api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/COMPOSITE?evaluate_when=true
> {noformat}
> If new services are being added, the {{additional_services}} directive should
> be added to the request so the evaluation can be preformed on the _future_
> set of services, which may evaluate differently then the _current_ set of
> services.
> {noformat}
> GET
> /api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/COMPOSITE?evaluate_when=true@additional_services=HIVE,TEZ,PIG
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
