[jira] [Updated] (AMBARI-22715) Kafka broken by auth_to_local rules when case_insensitive_username_rules=true

Tue, 02 Jan 2018 05:33:04 -0800 

     [ 
https://issues.apache.org/jira/browse/AMBARI-22715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sean Roberts updated AMBARI-22715:
----------------------------------
    Description: 
https://issues.apache.org/jira/browse/AMBARI-22715

Kafka brokers will fail to start when Kerberos is set with:
case_insensitive_username_rules=true

This is due to Kafka not supporting the lower case (/L) functionality.

How to reproduce:
1. Deploy a cluster which includes Kafka
2. Kerberize cluster
3. Ensure following is set in 'kerberos-env':
{code}
case_insensitive_username_rules=true
manage_auth_to_local=true
{code}
4. Start Kafka brokers
5. They will fail to start.

This is due to Kafka not supporting lowercase rules ("/L)" rules.

Note the /Ls in the configuration which Ambari applied:

{code}
"sasl.kerberos.principal.to.local.rules" : 
"RULE:[1:$1@$0]([email protected])s/.*/ambari-qa/,RULE:[1:$1@$0]([email protected])s/.*/hbase/,RULE:[1:$1@$0]([email protected])s/.*/hdfs/,RULE:[1:$1@$0]([email protected])s/.*/spark/,RULE:[1:$1@$0]([email protected])s/.*/zeppelin/,RULE:[1:$1@$0](.*@CLUSTER.TEST.COM)s/@.*///L,RULE:[2:$1@$0]([email protected])s/.*/activity_analyzer/,RULE:[2:$1@$0]([email protected])s/.*/activity_explorer/,RULE:[2:$1@$0]([email protected])s/.*/ams/,RULE:[2:$1@$0]([email protected])s/.*/ams/,RULE:[2:$1@$0]([email protected])s/.*/atlas/,RULE:[2:$1@$0]([email protected])s/.*/hdfs/,RULE:[2:$1@$0]([email protected])s/.*/hbase/,RULE:[2:$1@$0]([email protected])s/.*/hive/,RULE:[2:$1@$0]([email protected])s/.*/mapred/,RULE:[2:$1@$0]([email protected])s/.*/hdfs/,RULE:[2:$1@$0]([email protected])s/.*/knox/,RULE:[2:$1@$0]([email protected])s/.*/livy/,RULE:[2:$1@$0]([email protected])s/.*/yarn/,RULE:[2:$1@$0]([email protected])s/.*/hdfs/,RULE:[2:$1@$0]([email protected])s/.*/oozie/,RULE:[2:$1@$0]([email protected])s/.*/ranger/,RULE:[2:$1@$0]([email protected])s/.*/keyadmin/,RULE:[2:$1@$0]([email protected])s/.*/rangertagsync/,RULE:[2:$1@$0]([email protected])s/.*/rangerusersync/,RULE:[2:$1@$0]([email protected])s/.*/yarn/,RULE:[2:$1@$0]([email protected])s/.*/yarn/,DEFAULT",
{code}

  was:
Kafka brokers will fail to start when Kerberos is set with:
case_insensitive_username_rules=true

This is due to Kafka not supporting the lower case (/L) functionality.

How to reproduce:
1. Deploy a cluster which includes Kafka
2. Kerberize cluster
3. Ensure following is set in 'kerberos-env':
{code}
case_insensitive_username_rules=true
manage_auth_to_local=true
{code}
4. Start Kafka brokers
5. They will fail due to "/L" rules in 'kafka-broker: 
sasl.kerberos.principal.to.local.rules'



> Kafka broken by auth_to_local rules when case_insensitive_username_rules=true
> -----------------------------------------------------------------------------
>
>                 Key: AMBARI-22715
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22715
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Sean Roberts
>
> https://issues.apache.org/jira/browse/AMBARI-22715
> Kafka brokers will fail to start when Kerberos is set with:
> case_insensitive_username_rules=true
> This is due to Kafka not supporting the lower case (/L) functionality.
> How to reproduce:
> 1. Deploy a cluster which includes Kafka
> 2. Kerberize cluster
> 3. Ensure following is set in 'kerberos-env':
> {code}
> case_insensitive_username_rules=true
> manage_auth_to_local=true
> {code}
> 4. Start Kafka brokers
> 5. They will fail to start.
> This is due to Kafka not supporting lowercase rules ("/L)" rules.
> Note the /Ls in the configuration which Ambari applied:
> {code}
> "sasl.kerberos.principal.to.local.rules" : 
> "RULE:[1:$1@$0]([email protected])s/.*/ambari-qa/,RULE:[1:$1@$0]([email protected])s/.*/hbase/,RULE:[1:$1@$0]([email protected])s/.*/hdfs/,RULE:[1:$1@$0]([email protected])s/.*/spark/,RULE:[1:$1@$0]([email protected])s/.*/zeppelin/,RULE:[1:$1@$0](.*@CLUSTER.TEST.COM)s/@.*///L,RULE:[2:$1@$0]([email protected])s/.*/activity_analyzer/,RULE:[2:$1@$0]([email protected])s/.*/activity_explorer/,RULE:[2:$1@$0]([email protected])s/.*/ams/,RULE:[2:$1@$0]([email protected])s/.*/ams/,RULE:[2:$1@$0]([email protected])s/.*/atlas/,RULE:[2:$1@$0]([email protected])s/.*/hdfs/,RULE:[2:$1@$0]([email protected])s/.*/hbase/,RULE:[2:$1@$0]([email protected])s/.*/hive/,RULE:[2:$1@$0]([email protected])s/.*/mapred/,RULE:[2:$1@$0]([email protected])s/.*/hdfs/,RULE:[2:$1@$0]([email protected])s/.*/knox/,RULE:[2:$1@$0]([email protected])s/.*/livy/,RULE:[2:$1@$0]([email protected])s/.*/yarn/,RULE:[2:$1@$0]([email protected])s/.*/hdfs/,RULE:[2:$1@$0]([email protected])s/.*/oozie/,RULE:[2:$1@$0]([email protected])s/.*/ranger/,RULE:[2:$1@$0]([email protected])s/.*/keyadmin/,RULE:[2:$1@$0]([email protected])s/.*/rangertagsync/,RULE:[2:$1@$0]([email protected])s/.*/rangerusersync/,RULE:[2:$1@$0]([email protected])s/.*/yarn/,RULE:[2:$1@$0]([email protected])s/.*/yarn/,DEFAULT",
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to