Robert Levas created AMBARI-23628:
-------------------------------------
Summary: Enable Ambari SSO to be enabled without impacting other
service sso configs
Key: AMBARI-23628
URL: https://issues.apache.org/jira/browse/AMBARI-23628
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.7.0
Reporter: santhosh
Assignee: Robert Levas
Fix For: 2.7.0
*Scenario*
Ranger and Atlas are SSO enabled via BP deploys and Ambari is not SSO enabled.
Later, Ambari SSO has to be enabled without changing existing configs (so a restart
will not be required) for Atlas and Ranger.
Now this is not possible with the "Enable for the selected services" option.
This was possible in previous versions, but with the latest changes from
AMBARI-23253, even if SSO was enabled for services earlier, we still have to opt
in to SSO for Ranger and Atlas in the list. When services are specified in the list,
this would prompt for a service restart.
So,
* If we enable SSO for Ambari and not the other services via the CLI, then any
previous SSO setting for those services will be cleared.
* If we enable SSO for Ambari and the other services via the CLI, then any
previous SSO setting for those services will potentially be updated, and this
causes services to need a restart. But since the data is the same, no restart should
be needed for those services.
*Solution*
Add new prompts to separate Ambari's SSO configuration from the managed
service's SSO configs so they can be managed separately:
* Use SSO for Ambari ({{--sso-enabled-ambari}})
* Manage SSO configurations for eligible services ({{--sso-manage-services}})
{noformat}
[root@c7401 ~]# ambari-server setup-sso --help
Using python /usr/bin/python
Setting up SSO authentication properties...
Usage: ambari-server.py action [options]

Options:
  -h, --help            show this help message and exit
  -v, --verbose         Print verbose status messages
  -s, --silent          Silently accepts default prompt values. For db-cleanup
                        command, silent mode will stop ambari server.
  --sso-enabled=SSO_ENABLED
                        Indicates whether to enable/disable SSO
  --sso-enabled-ambari=SSO_ENABLED_AMBARI
                        Indicates whether to enable/disable SSO authentication
                        for Ambari, itself
  --sso-manage-services=SSO_MANAGE_SERVICES
                        Indicates whether Ambari should manage the SSO
                        configurations for specified services
  --sso-enabled-services=SSO_ENABLED_SERVICES
                        A comma separated list of services that are expected
                        to be configured for SSO (you are allowed to use '*'
                        to indicate ALL services)
  --sso-provider-url=SSO_PROVIDER_URL
                        The URL of SSO provider; this must be provided when
                        --sso-enabled is set to 'true'
  --sso-public-cert-file=SSO_PUBLIC_CERT_FILE
                        The path where the public certificate PEM is located;
                        this must be provided when --sso-enabled is set to
                        'true'
  --sso-jwt-cookie-name=SSO_JWT_COOKIE_NAME
                        The name of the JWT cookie
  --sso-jwt-audience-list=SSO_JWT_AUDIENCE_LIST
                        A comma separated list of JWT audience(s)
  --ambari-admin-username=AMBARI_ADMIN_USERNAME
                        Ambari administrator username for accessing Ambari's
                        REST API
  --ambari-admin-password=AMBARI_ADMIN_PASSWORD
                        Ambari administrator password for accessing Ambari's
                        REST API
{noformat}