Andrii Tkach created AMBARI-23690:
-------------------------------------
Summary: The UI should ignore Kerberos identity references when
setting the user-supplied Kerberos descriptor
Key: AMBARI-23690
URL: https://issues.apache.org/jira/browse/AMBARI-23690
Project: Ambari
Issue Type: Bug
Components: ambari-web
Affects Versions: 2.7.0
Reporter: Andrii Tkach
Assignee: Andrii Tkach
Fix For: 2.7.0
The UI should ignore Kerberos identity references when setting the
user-supplied Kerberos descriptor.
For example, any Kerberos identity entry that contains a "reference" attribute,
should not be added to the JSON data stored in the cluster artifact table,
which represents the _user-supplied_ Kerberos descriptor.
Currently, there are a few errors in the current process:
*Variables are being replaced*
{code}
{
"keytab": {
"configuration":
"mapred-site/mapreduce.jobhistory.webapp.spnego-keytab-file",
"file": "/etc/security/keytabs/spnego.service.keytab"
},
"name": "mapreduce2_historyserver_spnego",
"principal": {
"configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal",
"local_username": null,
"type": null,
"value": "HTTP/[email protected]"
},
"reference": "/spnego"
}
{code}
This should be
{code}
{
"keytab": {
"configuration":
"mapred-site/mapreduce.jobhistory.webapp.spnego-keytab-file",
"file": "${keytab_dir}/spnego.service.keytab"
},
"name": "mapreduce2_historyserver_spnego",
"principal": {
"configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal",
"local_username": null,
"type": null,
"value": "HTTP/[email protected]"
},
"reference": "/spnego"
}
{code}
But really should be
{code}
{
"keytab": {
"configuration":
"mapred-site/mapreduce.jobhistory.webapp.spnego-keytab-file"
},
"name": "mapreduce2_historyserver_spnego",
"principal": {
"configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
},
"reference": "/spnego"
}
{code}
*Incorrect variable replacement*
Some replacement issue has occurred where the keytab _file_ and the principal
_name_ values have been swapped:
{code}
{
"keytab": {
"configuration": "hive-site/hive.server2.authentication.spnego.keytab",
"file": "HTTP/[email protected]"
},
"name": "hive_hive_server_spnego",
"principal": {
"configuration": "hive-site/hive.server2.authentication.spnego.principal",
"local_username": null,
"type": null,
"value": "/etc/security/keytabs/spnego.service.keytab"
},
"reference": "/spnego"
},
{code}
And error that has resulted from this occurred while installing Hive into a
cluster where Kerberos was enabled:
{noformat}
2018-04-18 19:30:24,557 - Failed to create principal,
/etc/security/keytabs/spnego.service.keytab - Failed to create service
principal for /etc/security/keytabs/spnego.service.keytab
STDOUT: Authenticating as principal admin/[email protected] with existing
credentials.
Principal "/etc/security/keytabs/[email protected]" created.
STDERR: WARNING: no policy specified for
/etc/security/keytabs/[email protected]; defaulting to no policy
���Administration credentials NOT DESTROYED.
{noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
