[
https://issues.apache.org/jira/browse/AMBARI-24229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Levas updated AMBARI-24229:
----------------------------------
Description:
Certain configuration changes should be avoided when regenerating keytab files
during different scenarios.
For example, existing non-Kerberos configurations should not be changed during
the regenerate keytabs operation performed during an upgrade. However, it is
necessary for Kerberos identity-related configurations (such as keytab file
paths and principal names) to be added and updated; as well as allow for new
Kerberos-related configurations to be added.
To allow for this, a new _update configuration policy_ value has been added to
the set of directives (*_config_update_policy_*) allowed when issuing a call to
regenerate keytab files. This directive replaces the less flexible
*_ignore_config_updates_* directive which only allows a user to enable or
disable the ability for the operation to change configurations. The values
allowed for *_config_update_policy_* are as follows:
* {{none}} - No configurations will be updated
* {{identities_only}} - New and updated configurations related to Kerberos
identity information - principal, keytab file, and auth-to-local rule
properties
* {{new_and_identities}} - Only new configurations declared by the Kerberos
descriptor and stack advisor as well as the identity-related changes
* {{all}} - All configuration changes
During an upgrade, the _update configuration policy_ is set to
{{new_and_identities}}.
was: It's too dangerous to have the {{KerberosHelper}} reach out to the
service advisor during an upgrade and alter configurations. We should prevent
this from happening. It can cause reversions of properties which were
specifically set by the upgrade.
> Prevent Configuration Changes During Keytab Regeneration in an Upgrade
> ----------------------------------------------------------------------
>
> Key: AMBARI-24229
> URL: https://issues.apache.org/jira/browse/AMBARI-24229
> Project: Ambari
> Issue Type: Bug
> Affects Versions: 2.7.0
> Reporter: Kavan Suresh
> Assignee: Robert Levas
> Priority: Blocker
> Labels: pull-request-available
> Fix For: 2.7.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Certain configuration changes should be avoided when regenerating keytab
> files during different scenarios.
> For example, existing non-Kerberos configurations should not be changed
> during the regenerate keytabs operation performed during an upgrade. However,
> it is necessary for Kerberos identity-related configurations (such as keytab
> file paths and principal names) to be added and updated; as well as allow for
> new Kerberos-related configurations to be added.
> To allow for this, a new _update configuration policy_ value has been added
> to the set of directives (*_config_update_policy_*) allowed when issuing a
> call to regenerate keytab files. This directive replaces the less flexible
> *_ignore_config_updates_* directive which only allows a user to enable or
> disable the ability for the operation to change configurations. The values
> allowed for *_config_update_policy_* are as follows:
> * {{none}} - No configurations will be updated
> * {{identities_only}} - New and updated configurations related to Kerberos
> identity information - principal, keytab file, and auth-to-local rule
> properties
> * {{new_and_identities}} - Only new configurations declared by the Kerberos
> descriptor and stack advisor as well as the identity-related changes
> * {{all}} - All configuration changes
> During an upgrade, the _update configuration policy_ is set to
> {{new_and_identities}}.
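The four policy values described in this issue can be modelled as a filter over proposed configuration changes. This is an added illustration, not Ambari's own code: the function name `filter_updates`, the caller-supplied `identity_keys` set and the sample HDFS values are assumptions constructed for the example.

```python
from enum import Enum

class UpdatePolicy(Enum):
    NONE = "none"
    IDENTITIES_ONLY = "identities_only"
    NEW_AND_IDENTITIES = "new_and_identities"
    ALL = "all"

def filter_updates(policy, current, proposed, identity_keys):
    """Split proposed changes into (applied, skipped) under the given policy.

    current/proposed: {config_type: {property: value}}
    identity_keys: set of (config_type, property) pairs holding principal,
    keytab file or auth-to-local values (assumed to be supplied by the caller).
    """
    policy = UpdatePolicy(policy)  # raises ValueError on an unknown value
    applied, skipped = {}, {}
    for config_type, props in proposed.items():
        existing = current.get(config_type, {})
        for name, value in props.items():
            if name in existing and existing[name] == value:
                continue  # not a change, nothing to decide
            is_identity = (config_type, name) in identity_keys
            is_new = name not in existing
            allowed = (
                policy is UpdatePolicy.ALL
                or (is_identity and policy is not UpdatePolicy.NONE)
                or (is_new and policy is UpdatePolicy.NEW_AND_IDENTITIES)
            )
            bucket = applied if allowed else skipped
            bucket.setdefault(config_type, {})[name] = value
    return applied, skipped

# Constructed sample data (not taken from the issue).
CURRENT = {"hdfs-site": {
    "dfs.namenode.handler.count": "200",      # value set by the upgrade
    "dfs.namenode.keytab.file": "/etc/security/keytabs/nn.keytab",
}}
PROPOSED = {"hdfs-site": {
    "dfs.namenode.handler.count": "100",      # advisor would revert it
    "dfs.namenode.keytab.file": "/etc/security/keytabs/nn.service.keytab",
    "dfs.namenode.kerberos.principal": "nn/_HOST@EXAMPLE.COM",
    "dfs.block.access.token.enable": "true",  # new, not identity-related
}}
IDENTITY_KEYS = {("hdfs-site", "dfs.namenode.keytab.file"),
                 ("hdfs-site", "dfs.namenode.kerberos.principal")}

if __name__ == "__main__":
    for p in UpdatePolicy:
        print(p.value, filter_updates(p, CURRENT, PROPOSED, IDENTITY_KEYS))
```

With `new_and_identities`, the only skipped change is the one that would overwrite an existing non-identity property, which is the reversion the original description warns about.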