[
https://issues.apache.org/jira/browse/AMBARI-24229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Levas updated AMBARI-24229:
----------------------------------
Description:
Certain configuration changes should be avoided when regenerating keytab files
during different scenarios.
For example, existing non-Kerberos configurations should not be changed during
the regenerate keytabs operation performed during an upgrade. However it is
necessary for Kerberos identity-related configurations (such as keytab file
paths and principal names) to be added and updated; as well as allow for new
Kerberos-related configurations to be added.
To allow for this, a new _update configuration policy_ value has been added to
the set of directives (*_config_update_policy_*) allowed when issuing a call to
regenerate keytab files. This directive replaces the less flexible
*_ignore_config_updates_* directive which only allows a user to enable or
disable the ability for the operation to change configurations. The values
allowed for *_config_update_policy_* are as follows:
* {{none}} - No configurations will be updated
* {{identities_only}} - New and updated configurations related to Kerberos
identity information - principal, keytab file, and auth-to-local rule properties
* {{new_and_identities}} - Only new configurations declared by the Kerberos
descriptor and stack advisor as well as the identity-related changes
* {{all}} - All configuration changes
During an upgrade, the _update configuration policy_ is set to
{{new_and_identities}}.
was:
Certain configuration changes should be avoided when regenerating keytab files
during different scenarios.
For example, existing non-Kerberos configurations should not be changed during
the regenerate keytabs operation performed during an upgrade. However it is
necessary for Kerberos identity-related configurations (such as keytab file
paths and principal names) to be added and updated; as well as allow for new
Kerberos-related configurations to be added.
To allow for this, a new _update configuration policy_ value has been added to
the set of directives (*_config_update_policy_*) allowed when issuing a call to
regenerate keytab files. This directive replaces the less flexible
*_ignore_config_updates_* directive which only allows a user to enable or
disable the ability for the operation to change configurations. The values
allowed for *_config_update_policy_* are as follows:
* {{none}} - No configurations will be updated</li>
* {{identities_only}} - New and updated configurations related to Kerberos
identity information - principal, keytab file, and auth-to-local rule
properties</li>
* {{new_and_identities}} - Only new configurations declared by the Kerberos
descriptor and stack advisor as well as the identity-related changes</li>
* {{all}} - All configuration changes
During an upgrade, the _update configuration policy_ is set to
{{new_and_identities}}.
> Prevent Configuration Changes During Keytab Regeneration in an Upgrade
> ----------------------------------------------------------------------
>
> Key: AMBARI-24229
> URL: https://issues.apache.org/jira/browse/AMBARI-24229
> Project: Ambari
> Issue Type: Bug
> Affects Versions: 2.7.0
> Reporter: Kavan Suresh
> Assignee: Robert Levas
> Priority: Blocker
> Labels: pull-request-available
> Fix For: 2.7.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Certain configuration changes should be avoided when regenerating keytab
> files during different scenarios.
> For example, existing non-Kerberos configurations should not be changed
> during the regenerate keytabs operation performed during an upgrade. However
> it is necessary for Kerberos identity-related configurations (such as keytab
> file paths and principal names) to be added and updated; as well as allow for
> new Kerberos-related configurations to be added.
> To allow for this, a new _update configuration policy_ value has been added
> to the set of directives (*_config_update_policy_*) allowed when issuing a
> call to regenerate keytab files. This directive replaces the less flexible
> *_ignore_config_updates_* directive which only allows a user to enable or
> disable the ability for the operation to change configurations. The values
> allowed for *_config_update_policy_* are as follows:
> * {{none}} - No configurations will be updated
> * {{identities_only}} - New and updated configurations related to Kerberos
> identity information - principal, keytab file, and auth-to-local rule
> properties
> * {{new_and_identities}} - Only new configurations declared by the Kerberos
> descriptor and stack advisor as well as the identity-related changes
> * {{all}} - All configuration changes
> During an upgrade, the _update configuration policy_ is set to
> {{new_and_identities}}.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
