[jira] [Created] (AMBARI-24390) Filter services eligible for Ambari Single Sign-on Configuration if Kerberos is required but not enabled

Tue, 31 Jul 2018 07:36:12 -0700 

Robert Levas created AMBARI-24390:
-------------------------------------

             Summary: Filter services eligible for Ambari Single Sign-on 
Configuration if Kerberos is required but not enabled
                 Key: AMBARI-24390
                 URL: https://issues.apache.org/jira/browse/AMBARI-24390
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.7.1
            Reporter: Robert Levas
            Assignee: Attila Magyar
             Fix For: 2.7.1


Filter services from Ambari CLI when setting up SSO if not eligible when 
Kerberos is not enabled.  

In Ambari 2.7, services that are eligible for Ambari to manage their SSO 
configurations specify this in their metainfo file using like:

{code}
      <sso>
        <supported>true</supported>
        
<enabledConfiguration>application-properties/atlas.sso.knox.enabled</enabledConfiguration>
      </sso>
{code}

See AMBARI-23253
See [Ambari Single Sign-on 
Configuration|https://github.com/apache/ambari/blob/branch-2.7/ambari-server/docs/security/sso/index.md]
 documentation

However some services require Kerberos to be enabled for SSO to work.  For 
example, HDFS, Yarn, and Oozie.  For this case, the metadata is enhanced 
allowing for the metadata to indicate whether Kerberos is required 
(AMBARI-24335) and whether Kerberos is enabled (AMBARI-24384) for that service.

This information can be found in the service resource data

{code:title=GET /api/v1/clusters/CLUSTERNAME/services/OOZIE}
{
  "href" : "http://ambari_host:8080/api/v1/clusters/CLUSTERNAME/services/OOZIE";,
  "ServiceInfo" : {
    ...
    "kerberos_enabled" : true,
    ...
   "sso_integration_desired": false,
   "sso_integration_enabled": false,
   "sso_integration_requires_kerberos": true,
   "sso_integration_supported": true,
   ...
   },
   ...
}
{code}

Using this information, services may be included in or excluded from the list 
of services a user can choose for enabling SSO integration. 

For example
||sso_integration_supported||sso_integration_requires_kerberos||kerberos_enabled||Can
 Enable SSO||
|true|true|true|yes
|true|true|false|no
|true|false|true|yes
|true|false|false|yes
|false|true|true|no
|false|true|false|no
|false|false|true|no
|false|false|false|no

  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to