[jira] [Resolved] (AMBARI-24390) Filter services eligible for Ambari Single Sign-on Configuration if Kerberos is required but not enabled

[Attila Magyar (JIRA)]

     [ 
https://issues.apache.org/jira/browse/AMBARI-24390?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Attila Magyar resolved AMBARI-24390.
------------------------------------
    Resolution: Fixed

> Filter services eligible for Ambari Single Sign-on Configuration if Kerberos 
> is required but not enabled
> --------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-24390
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24390
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.1
>            Reporter: Robert Levas
>            Assignee: Attila Magyar
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 2.7.1
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Filter services from Ambari CLI when setting up SSO if not eligible when 
> Kerberos is not enabled.  
> In Ambari 2.7, services that are eligible for Ambari to manage their SSO 
> configurations specify this in their metainfo file using like:
> {code}
>       <sso>
>         <supported>true</supported>
>         
> <enabledConfiguration>application-properties/atlas.sso.knox.enabled</enabledConfiguration>
>       </sso>
> {code}
> See AMBARI-23253
> See [Ambari Single Sign-on 
> Configuration|https://github.com/apache/ambari/blob/branch-2.7/ambari-server/docs/security/sso/index.md]
>  documentation
> However some services require Kerberos to be enabled for SSO to work.  For 
> example, HDFS, Yarn, and Oozie.  For this case, the metadata is enhanced 
> allowing for the metadata to indicate whether Kerberos is required 
> (AMBARI-24335) and whether Kerberos is enabled (AMBARI-24384) for that 
> service.
> This information can be found in the service resource data
> {code:title=GET /api/v1/clusters/CLUSTERNAME/services/OOZIE}
> {
>   "href" : 
> "http://ambari_host:8080/api/v1/clusters/CLUSTERNAME/services/OOZIE";,
>   "ServiceInfo" : {
>     ...
>     "kerberos_enabled" : true,
>     ...
>    "sso_integration_desired": false,
>    "sso_integration_enabled": false,
>    "sso_integration_requires_kerberos": true,
>    "sso_integration_supported": true,
>    ...
>    },
>    ...
> }
> {code}
> Using this information, services may be included in or excluded from the list 
> of services a user can choose for enabling SSO integration. 
> For example
> ||sso_integration_supported||sso_integration_requires_kerberos||kerberos_enabled||Can
>  Enable SSO||
> |true|true|true|yes
> |true|true|false|no
> |true|false|true|yes
> |true|false|false|yes
> |false|true|true|no
> |false|true|false|no
> |false|false|true|no
> |false|false|false|no
>   



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)