[ 
https://issues.apache.org/jira/browse/AMBARI-24528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16590207#comment-16590207
 ] 

Robert Levas commented on AMBARI-24528:
---------------------------------------

[~seano]... I agree with this; however, Ambari is not yet smart enough to know 
when a particular change requires the Kerberos identities to be updated, so we 
need to do it when any Kerberos-related change is made.

My goal is to one day make the Kerberos feature a first-class feature of Ambari 
and then we will have more control over this.  

> Kerberos "Additional Realms" should not require keytab re-generation and 
> cluster restart
> ----------------------------------------------------------------------------------------
>
>                 Key: AMBARI-24528
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24528
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-admin, security
>    Affects Versions: 2.5.0, 2.6.0
>            Reporter: Sean Roberts
>            Priority: Major
>              Labels: auth_to_local, kerberos
>
> "Admin -> Kerberos -> Additional Realms"
> * Currently requires keytab re-generation which in turn requires restarting 
> the cluster. *But it is completely unrelated to keytabs*.
> Fix:
> * Move "Additional Realms" to the "Kerberos" service configs where it 
> belongs, along with the "auth_to_local" setting which is what it is used for.
> * When it is changed:
>    ** No keytab re-generation is then required.
>    ** Instead of silently altering "auth_to_local" rules, they should come up 
> as "Recommendations".



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
