[
https://issues.apache.org/jira/browse/AMBARI-23026?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16604794#comment-16604794
]
Hudson commented on AMBARI-23026:
---------------------------------
FAILURE: Integrated in Jenkins build Ambari-branch-2.7 #225 (See
[https://builds.apache.org/job/Ambari-branch-2.7/225/])
AMBARI-23026. Using smoke user's principal/keytab within alerts in a (github:
[https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=fd252bf31142a768d691f009bc281f17f1a42323])
* (edit) ambari-server/src/main/resources/common-services/AMBARI_INFRA_SOLR/0.1.0/alerts.json
* (edit) ambari-server/src/main/resources/common-services/STORM/0.9.1/alerts.json
* (edit) ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/alerts.json
* (edit) ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/HDFS/alerts.json
* (edit) ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/YARN/alerts.json
* (edit) ambari-server/src/main/resources/common-services/FALCON/0.5.0.2.1/alerts.json
* (edit) ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/alerts.json
* (edit) ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/alerts.json
> WEB type alerts authentication in Kerberos secured cluster
> ----------------------------------------------------------
>
> Key: AMBARI-23026
> URL: https://issues.apache.org/jira/browse/AMBARI-23026
> Project: Ambari
> Issue Type: Bug
> Components: alerts
> Affects Versions: 2.5.2, trunk, 2.6.2
> Environment: Ambari 2.5.2
> Hortonworks HDP-2.5.3.0-37
> Reporter: David F. Quiroga
> Assignee: Sandor Molnar
> Priority: Minor
> Labels: pull-request-available
> Fix For: 2.7.2
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> In a Kerberized cluster some web endpoints (App Timeline Web UI,
> ResourceManager Web UI, etc.) require authentication. Any Ambari alerts
> checking those endpoints must then be able to authenticate.
> This was addressed in AMBARI-9586, however the default principal and keytab
> used in the alerts.json is that of the "bare" SPNEGO principal
> HTTP/_HOST@REALM.
> My understanding is that the HTTP service principal is used to authenticate
> users to a service, not used to authenticate to another service.
> 1. Since most endpoints involved are Web UI, would it be more appropriate to
> use the smokeuser in the alerts?
> 2. This was first observed in Ranger Audit, the YARN Ranger Plug-in showed
> many access denied from HTTP user. [This
> post|https://community.hortonworks.com/content/supportkb/150206/ranger-audit-logs-refers-to-access-denied-for-http.html]
> provided some direction as to where those requests were coming from. We have
> updated the ResourceManager Web UI alert definition to use
> cluster-env/smokeuser_keytab and cluster-env/smokeuser_principal_name and
> this has resolved the initial HTTP access denied.
> Would it also be advisable to make the change in the other secure Web UI
> alert definitions?
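An added example, not part of the issue or of Ambari's code: a small audit that lists WEB alert definitions whose Kerberos keytab or principal is set to something other than the cluster-env smoke user references named in the description. The sample definitions are constructed, and the `source.uri.kerberos_keytab` / `kerberos_principal` layout and the service -> component -> list nesting are assumptions about the alerts.json format.

```python
import json

# Smoke user references named in the issue description.
EXPECTED = {
    "kerberos_keytab": "{{cluster-env/smokeuser_keytab}}",
    "kerberos_principal": "{{cluster-env/smokeuser_principal_name}}",
}

# Constructed sample, not copied from Ambari. Assumed layout:
# service -> component -> list of alert definitions.
SAMPLE = json.loads("""
{"YARN": {
  "RESOURCEMANAGER": [
    {"name": "rm_webui", "source": {"type": "WEB", "uri": {
      "http": "{{yarn-site/yarn.resourcemanager.webapp.address}}",
      "kerberos_keytab": "{{yarn-site/yarn.resourcemanager.webapp.spnego-keytab-file}}",
      "kerberos_principal": "{{yarn-site/yarn.resourcemanager.webapp.spnego-principal}}"}}},
    {"name": "rm_port", "source": {"type": "PORT", "uri": "{{yarn-site/yarn.resourcemanager.address}}"}}],
  "APP_TIMELINE_SERVER": [
    {"name": "ats_webui", "source": {"type": "WEB", "uri": {
      "http": "{{yarn-site/yarn.timeline-service.webapp.address}}",
      "kerberos_keytab": "{{cluster-env/smokeuser_keytab}}",
      "kerberos_principal": "{{cluster-env/smokeuser_principal_name}}"}}}],
  "NODEMANAGER": [
    {"name": "nm_webui", "source": {"type": "WEB", "uri": {"http": "{{yarn-site/yarn.nodemanager.webapp.address}}"}}}]
}}
""")


def audit_web_alerts(definitions):
    """List WEB alerts whose Kerberos credential is set but is not the smoke user's.

    Alerts of other types, or with a plain-string uri, carry no Kerberos settings and are skipped.
    """
    findings = []
    for service, components in definitions.items():
        for component, alerts in components.items():
            for alert in alerts:
                source = alert.get("source", {})
                uri = source.get("uri")
                if source.get("type") != "WEB" or not isinstance(uri, dict):
                    continue
                for field, expected in EXPECTED.items():
                    value = uri.get(field)
                    if value is not None and value != expected:
                        findings.append((service, component, alert.get("name", "?"), field, value))
    return findings


if __name__ == "__main__":
    for finding in audit_web_alerts(SAMPLE):
        print(" / ".join(finding))
```

WEB alerts that set no Kerberos fields at all (the constructed `nm_webui` entry) are not reported, since there is no credential to compare.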