Robert Levas created AMBARI-25013:
-------------------------------------
Summary: Ambari should optionally generate auth-to-local rules for
the Kerberos identities of all components of installed services
Key: AMBARI-25013
URL: https://issues.apache.org/jira/browse/AMBARI-25013
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.8.0
Reporter: Rohith Sharma K S
Assignee: Robert Levas
Fix For: 2.8.0

Ambari should optionally generate auth-to-local rules for the Kerberos
identities of all components of installed services.

Currently Ambari will generate auth-to-local rules for the installed components
of installed services. This is generally the accepted behavior. However, there
may be cases where identities from remote clusters (using the same Kerberos
realm) need to be translated to local names.

A use case may be that some slave component for a service is installed on a
remote cluster, but that component is not installed on the local cluster.
However, a master component of that service is installed on the local cluster
and the slave component from the remote cluster needs to communicate with it.

The solution is to add a new property to {{kerberos-env}}, maybe named
something like {{include_all_components_in_auth_to_local_rules}}, where the
default value is {{false}}. If set to {{true}}, when building the
auth-to-local rules, Ambari should add the rules for all components of
installed services, not just the installed components (which is what it does
today).

The relevant code to change is in
{{org.apache.ambari.server.controller.KerberosHelperImpl#setAuthToLocalRules}}.
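
The effect described in the issue, as an added example (not Ambari code and not part of the original message): a minimal evaluator for Hadoop-style auth_to_local rules, run over two constructed rule sets. The realm, the rm/nm principal names, the host names and the yarn local user are assumptions chosen for illustration.

```python
import re

DEFAULT_REALM = "EXAMPLE.COM"  # constructed realm, shared by both clusters

# RULE:[n:format](regex)s/pattern/replacement/g  (regex and sed parts optional)
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def to_local(principal, rules, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a local name; None if no rule applies."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT takes the first component of default-realm principals.
            if realm == default_realm:
                return parts[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: " + rule)
        n, fmt, match, pat, repl, glob = m.groups()
        if int(n) != len(parts):
            continue  # rule applies only to principals with n components
        # $0 is the realm, $1..$n are the principal's components.
        base = re.sub(r"\$(\d)", lambda v: ([realm] + parts)[int(v.group(1))], fmt)
        if match and not re.fullmatch(match, base):
            continue
        if pat is None:
            return base
        return re.sub(pat, repl, base, count=0 if glob else 1)
    return None

# Constructed rule set: only the master component (rm) is installed locally.
INSTALLED_ONLY = [
    "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//",
    "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/",
    "DEFAULT",
]
# Constructed rule set: rules for every component of the installed service.
ALL_COMPONENTS = INSTALLED_ONLY[:2] + [
    "RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/",
    "DEFAULT",
]

if __name__ == "__main__":
    remote = "nm/worker1.remote.example.com@EXAMPLE.COM"  # constructed principal
    print(to_local(remote, INSTALLED_ONLY))  # falls through to DEFAULT
    print(to_local(remote, ALL_COMPONENTS))  # matched by the added nm rule
```

With only the installed component's rule present, the remote principal falls through to DEFAULT and is translated to its first component rather than to the service's local user.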