[jira] [Resolved] (AMBARI-25013) Ambari should optionally generate auth-to-local rules for the Kerberos identities of all components of installed services

Sandor Molnar (JIRA) Thu, 13 Dec 2018 09:55:27 -0800


     [ 
https://issues.apache.org/jira/browse/AMBARI-25013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Sandor Molnar resolved AMBARI-25013.
------------------------------------
    Resolution: Fixed

> Ambari should optionally generate auth-to-local rules for the Kerberos 
> identities of all components of installed services
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-25013
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25013
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.8.0
>            Reporter: Rohith Sharma K S
>            Assignee: Sandor Molnar
>            Priority: Major
>              Labels: kerberos, pull-request-available
>             Fix For: 2.8.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Ambari should optionally generate auth-to-local rules for the Kerberos 
> identities of all components of installed services.  
> Currently Ambari will generate auth-to-local rules for the installed 
> components of installed services.  This is generally the accepted behavior. 
> However, there may be cases where identities from remote clusters (using the 
> same Kerberos realm) need to be translated to local names.  
> A use case may be that some slave component for a service is installed on a 
> remote cluster, but that component is not installed on the local cluster.  
> However a master component of that service is installed on the local cluster 
> and the slave component from the remote cluster needs to communicate with it. 
> The solution is to add a new property to {{kerberos-env}}, maybe named 
> something like {{include_all_components_in_auth_to_local_rules}}, where the 
> default value is {{false}}.  If set to {{true}}, when building the 
> auth-to-local rules, Ambari should add the rules for all components of 
> installed services, not just the installed components (which is what it does 
> today).  
> The relevant code to change is in 
> {{org.apache.ambari.server.controller.KerberosHelperImpl#setAuthToLocalRules}}.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Resolved] (AMBARI-25013) Ambari should optionally generate auth-to-local rules for the Kerberos identities of all components of installed services

Reply via email to