[jira] [Commented] (HAWQ-845) Parameterize kerberos principal name for HAWQ

Wed, 07 Sep 2016 10:58:20 -0700 

    [ 
https://issues.apache.org/jira/browse/HAWQ-845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15471317#comment-15471317
 ] 

Matt commented on HAWQ-845:
---------------------------

[~wlin] 

We have some dependent code in Ambari here: 
https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/common.py#L284-#L296

We have this problem, which we got around using the above code:
HAWQ exists in a non-kerberized cluster - HDFS data directory is owned by 
*gpadmin*
After kerberizing the cluster, HAWQ Master fails to start because it expects 
the directory to be owned by *postgres*
Our code in the current Ambari release (2.4) does a check of HDFS data 
directory owner before HAWQ Master starts:
- If secure cluster, ensure that HDFS data directory is owned by postgres
- If non secure cluster, ensure that HDFS data directory is owned by gpadmin


*My question:*
On a new install of HAWQ with the latest version (after fix of HAWQ-845), if I 
set krb_srvname to *secureduser* will HAWQ require HDFS data directory to be 
owned by *secureduser*?
If yes, this would lead to potential errors in Ambari 2.4 (in case user goes 
with a custom krb_srvname), because our code (link above) switches the HDFS 
data directory owner to *postgres* if cluster is secured.

> Parameterize kerberos principal name for HAWQ
> ---------------------------------------------
>
>                 Key: HAWQ-845
>                 URL: https://issues.apache.org/jira/browse/HAWQ-845
>             Project: Apache HAWQ
>          Issue Type: Improvement
>            Reporter: bhuvnesh chaudhary
>            Assignee: Lei Chang
>            Priority: Minor
>             Fix For: 2.0.1.0-incubating
>
>
> Currently HAWQ only accepts the principle 'postgres' for kerberos settings.
> This is because it is hardcoded in gpcheckhdfs, we should ensure that it can 
> be parameterized.
> Also, it's better to change the default principal name postgres to gpadmin. 
> It will avoid the need of changing the the hdfs directory during securing the 
> cluster to postgres and will avoid the need of maintaining postgres user. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to