-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44148/
-----------------------------------------------------------

(Updated March 10, 2016, 8:52 p.m.)


Review request for Ambari, Jaimin Jetly, Robert Levas, and Yusaku Sako.


Changes
-------

This latest version is an intermediate update. A couple of things have been 
updated.

1. toLower() function has been implemented and applied to make sure to generate 
lowercase principal names for user principals. This affects generation for 
other KDCs as well.
2. A cache for keytabs was added to createKeytab - this is the workaround for the 
fact that this function gets called multiple times for the same principal and 
thus generates a new keytab with a new kvno. I tried working with Ambari's 
internal createKeytab, but that did not generate valid keytabs ("password 
incorrect") (see also the commented out code).
3. Some smaller bugs have been squashed (using principal names instead of 
primary for example)
4. It should now work on IPA 3 (not tested)

The "experimental" flag has not been implemented yet.


Bugs: AMBARI-6432
    https://issues.apache.org/jira/browse/AMBARI-6432


Repository: ambari


Description
-------

FreeIPA is the Active Directory equivalent for Linux. This patch adds support 
for FreeIPA. It requires ipa-admintools to be installed on the Ambari host. In 
addition it either requires write access to the krbPasswordPassword attribute or 
a suitable password policy needs to be in place (ipa pwpolicy).

It has been requested to have this implemented in several tickets.

To test:

* Have a working IPA server available
* Create a group "ambari-managed-principals" (configurable)
* Create a password policy for this group or make the krb5PasswordExpiry 
attribute writable (not per se required for testing)
* Enroll all hosts into IPA
* Make sure the ipa-admintools are available on the Ambari host


Diffs (updated)
-----

  
  ambari-funtest/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json c285234
  ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java be6edc9
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java cadfe28
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KDCType.java 5b1372a
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java 4cd050e
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerFactory.java bfd45b7
  ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java 42eea14
  ambari-server/src/main/java/org/apache/ambari/server/utils/ShellCommandUtil.java 947b336
  ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/kerberos.json e76f809
  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json dc5ef2e
  ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json c9c738e
  ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml a03dea6
  ambari-server/src/main/resources/common-services/SPARK/1.2.0.2.2/kerberos.json 5354f69
  ambari-server/src/main/resources/common-services/SPARK/1.4.1.2.3/kerberos.json 90d9090
  ambari-server/src/main/resources/common-services/STORM/0.9.1.2.1/kerberos.json 5c2133c
  ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json 52e7ee0
  ambari-server/src/main/resources/stacks/HDP/2.3.ECS/services/ECS/kerberos.json 213c964
  ambari-server/src/main/resources/stacks/HDP/2.3.ECS/services/HBASE/kerberos.json 1db82a3
  ambari-server/src/main/resources/stacks/HDP/2.3.GlusterFS/services/ACCUMULO/kerberos.json d621e05
  ambari-server/src/main/resources/stacks/HDP/2.3/services/ACCUMULO/kerberos.json 61fe31e
  ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandlerTest.java PRE-CREATION
  ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java cbfa4a3
  ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_1_3.json 09d1d0c
  ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_no_hdfs.json 8f1d075
  ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_simple.json 292ad25
  ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json c285234
  ambari-web/app/controllers/main/admin/kerberos.js c021c89 
  ambari-web/app/controllers/main/admin/kerberos/step1_controller.js b9056ed 
  ambari-web/app/controllers/main/admin/kerberos/step2_controller.js 9b411c6 
  ambari-web/app/controllers/main/admin/kerberos/step5_controller.js 5aa4b8c 
  ambari-web/app/controllers/main/service/info/configs.js a22bb48 
  ambari-web/app/data/HDP2/site_properties.js 5ad24fc 
  ambari-web/app/messages.js 8e69dd0 
  ambari-web/app/views/common/controls_view.js d355ffe 
  ambari-web/test/utils/object_utils_test.js 0f9723b 

Diff: https://reviews.apache.org/r/44148/diff/


Testing
-------

FreeIPA 4.2 on CentOS 7. Multiple times kerberization and de-kerberization.


Thanks,

Bolke de Bruin
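
The keytab cache from item 2 of the change list, as an added example that is not part of the review request or of Ambari's code: a toy KDC re-keys a principal on every keytab export, so only the newest kvno is accepted, and a per-run cache keeps every caller on the same keytab. `FakeKdc`, `CachingKeytabSource` and the principal name are hypothetical names constructed for this illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: FakeKdc and CachingKeytabSource are hypothetical, not Ambari classes.
public class KeytabCacheDemo {

    /** Toy KDC: every keytab export re-keys the principal and bumps its kvno. */
    static class FakeKdc {
        private final Map<String, Integer> currentKvno = new HashMap<>();
        /** Returns the kvno of the freshly exported keytab. */
        int exportKeytab(String principal) {
            return currentKvno.merge(principal, 1, Integer::sum);
        }

        /** Only keys of the current kvno are still accepted. */
        boolean accepts(String principal, int keytabKvno) {
            return currentKvno.getOrDefault(principal, 0) == keytabKvno;
        }
    }

    /** One export per principal per run; repeated requests reuse the result. */
    static class CachingKeytabSource {
        private final FakeKdc kdc;
        private final Map<String, Integer> cache = new HashMap<>();
        CachingKeytabSource(FakeKdc kdc) { this.kdc = kdc; }
        int createKeytab(String principal) {
            return cache.computeIfAbsent(principal, kdc::exportKeytab);
        }
    }

    public static void main(String[] args) {
        String principal = "hdfs@EXAMPLE.COM"; // constructed sample principal

        // Without a cache: the second export invalidates the keytab given to host A.
        FakeKdc kdc = new FakeKdc();
        int hostA = kdc.exportKeytab(principal);
        int hostB = kdc.exportKeytab(principal);
        System.out.println("uncached A valid: " + kdc.accepts(principal, hostA));
        System.out.println("uncached B valid: " + kdc.accepts(principal, hostB));

        // With a cache: both hosts receive the same kvno and both stay valid.
        FakeKdc kdc2 = new FakeKdc();
        CachingKeytabSource source = new CachingKeytabSource(kdc2);
        int cachedA = source.createKeytab(principal);
        int cachedB = source.createKeytab(principal);
        System.out.println("cached A valid: " + kdc2.accepts(principal, cachedA));
        System.out.println("cached B valid: " + kdc2.accepts(principal, cachedB));
    }
}
```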
