> On Sept. 19, 2016, 9:18 a.m., Robert Levas wrote:
> > I think this is incorrect. The Metrics Monitor should authenticate with
> > its own service principal, not the SPNEGO principal. That is used for
> > web-based services, like Ambari's web-based interface. There should be an
> > `ams/_HOST` principal for this, instead.

Thanks Robert! I replaced the spnego principal with the ams principal in the new patch.


> On Sept. 19, 2016, 9:18 a.m., Robert Levas wrote:
> > ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/config_reader.py, line 112
> > <https://reviews.apache.org/r/51724/diff/1/?file=1494372#file1494372line112>
> >
> > The path to the SPNEGO keytab file and the SPNEGO principal name must
> > not be hard coded. There should be a relevant config property for this and
> > it should be set via the Kerberos descriptor.
>
> Sid Wagle wrote:
>     Ahh thanks Robert for pointing out the keytab, I missed that part. @Qin:
>     This should be easy to add by editing
>     common-services/AMBARI_METRICS/0.1.0/kerberos.json.

Thanks Sid! I added keytab/principal for the ams monitor to kerberos.json in the new patch.

In addition, for the hardcode issue raised by Robert, the "kinit_cmd = /usr/bin/kinit -kt ..." in config_reader.py is just a comment/example (with the new change, it will be kinit_cmd = /usr/bin/kinit -kt /etc/security/keytabs/ams.monitor.keytab amsmon/localhost). It won't take any effect. The real kinit_cmd will be obtained from the API in config_reader.py:

    class Configuration:
        ...
        def get_kinit_cmd(self):
            return self.get("emitter", "kinit_cmd")

and "kinit_cmd" will be obtained from params.py below in the new patch:

    kinit_cmd = '%s -kt %s %s' % (
        kinit_path_local,
        config['configurations']['ams-hbase-security-site']['ams.monitor.keytab'],
        config['configurations']['ams-hbase-security-site']['ams.monitor.principal'].replace('_HOST', _hostname_lowercase))


- Qin


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51724/#review149443
-----------------------------------------------------------


On Sept. 22, 2016, 10:14 a.m., Qin Liu wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail.
> To reply, visit:
> https://reviews.apache.org/r/51724/
> -----------------------------------------------------------
>
> (Updated Sept. 22, 2016, 10:14 a.m.)
>
>
> Review request for Ambari, Di Li, Dmytro Sen, and Sid Wagle.
>
>
> Bugs: AMBARI-17898
>     https://issues.apache.org/jira/browse/AMBARI-17898
>
>
> Repository: ambari
>
>
> Description
> -------
>
> This is a subtask of AMBARI-14384 "Ambari Metrics doesn't use SPNEGO to
> authenticate".
>
> In a Kerberos enabled cluster with SPNEGO enabled on Hadoop APIs, Ambari
> Metrics Collector (in AMS distributed mode) web-console will be Kerberos HTTP
> SPNEGO enabled too. But Ambari Metrics Monitor, a client of Ambari Metrics
> Collector, currently does not support Kerberos HTTP SPNEGO authentication.
>
> /var/log/ambari-metrics-monitor/ambari-metrics-monitor.out:
> 2015-12-15 13:26:30,663 [INFO] emitter.py:101 - server: http://metrics-collector:6188/ws/v1/timeline/metrics
> 2015-12-15 13:26:30,671 [WARNING] emitter.py:84 - Error sending metrics to server. HTTP Error 401: Authentication required
> 2015-12-15 13:26:30,671 [WARNING] emitter.py:90 - Retrying after 5 ...
>
>
> Diffs
> -----
>
>   ambari-metrics/ambari-metrics-assembly/pom.xml d73a0af
>   ambari-metrics/ambari-metrics-host-monitoring/conf/unix/metric_monitor.ini e98c65c
>   ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/config_reader.py 3ca3a31
>   ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/emitter.py 050af16
>   ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/faked_kerberos.py PRE-CREATION
>   ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/spnego_kerberos_auth.py PRE-CREATION
>   ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json 51f541f
>   ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py 22024bb
>   ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/metric_monitor.ini.j2 3823912
>
> Diff: https://reviews.apache.org/r/51724/diff/
>
>
> Testing
> -------
>
> 1. passed existing unittest cases.
> 2. manually tested with HDP-2.5.0.0/trunk
>    1) Non http spnego enabled clusters
>    2) http spnego enabled cluster - tested the trunk's monitor code against a
>       http spnego enabled cluster
>       http spnego enabled cluster is currently broken in trunk: the
>       distributed metrics collector's http server currently will not start with
>       http spnego enabled. So I had to manually test the trunk's monitor code with
>       http spnego enabled collector on a branch2.4 cluster. Need to mention that
>       the testing should be valid because the code change area is monitor code and
>       the trunk and branch2.4's collectors are the same.
>
>
> Thanks,
>
> Qin Liu
>
>
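
Added example, not part of the thread or of the Ambari patch: one way to build the kinit command from the ams.monitor.keytab and ams.monitor.principal properties named in the reply, resolving _HOST and rejecting missing or malformed values instead of falling back to hard-coded ones. The function names, the sample values (including the EXAMPLE.COM realm), the principal character set and the absolute-path check are assumptions.

```python
import re
import shlex

# Constructed sample of the two properties the reply reads from
# ams-hbase-security-site; the values are made up for this example.
SAMPLE_SITE = {
    "ams.monitor.keytab": "/etc/security/keytabs/ams.monitor.keytab",
    "ams.monitor.principal": "amsmon/_HOST@EXAMPLE.COM",
}

# primary[/instance][@REALM] with a conservative character set (assumption).
_PRINCIPAL_RE = re.compile(
    r"^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)?(@[A-Za-z0-9.-]+)?$")


def resolve_principal(template, hostname):
    """Replace the _HOST placeholder with the lower-cased host name."""
    principal = template.replace("_HOST", hostname.lower())
    if not _PRINCIPAL_RE.match(principal):
        raise ValueError("unexpected characters in principal: %r" % principal)
    return principal


def build_kinit_argv(site, hostname, kinit_path="/usr/bin/kinit"):
    """Return the kinit command as an argv list built only from config."""
    keytab = site.get("ams.monitor.keytab")
    template = site.get("ams.monitor.principal")
    if not keytab or not template:
        # No silent fallback to a hard-coded keytab or principal.
        raise KeyError("ams.monitor.keytab and ams.monitor.principal must be set")
    if not keytab.startswith("/"):
        raise ValueError("keytab path must be absolute: %r" % keytab)
    return [kinit_path, "-kt", keytab, resolve_principal(template, hostname)]


def kinit_cmd_string(argv):
    """Quote argv so it can be stored as a single kinit_cmd ini value."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    print(kinit_cmd_string(build_kinit_argv(SAMPLE_SITE, "Host1.Example.COM")))
```

Passing the argv list to subprocess without a shell keeps a malformed property value from being interpreted as shell syntax.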
