> On Sept. 19, 2016, 9:18 a.m., Robert Levas wrote:
> > I think this is incorrect.  The Metrics Monitor should authenticate with 
> > its own service principal, not the SPNEGO principal.  That is used for 
> > web-based services, like Ambari's web-based interface.  There should be an 
> > `ams/_HOST` principal for this, instead.

Thanks Robert! I replaced the spnego principal with ams principle in the new 
patch.


> On Sept. 19, 2016, 9:18 a.m., Robert Levas wrote:
> > ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/config_reader.py,
> >  line 112
> > <https://reviews.apache.org/r/51724/diff/1/?file=1494372#file1494372line112>
> >
> >     The path to the SPNEGO keytab file and the SPNEGO principal name must 
> > not be hard coded.  There should be a relevant config property for this and 
> > it should be set via the Kerberos descriptor.
> 
> Sid Wagle wrote:
>     Ahh thanks Robert for pointing out the keytab, I missed that part. @Qin: 
> This should be easy to add by editing 
> common-services/AMBARI_METRICS/0.1.0/kerberos.json.

Thanks Sid! I added keytab/principal for the ams monitor to kerberos.json in 
the new patch.


In addition, for hardcode issue raised by Robert, the "kinit_cmd = 
/usr/bin/kinit -kt ..." in config_reader.py is just a comment/example (with new 
change, it will be kinit_cmd = /usr/bin/kinit -kt 
/etc/security/keytabs/ams.monitor.keytab amsmon/localhost). It won't take any 
effect. The real kinit_cmd will be obtained from the API in config_reader.py:
class Configuration:
...
  def get_kinit_cmd(self):
    return self.get("emitter", "kinit_cmd")

and "kinit_cmd" will be obtained from params.py below in the new patch:
  kinit_cmd = '%s -kt %s %s' % (kinit_path_local, 
config['configurations']['ams-hbase-security-site']['ams.monitor.keytab'], 
config['configurations']['ams-hbase-security-site']['ams.monitor.principal'].replace('_HOST',_hostname_lowercase))


- Qin


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51724/#review149443
-----------------------------------------------------------


On Sept. 22, 2016, 10:14 a.m., Qin Liu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/51724/
> -----------------------------------------------------------
> 
> (Updated Sept. 22, 2016, 10:14 a.m.)
> 
> 
> Review request for Ambari, Di Li, Dmytro Sen, and Sid Wagle.
> 
> 
> Bugs: AMBARI-17898
>     https://issues.apache.org/jira/browse/AMBARI-17898
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> ()This is a subtask of AMBARI-14384 "Ambari Metrics doesn't use SPNEGO to 
> authenticate".
> 
> In a Kerberos enabled cluster with SPNEGO enabled on Hadoop APIs, Ambari 
> Metrics Collector (in AMS distributed mode) web-console will be Kerberos HTTP 
> SPNEGO enabled too. But Ambari Metrics Monitor, a client of Ambari Metrics 
> Collector, currently does not support Kerberos HTTP SPNEGO authentication.
> 
> /var/log/ambari-metrics-monitor/ambari-metrics-monitor.out:
> 2015-12-15 13:26:30,663 [INFO] emitter.py:101 - server: 
> http://metrics-collector:6188/ws/v1/timeline/metrics
> 2015-12-15 13:26:30,671 [WARNING] emitter.py:84 - Error sending metrics to 
> server. HTTP Error 401: Authentication required
> 2015-12-15 13:26:30,671 [WARNING] emitter.py:90 - Retrying after 5 ...
> 
> 
> Diffs
> -----
> 
>   ambari-metrics/ambari-metrics-assembly/pom.xml d73a0af 
>   ambari-metrics/ambari-metrics-host-monitoring/conf/unix/metric_monitor.ini 
> e98c65c 
>   
> ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/config_reader.py
>  3ca3a31 
>   
> ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/emitter.py 
> 050af16 
>   
> ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/faked_kerberos.py
>  PRE-CREATION 
>   
> ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/spnego_kerberos_auth.py
>  PRE-CREATION 
>   
> ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json
>  51f541f 
>   
> ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py
>  22024bb 
>   
> ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/metric_monitor.ini.j2
>  3823912 
> 
> Diff: https://reviews.apache.org/r/51724/diff/
> 
> 
> Testing
> -------
> 
> 1. passed existing unittest cases.
> 2. manually tested with HDP-2.5.0.0/trunk 
>    1) Non http spnego enabled clusters
>    2) http spnego enabled cluster - tested the trunk's monitor code against a 
> http spnego enabled cluster 
>       http spnego enabled cluster is currently broken in trunk: the 
> distributed metrics collector's http server currently will not started with 
> http spnego enabled. so I had to manually test the trunk's monitor code with 
> http spnego enabled collector on a branch2.4 cluster. Need to mention that 
> the testing should be valid because the code change area is monitor code and 
> the trunk and branch2.4's collectors are same.
> 
> 
> Thanks,
> 
> Qin Liu
> 
>

Reply via email to