> On Sept. 8, 2016, 6:13 p.m., Sid Wagle wrote: > > ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/spnego_kerberos_auth.py, > > line 25 > > <https://reviews.apache.org/r/51724/diff/1/?file=1494375#file1494375line25> > > > > I do not see a "import kerberos" anywhere in Ambari deployed cluster > > under: /usr/lib/python2.6/site-packages/ > > > > Where does this dependency get fulfiled ? > > Qin Liu wrote: > It is in /usr/lib/python2.6/site-packages/ipalib/plugins on all of my > clusters. I will include ipa-python in ambari-metrics-assembly/pom.xml. > Thanks Sid! > > Sid Wagle wrote: > This seems to be ipa only dependency, does addinig it as component build > dep make sense? > What about MIT kereberos? > > Qin Liu wrote: > Hi Sid, > Yes, ipa is the only dependency for metrics monitor code. I think it > makes sense to include ipa in ambari-metrics component build deployment. > MIT kerberos is outside of this JIRA. > > Sid Wagle wrote: > In that case we should also log error on the import if module not found. > Additionally, open a Jira for getting this to work with MIT Kerberos so > someone can take it up. As far as this patch is concerened we are good > contingent on the small logging change and making sure we have a Jira to > track MIT Kerberos won't work the same way. > > Qin Liu wrote: > Hi Sid, > I updated the code to log error on the import if kerberos module is not > found. On a deployed cluster, the exception should never occur because > kerberos module should always be included in ipa lib. The gss API in kerberos > module is used to authenticate using kerberos. The kerberos to be used is MIT > kerberos because an existing MIT KDC should be chosen at cluster kerberos > enabling.
Hi Sid, Forgot to mention that there is no extra work required on the AMS side to have things work with MIT kerberos because MIT kerberos already exists. To enable MIT kerberos on a cluster, just need to install MIT KDC on a host that can be reached by the ambari server. - Qin ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/51724/#review148224 ----------------------------------------------------------- On Sept. 22, 2016, 12:44 p.m., Qin Liu wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/51724/ > ----------------------------------------------------------- > > (Updated Sept. 22, 2016, 12:44 p.m.) > > > Review request for Ambari, Di Li, Dmytro Sen, and Sid Wagle. > > > Bugs: AMBARI-17898 > https://issues.apache.org/jira/browse/AMBARI-17898 > > > Repository: ambari > > > Description > ------- > > ()This is a subtask of AMBARI-14384 "Ambari Metrics doesn't use SPNEGO to > authenticate". > > In a Kerberos enabled cluster with SPNEGO enabled on Hadoop APIs, Ambari > Metrics Collector (in AMS distributed mode) web-console will be Kerberos HTTP > SPNEGO enabled too. But Ambari Metrics Monitor, a client of Ambari Metrics > Collector, currently does not support Kerberos HTTP SPNEGO authentication. > > /var/log/ambari-metrics-monitor/ambari-metrics-monitor.out: > 2015-12-15 13:26:30,663 [INFO] emitter.py:101 - server: > http://metrics-collector:6188/ws/v1/timeline/metrics > 2015-12-15 13:26:30,671 [WARNING] emitter.py:84 - Error sending metrics to > server. HTTP Error 401: Authentication required > 2015-12-15 13:26:30,671 [WARNING] emitter.py:90 - Retrying after 5 ... > > > Diffs > ----- > > ambari-metrics/ambari-metrics-assembly/pom.xml d73a0af > ambari-metrics/ambari-metrics-host-monitoring/conf/unix/metric_monitor.ini > e98c65c > > ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/config_reader.py > 3ca3a31 > > ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/emitter.py > 050af16 > > ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/faked_kerberos.py > PRE-CREATION > > ambari-metrics/ambari-metrics-host-monitoring/src/main/python/core/spnego_kerberos_auth.py > PRE-CREATION > > ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json > 51f541f > > ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py > 6934924 > > ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/templates/metric_monitor.ini.j2 > 3823912 > > Diff: https://reviews.apache.org/r/51724/diff/ > > > Testing > ------- > > 1. passed existing unittest cases. > 2. manually tested with HDP-2.5.0.0/trunk > 1) Non http spnego enabled clusters > 2) http spnego enabled cluster - tested the trunk's monitor code against a > http spnego enabled cluster > http spnego enabled cluster is currently broken in trunk: the > distributed metrics collector's http server currently will not started with > http spnego enabled. so I had to manually test the trunk's monitor code with > http spnego enabled collector on a branch2.4 cluster. Need to mention that > the testing should be valid because the code change area is monitor code and > the trunk and branch2.4's collectors are same. > > > Thanks, > > Qin Liu > >
