Re: Review Request 55680: On secure NN HA clusters ZKFC connects to zookeeper securely

Wed, 18 Jan 2017 09:17:45 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/
-----------------------------------------------------------

(Updated Jan. 18, 2017, 5:17 p.m.)


Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.


Changes
-------

Added changes to the stack 3.0


Bugs: AMBARI-19613
    https://issues.apache.org/jira/browse/AMBARI-19613


Repository: ambari


Description
-------

On secure namenode HA clusters the ZKFC component needs to access the zookeeper 
securely.
On enabling security appropriate settings are configured to secure this 
connection.


Diffs (updated)
-----

  
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml
 c2f37c1 
  ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json 
f30c9e4 
  
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py
 3270430 
  
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py
 f1891a5 
  
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2
 PRE-CREATION 
  
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py
 783f811 
  
ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml
 5be2b74 
  
ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml
 24e0193 
  
ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml
 24e0193 
  ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 
9000e95 
  
ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py
 f70c8e9 
  
ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml
 e680c1b 

Diff: https://reviews.apache.org/r/55680/diff/


Testing
-------

Testing done manually:

Created an unsecure NN HA cluster

* checked the configuration entry: ha.zookeeper.acl - doesn't exist
* checked the hadoop-env.sh - doesn't contain the variable export 
HADOOP_ZKFC_OPTS
* checked the hdfs_jaas.conf - doesn't exist
* connected to zookeeper, listed znode acls - no limitations set

Kerberized the NN HA cluster

* checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
* checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS 
with proper value, points to the correct jaas file
* checked the hdfs_jaas.conf - OK

Disabled Kerberos on the NN HA cluster

* checked the configuration entry: ha.zookeeper.acl - removed
* checked the hadoop-env.sh - doesn't contain the variable export 
HADOOP_ZKFC_OPTS

Unit tests running.


Thanks,

Laszlo Puskas

Reply via email to