> On Feb. 24, 2017, 4:40 a.m., Mugdha Varadkar wrote: > > ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json, > > line 109 > > <https://reviews.apache.org/r/56997/diff/1/?file=1646442#file1646442line109> > > > > Will this property be updated after ambari upgrade to use > > storm_components principal ? > > Oliver Szabo wrote: > as in other examples, keytabs should be regenerated after upgrade > > Oliver Szabo wrote: > also these kerberos metadta will change anyway after ambari restart. as > storm used its own user in the past, that means we do not really need to do > anything in the future. (of course regenerate keytabs could not harm...that > will be a manual post ambari upgrade step in 2.5)
After an Ambari upgrade, the user-defined Kerberos Descriptor will not automatically be updated. Currnetly when the UI is used to enabled Kerberos, the entire Kerberos Descriptor is stored as the user-defined value. This value will need to be updated. If a user-defined Kerberos Descriptor was set a different way, it is possible that only the user changes were posted. In anycase, updating the the user-defined Kerberos Descriptor will need to be done in the appropriate UpgradeCatalog class. Nice call @Mugdha. Also, after an Ambari upgrade, new principals or keytab files are not created. And associated configurations are not created or updated. The configuration updates will need to be done via the approprate UpgradeCatalog and the new principals and keytab files will need to be created using Ambari's Regenerate Keytabs facility. If this were to be done as part of an stack upgrade, the Kerberos Descriptor would be automatcially updated. Any config changes would need to be done via the upgrade pack. Missing principals and keytab files need to be created via Ambari's Regenerate Keytabs facility - however this will hopefully change in the near future. - Robert ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/56997/#review166665 ----------------------------------------------------------- On Feb. 23, 2017, 3:49 p.m., Oliver Szabo wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/56997/ > ----------------------------------------------------------- > > (Updated Feb. 23, 2017, 3:49 p.m.) > > > Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and > Robert Nettleton. > > > Bugs: AMBARI-20152 > https://issues.apache.org/jira/browse/AMBARI-20152 > > > Repository: ambari > > > Description > ------- > > Use storm principal and keytab for ranger plugin instead of nimbus ones. > In storm code, storm user will be used globally anyway, ranger plugin will > use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr > authorization is supported, that can cause if storm is authenticated with the > worng user, it wont be able to access the ranger audit collection. > > > Diffs > ----- > > ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json > fecef7c > > Diff: https://reviews.apache.org/r/56997/diff/ > > > Testing > ------- > > done. > > > Thanks, > > Oliver Szabo > >