-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57610/#review169191
-----------------------------------------------------------

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java
Lines 839 (patched)
<https://reviews.apache.org/r/57610/#comment241530>

    This is rather dangerous. What if my cluster name is "A"? Then all `a`'s will be replaced with `CLUSTER_NAME`.

    For example:
    ```
    RULE:[1:$1@$0]([email protected])s/.*/ambari-qa/
    ```

    Will become
    ```
    RULE:[1:$1@$0](CLUSTER_NAMEmbCLUSTER_NAMEri-qCLUSTER_NAME-CLUSTER_NAME@REALM)s/.*/CLUSTER_NAMEmbCLUSTER_NAMEri-qCLUSTER_NAME/
    ```


ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java
Lines 929 (patched)
<https://reviews.apache.org/r/57610/#comment241531>

    There are more auth-to-local rule sets than `core-site/hadoop.security.auth_to_local` and `oozie-size/oozie.authentication.kerberos.name.rules`. For example `application-properties/atlas.http.authentication.kerberos.name.rules`.

    For this to be effective, the method would need to traverse the Kerberos Descriptor and get the configuration specifications from the "auth_to_local_properties" values. See `org.apache.ambari.server.state.kerberos.KerberosDescriptor#getAllAuthToLocalProperties`.


ambari-server/src/test/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessorTest.java
Line 230 (original), 230 (patched)
<https://reviews.apache.org/r/57610/#comment241533>

    `clusetrName` ==> `clusterName`


- Robert Levas


On March 14, 2017, 1:21 p.m., Amruta Borkar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/57610/
> -----------------------------------------------------------
>
> (Updated March 14, 2017, 1:21 p.m.)
>
>
> Review request for Ambari, Di Li, Robert Nettleton, and Sandor Magyari.
>
>
> Bugs: AMBARI-20366
>     https://issues.apache.org/jira/browse/AMBARI-20366
>
>
> Repository: ambari
>
>
> Description
> -------
>
> If blueprint is exported from a kerberos enabled cluster Kerberos rules
> export principal names which contain cluster name and Realm, this exports
> existing cluster name and realm name as tokens and replaces those tokens with
> new values of cluster name and realm during successive cluster deployments.
>
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRenderer.java 5e19a6c
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java 5732a1c
>   ambari-server/src/main/java/org/apache/ambari/server/topology/ClusterConfigurationRequest.java e29417b
>   ambari-server/src/test/java/org/apache/ambari/server/api/query/render/ClusterBlueprintRendererTest.java 75ffd31
>   ambari-server/src/test/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessorTest.java d160050
>   ambari-server/src/test/java/org/apache/ambari/server/topology/ClusterConfigurationRequestTest.java c97c568
>
>
> Diff: https://reviews.apache.org/r/57610/diff/1/
>
>
> Testing
> -------
>
> Tested manually.
> Modified test cases.
>
>
> Thanks,
>
> Amruta Borkar
>
>
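
The substitution hazard raised in the first review comment, as an added example that is not part of the review thread or of Ambari's code. The class and method names, the sample rule and the realm EXAMPLE.COM are constructed, and the example assumes the cluster name appears lowercased as a `-<cluster>` suffix directly before `@` in the principal.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AuthToLocalTokenizer {
    // Token text as it appears in the review comment's output.
    static final String TOKEN = "CLUSTER_NAME";

    /** Unanchored replacement: every occurrence of the cluster name is rewritten. */
    static String naive(String rules, String clusterName) {
        return rules.replace(clusterName.toLowerCase(), TOKEN);
    }

    /**
     * Anchored replacement: the cluster name is rewritten only where it is the
     * "-<cluster>" suffix of a principal, immediately before "@" (assumed layout).
     * The sed-style substitution that names the local account is left untouched.
     */
    static String anchored(String rules, String clusterName) {
        // Pattern.quote keeps regex metacharacters in a cluster name literal.
        Pattern suffix = Pattern.compile(
            "(?<=-)" + Pattern.quote(clusterName.toLowerCase()) + "(?=@)");
        return suffix.matcher(rules).replaceAll(Matcher.quoteReplacement(TOKEN));
    }

    /** True when the local account in the s/.../.../ part survived tokenization. */
    static boolean localUserPreserved(String original, String tokenized) {
        return tail(original).equals(tail(tokenized));
    }

    // Everything after the closing ")" of the principal match expression.
    private static String tail(String rule) {
        return rule.substring(rule.lastIndexOf(')') + 1);
    }

    public static void main(String[] args) {
        // Constructed sample rule; cluster name "A" as in the review comment.
        String rule = "RULE:[1:$1@$0](ambari-qa-a@EXAMPLE.COM)s/.*/ambari-qa/";
        String bad = naive(rule, "A");
        String good = anchored(rule, "A");
        System.out.println(bad + "  preserved=" + localUserPreserved(rule, bad));
        System.out.println(good + "  preserved=" + localUserPreserved(rule, good));
    }
}
```

The `localUserPreserved` check is the part worth keeping in a unit test: an auth-to-local rule whose substitution target changes maps the principal to a different local account.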
