----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/59520/#review176270 -----------------------------------------------------------
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java Lines 428 (patched) <https://reviews.apache.org/r/59520/#comment249641> The map that is returned should have keys that indicate the _path_ to the Kerberos identitiy rather than just the simple name of the Kerberos identity. By using just the name, you run the risk of collisions since names do not need to be unique, but _paths_ do. For example: `resource_manager_rm` -> `/YARN/RESOURCEMANAGER/resource_manager_rm` `smokeuser` --> `/smokeuser' - Robert Levas On May 29, 2017, 9:53 a.m., Attila Magyar wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/59520/ > ----------------------------------------------------------- > > (Updated May 29, 2017, 9:53 a.m.) > > > Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, > Robert Levas, and Sebastian Toader. > > > Bugs: AMBARI-20877 > https://issues.apache.org/jira/browse/AMBARI-20877 > > > Repository: ambari > > > Description > ------- > > HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA > state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set > to `rm`. > If this user name does not match the primary component of the Yarn RM > Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn > is unable to access the state store and RM will stop immediately after start. > During the Kerberos wizard there needs to be a check to see if these settings > are out of sync. Or, the zk-acl setting needs to somehow reference the > principal and extract the primary root through a variable. > > > Diffs > ----- > > > ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java > 6a403c6 > > ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java > a1b9e5c > > ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java > b9e2841 > > ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json > ae4db4f > ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json > ae4db4f > > ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java > e654c72 > > ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java > f00f694 > > > Diff: https://reviews.apache.org/r/59520/diff/3/ > > > Testing > ------- > > - Create a cluster with yarn, hdfs > - enabled kerberos using custom principal names > - checked custom principal names in hadoop.registry.system.accounts and > yarn.resourcemanager.zk-acl properties in yarn config > > > Tests: PENDING > > > Thanks, > > Attila Magyar > >
