Re: Review Request 60431: Cleanup relevant Kerberos identities when a component is removed

Tue, 27 Jun 2017 05:35:35 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60431/
-----------------------------------------------------------

(Updated June 27, 2017, 12:35 p.m.)


Review request for Ambari, Balázs Bence Sári, Jaimin Jetly, Laszlo Puskas, 
Robert Levas, and Sebastian Toader.


Changes
-------

don not try to update the owner and group of keytab files in finalize step


Bugs: AMBARI-21343
    https://issues.apache.org/jira/browse/AMBARI-21343


Repository: ambari


Description
-------

Upon removing a component from a host, the relevant Kerberos identities should 
be removed as well. This includes any principals and keytab files. Care must be 
taken not to remove any principals or keytab files that are still in use in the 
cluster.


Entry point is KerberosIdentityCleaner>>componentRemoved. It removes all of the 
identities of the uninstalled component, except the ones that are still used by 
other services/components.


Diffs (updated)
-----

  
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
 e8c986b 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/DeleteIdentityHandler.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
 d000571 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
 e4b70fd 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/OrderedRequestStageContainer.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/utilities/KerberosIdentityCleaner.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
 7824019 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/Component.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/FinalizeKerberosServerAction.java
 0b845d9 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
 9755bd6 
  
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/AbstractKerberosDescriptor.java
 2112fcc 
  
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosComponentDescriptor.java
 ca9f013 
  
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java
 86a5e01 
  
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosIdentityDescriptor.java
 a606954 
  
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosServiceDescriptor.java
 0f14ca6 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/utilities/KerberosIdentityCleanerTest.java
 PRE-CREATION 
  ambari-web/app/controllers/main/service/item.js 09c7a9c 


Diff: https://reviews.apache.org/r/60431/diff/3/

Changes: https://reviews.apache.org/r/60431/diff/2-3/


Testing
-------

Added new unittests
End to end tested manually:

before all:
 - created a cluster with oozie
 - enabled kerberos
1.
 - removed oozie
 - checked if oozie_server principal and keytab was removed, and other 
identites weren't touched
2.
 - made the kdc admin credentials expired
 - removed oozie
 - supplied kdc admin credentials on the ui
 - checked if oozie_server principal and keytab was removed
3.
 - added oozie_server principal to a kerberos.json of an other service (so that 
the principal was shared)
 - removed oozie
 - checked if the oozie_server principal and keytab was NOT removed
4.
 - disabled kerberos
 - removed oozie
 - checked that there was no identity deletion attempt


Existing Tests: PENDING


Thanks,

Attila Magyar

Reply via email to