-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61251/#review181891
-----------------------------------------------------------

This looks great. I like the concept.


ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
Lines 145 (patched)
<https://reviews.apache.org/r/61251/#comment257680>

    How about renaming this to something like `CHECK_KEYTAB`. It is more like an action like... SET and REMOVE.


ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
Lines 3047 (patched)
<https://reviews.apache.org/r/61251/#comment257683>

    `addGettingMisingKeytabsStage` --> `addGettingMissingKeytabsStage` (spelling issue: Mising)

    Also, missing JavaDoc.


ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_common.py
Lines 456-457 (patched)
<https://reviews.apache.org/r/61251/#comment257687>

    In the (not so distant) future we may want to place multiple principals in the same keytab file, or at least allow the user to set the configurations for this. It appears that the input and output structures should support this; however, the test is not checking for the principal. It only checks for the existence of the keytab file.

    It would be nice to make sure the specified principal exists in the specified keytab file. Additional work will be needed if we want to verify that the required keytabs are in the keytab file. For example AES256, RC4, etc...

    However, for now, maybe a `klist` needs to be performed on the keytab file to ensure at least one keytab entry for the requested principal exists. Somehow this should be done via sudo in the event the agent is not running as root. Maybe a KeytabFile resource can be created for this? See `resource_management.core.providers.system.FileProvider` and `resource_management.core.resources.system.File`.


- Robert Levas


On Aug. 1, 2017, 5:58 a.m., Attila Magyar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61251/
> -----------------------------------------------------------
> 
> (Updated Aug. 1, 2017, 5:58 a.m.)
> 
> 
> Review request for Ambari, Balázs Bence Sári, Robert Levas, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-21613
>     https://issues.apache.org/jira/browse/AMBARI-21613
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Dynamically determine what keytab files have been distributed to hosts. A custom command should be available via the KERBEROS_CLIENT to query for the keytab files installed on the relevant host. The communication between the Ambari server and the agents should generate data needed to determine what keytab files exist.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java 1bc4c36
>   ambari-server/src/main/java/org/apache/ambari/server/agent/HeartbeatProcessor.java a08abab
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java e5b7afd
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/metainfo.xml 6a2dd09
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py 39fdcf5
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py fcd57af
>   ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/metainfo.xml 0e42bda
>   ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_client.py b2cdaa6
>   ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/package/scripts/kerberos_common.py abf58ee
>   ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java baa9bae
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 4508527
>   ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_client.py f638845
> 
> 
> Diff: https://reviews.apache.org/r/61251/diff/1/
> 
> 
> Testing
> -------
> 
> 1.
> - created a cluster with kerberos enabled
> - deleted a keytab file from a host
> - regenerated missing keytabs
> - checked that the deleted keytab file was recreated
> 
> 2.
> - regenerated missing keytabs when no keytab files were missing
> - checked that no keytab file was regenerated
> 
> 3.
> - created a 15-node cluster on openstack with services: HDFS, YARN, ZOOKEEPER, SPARK1, SPARK2, HIVE
> - measured the time taken to regenerate all keytabs and only missing keytabs:
> 
> regenerate missing keytabs only: 12.84 seconds (σ=2.33)
> regenerate all keytabs: 39.1 seconds (σ=5.37)
> 
> existing tests: pending
> 
> 
> Thanks,
> 
> Attila Magyar
> 
>
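
An added example, not part of the thread or of the Ambari code base, of the check suggested in the review above: parse `klist` output and confirm that the keytab holds an entry for the requested principal (and, optionally, the expected encryption types) instead of only testing that the file exists. The function names, principals and sample output are constructed for illustration, and the MIT Kerberos `klist -k -t -e` output layout is assumed.

```python
import re
import subprocess

# Constructed sample of MIT Kerberos `klist -k -t -e <keytab>` output (not from the thread).
SAMPLE = """\
Keytab name: FILE:/etc/security/keytabs/nn.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/01/2017 05:58:00 nn/host1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 08/01/2017 05:58:00 nn/host1.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
   1 08/01/2017 05:58:00 HTTP/host1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Entry line: KVNO, optional timestamp, principal, optional "(enctype)".
ENTRY = re.compile(r"^\s*(\d+)\s+.*?(\S+@\S+)(?:\s+\(([^)]+)\))?\s*$")


def parse_klist(output):
    """Return {principal: {(kvno, enctype), ...}} for every keytab entry listed."""
    entries = {}
    for line in output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, principal, etype = m.groups()
        # Newer MIT releases prefix weak enctypes with "DEPRECATED:".
        etype = etype.rsplit(":", 1)[-1] if etype else None
        entries.setdefault(principal, set()).add((int(kvno), etype))
    return entries


def check_keytab(output, principal, required_etypes=()):
    """Return (principal_present, sorted list of required enctypes with no entry)."""
    found = parse_klist(output).get(principal, set())
    have = {etype for _, etype in found}
    return bool(found), sorted(set(required_etypes) - have)


def klist_keytab(path, use_sudo=False):
    """Run klist on a keytab; sudo -n fails instead of prompting when not permitted."""
    cmd = ["klist", "-k", "-t", "-e", path]
    if use_sudo:
        cmd = ["sudo", "-n"] + cmd
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    wanted = ["aes256-cts-hmac-sha1-96", "arcfour-hmac"]
    for p in ("nn/host1.example.com@EXAMPLE.COM", "dn/host1.example.com@EXAMPLE.COM"):
        print(p, check_keytab(SAMPLE, p, wanted))
```

In the sample the keytab file exists and lists two principals, yet the `dn/` principal has no entry, which is the case a file-existence test reports as healthy.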
