Re: Review Request 63450: Improve KDC integration

Robert Levas Tue, 31 Oct 2017 14:01:08 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63450/
-----------------------------------------------------------


(Updated Oct. 31, 2017, 5 p.m.)


Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene Chekanskiy, 
Jonathan Hurley, Laszlo Puskas, Nate Cole, Robert Nettleton, and Sebastian 
Toader.


Changes
-------

Replaced bad diff file.


Bugs: AMBARI-22293
    https://issues.apache.org/jira/browse/AMBARI-22293


Repository: ambari


Description
-------

Improve KDC integration by making the interfaces more consistent with each 
other.

#Notes:
- When using the MIT KDC or IPA options, the `kerberos-env/admin_server_host` 
value *must be the fully qualified domain name* (FQDN) of the host were the KDC 
administrator service is. 
- When connecting to the MIT KDC and IPA server, a username a password is not 
used to authenticate using the kadmin utility.  A Kerberos ticket is first 
acquired and that is used for authentication.
- When creating Kerberos identities using the MIT KDC and IPA handlers, the 
Ambari-generated password is not used.  All password's for principals in the 
MIT KDC and IP server are generated randomly by the KDC.
- Removed `kerberos-env/set_password_expiry` and 
`kerberos-env/password_chat_timeout` properties since they are no longer needed
- Changed `kerberos-env/groups` to `kerberos-env/ipa_user_groups` to be more 
explicit in how the property is used.
- The setPassword implementation for the MIT KDC and IPA handlers do nothing 
except check to see if the relevant principal exists. This is to maintain 
backward compatibility with previous implementations.


Diffs (updated)
-----

  ambari-server/docs/security/kerberos/kerberos_service.md 65e312b866 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
 f7d6060710 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
 1c0853b98e 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java
 2b3a0ca40d 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java
 9a6a07e4d3 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KDCKerberosOperationHandler.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
 8749f81068 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
 0997f650f8 
  
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog300.java
 bfe2a1346e 
  
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
 0a081215ec 
  
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-30/configuration/kerberos-env.xml
 0a081215ec 
  
ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/configuration/kerberos-env.xml
 66e81dbb00 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
 7ed52d2782 
  
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
 483cc0aed2 
  
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandlerTest.java
 f2a09bafb9 
  
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KDCKerberosOperationHandlerTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java
 88c841c3a1 
  
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java
 a43db4d12c 
  
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java
 04d03bebb5 
  
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog300Test.java
 25e9dbf739 
  ambari-server/src/test/python/stacks/2.5/configs/ranger-admin-secured.json 
288d155c47 
  ambari-server/src/test/python/stacks/2.5/configs/ranger-kms-secured.json 
f7f054a0db 
  ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-secured.json 
38b59061b4 
  ambari-server/src/test/resources/PreconfigureActionTest_cluster_config.json 
2a744c70be 
  ambari-web/app/controllers/main/admin/kerberos/step2_controller.js 05b0b31e3b 


Diff: https://reviews.apache.org/r/63450/diff/2/

Changes: https://reviews.apache.org/r/63450/diff/1-2/


Testing
-------

Manually tested new and upgraded clusters using AD, MIT KDC, and IPA options. 

# Local test results: 
```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 26:09 min
[INFO] Finished at: 2017-10-31T16:24:49-04:00
[INFO] Final Memory: 99M/2148M
[INFO] ------------------------------------------------------------------------
```

# Jenkins test results: PENDING


Thanks,

Robert Levas

Re: Review Request 63450: Improve KDC integration

Reply via email to