Re: Review Request 57350: Kerberos identity reference not working for ranger-audit property in hbase

2017-03-07 Thread Mugdha Varadkar


> On March 7, 2017, 1:24 p.m., Mugdha Varadkar wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
> > Lines 583 (patched)
> > 
> >
> > Just curious to know whether principal/keytab descriptor should be 
> > mapped to hbase principal/keytab rather than null?
> 
> Robert Levas wrote:
> Setting the principal value and the keytab file to `null` indicates that 
> this Kerberos identity descriptor is to inherit the value from the reference 
> identity - which is what we want in this case. For example, looking at 
> https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json#L68,
> the principal value will become `hbase/_HOST@${realm}`.

Okay, Thank you.


- Mugdha


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57350/#review168122
---


On March 7, 2017, 12:13 a.m., Robert Levas wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/57350/
> ---
> 
> (Updated March 7, 2017, 12:13 a.m.)
> 
> 
> Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene 
> Chekanskiy, Laszlo Puskas, Mugdha Varadkar, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-20335
> https://issues.apache.org/jira/browse/AMBARI-20335
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> From stack 2.5 onwards 
> `xasecure.audit.jaas.Client.option.principal/ranger-hbase-audit` needs to 
> have principal value available under 
> `hbase.master.kerberos.principal/hbase-site`
> 
> To achieve that, the below block of code was added under hbase 
> [kerberos.json|https://github.com/apache/ambari/blob/branch-2.5/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json]
> ```
> {
>   "name": "/HBASE/HBASE_MASTER/hbase_master_hbase",
>   "principal": {
>     "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.principal"
>   },
>   "keytab": {
>     "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.keyTab"
>   }
> }
> ```
> 
> But on test cluster, 
> `xasecure.audit.jaas.Client.option.principal/ranger-hbase-audit` property is 
> not showing the expected value. It is showing the principal/keytab values of 
> `ams_hbase_master_hbase` identity. 
> 
> Because of the wrong principal reference, audit to Solr is not working in a 
> Kerberos environment, as security.json has the below entry instead of 
> `hb...@example.com`
> ```
> "amshb...@example.com":[
> "ranger_audit_user",
> "dev"]
> ```
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java 141e9cd 
>   ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json f510770 
>   ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json b053779 
>   ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java 2a59ccc 
>   ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json 0c2723e 
> 
> 
> Diff: https://reviews.apache.org/r/57350/diff/1/
> 
> 
> Testing
> ---
> 
> Manually tested in Ambari 2.5.0 cluster and upgrade from Ambari 2.4.2.
> 
> # Local test results:
> 
> ```
> [INFO] 
> 
> [INFO] BUILD SUCCESS
> [INFO] 
> 
> [INFO] Total time: 23:53.766s
> [INFO] Finished at: Mon Mar 06 16:55:35 EST 2017
> [INFO] Final Memory: 71M/772M
> [INFO] 
> 
> ```
> 
> # Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>
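
Added example (not part of the thread and not Ambari's own code): a simplified Python model of the reference behaviour described in the reply above, where an identity named `/HBASE/HBASE_MASTER/hbase_master_hbase` with null principal value and keytab file inherits them from the referenced identity while still writing to its own `ranger-hbase-audit` properties. The descriptor layout, the `ident` helper, the keytab paths and the AMS entry's properties and principal are constructed placeholders.

```python
# Simplified model of Kerberos identity reference resolution.
# Constructed data and hypothetical helpers; this is not Ambari's implementation.
def ident(name, pconf, kconf, principal=None, keytab=None):
    """Build an identity; principal/keytab of None model JSON null."""
    return {"name": name,
            "principal": {"value": principal, "configuration": pconf},
            "keytab": {"file": keytab, "configuration": kconf}}

AUDIT = "ranger-hbase-audit/xasecure.audit.jaas.Client.option."
DESCRIPTOR = {  # constructed sample: {service: {component: [identities]}}
    "HBASE": {"HBASE_MASTER": [
        ident("hbase_master_hbase", "hbase-site/hbase.master.kerberos.principal",
              "hbase-site/hbase.master.keytab.file",
              "hbase/_HOST@${realm}", "/placeholder/hbase.service.keytab"),
        # The reference from the review: value and file left null.
        ident("/HBASE/HBASE_MASTER/hbase_master_hbase",
              AUDIT + "principal", AUDIT + "keyTab"),
    ]},
    "AMBARI_METRICS": {"METRICS_COLLECTOR": [
        ident("ams_hbase_master_hbase", "ams-hbase-site/placeholder.principal",
              "ams-hbase-site/placeholder.keytab",
              "ams-placeholder/_HOST@${realm}", "/placeholder/ams-hbase.keytab"),
    ]},
}

def find_identity(descriptor, path):
    """Resolve '/SERVICE/COMPONENT/name' to the identity at that exact path."""
    service, component, name = path.strip("/").split("/")
    for identity in descriptor[service][component]:
        if identity["name"] == name:
            return identity
    raise KeyError(path)

def resolve(descriptor, identity):
    """Fill fields left as None from the referenced identity."""
    if not identity["name"].startswith("/"):
        return identity  # a plain identity, nothing to inherit
    base = find_identity(descriptor, identity["name"])
    return {"name": identity["name"], **{
        field: {k: (v if v is not None else base[field][k])
                for k, v in identity[field].items()}
        for field in ("principal", "keytab")}}

def config_assignments(descriptor):
    """Return {'config-type/property': value} for every identity."""
    out = {}
    for components in descriptor.values():
        for identities in components.values():
            for i in (resolve(descriptor, x) for x in identities):
                out[i["principal"]["configuration"]] = i["principal"]["value"]
                out[i["keytab"]["configuration"]] = i["keytab"]["file"]
    return out
```

Comparing the resolved `ranger-hbase-audit` principal against the `hbase-site` one after descriptor changes is a quick way to catch the mismatch reported in the description before it reaches Solr's security.json.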



Re: Review Request 57350: Kerberos identity reference not working for ranger-audit property in hbase

2017-03-07 Thread Mugdha Varadkar

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57350/#review168126
---


Ship it!




Ship It!

- Mugdha Varadkar





Re: Review Request 57350: Kerberos identity reference not working for ranger-audit property in hbase

2017-03-07 Thread Mugdha Varadkar

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57350/#review168122
---




ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
Lines 583 (patched)


Just curious to know whether principal/keytab descriptor should be mapped 
to hbase principal/keytab rather than null?


- Mugdha Varadkar





Re: Review Request 57350: Kerberos identity reference not working for ranger-audit property in hbase

2017-03-06 Thread Sebastian Toader

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57350/#review168100
---


Ship it!




Ship It!

- Sebastian Toader


On March 7, 2017, 1:13 a.m., Robert Levas wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/57350/
> ---
> 
> (Updated March 7, 2017, 1:13 a.m.)
> 
> 
> Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene 
> Chekanskiy, Laszlo Puskas, Mugdha Varadkar, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-20335
> https://issues.apache.org/jira/browse/AMBARI-20335
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> From stack 2.5 onwards 
> `xasecure.audit.jaas.Client.option.principal/ranger-hbase-audit` needs to 
> have principal value available under 
> `hbase.master.kerberos.principal/hbase-site`
> 
> To achieve that, the below block of code was added under hbase 
> [kerberos.json|https://github.com/apache/ambari/blob/branch-2.5/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json]
> ```
> {
>   "name": "/HBASE/HBASE_MASTER/hbase_master_hbase",
>   "principal": {
>     "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.principal"
>   },
>   "keytab": {
>     "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.keyTab"
>   }
> }
> ```
> 
> But on test cluster, 
> `xasecure.audit.jaas.Client.option.principal/ranger-hbase-audit` property is 
> not showing the expected value. It is showing the principal/keytab values of 
> `ams_hbase_master_hbase` identity. 
> 
> Because of the wrong principal reference, audit to Solr is not working in a 
> Kerberos environment, as security.json has the below entry instead of 
> `hb...@example.com`
> ```
> "amshb...@example.com":[
> "ranger_audit_user",
> "dev"]
> ```
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java 141e9cd 
>   ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json f510770 
>   ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json b053779 
>   ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java 2a59ccc 
>   ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json 0c2723e 
> 
> 
> Diff: https://reviews.apache.org/r/57350/diff/1/
> 
> 
> Testing
> ---
> 
> Manually tested in Ambari 2.5.0 cluster and upgrade from Ambari 2.4.2.
> 
> # Local test results:
> 
> ```
> [INFO] 
> 
> [INFO] BUILD SUCCESS
> [INFO] 
> 
> [INFO] Total time: 23:53.766s
> [INFO] Finished at: Mon Mar 06 16:55:35 EST 2017
> [INFO] Final Memory: 71M/772M
> [INFO] 
> 
> ```
> 
> # Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>