[jira] [Commented] (HAWQ-845) Parameterize kerberos principal name for HAWQ

2016-09-12 Thread Matt (JIRA)

[ 
https://issues.apache.org/jira/browse/HAWQ-845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15483191#comment-15483191
 ] 

Matt commented on HAWQ-845:
---

Thanks for clarifying [~wlin] 

We'll make necessary changes in Ambari targeting the 2.4.2 release.

> Parameterize kerberos principal name for HAWQ
> -
>
> Key: HAWQ-845
> URL: https://issues.apache.org/jira/browse/HAWQ-845
> Project: Apache HAWQ
> Issue Type: Improvement
> Reporter: bhuvnesh chaudhary
> Assignee: Lei Chang
> Priority: Minor
> Fix For: 2.0.1.0-incubating
>
>
> Currently HAWQ only accepts the principal 'postgres' for kerberos settings.
> This is because it is hardcoded in gpcheckhdfs; we should ensure that it can
> be parameterized.
> Also, it's better to change the default principal name postgres to gpadmin.
> It will avoid the need of changing the hdfs directory during securing the
> cluster to postgres and will avoid the need of maintaining postgres user.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (HAWQ-845) Parameterize kerberos principal name for HAWQ

2016-09-12 Thread Matt (JIRA)

[ 
https://issues.apache.org/jira/browse/HAWQ-845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15483193#comment-15483193
 ] 

Matt commented on HAWQ-845:
---

Thanks for clarifying [~wlin] 

We'll make necessary changes in Ambari targeting the 2.4.2 release.

> Parameterize kerberos principal name for HAWQ
> -
>
> Key: HAWQ-845
> URL: https://issues.apache.org/jira/browse/HAWQ-845
> Project: Apache HAWQ
> Issue Type: Improvement
> Reporter: bhuvnesh chaudhary
> Assignee: Lei Chang
> Priority: Minor
> Fix For: 2.0.1.0-incubating
>
>
> Currently HAWQ only accepts the principal 'postgres' for kerberos settings.
> This is because it is hardcoded in gpcheckhdfs; we should ensure that it can
> be parameterized.
> Also, it's better to change the default principal name postgres to gpadmin.
> It will avoid the need of changing the hdfs directory during securing the
> cluster to postgres and will avoid the need of maintaining postgres user.





[jira] [Commented] (HAWQ-845) Parameterize kerberos principal name for HAWQ

2016-09-11 Thread Lin Wen (JIRA)

[ 
https://issues.apache.org/jira/browse/HAWQ-845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15483123#comment-15483123
 ] 

Lin Wen commented on HAWQ-845:
--

Hi, Matt,

HAWQ doesn't require HDFS to be owned by the secured user in secure mode. But the
secureduser must have read/write permission on the HDFS data directory.

> Parameterize kerberos principal name for HAWQ
> -
>
> Key: HAWQ-845
> URL: https://issues.apache.org/jira/browse/HAWQ-845
> Project: Apache HAWQ
> Issue Type: Improvement
> Reporter: bhuvnesh chaudhary
> Assignee: Lei Chang
> Priority: Minor
> Fix For: 2.0.1.0-incubating
>
>
> Currently HAWQ only accepts the principal 'postgres' for kerberos settings.
> This is because it is hardcoded in gpcheckhdfs; we should ensure that it can
> be parameterized.
> Also, it's better to change the default principal name postgres to gpadmin.
> It will avoid the need of changing the hdfs directory during securing the
> cluster to postgres and will avoid the need of maintaining postgres user.





[jira] [Commented] (HAWQ-845) Parameterize kerberos principal name for HAWQ

2016-09-07 Thread Matt (JIRA)

[ 
https://issues.apache.org/jira/browse/HAWQ-845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15471317#comment-15471317
 ] 

Matt commented on HAWQ-845:
---

[~wlin] 

We have some dependent code in Ambari here: 
https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/common.py#L284-#L296

We have this problem, which we got around using the above code:
HAWQ exists in a non-kerberized cluster - HDFS data directory is owned by 
*gpadmin*
After kerberizing the cluster, HAWQ Master fails to start because it expects 
the directory to be owned by *postgres*
Our code in the current Ambari release (2.4) does a check of HDFS data 
directory owner before HAWQ Master starts:
- If secure cluster, ensure that HDFS data directory is owned by postgres
- If non secure cluster, ensure that HDFS data directory is owned by gpadmin


*My question:*
On a new install of HAWQ with the latest version (after fix of HAWQ-845), if I 
set krb_srvname to *secureduser* will HAWQ require HDFS data directory to be 
owned by *secureduser*?
If yes, this would lead to potential errors in Ambari 2.4 (in case user goes 
with a custom krb_srvname), because our code (link above) switches the HDFS 
data directory owner to *postgres* if cluster is secured.

> Parameterize kerberos principal name for HAWQ
> -
>
> Key: HAWQ-845
> URL: https://issues.apache.org/jira/browse/HAWQ-845
> Project: Apache HAWQ
> Issue Type: Improvement
> Reporter: bhuvnesh chaudhary
> Assignee: Lei Chang
> Priority: Minor
> Fix For: 2.0.1.0-incubating
>
>
> Currently HAWQ only accepts the principal 'postgres' for kerberos settings.
> This is because it is hardcoded in gpcheckhdfs; we should ensure that it can
> be parameterized.
> Also, it's better to change the default principal name postgres to gpadmin.
> It will avoid the need of changing the hdfs directory during securing the
> cluster to postgres and will avoid the need of maintaining postgres user.





[jira] [Commented] (HAWQ-845) Parameterize kerberos principal name for HAWQ

2016-08-31 Thread Lin Wen (JIRA)

[ 
https://issues.apache.org/jira/browse/HAWQ-845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15451291#comment-15451291
 ] 

Lin Wen commented on HAWQ-845:
--

For now I think we can keep 'postgres' as the default kerberos service name, but
customers should be able to parameterize it with another name.
If a user wants to use a different name, the property/value below should be added to
hawq-site.xml:

<property>
  <name>krb_srvname</name>
  <value>gpadmin</value>
</property>




> Parameterize kerberos principal name for HAWQ
> -
>
> Key: HAWQ-845
> URL: https://issues.apache.org/jira/browse/HAWQ-845
> Project: Apache HAWQ
> Issue Type: Improvement
> Reporter: bhuvnesh chaudhary
> Assignee: Lei Chang
> Priority: Minor
> Fix For: backlog
>
>
> Currently HAWQ only accepts the principal 'postgres' for kerberos settings.
> This is because it is hardcoded in gpcheckhdfs; we should ensure that it can
> be parameterized.
> Also, it's better to change the default principal name postgres to gpadmin.
> It will avoid the need of changing the hdfs directory during securing the
> cluster to postgres and will avoid the need of maintaining postgres user.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
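
Added example (not part of the original thread, and not HAWQ or Ambari code): the replies above say the service name comes from krb_srvname in hawq-site.xml (default 'postgres') and that the configured user needs read/write permission on the HDFS data directory, not ownership. The Python below checks that condition instead of changing the owner; it assumes the Hadoop-style property layout for hawq-site.xml, that the krb_srvname value is also the HDFS user (as the thread treats it), POSIX-style owner/group/other bits with no ACLs, and constructed sample values.

```python
import xml.etree.ElementTree as ET

DEFAULT_SRVNAME = "postgres"  # default service name stated in the thread

# Constructed sample hawq-site.xml content (not taken from a real cluster).
SAMPLE_HAWQ_SITE = """
<configuration>
  <property>
    <name>krb_srvname</name>
    <value>secureduser</value>
  </property>
</configuration>
"""

def krb_srvname(hawq_site_xml):
    """Return krb_srvname from hawq-site.xml text, or the default if unset."""
    root = ET.fromstring(hawq_site_xml)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == "krb_srvname":
            value = (prop.findtext("value") or "").strip()
            return value or DEFAULT_SRVNAME
    return DEFAULT_SRVNAME

def has_read_write(user, user_groups, owner, group, mode):
    """POSIX-style check that `user` holds both r and w on a path.

    mode is the octal permission (e.g. 0o770). The first matching class
    wins: owner, then group, then other. ACLs and the HDFS superuser are
    not modelled (assumption of this example).
    """
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in user_groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 0o6 == 0o6

def check_data_dir(hawq_site_xml, user_groups, owner, group, mode):
    """Resolve the configured user and report whether it can read and write
    the data directory as it stands, without any change of owner."""
    user = krb_srvname(hawq_site_xml)
    return user, has_read_write(user, user_groups, owner, group, mode)

if __name__ == "__main__":
    # Directory still owned by gpadmin; secureduser is in group gpadmin.
    print(check_data_dir(SAMPLE_HAWQ_SITE, {"gpadmin"}, "gpadmin", "gpadmin", 0o770))
    print(check_data_dir(SAMPLE_HAWQ_SITE, {"gpadmin"}, "gpadmin", "gpadmin", 0o750))
```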