Posted to reviews@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2017/03/07 00:13:42 UTC
Review Request 57350: Kerberos identity reference not working for ranger-audit property in hbase
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57350/
-----------------------------------------------------------
Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene Chekanskiy, Laszlo Puskas, Mugdha Varadkar, and Sebastian Toader.
Bugs: AMBARI-20335
https://issues.apache.org/jira/browse/AMBARI-20335
Repository: ambari
Description
-------
From stack 2.5 onwards, `xasecure.audit.jaas.Client.option.principal/ranger-hbase-audit` needs to have the principal value available under `hbase.master.kerberos.principal/hbase-site`.
To achieve that, the below block of code was added under the hbase kerberos.json (https://github.com/apache/ambari/blob/branch-2.5/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json):
```
{
  "name": "/HBASE/HBASE_MASTER/hbase_master_hbase",
  "principal": {
    "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.principal"
  },
  "keytab": {
    "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.keyTab"
  }
}
```
But on the test cluster, the `xasecure.audit.jaas.Client.option.principal/ranger-hbase-audit` property is not showing the expected value. It is showing the principal/keytab values of the `ams_hbase_master_hbase` identity.
Because of the wrong principal reference, audit to Solr is not working in a Kerberos environment, as security.json has the below entry instead of `hbase@EXAMPLE.COM`:
```
"amshbase@EXAMPLE.COM": [
  "ranger_audit_user",
  "dev"
]
```
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java 141e9cd
ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json f510770
ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json b053779
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java 2a59ccc
ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json 0c2723e
Diff: https://reviews.apache.org/r/57350/diff/1/
Testing
-------
Manually tested in Ambari 2.5.0 cluster and upgrade from Ambari 2.4.2.
# Local test results:
```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 23:53.766s
[INFO] Finished at: Mon Mar 06 16:55:35 EST 2017
[INFO] Final Memory: 71M/772M
[INFO] ------------------------------------------------------------------------
```
# Jenkins test results: PENDING
Thanks,
Robert Levas
Re: Review Request 57350: Kerberos identity reference not working for ranger-audit property in hbase
Posted by Mugdha Varadkar <mu...@freestoneinfotech.com>.
> On March 7, 2017, 1:24 p.m., Mugdha Varadkar wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
> > Lines 583 (patched)
> > <https://reviews.apache.org/r/57350/diff/1/?file=1656837#file1656837line588>
> >
> > Just curious to know whether principal/keytab descriptor should be mapped to hbase principal/keytab rather than null?
>
> Robert Levas wrote:
> Setting the principal value and the keytab file to `null` indicates that this Kerberos identity descriptor is to inherit the value from the reference identity - which is what we want in this case. For example, looking at https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json#L68, the principal value will become `hbase/_HOST@${realm}`.
Okay, Thank you.
- Mugdha
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57350/#review168122
-----------------------------------------------------------
Re: Review Request 57350: Kerberos identity reference not working for ranger-audit property in hbase
Posted by Robert Levas <rl...@hortonworks.com>.
> On March 7, 2017, 8:24 a.m., Mugdha Varadkar wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
> > Lines 583 (patched)
> > <https://reviews.apache.org/r/57350/diff/1/?file=1656837#file1656837line588>
> >
> > Just curious to know whether principal/keytab descriptor should be mapped to hbase principal/keytab rather than null?
Setting the principal value and the keytab file to `null` indicates that this Kerberos identity descriptor is to inherit the value from the reference identity - which is what we want in this case. For example, looking at https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json#L68, the principal value will become `hbase/_HOST@${realm}`.
- Robert
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57350/#review168122
-----------------------------------------------------------
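The inheritance rule described in the reply above, sketched as a simplified resolver plus a consistency check between the Ranger audit principal and the HBase master principal. This is an added example, not Ambari's code and not part of the thread; the keytab file, the `hbase-site/hbase.master.keytab.file` target and all function names are assumptions for illustration, and only single-level references are handled.

```python
import re

AUDIT = "ranger-hbase-audit/xasecure.audit.jaas.Client.option."
MASTER_PRINCIPAL = "hbase-site/hbase.master.kerberos.principal"

# Constructed, simplified descriptor (service -> component -> identities).
# The reference identity and the hbase principal value come from the thread;
# the keytab file and the hbase-site keytab property are assumed values.
DESCRIPTOR = {"HBASE": {"HBASE_MASTER": [
    {"name": "hbase_master_hbase",
     "principal": {"value": "hbase/_HOST@${realm}",
                   "configuration": MASTER_PRINCIPAL},
     "keytab": {"file": "${keytab_dir}/hbase.service.keytab",
                "configuration": "hbase-site/hbase.master.keytab.file"}},
    {"name": "/HBASE/HBASE_MASTER/hbase_master_hbase",
     "principal": {"value": None, "configuration": AUDIT + "principal"},
     "keytab": {"file": None, "configuration": AUDIT + "keyTab"}},
]}}


def find_identity(descriptor, path):
    """Look up '/SERVICE/COMPONENT/name'; fail loudly on a dangling reference."""
    service, component, name = path.strip("/").split("/")
    for identity in descriptor.get(service, {}).get(component, []):
        if identity["name"] == name:
            return identity
    raise KeyError("unresolved identity reference: " + path)


def resolve_configs(descriptor):
    """Map 'config-type/property' -> value, inheriting null values from the referenced identity."""
    configs = {}
    for components in descriptor.values():
        for identities in components.values():
            for identity in identities:
                is_ref = identity["name"].startswith("/")
                base = find_identity(descriptor, identity["name"]) if is_ref else identity
                for section, key in (("principal", "value"), ("keytab", "file")):
                    own = identity.get(section, {})
                    value = own.get(key)
                    if value is None:  # null: take the referenced identity's value
                        value = base[section][key]
                    if own.get("configuration"):
                        configs[own["configuration"]] = value
    return configs


def primary(principal):
    """Primary of a Kerberos principal: the part before '/' or '@'."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]


def audit_principal_matches(configs):
    """True when the Ranger audit principal shares the HBase master's primary."""
    return primary(configs[AUDIT + "principal"]) == primary(configs[MASTER_PRINCIPAL])


if __name__ == "__main__":
    resolved = resolve_configs(DESCRIPTOR)
    print(resolved[AUDIT + "principal"], audit_principal_matches(resolved))
```

Running the same check against a cluster's resolved configuration flags the symptom reported in the description, where the audit property carries the `amshbase` principal instead of `hbase`.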
Re: Review Request 57350: Kerberos identity reference not working for ranger-audit property in hbase
Posted by Mugdha Varadkar <mu...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57350/#review168122
-----------------------------------------------------------
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java
Lines 583 (patched)
<https://reviews.apache.org/r/57350/#comment240254>
Just curious to know whether principal/keytab descriptor should be mapped to hbase principal/keytab rather than null?
- Mugdha Varadkar
Re: Review Request 57350: Kerberos identity reference not working for ranger-audit property in hbase
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57350/#review168100
-----------------------------------------------------------
Ship It!
- Sebastian Toader
Re: Review Request 57350: Kerberos identity reference not working for ranger-audit property in hbase
Posted by Mugdha Varadkar <mu...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57350/#review168126
-----------------------------------------------------------
Ship It!
- Mugdha Varadkar