Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/01/25 22:09:42 UTC
Review Request 30260: Kerberos: host/@REALM principals are created (should not be created)
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30260/
-----------------------------------------------------------
Review request for Ambari, Emil Anca and Yusaku Sako.
Bugs: AMBARI-9323
https://issues.apache.org/jira/browse/AMBARI-9323
Repository: ambari
Description
-------
While generating principals, `host/<hostname>@REALM` principals are created. These should not be created.
And they are ending up in the resulting keytab. For example:
```
[root@c6402 keytabs]# klist -kt nn.service.keytab
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
```
The solution is to remove _identities_ from all `kerberos.json` files that lead to the generation of the `host/<hostname>@<realm>` entries.
Diffs
-----
ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/kerberos.json 8b7979e
ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json 596d607
ambari-server/src/test/java/org/apache/ambari/server/stack/KerberosDescriptorTest.java 0abb2f3
ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json 99a4227
Diff: https://reviews.apache.org/r/30260/diff/
Testing
-------
Manually tested in test cluster.
Verified `host/<hostname>@<realm>` are no longer created. Example (does not indicate all of the keytab files that were fixed):
```
[root@c6503 keytabs]# klist -kt nn.service.keytab
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 01/25/15 19:14:49 nn/c6503.ambari.apache.org@EXAMPLE.COM
1 01/25/15 19:14:49 nn/c6503.ambari.apache.org@EXAMPLE.COM
1 01/25/15 19:14:49 nn/c6503.ambari.apache.org@EXAMPLE.COM
1 01/25/15 19:14:49 nn/c6503.ambari.apache.org@EXAMPLE.COM
```
Since the solution is to remove entries from Kerberos descriptor files from the stack, no unit tests were updated or added.
# Jenkins test results
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:02 h
[INFO] Finished at: 2015-01-25T20:43:13+00:00
[INFO] Final Memory: 44M/508M
[INFO] ------------------------------------------------------------------------
Thanks,
Robert Levas
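
The keytab check from the Testing section, as an added example (not part of the original e-mail or of the Ambari code base): a shell function that reads `klist -kt` output and lists every principal whose primary is not the one expected for that keytab. The function names and the expected-primary argument are assumptions; the sample rows are copied from the listings in the review request.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not Ambari code).

# unexpected_principals EXPECTED_PRIMARY
# Reads `klist -kt` output on stdin and prints each distinct principal whose
# primary (the part before "/" or "@") is not EXPECTED_PRIMARY.
unexpected_principals() {
  awk -v expected="$1" '
    # Entry rows start with a numeric KVNO; banner and separator rows do not.
    $1 ~ /^[0-9]+$/ && NF >= 4 {
      principal = $4               # fields: KVNO, date, time, principal
      split(principal, parts, "/")
      primary = parts[1]
      sub(/@.*$/, "", primary)     # handles principals with no instance part
      if (primary != expected && !seen[principal]++) print principal
    }'
}

# Rows copied from the "before" listing in the review request.
sample_before() {
  cat <<'EOF'
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 nn/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
1 01/24/15 18:07:51 host/c6402.ambari.apache.org@EXAMPLE.COM
EOF
}

# Rows copied from the "after" listing in the review request.
sample_after() {
  cat <<'EOF'
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 01/25/15 19:14:49 nn/c6503.ambari.apache.org@EXAMPLE.COM
1 01/25/15 19:14:49 nn/c6503.ambari.apache.org@EXAMPLE.COM
EOF
}

# Live use on a cluster host:
#   klist -kt nn.service.keytab | unexpected_principals nn
```

Empty output means the keytab holds only the expected service principal; any line printed is an extra identity that was written into the keytab.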
Re: Review Request 30260: Kerberos: host/@REALM principals are created (should not be created)
Posted by Yusaku Sako <yu...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30260/#review69658
-----------------------------------------------------------
Ship it!
Ship It!
- Yusaku Sako