You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/02/09 21:21:56 UTC
Review Request 30805: Kerberos: Do not validate host health or
maintenance state when enabling Kerberos
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30805/
-----------------------------------------------------------
Review request for Ambari, John Speidel and Robert Nettleton.
Bugs: AMBARI-9439
https://issues.apache.org/jira/browse/AMBARI-9439
Repository: ambari
Description
-------
Do not validate host health or maintenance state when enabling Kerberos.
The solution for is requires a set of database tables to maintain which principals were created and to which host the keytabs have been distributed. Using the persisted data on principals nad keytabs, only principals and keytabs that have not been created are created and distributed. This ensures that existing principals arent updated, requiring the need to genreate new keytabs and redistribute them to hosts that were already properly configured.
As a side-effect, this fixes (potential) issues when adding new hosts and services to a previously Kerberized cluster.
One part of the solution required and update to the Heartbeat handler to capture a "responses" from the hosts indicating which keytabs were installed. The data is then stored in the Ambari database for future reference.
While implemening this solution at least (not fully discoved) bug was fixed. This is realated to the Keberos client service check. Also, added a needed feature to destroy previously created principals.
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java 80ef542
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 3606199
ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalDAO.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalHostDAO.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalEntity.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntity.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntityPK.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java 1f6dc7f
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java 0a9304b
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java e2cb384
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog200.java a83d26d
ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql 3e0d39e
ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 2c33b37
ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql ff42074
ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql 8f7a6ea
ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 7c72037
ambari-server/src/main/resources/META-INF/persistence.xml 07bd67d
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py 8e171c8
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py 6af6d05
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py c624dd5
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/status_params.py PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/agent/HeartBeatHandlerInjectKeytabTest.java d613669
ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java 3140128
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 472178b
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog200Test.java b935c29
Diff: https://reviews.apache.org/r/30805/diff/
Testing
-------
Manually tested various scenarios in a test cluster:
* enabling Kerberos while a host was done and then bringing the host back up
* adding a new host
* adding a new service
#Jenkins test results: _PENDING_
Thanks,
Robert Levas
Re: Review Request 30805: Kerberos: Do not validate host health or
maintenance state when enabling Kerberos
Posted by John Speidel <js...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30805/#review71750
-----------------------------------------------------------
Ship it!
Ship It!
- John Speidel
On Feb. 9, 2015, 8:21 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30805/
> -----------------------------------------------------------
>
> (Updated Feb. 9, 2015, 8:21 p.m.)
>
>
> Review request for Ambari, John Speidel and Robert Nettleton.
>
>
> Bugs: AMBARI-9439
> https://issues.apache.org/jira/browse/AMBARI-9439
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Do not validate host health or maintenance state when enabling Kerberos.
>
> The solution for is requires a set of database tables to maintain which principals were created and to which host the keytabs have been distributed. Using the persisted data on principals nad keytabs, only principals and keytabs that have not been created are created and distributed. This ensures that existing principals arent updated, requiring the need to genreate new keytabs and redistribute them to hosts that were already properly configured.
>
> As a side-effect, this fixes (potential) issues when adding new hosts and services to a previously Kerberized cluster.
>
> One part of the solution required and update to the Heartbeat handler to capture a "responses" from the hosts indicating which keytabs were installed. The data is then stored in the Ambari database for future reference.
>
> While implemening this solution at least (not fully discoved) bug was fixed. This is realated to the Keberos client service check. Also, added a needed feature to destroy previously created principals.
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java 80ef542
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 3606199
> ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalDAO.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalHostDAO.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalEntity.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntity.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntityPK.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java 1f6dc7f
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java 0a9304b
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java e2cb384
> ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog200.java a83d26d
> ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql 3e0d39e
> ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 2c33b37
> ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql ff42074
> ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql 8f7a6ea
> ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 7c72037
> ambari-server/src/main/resources/META-INF/persistence.xml 07bd67d
> ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py 8e171c8
> ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py 6af6d05
> ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py c624dd5
> ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/status_params.py PRE-CREATION
> ambari-server/src/test/java/org/apache/ambari/server/agent/HeartBeatHandlerInjectKeytabTest.java d613669
> ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java 3140128
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 472178b
> ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog200Test.java b935c29
>
> Diff: https://reviews.apache.org/r/30805/diff/
>
>
> Testing
> -------
>
> Manually tested various scenarios in a test cluster:
>
> * enabling Kerberos while a host was done and then bringing the host back up
> * adding a new host
> * adding a new service
>
> #Jenkins test results: _PENDING_
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 30805: Kerberos: Do not validate host health or
maintenance state when enabling Kerberos
Posted by Robert Nettleton <rn...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30805/#review71712
-----------------------------------------------------------
Ship it!
Ship It!
- Robert Nettleton
On Feb. 9, 2015, 8:21 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30805/
> -----------------------------------------------------------
>
> (Updated Feb. 9, 2015, 8:21 p.m.)
>
>
> Review request for Ambari, John Speidel and Robert Nettleton.
>
>
> Bugs: AMBARI-9439
> https://issues.apache.org/jira/browse/AMBARI-9439
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Do not validate host health or maintenance state when enabling Kerberos.
>
> The solution for is requires a set of database tables to maintain which principals were created and to which host the keytabs have been distributed. Using the persisted data on principals nad keytabs, only principals and keytabs that have not been created are created and distributed. This ensures that existing principals arent updated, requiring the need to genreate new keytabs and redistribute them to hosts that were already properly configured.
>
> As a side-effect, this fixes (potential) issues when adding new hosts and services to a previously Kerberized cluster.
>
> One part of the solution required and update to the Heartbeat handler to capture a "responses" from the hosts indicating which keytabs were installed. The data is then stored in the Ambari database for future reference.
>
> While implemening this solution at least (not fully discoved) bug was fixed. This is realated to the Keberos client service check. Also, added a needed feature to destroy previously created principals.
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java 80ef542
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 3606199
> ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalDAO.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalHostDAO.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalEntity.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntity.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntityPK.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java 1f6dc7f
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java 0a9304b
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java e2cb384
> ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog200.java a83d26d
> ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql 3e0d39e
> ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 2c33b37
> ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql ff42074
> ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql 8f7a6ea
> ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 7c72037
> ambari-server/src/main/resources/META-INF/persistence.xml 07bd67d
> ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py 8e171c8
> ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py 6af6d05
> ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py c624dd5
> ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/status_params.py PRE-CREATION
> ambari-server/src/test/java/org/apache/ambari/server/agent/HeartBeatHandlerInjectKeytabTest.java d613669
> ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java 3140128
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 472178b
> ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog200Test.java b935c29
>
> Diff: https://reviews.apache.org/r/30805/diff/
>
>
> Testing
> -------
>
> Manually tested various scenarios in a test cluster:
>
> * enabling Kerberos while a host was done and then bringing the host back up
> * adding a new host
> * adding a new service
>
> #Jenkins test results: _PENDING_
>
>
> Thanks,
>
> Robert Levas
>
>