Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/02/09 21:21:56 UTC

Review Request 30805: Kerberos: Do not validate host health or maintenance state when enabling Kerberos

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30805/
-----------------------------------------------------------

Review request for Ambari, John Speidel and Robert Nettleton.


Bugs: AMBARI-9439
    https://issues.apache.org/jira/browse/AMBARI-9439


Repository: ambari


Description
-------

Do not validate host health or maintenance state when enabling Kerberos.  

The solution for this requires a set of database tables to maintain which principals were created and to which host the keytabs have been distributed. Using the persisted data on principals and keytabs, only principals and keytabs that have not been created are created and distributed.  This ensures that existing principals aren't updated, requiring the need to generate new keytabs and redistribute them to hosts that were already properly configured.

As a side-effect, this fixes (potential) issues when adding new hosts and services to a previously Kerberized cluster.  

One part of the solution required an update to the Heartbeat handler to capture "responses" from the hosts indicating which keytabs were installed. The data is then stored in the Ambari database for future reference.

While implementing this solution at least one (not fully discovered) bug was fixed. This is related to the Kerberos client service check. Also, added a needed feature to destroy previously created principals.


Diffs
-----

  ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java 80ef542 
  ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 3606199 
  ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalDAO.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalHostDAO.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalEntity.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntity.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntityPK.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java 1f6dc7f 
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java 0a9304b 
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java e2cb384 
  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog200.java a83d26d 
  ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql 3e0d39e 
  ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 2c33b37 
  ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql ff42074 
  ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql 8f7a6ea 
  ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 7c72037 
  ambari-server/src/main/resources/META-INF/persistence.xml 07bd67d 
  ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py 8e171c8 
  ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py 6af6d05 
  ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py c624dd5 
  ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/status_params.py PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/agent/HeartBeatHandlerInjectKeytabTest.java d613669 
  ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java 3140128 
  ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 472178b 
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog200Test.java b935c29 

Diff: https://reviews.apache.org/r/30805/diff/


Testing
-------

Manually tested various scenarios in a test cluster:

* enabling Kerberos while a host was down and then bringing the host back up
* adding a new host
* adding a new service

#Jenkins test results: _PENDING_


Thanks,

Robert Levas
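
The bookkeeping described in the request above, as an added example that is not part of the original message and is not Ambari's code: a simplified in-memory model in Python of "create and distribute only what is missing", with heartbeat reports recording installed keytabs. The class, function names and sample principals are hypothetical; the assumption is that a principal is created once and its keytab is delivered when the host reports back.

```python
from dataclasses import dataclass, field

@dataclass
class KerberosState:
    """Stand-in for the two persisted tables (hypothetical names)."""
    principals: set = field(default_factory=set)    # principals already created
    keytab_hosts: set = field(default_factory=set)  # (principal, host) confirmed installed

def plan(state, required):
    """required: iterable of (principal, host) pairs the cluster needs.
    Returns (principals still to create, keytabs still to distribute)."""
    required = set(required)
    to_create = sorted({p for p, _ in required} - state.principals)
    to_distribute = sorted(required - state.keytab_hosts)
    return to_create, to_distribute

def record_created(state, principals):
    """Persist principals once they exist, so later passes never touch them."""
    state.principals.update(principals)

def record_heartbeat(state, host, installed):
    """Persist a host's report of which keytabs it installed."""
    for principal in installed:
        if principal in state.principals:  # ignore reports for unknown principals
            state.keytab_hosts.add((principal, host))

def demo():
    # Constructed sample data: host2 is down during the first pass.
    required = [("nn/host1@EXAMPLE.COM", "host1"), ("dn/host2@EXAMPLE.COM", "host2")]
    state = KerberosState()
    first = plan(state, required)
    record_created(state, first[0])
    record_heartbeat(state, "host1", ["nn/host1@EXAMPLE.COM"])
    # host2 comes back: nothing is re-created, only its keytab is pending.
    second = plan(state, required)
    record_heartbeat(state, "host2", ["dn/host2@EXAMPLE.COM"])
    third = plan(state, required)
    return first, second, third, state

if __name__ == "__main__":
    for step in demo()[:3]:
        print(step)
```

Because existing principals never reappear in the create list, keytabs already installed on healthy hosts stay valid across repeated passes.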


Re: Review Request 30805: Kerberos: Do not validate host health or maintenance state when enabling Kerberos

Posted by John Speidel <js...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30805/#review71750
-----------------------------------------------------------

Ship it!


Ship It!

- John Speidel


On Feb. 9, 2015, 8:21 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30805/
> -----------------------------------------------------------
> 
> (Updated Feb. 9, 2015, 8:21 p.m.)
> 
> 
> Review request for Ambari, John Speidel and Robert Nettleton.
> 
> 
> Bugs: AMBARI-9439
>     https://issues.apache.org/jira/browse/AMBARI-9439
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Do not validate host health or maintenance state when enabling Kerberos.  
> 
> The solution for this requires a set of database tables to maintain which principals were created and to which host the keytabs have been distributed. Using the persisted data on principals and keytabs, only principals and keytabs that have not been created are created and distributed.  This ensures that existing principals aren't updated, requiring the need to generate new keytabs and redistribute them to hosts that were already properly configured.
> 
> As a side-effect, this fixes (potential) issues when adding new hosts and services to a previously Kerberized cluster.  
> 
> One part of the solution required an update to the Heartbeat handler to capture "responses" from the hosts indicating which keytabs were installed. The data is then stored in the Ambari database for future reference.
> 
> While implementing this solution at least one (not fully discovered) bug was fixed. This is related to the Kerberos client service check. Also, added a needed feature to destroy previously created principals.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java 80ef542 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 3606199 
>   ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalDAO.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalHostDAO.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalEntity.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntity.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntityPK.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java 1f6dc7f 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java 0a9304b 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java e2cb384 
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog200.java a83d26d 
>   ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql 3e0d39e 
>   ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 2c33b37 
>   ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql ff42074 
>   ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql 8f7a6ea 
>   ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 7c72037 
>   ambari-server/src/main/resources/META-INF/persistence.xml 07bd67d 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py 8e171c8 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py 6af6d05 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py c624dd5 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/status_params.py PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/agent/HeartBeatHandlerInjectKeytabTest.java d613669 
>   ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java 3140128 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 472178b 
>   ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog200Test.java b935c29 
> 
> Diff: https://reviews.apache.org/r/30805/diff/
> 
> 
> Testing
> -------
> 
> Manually tested various scenarios in a test cluster:
> 
> * enabling Kerberos while a host was down and then bringing the host back up
> * adding a new host
> * adding a new service
> 
> #Jenkins test results: _PENDING_
> 
> 
> Thanks,
> 
> Robert Levas
> 
>


Re: Review Request 30805: Kerberos: Do not validate host health or maintenance state when enabling Kerberos

Posted by Robert Nettleton <rn...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30805/#review71712
-----------------------------------------------------------

Ship it!


Ship It!

- Robert Nettleton


On Feb. 9, 2015, 8:21 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30805/
> -----------------------------------------------------------
> 
> (Updated Feb. 9, 2015, 8:21 p.m.)
> 
> 
> Review request for Ambari, John Speidel and Robert Nettleton.
> 
> 
> Bugs: AMBARI-9439
>     https://issues.apache.org/jira/browse/AMBARI-9439
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Do not validate host health or maintenance state when enabling Kerberos.  
> 
> The solution for this requires a set of database tables to maintain which principals were created and to which host the keytabs have been distributed. Using the persisted data on principals and keytabs, only principals and keytabs that have not been created are created and distributed.  This ensures that existing principals aren't updated, requiring the need to generate new keytabs and redistribute them to hosts that were already properly configured.
> 
> As a side-effect, this fixes (potential) issues when adding new hosts and services to a previously Kerberized cluster.  
> 
> One part of the solution required an update to the Heartbeat handler to capture "responses" from the hosts indicating which keytabs were installed. The data is then stored in the Ambari database for future reference.
> 
> While implementing this solution at least one (not fully discovered) bug was fixed. This is related to the Kerberos client service check. Also, added a needed feature to destroy previously created principals.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/agent/HeartBeatHandler.java 80ef542 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 3606199 
>   ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalDAO.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/orm/dao/KerberosPrincipalHostDAO.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalEntity.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntity.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/orm/entities/KerberosPrincipalHostEntityPK.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java 1f6dc7f 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java 0a9304b 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java e2cb384 
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog200.java a83d26d 
>   ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql 3e0d39e 
>   ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 2c33b37 
>   ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql ff42074 
>   ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql 8f7a6ea 
>   ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 7c72037 
>   ambari-server/src/main/resources/META-INF/persistence.xml 07bd67d 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py 8e171c8 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py 6af6d05 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py c624dd5 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/status_params.py PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/agent/HeartBeatHandlerInjectKeytabTest.java d613669 
>   ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java 3140128 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 472178b 
>   ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog200Test.java b935c29 
> 
> Diff: https://reviews.apache.org/r/30805/diff/
> 
> 
> Testing
> -------
> 
> Manually tested various scenarios in a test cluster:
> 
> * enabling Kerberos while a host was down and then bringing the host back up
> * adding a new host
> * adding a new service
> 
> #Jenkins test results: _PENDING_
> 
> 
> Thanks,
> 
> Robert Levas
> 
>