You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2015/01/22 20:46:34 UTC

[jira] [Updated] (AMBARI-9261) Ensure enable/disable Kerberos logic should invoke only when state of security flag is changed

     [ https://issues.apache.org/jira/browse/AMBARI-9261?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-9261:
---------------------------------
    Attachment: AMBARI-9261_01.patch

Updated org.apache.ambari.server.controller.AmbariManagementControllerImpl#updateCluster todetermine if the security_enabled flag is being changed and if the value is different than the old value.  If so, then toggleKerberos will be invoked.

Patch File [^AMBARI-9261_01.patch]

> Ensure enable/disable Kerberos logic should invoke only when state of security flag is changed
> ----------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-9261
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9261
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Blocker
>              Labels: kerberos, security
>             Fix For: 2.0.0
>
>         Attachments: AMBARI-9261_01.patch
>
>
> The logic to enable or disable Kerberos is typically invoked when the Cluster resource is updated. This occurs for several reasons, not all of them indicate the state of Kerberos should be altered.  
> By processing all updated to the Cluster resource, the enable/disable Kerberos may get invoked when not necessary causing _noise_ on the task list and potentially generating an error condition if the KDC administrator credentials are not available.  Certain states of the system will trigger the enable/disable Kerberos logic to perform tasks requiring the KDC administrator credentials. If not explicitly handing the security state change, this behavior is not desired. 
> To solve the issue, test the request on the update Cluster resource to see if the security state property (cluster-env/security_enabled) has been altered, if so invoke enable/disable Kerberos logic; else do not invoke enable/disable Kerberos logic. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)