You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@ambari.apache.org by Oliver Szabo <os...@hortonworks.com> on 2017/02/23 20:49:38 UTC

Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/
-----------------------------------------------------------

Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.


Bugs: AMBARI-20152
    https://issues.apache.org/jira/browse/AMBARI-20152


Repository: ambari


Description
-------

Use storm principal and keytab for ranger plugin instead of nimbus ones.
In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.


Diffs
-----

  ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 

Diff: https://reviews.apache.org/r/56997/diff/


Testing
-------

done.


Thanks,

Oliver Szabo

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Robert Levas <rl...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166753
-----------------------------------------------------------


Ship it!




Ship It!

- Robert Levas


On Feb. 24, 2017, 2:28 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 24, 2017, 2:28 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java bfab0fe 
>   ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json 0c25c95 
>   ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json d024146 
>   ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json 60c8afb 
>   ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json c5b3201 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Oliver Szabo <os...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/
-----------------------------------------------------------

(Updated Feb. 25, 2017, 10:12 p.m.)


Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.


Changes
-------

put back infra solr reference upgrades


Bugs: AMBARI-20152
    https://issues.apache.org/jira/browse/AMBARI-20152


Repository: ambari


Description
-------

Use storm principal and keytab for ranger plugin instead of nimbus ones.
In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.


Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java b0243b7 
  ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json 0c25c95 
  ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json d024146 
  ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json 60c8afb 
  ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json c5b3201 
  ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java 274d7eb 
  ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json PRE-CREATION 

Diff: https://reviews.apache.org/r/56997/diff/


Testing
-------

done.


Thanks,

Oliver Szabo

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Oliver Szabo <os...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/
-----------------------------------------------------------

(Updated Feb. 25, 2017, 4:34 p.m.)


Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.


Changes
-------

remove infra-solr additions from logsearch/ranger/atlas, as I tested out, newly added identities are added during ambari server start


Bugs: AMBARI-20152
    https://issues.apache.org/jira/browse/AMBARI-20152


Repository: ambari


Description
-------

Use storm principal and keytab for ranger plugin instead of nimbus ones.
In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.


Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java bfab0fe 
  ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json 0c25c95 
  ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json d024146 
  ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json 60c8afb 
  ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json c5b3201 
  ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java a08b38b 
  ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_storm.json PRE-CREATION 

Diff: https://reviews.apache.org/r/56997/diff/


Testing
-------

done.


Thanks,

Oliver Szabo

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Oliver Szabo <os...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/
-----------------------------------------------------------

(Updated Feb. 25, 2017, 2:59 a.m.)


Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.


Changes
-------

- added UpgradeCatalog tests
- small fixes


Bugs: AMBARI-20152
    https://issues.apache.org/jira/browse/AMBARI-20152


Repository: ambari


Description
-------

Use storm principal and keytab for ranger plugin instead of nimbus ones.
In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.


Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java bfab0fe 
  ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json 0c25c95 
  ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json d024146 
  ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json 60c8afb 
  ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json c5b3201 
  ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java a08b38b 
  ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json PRE-CREATION 

Diff: https://reviews.apache.org/r/56997/diff/


Testing
-------

done.


Thanks,

Oliver Szabo

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Oliver Szabo <os...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/
-----------------------------------------------------------

(Updated Feb. 24, 2017, 7:28 p.m.)


Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.


Changes
-------

added when conditions for infra-solr service identity references


Bugs: AMBARI-20152
    https://issues.apache.org/jira/browse/AMBARI-20152


Repository: ambari


Description
-------

Use storm principal and keytab for ranger plugin instead of nimbus ones.
In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.


Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java bfab0fe 
  ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json 0c25c95 
  ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json d024146 
  ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json 60c8afb 
  ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json c5b3201 
  ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 

Diff: https://reviews.apache.org/r/56997/diff/


Testing
-------

done.


Thanks,

Oliver Szabo

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Oliver Szabo <os...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/
-----------------------------------------------------------

(Updated Feb. 24, 2017, 4:08 p.m.)


Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.


Changes
-------

add upgradeCatalog changes.
- added storm identity upgrade
- include adding infra-solr references as well (those were added in an other patch for ambari 2.5)
- upgrade catalog test changes will be added later


Bugs: AMBARI-20152
    https://issues.apache.org/jira/browse/AMBARI-20152


Repository: ambari


Description
-------

Use storm principal and keytab for ranger plugin instead of nimbus ones.
In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.


Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java bfab0fe 
  ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 

Diff: https://reviews.apache.org/r/56997/diff/


Testing
-------

done.


Thanks,

Oliver Szabo

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Robert Levas <rl...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166695
-----------------------------------------------------------


Ship it!




Ship It!

- Robert Levas


On Feb. 23, 2017, 3:49 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2017, 3:49 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Robert Nettleton <rn...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166574
-----------------------------------------------------------


Ship it!




Ship It!

- Robert Nettleton


On Feb. 23, 2017, 8:49 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2017, 8:49 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Robert Levas <rl...@hortonworks.com>.

> On Feb. 24, 2017, 4:40 a.m., Mugdha Varadkar wrote:
> > ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json, line 109
> > <https://reviews.apache.org/r/56997/diff/1/?file=1646442#file1646442line109>
> >
> >     Will this property be updated after ambari upgrade to use storm_components principal ?
> 
> Oliver Szabo wrote:
>     as in other examples, keytabs should be regenerated after upgrade
> 
> Oliver Szabo wrote:
>     also these kerberos metadta will change anyway after ambari restart. as storm used its own user in the past, that means we do not really need to do anything in the future. (of course regenerate keytabs could not harm...that will be a manual post ambari upgrade step in 2.5)

After an Ambari upgrade, the user-defined Kerberos Descriptor will not automatically be updated.  Currnetly when the UI is used to enabled Kerberos, the entire Kerberos Descriptor is stored as the user-defined value.  This value will need to be updated.  If a user-defined Kerberos Descriptor was set a different way, it is possible that only the user changes were posted.  In anycase, updating the the user-defined Kerberos Descriptor will need to be done in the appropriate UpgradeCatalog class.  Nice call @Mugdha. 

Also, after an Ambari upgrade, new principals or keytab files are not created. And associated configurations are not created or updated.  The configuration updates will need to be done via the approprate UpgradeCatalog and the new principals and keytab files will need to be created using Ambari's Regenerate Keytabs facility. 

If this were to be done as part of an stack upgrade, the Kerberos Descriptor would be automatcially updated.  Any config changes would need to be done via the upgrade pack. Missing principals and keytab files need to be created via Ambari's Regenerate Keytabs facility - however this will hopefully change in the near future.

- Robert

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166665
-----------------------------------------------------------

On Feb. 23, 2017, 3:49 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2017, 3:49 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Oliver Szabo <os...@hortonworks.com>.


> On Feb. 24, 2017, 9:40 a.m., Mugdha Varadkar wrote:
> > ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json, line 109
> > <https://reviews.apache.org/r/56997/diff/1/?file=1646442#file1646442line109>
> >
> >     Will this property be updated after ambari upgrade to use storm_components principal ?
> 
> Oliver Szabo wrote:
>     as in other examples, keytabs should be regenerated after upgrade

also these kerberos metadta will change anyway after ambari restart. as storm used its own user in the past, that means we do not really need to do anything in the future. (of course regenerate keytabs could not harm...that will be a manual post ambari upgrade step in 2.5)


- Oliver


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166665
-----------------------------------------------------------


On Feb. 23, 2017, 8:49 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2017, 8:49 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Oliver Szabo <os...@hortonworks.com>.


> On Feb. 24, 2017, 9:40 a.m., Mugdha Varadkar wrote:
> > ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json, line 109
> > <https://reviews.apache.org/r/56997/diff/1/?file=1646442#file1646442line109>
> >
> >     Will this property be updated after ambari upgrade to use storm_components principal ?

as in other examples, keytabs should be regenerated after upgrade


- Oliver


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166665
-----------------------------------------------------------


On Feb. 23, 2017, 8:49 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2017, 8:49 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Mugdha Varadkar <mu...@freestoneinfotech.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166665
-----------------------------------------------------------




ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json (line 109)
<https://reviews.apache.org/r/56997/#comment238697>

    Will this property be updated after ambari upgrade to use storm_components principal ?


- Mugdha Varadkar


On Feb. 23, 2017, 8:49 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2017, 8:49 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Mugdha Varadkar <mu...@freestoneinfotech.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166697
-----------------------------------------------------------


Ship it!




Ship It!

- Mugdha Varadkar


On Feb. 23, 2017, 8:49 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2017, 8:49 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Robert Levas <rl...@hortonworks.com>.


> On Feb. 24, 2017, 8:25 a.m., Robert Levas wrote:
> > ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json, line 109
> > <https://reviews.apache.org/r/56997/diff/1/?file=1646442#file1646442line109>
> >
> >     Make sure the user-defined (artifacts/kerberos_descriptor) is updated and any configuration changes are performed using the appropriate UpgradeCatalog class.

For example see `org.apache.ambari.server.upgrade.UpgradeCatalog240#updateKerberosDescriptorArtifact`


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166699
-----------------------------------------------------------


On Feb. 23, 2017, 3:49 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2017, 3:49 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Robert Levas <rl...@hortonworks.com>.


> On Feb. 24, 2017, 8:25 a.m., Robert Levas wrote:
> > ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json, line 109
> > <https://reviews.apache.org/r/56997/diff/1/?file=1646442#file1646442line109>
> >
> >     Make sure the user-defined (artifacts/kerberos_descriptor) is updated and any configuration changes are performed using the appropriate UpgradeCatalog class.
> 
> Robert Levas wrote:
>     For example see `org.apache.ambari.server.upgrade.UpgradeCatalog240#updateKerberosDescriptorArtifact`
> 
> Oliver Szabo wrote:
>     thanks, somehow we should check as well which HDP is used, because these kerberos descriptor updates only needed if a specific HDP is installed

Your changes in revision 2 look good.  Since /STORM/NIMBUS/nimbus_server is not in the older stacks (`common-services/STORM/0.9.1/kerberos.json`), this will work ok.  However if you wanted to be really sure, checking that the stack would be nice... but that is problematic since we don't really have a good idea of all the stacks that could be out there.  Maybe there is a way to identitiy which version of STORM is being used instead.


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166699
-----------------------------------------------------------


On Feb. 24, 2017, 11:08 a.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 24, 2017, 11:08 a.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java bfab0fe 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Oliver Szabo <os...@hortonworks.com>.


> On Feb. 24, 2017, 1:25 p.m., Robert Levas wrote:
> > ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json, line 109
> > <https://reviews.apache.org/r/56997/diff/1/?file=1646442#file1646442line109>
> >
> >     Make sure the user-defined (artifacts/kerberos_descriptor) is updated and any configuration changes are performed using the appropriate UpgradeCatalog class.
> 
> Robert Levas wrote:
>     For example see `org.apache.ambari.server.upgrade.UpgradeCatalog240#updateKerberosDescriptorArtifact`

thanks, somehow we should check as well which HDP is used, because these kerberos descriptor updates only needed if a specific HDP is installed


- Oliver


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166699
-----------------------------------------------------------


On Feb. 23, 2017, 8:49 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2017, 8:49 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 56997: Use storm user principal instead of nimbus user principal for ranger audit

Posted by Robert Levas <rl...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56997/#review166699
-----------------------------------------------------------




ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json (line 109)
<https://reviews.apache.org/r/56997/#comment238722>

    Make sure the user-defined (artifacts/kerberos_descriptor) is updated and any configuration changes are performed using the appropriate UpgradeCatalog class.


- Robert Levas


On Feb. 23, 2017, 3:49 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56997/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2017, 3:49 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Mugdha Varadkar, Robert Levas, and Robert Nettleton.
> 
> 
> Bugs: AMBARI-20152
>     https://issues.apache.org/jira/browse/AMBARI-20152
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Use storm principal and keytab for ranger plugin instead of nimbus ones.
> In storm code, storm user will be used globally anyway, ranger plugin will use that. In Ambari 2.4 that not caused any issues, but from Ambari 2.5, Solr authorization is supported, that can cause if storm is authenticated with the worng user, it wont be able to access the ranger audit collection.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json fecef7c 
> 
> Diff: https://reviews.apache.org/r/56997/diff/
> 
> 
> Testing
> -------
> 
> done.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>