You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2015/02/14 01:51:13 UTC
[jira] [Commented] (AMBARI-9640) Allow the KDC admin credentials
stored in session to be validated via the REST API
[ https://issues.apache.org/jira/browse/AMBARI-9640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14321069#comment-14321069 ]
Robert Levas commented on AMBARI-9640:
--------------------------------------
[~jspeidel], That seems like great solution for this.
> Allow the KDC admin credentials stored in session to be validated via the REST API
> ----------------------------------------------------------------------------------
>
> Key: AMBARI-9640
> URL: https://issues.apache.org/jira/browse/AMBARI-9640
> Project: Ambari
> Issue Type: Task
> Components: ambari-server, security
> Reporter: John Speidel
> Assignee: John Speidel
> Priority: Critical
> Fix For: 2.0.0
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Based on my conversation with [~rlevas] I understand that the UI wants an api that indicates whether the kdc admin credentials are set in session at the time of the call and that they are valid.
> Based on this requirement I am proposing adding this information as part of the kerberos service.
> Specifically, the properties, "Services/attributes/kdc_validation_result" and "Services/attributes/kdc_validation_failure_details" will be added to the response.
> GET api/v1/clusters/c1/services/KERBEROS
> {code}
> {
> "href" : "http://172.18.192.1:8080/api/v1/clusters/c1/services/KERBEROS",
> "ServiceInfo" : {
> "cluster_name" : "c1",
> "maintenance_state" : "OFF",
> "service_name" : "KERBEROS",
> "state" : "INSTALLED"
> },
> "Services" : {
> "attributes" : {
> "kdc_validation_result" : "OK"
> }
> }
> }
> {code}
> In the case of missing credentials:
> {code}
> {
> ...
> "Services" : {
> "attributes" : {
> "kdc_validation_result" : "MISSING_CREDENTIALS",
> "kdc_validation_failure_details" : "Missing KDC administrator credentials.\nThe KDC administrator credentials must be set in session by updating the relevant Cluster resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the following payload:\n{\n \"session_attributes\" : {\n \"kerberos_admin\" : {\"principal\" : \"(PRINCIPAL)\", \"password\" : \"(PASSWORD)\"}\n }\n}"
> }
> }
> }
> {code}
> For invalid credentials:
> {code}
> {
> ...
> "Services" : {
> "attributes" : {
> "kdc_validation_result" : "INVALID_CREDENTIALS",
> "kdc_validation_failure_details" : "Invalid KDC administrator credentials.\nThe KDC administrator credentials must be set in session by updating the relevant Cluster resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the following payload:\n{\n \"session_attributes\" : {\n \"kerberos_admin\" : {\"principal\" : \"(PRINCIPAL)\", \"password\" : \"(PASSWORD)\"}\n }\n}"
> }
> }
> }
> {code}
> For bad configuration:
> {code}
> {
> ...
> "Services" : {
> "attributes" : {
> "kdc_validation_result" : "INVALID_CONFIGURATION",
> "kdc_validation_failure_details" : "The 'kerberos-env/kdc_type' value must be set to a valid KDC type"
> }
> }
> }
> {code}
> And for all other errors:
> {code}
> {
> ...
> "Services" : {
> "attributes" : {
> "kdc_validation_result" : "VALIDATION_ERROR",
> "kdc_validation_failure_details" : "..."
> }
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)