You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2015/09/02 07:38:46 UTC
[jira] [Commented] (AMBARI-12772) Adding host via blueprint fails
on secure cluster
[ https://issues.apache.org/jira/browse/AMBARI-12772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14726781#comment-14726781 ]
Hadoop QA commented on AMBARI-12772:
------------------------------------
{color:green}+1 overall{color}. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12753635/AMBARI-12772_trunk_02.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author tags.
{color:green}+1 tests included{color}. The patch appears to include 10 new or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings.
{color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings.
{color:green}+1 core tests{color}. The patch passed unit tests in ambari-server.
Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/3697//testReport/
Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3697//console
This message is automatically generated.
> Adding host via blueprint fails on secure cluster
> -------------------------------------------------
>
> Key: AMBARI-12772
> URL: https://issues.apache.org/jira/browse/AMBARI-12772
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.0.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Critical
> Labels: blueprints, kerberos
> Fix For: 2.1.2
>
> Attachments: AMBARI-12772_branch-2.1_01.patch, AMBARI-12772_trunk_01.patch, AMBARI-12772_trunk_02.patch
>
>
> *STR*
> Install cluster via blueprints
> Enable Kerberos security
> Add host via blueprints
> *Result*
> Adding hosts freeze forever
> In ambari-server.log:
> {code}
> The KDC administrator credentials must be set in session by updating the relevant Cluster resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the following payload:
> {
> "session_attributes" : {
> "kerberos_admin" : {"principal" : "(PRINCIPAL)", "password" : "(PASSWORD)"}
> }
> {code}
> *Cause*
> This is caused because the KDC administrative credentials are not available when needed during the add host process. If set in the HTTP session, the credentials are not accessible since the Kerberos logic is executed outside the scope of that HTTP session.
> *Solution*
> Store the KDC credentials to a _more secure_ global credential store that is accessible no matter what the context is. This storage facility is in-memory and has a retention period of 90 minutes. This solution refactors the current CredentialStoreService and MasterKeyService classes to allow for file-based and in-memory implementations. It also paves the way for future changes to allow for the KDC administrative credentials to be persisted indefinitely.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)