Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/02/23 03:09:03 UTC

Review Request 31292: Kerberos: fails when entering admin principal with blank password

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31292/
-----------------------------------------------------------

Review request for Ambari, John Speidel and Robert Nettleton.


Bugs: AMBARI-9742
    https://issues.apache.org/jira/browse/AMBARI-9742


Repository: ambari


Description
-------

Note: I don't believe the below is specific to add host, but related to the prompting and how the set admin cred works in case of a blank password. I hit this during testing of add host though.

- install cluster, kerberize
- add host (be sure to use a new browser so you know it will prompt for kerb admin credentials)
- got to the review part of add host, click deploy
- prompted for admin creds (as expected)
- tried messing around by putting in bad creds and that seemed to work...
- except when I put in the right admin cred principal name (admin/admin) but a blank password. I was surprised it allowed me to click save (because the password field was blank)
- so I click save, dialog disappears and I cannot get it to re-prompt.
- this is what it PUT and the response was blank...
 
```
[{"session_attributes":{"kerberos_admin":{"principal":"admin/admin","password":""}}}]:
Response Headersview source
```

in ambari-server.log, nothing

```
17:58:05,860  INFO [qtp1257282095-603] AmbariManagementControllerImpl:1171 - Received a updateCluster request, clusterId=2, clusterName=MyCluster, securityType=null, request={ clusterName=MyCluster, clusterId=2, provisioningState=null, securityType=null, stackVersion=HDP-2.2, desired_scv=null, hosts=[] }
```

- back in wizard doesn't solve it. had to completely exit wizard and ambari web to start again

The overall issue is how the credentials are being validated.  If no password is being set, the command to test the credentials when using a MIT KDC generates the following command:
```
kadmin -p admin/admin -w "" -r EXAMPLE.COM -q 'get_principal admin/admin'
```

The empty password (`-w ""`) in the command creates an interactive session where the command is waiting for data on STDIN, thus hanging the process.

An empty password should not cause the same behavior when using Active Directory.


Diffs
-----

  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java 9d41691 
  ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java f4551d2 

Diff: https://reviews.apache.org/r/31292/diff/


Testing
-------

Manually tested in cluster

#Jenkins test results:
Running org.apache.ambari.server.serveraction.kerberos.MITKerberosOperationHandlerTest
Tests run: 24, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 0.838 sec

Running org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandlerTest
Tests run: 24, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 1.131 sec

Ambari server test suite
Tests run: 2734, Failures: 0, Errors: 0, Skipped: 15

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:07 h
[INFO] Finished at: 2015-02-23T01:58:43+00:00
[INFO] Final Memory: 43M/473M
[INFO] ------------------------------------------------------------------------


Thanks,

Robert Levas
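
The validation this review request discusses, as an added example that is not part of the review request and is not Ambari's code: credentials are rejected before a `kadmin` command line is assembled, and the child process runs with stdin at end-of-file and a time limit. The class and method names, the sample password and keytab path, the choice to treat whitespace-only values as blank, and the use of `cat` as a stand-in for a tool that waits on stdin are all assumptions made for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Added illustration, not Ambari code: every class and method name here is hypothetical.
public class AdminCredentialCheck {

    /** Values as they arrive in the kerberos_admin session attribute, plus an optional keytab path. */
    static final class AdminCredentials {
        final String principal;
        final String password;
        final String keytab;

        AdminCredentials(String principal, String password, String keytab) {
            this.principal = principal;
            this.password = password;
            this.keytab = keytab;
        }
    }

    static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    /** Rejects incomplete credentials before any command line is assembled. */
    static void validate(AdminCredentials c) {
        if (c == null) {
            throw new IllegalArgumentException("administrator credentials are missing");
        }
        if (isBlank(c.principal)) {
            throw new IllegalArgumentException("principal is null or empty");
        }
        if (isBlank(c.password) && isBlank(c.keytab)) {
            throw new IllegalArgumentException("neither a password nor a keytab was supplied");
        }
    }

    /** Builds the MIT kadmin test command quoted in the thread; never emits -w "". */
    static List<String> buildKadminCommand(AdminCredentials c, String realm) {
        validate(c);
        List<String> cmd = new ArrayList<>(Arrays.asList("kadmin", "-p", c.principal));
        if (!isBlank(c.keytab)) {
            cmd.addAll(Arrays.asList("-k", "-t", c.keytab));
        } else {
            cmd.addAll(Arrays.asList("-w", c.password));
        }
        cmd.addAll(Arrays.asList("-r", realm, "-q", "get_principal " + c.principal));
        return cmd;
    }

    /** Runs a command with stdin at end-of-file and a hard time limit (DISCARD needs Java 9+). */
    static int runBounded(List<String> command, long timeoutSeconds)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(command);
        pb.redirectErrorStream(true);
        pb.redirectOutput(ProcessBuilder.Redirect.DISCARD);
        Process p = pb.start();
        p.getOutputStream().close();            // a prompt reads EOF instead of blocking
        if (!p.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            p.destroyForcibly();                // backstop if the tool still waits
            throw new IOException("timed out after " + timeoutSeconds + "s: " + command.get(0));
        }
        return p.exitValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; the second matches the request body quoted in the thread.
        AdminCredentials[] samples = {
            new AdminCredentials("admin/admin", "example-password", null),
            new AdminCredentials("admin/admin", "", null),
            new AdminCredentials("", "example-password", null),
            new AdminCredentials("admin/admin", null, "/etc/security/example.keytab"),
        };
        for (AdminCredentials c : samples) {
            try {
                List<String> cmd = buildKadminCommand(c, "EXAMPLE.COM");
                int w = cmd.indexOf("-w");
                if (w >= 0) {
                    cmd.set(w + 1, "********"); // mask the password before printing
                }
                System.out.println("accepted: " + cmd);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        // "cat" stands in for a tool that waits on stdin (assumes a POSIX host); it exits at EOF.
        System.out.println("cat exit code: " + runBounded(Arrays.asList("cat"), 5));
    }
}
```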


Re: Review Request 31292: Kerberos: fails when entering admin principal with blank password

Posted by Robert Nettleton <rn...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31292/#review73582
-----------------------------------------------------------

Ship it!


Looks fine to me, just a minor issue below in one of the unit tests.


ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java
<https://reviews.apache.org/r/31292/#comment119977>

    Minor issue, just figured I'd mention it to make sure I understand the intent of the test:
    
    Test looks identical to the one above.  Shouldn't the "isEmptyPrincipal" test use an empty string for the principal argument to the constructor?


- Robert Nettleton


On Feb. 23, 2015, 2:09 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/31292/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2015, 2:09 a.m.)
> 
> 
> Review request for Ambari, John Speidel and Robert Nettleton.
> 
> 
> Bugs: AMBARI-9742
>     https://issues.apache.org/jira/browse/AMBARI-9742
> 
> 
> Repository: ambari
> 
> 


Re: Review Request 31292: Kerberos: fails when entering admin principal with blank password

Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31292/
-----------------------------------------------------------

(Updated Feb. 23, 2015, 1:03 p.m.)


Review request for Ambari, John Speidel and Robert Nettleton.


Changes
-------

Fixed copy/paste issue


Bugs: AMBARI-9742
    https://issues.apache.org/jira/browse/AMBARI-9742


Repository: ambari



Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java 9d41691 
  ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java f4551d2 

Diff: https://reviews.apache.org/r/31292/diff/



Thanks,

Robert Levas


Re: Review Request 31292: Kerberos: fails when entering admin principal with blank password

Posted by John Speidel <js...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31292/#review73595
-----------------------------------------------------------



ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
<https://reviews.apache.org/r/31292/#comment119996>

    Is this the correct message here or is this a copy/paste error?


- John Speidel


On Feb. 23, 2015, 5:50 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/31292/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2015, 5:50 p.m.)
> 
> 
> Review request for Ambari, John Speidel and Robert Nettleton.
> 
> 
> Bugs: AMBARI-9742
>     https://issues.apache.org/jira/browse/AMBARI-9742
> 
> 
> Repository: ambari
> 
> 


Re: Review Request 31292: Kerberos: fails when entering admin principal with blank password

Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31292/
-----------------------------------------------------------

(Updated Feb. 23, 2015, 12:50 p.m.)


Review request for Ambari, John Speidel and Robert Nettleton.


Changes
-------

Address reviewer concerns


Bugs: AMBARI-9742
    https://issues.apache.org/jira/browse/AMBARI-9742


Repository: ambari



Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java 9d41691 
  ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java f4551d2 

Diff: https://reviews.apache.org/r/31292/diff/



Thanks,

Robert Levas


Re: Review Request 31292: Kerberos: fails when entering admin principal with blank password

Posted by Robert Levas <rl...@hortonworks.com>.

> On Feb. 23, 2015, 10:35 a.m., John Speidel wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java, line 432
> > <https://reviews.apache.org/r/31292/diff/1/?file=872494#file872494line432>
> >
> >     is it valid for the admin credentials to be null?
> >     Seems that this should result in an exception being thrown.

I thought that there may be the need to clear the administrative credentials from a handler, but maybe that isn't useful


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31292/#review73571
-----------------------------------------------------------


On Feb. 22, 2015, 9:09 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/31292/
> -----------------------------------------------------------
> 
> (Updated Feb. 22, 2015, 9:09 p.m.)
> 
> 
> Review request for Ambari, John Speidel and Robert Nettleton.
> 
> 
> Bugs: AMBARI-9742
>     https://issues.apache.org/jira/browse/AMBARI-9742
> 
> 
> Repository: ambari
> 
> 


Re: Review Request 31292: Kerberos: fails when entering admin principal with blank password

Posted by John Speidel <js...@hortonworks.com>.

> On Feb. 23, 2015, 3:35 p.m., John Speidel wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java, line 432
> > <https://reviews.apache.org/r/31292/diff/1/?file=872494#file872494line432>
> >
> >     is it valid for the admin credentials to be null?
> >     Seems that this should result in an exception being thrown.
> 
> Robert Levas wrote:
>     I thought that there may be the need to clear the administrative credentials from a handler, but maybe that isn't useful

then perhaps a new clearAdminCredentials() method should be added for this case so that you can validate that the admin credentials are not null when they shouldn't be?


- John


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31292/#review73571
-----------------------------------------------------------


On Feb. 23, 2015, 2:09 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/31292/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2015, 2:09 a.m.)
> 
> 
> Review request for Ambari, John Speidel and Robert Nettleton.
> 
> 
> Bugs: AMBARI-9742
>     https://issues.apache.org/jira/browse/AMBARI-9742
> 
> 
> Repository: ambari
> 
> 


Re: Review Request 31292: Kerberos: fails when entering admin principal with blank password

Posted by John Speidel <js...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31292/#review73571
-----------------------------------------------------------

Ship it!



ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
<https://reviews.apache.org/r/31292/#comment119969>

    is it valid for the admin credentials to be null?
    Seems that this should result in an exception being thrown.



ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
<https://reviews.apache.org/r/31292/#comment119968>

    misleading error message.
    Should say something like, "Must specify either a password or a keytab but both are null"


- John Speidel


On Feb. 23, 2015, 2:09 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/31292/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2015, 2:09 a.m.)
> 
> 
> Review request for Ambari, John Speidel and Robert Nettleton.
> 
> 
> Bugs: AMBARI-9742
>     https://issues.apache.org/jira/browse/AMBARI-9742
> 
> 
> Repository: ambari
> 
> 