You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "Attila Magyar (JIRA)" <ji...@apache.org> on 2018/08/02 11:24:00 UTC

[jira] [Resolved] (AMBARI-24390) Filter services eligible for Ambari Single Sign-on Configuration if Kerberos is required but not enabled

     [ https://issues.apache.org/jira/browse/AMBARI-24390?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Attila Magyar resolved AMBARI-24390.
------------------------------------
    Resolution: Fixed

> Filter services eligible for Ambari Single Sign-on Configuration if Kerberos is required but not enabled
> --------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-24390
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24390
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.1
>            Reporter: Robert Levas
>            Assignee: Attila Magyar
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 2.7.1
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Filter services from Ambari CLI when setting up SSO if not eligible when Kerberos is not enabled.  
> In Ambari 2.7, services that are eligible for Ambari to manage their SSO configurations specify this in their metainfo file using like:
> {code}
>       <sso>
>         <supported>true</supported>
>         <enabledConfiguration>application-properties/atlas.sso.knox.enabled</enabledConfiguration>
>       </sso>
> {code}
> See AMBARI-23253
> See [Ambari Single Sign-on Configuration|https://github.com/apache/ambari/blob/branch-2.7/ambari-server/docs/security/sso/index.md] documentation
> However some services require Kerberos to be enabled for SSO to work.  For example, HDFS, Yarn, and Oozie.  For this case, the metadata is enhanced allowing for the metadata to indicate whether Kerberos is required (AMBARI-24335) and whether Kerberos is enabled (AMBARI-24384) for that service.
> This information can be found in the service resource data
> {code:title=GET /api/v1/clusters/CLUSTERNAME/services/OOZIE}
> {
>   "href" : "http://ambari_host:8080/api/v1/clusters/CLUSTERNAME/services/OOZIE",
>   "ServiceInfo" : {
>     ...
>     "kerberos_enabled" : true,
>     ...
>    "sso_integration_desired": false,
>    "sso_integration_enabled": false,
>    "sso_integration_requires_kerberos": true,
>    "sso_integration_supported": true,
>    ...
>    },
>    ...
> }
> {code}
> Using this information, services may be included in or excluded from the list of services a user can choose for enabling SSO integration. 
> For example
> ||sso_integration_supported||sso_integration_requires_kerberos||kerberos_enabled||Can Enable SSO||
> |true|true|true|yes
> |true|true|false|no
> |true|false|true|yes
> |true|false|false|yes
> |false|true|true|no
> |false|true|false|no
> |false|false|true|no
> |false|false|false|no
>   



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)