You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2015/02/03 21:48:36 UTC

[jira] [Updated] (AMBARI-9385) Implement Keytab regeneration

     [ https://issues.apache.org/jira/browse/AMBARI-9385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-9385:
---------------------------------
    Description: 
Create API entry point to initiate Kerberos keytab regeneration for the cluster:
{code}
PUT /api/v1/clusters/{clustername}?regenerate_keytabs=true
{
  "Clusters" : {
    "security_type" : "KERBEROS"
  }
}
{code}

The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
# Update Principal Passwords
# Generate Keytabs
# Distribute Keytab

This could be done in a method within {{org.apache.ambari.server.controller.KerberosHelper}} named {{regenerateKeytabs}} and flow similarly to {{org.apache.ambari.server.controller.KerberosHelper#toggleKerberos}}

A Server-side action implementation already exists for generating keytabs - see {{org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction}}.
A process is already in place to distribute keytabs - {{org/apache/ambari/server/controller/KerberosHelper.java:1192}}
A new Server-side action _may_ need to be created to update relavant principal passwords, however {{org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction}} may work for this, unaltered.



  was:
Create API entry point to initiate Kerberos keytab regeneration for the cluster:
{code}
PUT /api/v1/clusters/{clustername}?kerberos_regenerate_keytabs="true"
{code}

The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
# Update Principal Passwords
# Generate Keytabs
# Distribute Keytab

This could be done in a method within {{org.apache.ambari.server.controller.KerberosHelper}} named {{regenerateKeytabs}} and flow similarly to {{org.apache.ambari.server.controller.KerberosHelper#toggleKerberos}}

A Server-side action implementation already exists for generating keytabs - see {{org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction}}.
A process is already in place to distribute keytabs - {{org/apache/ambari/server/controller/KerberosHelper.java:1192}}
A new Server-side action _may_ need to be created to update relavant principal passwords, however {{org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction}} may work for this, unaltered.




> Implement Keytab regeneration
> -----------------------------
>
>                 Key: AMBARI-9385
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9385
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos, keytabs
>             Fix For: 2.0.0
>
>         Attachments: AMBARI-9385_01.patch, AMBARI-9385_02.patch
>
>
> Create API entry point to initiate Kerberos keytab regeneration for the cluster:
> {code}
> PUT /api/v1/clusters/{clustername}?regenerate_keytabs=true
> {
>   "Clusters" : {
>     "security_type" : "KERBEROS"
>   }
> }
> {code}
> The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
> # Update Principal Passwords
> # Generate Keytabs
> # Distribute Keytab
> This could be done in a method within {{org.apache.ambari.server.controller.KerberosHelper}} named {{regenerateKeytabs}} and flow similarly to {{org.apache.ambari.server.controller.KerberosHelper#toggleKerberos}}
> A Server-side action implementation already exists for generating keytabs - see {{org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction}}.
> A process is already in place to distribute keytabs - {{org/apache/ambari/server/controller/KerberosHelper.java:1192}}
> A new Server-side action _may_ need to be created to update relavant principal passwords, however {{org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction}} may work for this, unaltered.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)