You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2018/07/31 14:36:00 UTC

[jira] [Created] (AMBARI-24390) Filter services eligible for Ambari Single Sign-on Configuration if Kerberos is required but not enabled

Robert Levas created AMBARI-24390:
-------------------------------------

             Summary: Filter services eligible for Ambari Single Sign-on Configuration if Kerberos is required but not enabled
                 Key: AMBARI-24390
                 URL: https://issues.apache.org/jira/browse/AMBARI-24390
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.7.1
            Reporter: Robert Levas
            Assignee: Attila Magyar
             Fix For: 2.7.1


Filter services from Ambari CLI when setting up SSO if not eligible when Kerberos is not enabled.  

In Ambari 2.7, services that are eligible for Ambari to manage their SSO configurations specify this in their metainfo file using like:

{code}
      <sso>
        <supported>true</supported>
        <enabledConfiguration>application-properties/atlas.sso.knox.enabled</enabledConfiguration>
      </sso>
{code}

See AMBARI-23253
See [Ambari Single Sign-on Configuration|https://github.com/apache/ambari/blob/branch-2.7/ambari-server/docs/security/sso/index.md] documentation

However some services require Kerberos to be enabled for SSO to work.  For example, HDFS, Yarn, and Oozie.  For this case, the metadata is enhanced allowing for the metadata to indicate whether Kerberos is required (AMBARI-24335) and whether Kerberos is enabled (AMBARI-24384) for that service.

This information can be found in the service resource data

{code:title=GET /api/v1/clusters/CLUSTERNAME/services/OOZIE}
{
  "href" : "http://ambari_host:8080/api/v1/clusters/CLUSTERNAME/services/OOZIE",
  "ServiceInfo" : {
    ...
    "kerberos_enabled" : true,
    ...
   "sso_integration_desired": false,
   "sso_integration_enabled": false,
   "sso_integration_requires_kerberos": true,
   "sso_integration_supported": true,
   ...
   },
   ...
}
{code}

Using this information, services may be included in or excluded from the list of services a user can choose for enabling SSO integration. 

For example
||sso_integration_supported||sso_integration_requires_kerberos||kerberos_enabled||Can Enable SSO||
|true|true|true|yes
|true|true|false|no
|true|false|true|yes
|true|false|false|yes
|false|true|true|no
|false|true|false|no
|false|false|true|no
|false|false|false|no

  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)