You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2018/07/31 14:36:00 UTC
[jira] [Created] (AMBARI-24390) Filter services eligible for Ambari
Single Sign-on Configuration if Kerberos is required but not enabled
Robert Levas created AMBARI-24390:
-------------------------------------
Summary: Filter services eligible for Ambari Single Sign-on Configuration if Kerberos is required but not enabled
Key: AMBARI-24390
URL: https://issues.apache.org/jira/browse/AMBARI-24390
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.7.1
Reporter: Robert Levas
Assignee: Attila Magyar
Fix For: 2.7.1
Filter services from Ambari CLI when setting up SSO if not eligible when Kerberos is not enabled.
In Ambari 2.7, services that are eligible for Ambari to manage their SSO configurations specify this in their metainfo file using like:
{code}
<sso>
<supported>true</supported>
<enabledConfiguration>application-properties/atlas.sso.knox.enabled</enabledConfiguration>
</sso>
{code}
See AMBARI-23253
See [Ambari Single Sign-on Configuration|https://github.com/apache/ambari/blob/branch-2.7/ambari-server/docs/security/sso/index.md] documentation
However some services require Kerberos to be enabled for SSO to work. For example, HDFS, Yarn, and Oozie. For this case, the metadata is enhanced allowing for the metadata to indicate whether Kerberos is required (AMBARI-24335) and whether Kerberos is enabled (AMBARI-24384) for that service.
This information can be found in the service resource data
{code:title=GET /api/v1/clusters/CLUSTERNAME/services/OOZIE}
{
"href" : "http://ambari_host:8080/api/v1/clusters/CLUSTERNAME/services/OOZIE",
"ServiceInfo" : {
...
"kerberos_enabled" : true,
...
"sso_integration_desired": false,
"sso_integration_enabled": false,
"sso_integration_requires_kerberos": true,
"sso_integration_supported": true,
...
},
...
}
{code}
Using this information, services may be included in or excluded from the list of services a user can choose for enabling SSO integration.
For example
||sso_integration_supported||sso_integration_requires_kerberos||kerberos_enabled||Can Enable SSO||
|true|true|true|yes
|true|true|false|no
|true|false|true|yes
|true|false|false|yes
|false|true|true|no
|false|true|false|no
|false|false|true|no
|false|false|false|no
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)