You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/05/23 13:38:13 UTC
Review Request 34629: Kerberos FE: during disable,
need option skip if unable to access KDC to remove principals
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34629/
-----------------------------------------------------------
Review request for Ambari, Aleksandr Kovalenko, Andrii Tkach, Jaimin Jetly, and Yusaku Sako.
Bugs: AMBARI-11360
https://issues.apache.org/jira/browse/AMBARI-11360
Repository: ambari
Description
-------
Attempted to disable kerb, fails on step to unkerberize because KDC admin is locked out.
Click retry, can't make it past that.
Need option to skip and finish "disable kerberos" even if Ambari cannot get the principals cleaned up (i.e. cannot access the KDC) Losing access to the KDC and attempting to disable where ambari can't clean-up the principals should be a skip'able step. User should still be able to get to a clean, not-enabled-kerberos-ambari-state w/o accessing the KDC.
*Solution*
Based on user input, execute API call to disable Kerberos with the *manage_kerberos_identities* _directive_ set to *false*. Example:
```
PUT /api/v1/clusters/c1?manage_kerberos_identities=false
{
"Clusters": {
"security_type" : "NONE"
}
}
```
Diffs
-----
ambari-web/app/controllers/main/admin/kerberos/disable_controller.js 358f922
ambari-web/app/mixins/wizard/wizardProgressPageController.js 28e8f41
ambari-web/app/utils/ajax/ajax.js 254e2a9
Diff: https://reviews.apache.org/r/34629/diff/
Testing
-------
Manually tested with downed KDC.
Thanks,
Robert Levas
Re: Review Request 34629: Kerberos FE: during disable,
need option skip if unable to access KDC to remove principals
Posted by Yusaku Sako <yu...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34629/#review85070
-----------------------------------------------------------
ambari-web/app/controllers/main/admin/kerberos/disable_controller.js
<https://reviews.apache.org/r/34629/#comment136534>
What does this do?
It seems misspelled and I can't find other references to it in the code.
- Yusaku Sako
On May 23, 2015, 11:38 a.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34629/
> -----------------------------------------------------------
>
> (Updated May 23, 2015, 11:38 a.m.)
>
>
> Review request for Ambari, Aleksandr Kovalenko, Andrii Tkach, Jaimin Jetly, and Yusaku Sako.
>
>
> Bugs: AMBARI-11360
> https://issues.apache.org/jira/browse/AMBARI-11360
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Attempted to disable kerb, fails on step to unkerberize because KDC admin is locked out.
>
> Click retry, can't make it past that.
>
> Need option to skip and finish "disable kerberos" even if Ambari cannot get the principals cleaned up (i.e. cannot access the KDC) Losing access to the KDC and attempting to disable where ambari can't clean-up the principals should be a skip'able step. User should still be able to get to a clean, not-enabled-kerberos-ambari-state w/o accessing the KDC.
>
> *Solution*
> Based on user input, execute API call to disable Kerberos with the *manage_kerberos_identities* _directive_ set to *false*. Example:
> ```
> PUT /api/v1/clusters/c1?manage_kerberos_identities=false
> {
> "Clusters": {
> "security_type" : "NONE"
> }
> }
> ```
>
>
> Diffs
> -----
>
> ambari-web/app/controllers/main/admin/kerberos/disable_controller.js 358f922
> ambari-web/app/mixins/wizard/wizardProgressPageController.js 28e8f41
> ambari-web/app/utils/ajax/ajax.js 254e2a9
>
> Diff: https://reviews.apache.org/r/34629/diff/
>
>
> Testing
> -------
>
> Manually tested with downed KDC.
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 34629: Kerberos FE: during disable,
need option skip if unable to access KDC to remove principals
Posted by Yusaku Sako <yu...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34629/#review85292
-----------------------------------------------------------
Ship it!
Ship It!
- Yusaku Sako
On May 25, 2015, 10:04 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34629/
> -----------------------------------------------------------
>
> (Updated May 25, 2015, 10:04 p.m.)
>
>
> Review request for Ambari, Aleksandr Kovalenko, Andrii Tkach, Jaimin Jetly, and Yusaku Sako.
>
>
> Bugs: AMBARI-11360
> https://issues.apache.org/jira/browse/AMBARI-11360
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Attempted to disable kerb, fails on step to unkerberize because KDC admin is locked out.
>
> Click retry, can't make it past that.
>
> Need option to skip and finish "disable kerberos" even if Ambari cannot get the principals cleaned up (i.e. cannot access the KDC) Losing access to the KDC and attempting to disable where ambari can't clean-up the principals should be a skip'able step. User should still be able to get to a clean, not-enabled-kerberos-ambari-state w/o accessing the KDC.
>
> *Solution*
> Based on user input, execute API call to disable Kerberos with the *manage_kerberos_identities* _directive_ set to *false*. Example:
> ```
> PUT /api/v1/clusters/c1?manage_kerberos_identities=false
> {
> "Clusters": {
> "security_type" : "NONE"
> }
> }
> ```
>
>
> Diffs
> -----
>
> ambari-web/app/controllers/main/admin/kerberos/disable_controller.js 358f922
> ambari-web/app/mixins/wizard/wizardProgressPageController.js 28e8f41
> ambari-web/app/utils/ajax/ajax.js 254e2a9
>
> Diff: https://reviews.apache.org/r/34629/diff/
>
>
> Testing
> -------
>
> Manually tested with downed KDC.
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 34629: Kerberos FE: during disable,
need option skip if unable to access KDC to remove principals
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34629/
-----------------------------------------------------------
(Updated May 25, 2015, 6:04 p.m.)
Review request for Ambari, Aleksandr Kovalenko, Andrii Tkach, Jaimin Jetly, and Yusaku Sako.
Changes
-------
Removed `candSkipOnError: true,`
Bugs: AMBARI-11360
https://issues.apache.org/jira/browse/AMBARI-11360
Repository: ambari
Description
-------
Attempted to disable kerb, fails on step to unkerberize because KDC admin is locked out.
Click retry, can't make it past that.
Need option to skip and finish "disable kerberos" even if Ambari cannot get the principals cleaned up (i.e. cannot access the KDC) Losing access to the KDC and attempting to disable where ambari can't clean-up the principals should be a skip'able step. User should still be able to get to a clean, not-enabled-kerberos-ambari-state w/o accessing the KDC.
*Solution*
Based on user input, execute API call to disable Kerberos with the *manage_kerberos_identities* _directive_ set to *false*. Example:
```
PUT /api/v1/clusters/c1?manage_kerberos_identities=false
{
"Clusters": {
"security_type" : "NONE"
}
}
```
Diffs (updated)
-----
ambari-web/app/controllers/main/admin/kerberos/disable_controller.js 358f922
ambari-web/app/mixins/wizard/wizardProgressPageController.js 28e8f41
ambari-web/app/utils/ajax/ajax.js 254e2a9
Diff: https://reviews.apache.org/r/34629/diff/
Testing
-------
Manually tested with downed KDC.
Thanks,
Robert Levas