Posted to dev@ambari.apache.org by Jaimin Jetly <ja...@hortonworks.com> on 2014/10/23 04:46:39 UTC
Review Request 27064: Add Knox kerberos setup to the existing Ambari
security capabilities
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/27064/
-----------------------------------------------------------
Review request for Ambari, Mahadev Konar, Srimanth Gunturi, and Yusaku Sako.
Bugs: AMBARI-7799
https://issues.apache.org/jira/browse/AMBARI-7799
Repository: ambari
Description
-------
Documentation for setting up Knox to use Kerberos can be found here:
http://knox.apache.org/books/knox-0-5-0/knox-0-5-0.html#Secure+Clusters
To summarize some of the things that need to be done besides the keytab creation:
1. The krb5 conf files need to be created and templated to work with the cluster setup.
2. gateway-site.xml needs to be modified to enable security and point to the krb5 conf files.
3. Other services that Knox is configured to work with may also need some configuration changes. Specifically, core-site.xml, webhcat-site.xml and oozie-site.xml all need to be modified to set up Knox as a trusted proxy.
Diffs
-----
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/files/validateKnoxStatus.py PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/knox.py 70f8b53
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/params.py 978b60b
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/service_check.py 1505ff3
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/templates/krb5JAASLogin.conf.j2 PRE-CREATION
ambari-web/app/app.js c92e0ac
ambari-web/app/assets/test/tests.js 65082ab
ambari-web/app/controllers/main/admin/security.js d5dd543
ambari-web/app/controllers/main/admin/security/add/step2.js 531f101
ambari-web/app/controllers/main/admin/security/add/step3.js d967018
ambari-web/app/data/HDP2/secure_configs.js 421ba54
ambari-web/app/data/HDP2/secure_mapping.js 23a89e0
ambari-web/app/data/HDP2/secure_properties.js 9a1dfc6
ambari-web/app/data/HDP2/site_properties.js 541a6d0
ambari-web/app/data/secure_mapping.js c4bd6a4
ambari-web/app/messages.js 2ef3ffa
ambari-web/app/mixins/wizard/addSecurityConfigs.js 1defe9c
ambari-web/test/controllers/main/admin/security/add/addSecurity_controller_test.js cd4f4a2
ambari-web/test/data/HDP2/secure_mapping_test.js a08d0cb
ambari-web/test/data/secure_mapping_test.js PRE-CREATION
Diff: https://reviews.apache.org/r/27064/diff/
Testing
-------
Tested e2e by securing a cluster.
After the Knox service check is executed,
su ambari-qa -c 'klist' shows the smokeuser credentials, implying that ambari-qa kinits before executing the smoke test.
Thanks,
Jaimin Jetly
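
The configuration changes listed in the description can be checked mechanically. The following is an added example, not code from the patch under review: it audits the four site files for the properties named in the linked Knox guide and also flags a wildcard trusted-proxy value. The proxy user name "knox" and the sample paths are assumptions.

```python
import xml.etree.ElementTree as ET

# Property names follow the Knox "Secure Clusters" guide linked in the
# description; the proxy user name "knox" is an assumption.
REQUIRED = {
    "gateway-site.xml": ["gateway.hadoop.kerberos.secured",
                         "java.security.krb5.conf",
                         "java.security.auth.login.config"],
    "core-site.xml": ["hadoop.proxyuser.knox.groups", "hadoop.proxyuser.knox.hosts"],
    "webhcat-site.xml": ["webhcat.proxyuser.knox.groups", "webhcat.proxyuser.knox.hosts"],
    "oozie-site.xml": ["oozie.service.ProxyUserService.proxyuser.knox.groups",
                       "oozie.service.ProxyUserService.proxyuser.knox.hosts"],
}

def load_site(xml_text):
    """Parse a Hadoop-style *-site.xml document into {name: value}."""
    props = ET.fromstring(xml_text).iter("property")
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip() for p in props}

def audit(site_files):
    """Return (file, property, problem) tuples for {filename: xml_text}."""
    findings = []
    for fname, names in REQUIRED.items():
        props = load_site(site_files[fname]) if fname in site_files else {}
        for name in names:
            value = props.get(name, "")
            if not value:
                findings.append((fname, name, "missing"))
            elif name.endswith("kerberos.secured") and value.lower() != "true":
                findings.append((fname, name, "not enabled"))
            elif ".proxyuser." in name and value == "*":
                findings.append((fname, name, "wildcard trust"))
    return findings

def site(props):
    """Render a dict as *-site.xml text (used for the constructed samples)."""
    row = "<property><name>%s</name><value>%s</value></property>"
    return "<configuration>%s</configuration>" % "".join(row % kv for kv in props.items())

# Constructed sample, not from a real cluster: core-site.xml trusts every host,
# webhcat-site.xml lacks the proxy entries, oozie-site.xml is absent.
SAMPLE = {
    "gateway-site.xml": site({"gateway.hadoop.kerberos.secured": "true",
                              "java.security.krb5.conf": "/etc/knox/conf/krb5.conf",
                              "java.security.auth.login.config": "/etc/knox/conf/krb5JAASLogin.conf"}),
    "core-site.xml": site({"hadoop.proxyuser.knox.groups": "users",
                           "hadoop.proxyuser.knox.hosts": "*"}),
    "webhcat-site.xml": site({"templeton.port": "50111"}),
}
```

Calling audit(SAMPLE) reports the wildcard host entry in core-site.xml and the four missing proxy properties in webhcat-site.xml and oozie-site.xml.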
Re: Review Request 27064: Add Knox kerberos setup to the existing
Ambari security capabilities
Posted by Yusaku Sako <yu...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/27064/#review58084
-----------------------------------------------------------
Ship it!
Ship It!
- Yusaku Sako
On Oct. 23, 2014, 6:03 p.m., Jaimin Jetly wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/27064/
> -----------------------------------------------------------
>
> (Updated Oct. 23, 2014, 6:03 p.m.)
>
>
> Review request for Ambari, Mahadev Konar, Srimanth Gunturi, and Yusaku Sako.
>
>
> Bugs: AMBARI-7799
> https://issues.apache.org/jira/browse/AMBARI-7799
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Documentation for setting up Knox to use Kerberos can be found here:
> http://knox.apache.org/books/knox-0-5-0/knox-0-5-0.html#Secure+Clusters
> To summarize some of the things that need to be done besides the keytab creation:
> 1. The krb5 conf files need to be created and templated to work with the cluster setup.
> 2. gateway-site.xml needs to be modified to enable security and point to the krb5 conf files.
> 3. Other services that Knox is configured to work with may also need some configuration changes. Specifically, core-site.xml, webhcat-site.xml and oozie-site.xml all need to be modified to set up Knox as a trusted proxy.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/files/validateKnoxStatus.py PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/knox.py 70f8b53
> ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/params.py 978b60b
> ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/service_check.py 1505ff3
> ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/templates/krb5JAASLogin.conf.j2 PRE-CREATION
> ambari-web/app/app.js c92e0ac
> ambari-web/app/assets/test/tests.js 8682af3
> ambari-web/app/controllers/main/admin/security.js d5dd543
> ambari-web/app/controllers/main/admin/security/add/step2.js 531f101
> ambari-web/app/controllers/main/admin/security/add/step3.js d967018
> ambari-web/app/data/HDP2/secure_configs.js 421ba54
> ambari-web/app/data/HDP2/secure_mapping.js 23a89e0
> ambari-web/app/data/HDP2/secure_properties.js 9a1dfc6
> ambari-web/app/data/secure_mapping.js c4bd6a4
> ambari-web/app/messages.js e1c2aee
> ambari-web/app/mixins/wizard/addSecurityConfigs.js 1defe9c
> ambari-web/test/controllers/main/admin/security/add/addSecurity_controller_test.js cd4f4a2
> ambari-web/test/data/HDP2/secure_mapping_test.js a08d0cb
> ambari-web/test/data/secure_mapping_test.js PRE-CREATION
>
> Diff: https://reviews.apache.org/r/27064/diff/
>
>
> Testing
> -------
>
> Tested e2e by securing a cluster.
> After the Knox service check is executed,
> su ambari-qa -c 'klist' shows the smokeuser credentials, implying that ambari-qa kinits before executing the smoke test.
>
>
> Thanks,
>
> Jaimin Jetly
>
>
Re: Review Request 27064: Add Knox kerberos setup to the existing
Ambari security capabilities
Posted by Jaimin Jetly <ja...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/27064/
-----------------------------------------------------------
(Updated Oct. 23, 2014, 6:03 p.m.)
Review request for Ambari, Mahadev Konar, Srimanth Gunturi, and Yusaku Sako.
Bugs: AMBARI-7799
https://issues.apache.org/jira/browse/AMBARI-7799
Repository: ambari
Description
-------
Documentation for setting up Knox to use Kerberos can be found here:
http://knox.apache.org/books/knox-0-5-0/knox-0-5-0.html#Secure+Clusters
To summarize some of the things that need to be done besides the keytab creation:
1. The krb5 conf files need to be created and templated to work with the cluster setup.
2. gateway-site.xml needs to be modified to enable security and point to the krb5 conf files.
3. Other services that Knox is configured to work with may also need some configuration changes. Specifically, core-site.xml, webhcat-site.xml and oozie-site.xml all need to be modified to set up Knox as a trusted proxy.
Diffs (updated)
-----
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/files/validateKnoxStatus.py PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/knox.py 70f8b53
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/params.py 978b60b
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/service_check.py 1505ff3
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/templates/krb5JAASLogin.conf.j2 PRE-CREATION
ambari-web/app/app.js c92e0ac
ambari-web/app/assets/test/tests.js 8682af3
ambari-web/app/controllers/main/admin/security.js d5dd543
ambari-web/app/controllers/main/admin/security/add/step2.js 531f101
ambari-web/app/controllers/main/admin/security/add/step3.js d967018
ambari-web/app/data/HDP2/secure_configs.js 421ba54
ambari-web/app/data/HDP2/secure_mapping.js 23a89e0
ambari-web/app/data/HDP2/secure_properties.js 9a1dfc6
ambari-web/app/data/secure_mapping.js c4bd6a4
ambari-web/app/messages.js e1c2aee
ambari-web/app/mixins/wizard/addSecurityConfigs.js 1defe9c
ambari-web/test/controllers/main/admin/security/add/addSecurity_controller_test.js cd4f4a2
ambari-web/test/data/HDP2/secure_mapping_test.js a08d0cb
ambari-web/test/data/secure_mapping_test.js PRE-CREATION
Diff: https://reviews.apache.org/r/27064/diff/
Testing
-------
Tested e2e by securing a cluster.
After the Knox service check is executed,
su ambari-qa -c 'klist' shows the smokeuser credentials, implying that ambari-qa kinits before executing the smoke test.
Thanks,
Jaimin Jetly
Re: Review Request 27064: Add Knox kerberos setup to the existing
Ambari security capabilities
Posted by Jaimin Jetly <ja...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/27064/
-----------------------------------------------------------
(Updated Oct. 23, 2014, 5:53 p.m.)
Review request for Ambari, Mahadev Konar, Srimanth Gunturi, and Yusaku Sako.
Changes
-------
Patch addresses the concerns raised by Yusaku.
Bugs: AMBARI-7799
https://issues.apache.org/jira/browse/AMBARI-7799
Repository: ambari
Description
-------
Documentation for setting up Knox to use Kerberos can be found here:
http://knox.apache.org/books/knox-0-5-0/knox-0-5-0.html#Secure+Clusters
To summarize some of the things that need to be done besides the keytab creation:
1. The krb5 conf files need to be created and templated to work with the cluster setup.
2. gateway-site.xml needs to be modified to enable security and point to the krb5 conf files.
3. Other services that Knox is configured to work with may also need some configuration changes. Specifically, core-site.xml, webhcat-site.xml and oozie-site.xml all need to be modified to set up Knox as a trusted proxy.
Diffs (updated)
-----
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/files/validateKnoxStatus.py PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/knox.py 70f8b53
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/params.py 978b60b
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/service_check.py 1505ff3
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/templates/krb5JAASLogin.conf.j2 PRE-CREATION
ambari-web/app/app.js c92e0ac
ambari-web/app/assets/test/tests.js 8682af3
ambari-web/app/controllers/main/admin/security.js d5dd543
ambari-web/app/controllers/main/admin/security/add/step2.js 531f101
ambari-web/app/controllers/main/admin/security/add/step3.js d967018
ambari-web/app/data/HDP2/secure_configs.js 421ba54
ambari-web/app/data/HDP2/secure_mapping.js 23a89e0
ambari-web/app/data/HDP2/secure_properties.js 9a1dfc6
ambari-web/app/data/HDP2/site_properties.js 541a6d0
ambari-web/app/data/secure_mapping.js c4bd6a4
ambari-web/app/messages.js e1c2aee
ambari-web/app/mixins/wizard/addSecurityConfigs.js 1defe9c
ambari-web/test/controllers/main/admin/security/add/addSecurity_controller_test.js cd4f4a2
ambari-web/test/data/HDP2/secure_mapping_test.js a08d0cb
ambari-web/test/data/secure_mapping_test.js PRE-CREATION
Diff: https://reviews.apache.org/r/27064/diff/
Testing
-------
Tested e2e by securing a cluster.
After the Knox service check is executed,
su ambari-qa -c 'klist' shows the smokeuser credentials, implying that ambari-qa kinits before executing the smoke test.
Thanks,
Jaimin Jetly
Re: Review Request 27064: Add Knox kerberos setup to the existing
Ambari security capabilities
Posted by Yusaku Sako <yu...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/27064/#review58008
-----------------------------------------------------------
ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/files/validateKnoxStatus.py
<https://reviews.apache.org/r/27064/#comment98919>
Should we specify a timeout value?
If the host is not reachable, this could hang for a long time.
ambari-web/app/data/HDP2/site_properties.js
<https://reviews.apache.org/r/27064/#comment98918>
Looks like a typo was introduced.
- Yusaku Sako
On Oct. 23, 2014, 2:46 a.m., Jaimin Jetly wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/27064/
> -----------------------------------------------------------
>
> (Updated Oct. 23, 2014, 2:46 a.m.)
>
>
> Review request for Ambari, Mahadev Konar, Srimanth Gunturi, and Yusaku Sako.
>
>
> Bugs: AMBARI-7799
> https://issues.apache.org/jira/browse/AMBARI-7799
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Documentation for setting up Knox to use Kerberos can be found here:
> http://knox.apache.org/books/knox-0-5-0/knox-0-5-0.html#Secure+Clusters
> To summarize some of the things that need to be done besides the keytab creation:
> 1. The krb5 conf files need to be created and templated to work with the cluster setup.
> 2. gateway-site.xml needs to be modified to enable security and point to the krb5 conf files.
> 3. Other services that Knox is configured to work with may also need some configuration changes. Specifically, core-site.xml, webhcat-site.xml and oozie-site.xml all need to be modified to set up Knox as a trusted proxy.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/files/validateKnoxStatus.py PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/knox.py 70f8b53
> ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/params.py 978b60b
> ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/scripts/service_check.py 1505ff3
> ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/package/templates/krb5JAASLogin.conf.j2 PRE-CREATION
> ambari-web/app/app.js c92e0ac
> ambari-web/app/assets/test/tests.js 65082ab
> ambari-web/app/controllers/main/admin/security.js d5dd543
> ambari-web/app/controllers/main/admin/security/add/step2.js 531f101
> ambari-web/app/controllers/main/admin/security/add/step3.js d967018
> ambari-web/app/data/HDP2/secure_configs.js 421ba54
> ambari-web/app/data/HDP2/secure_mapping.js 23a89e0
> ambari-web/app/data/HDP2/secure_properties.js 9a1dfc6
> ambari-web/app/data/HDP2/site_properties.js 541a6d0
> ambari-web/app/data/secure_mapping.js c4bd6a4
> ambari-web/app/messages.js 2ef3ffa
> ambari-web/app/mixins/wizard/addSecurityConfigs.js 1defe9c
> ambari-web/test/controllers/main/admin/security/add/addSecurity_controller_test.js cd4f4a2
> ambari-web/test/data/HDP2/secure_mapping_test.js a08d0cb
> ambari-web/test/data/secure_mapping_test.js PRE-CREATION
>
> Diff: https://reviews.apache.org/r/27064/diff/
>
>
> Testing
> -------
>
> Tested e2e by securing a cluster.
> After the Knox service check is executed,
> su ambari-qa -c 'klist' shows the smokeuser credentials, implying that ambari-qa kinits before executing the smoke test.
>
>
> Thanks,
>
> Jaimin Jetly
>
>
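
The timeout concern raised in the review of validateKnoxStatus.py, shown as an added example that is not the script from the patch (its contents are not on this page): a gateway reachability check whose single attempts and total run time are both bounded. The function names and default values are assumptions.

```python
import socket
import time

def probe(host, port, timeout):
    """One TCP connect attempt that cannot block longer than `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "up"
    except socket.timeout:
        return "timeout"    # host unreachable or packets silently dropped
    except ConnectionRefusedError:
        return "refused"    # host answers, nothing listening on the port
    except OSError:
        return "error"      # DNS failure, no route, and similar

def wait_for_gateway(host, port, deadline=30.0, per_try=3.0, pause=0.2):
    """Retry until the port accepts a connection or `deadline` seconds pass.

    Returns "up", or the result of the last failed attempt.
    """
    end = time.monotonic() + deadline
    last = "timeout"
    while True:
        remaining = end - time.monotonic()
        if remaining <= 0:
            return last
        # Never let a single attempt outlive the overall deadline.
        last = probe(host, port, min(per_try, remaining))
        if last == "up":
            return last
        time.sleep(min(pause, max(0.0, end - time.monotonic())))
```

Without the timeout argument, socket.create_connection falls back to the global default timeout, which is None (blocking) unless changed, so an unreachable host stalls the check until the operating system gives up on the connect.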