Posted to commits@ambari.apache.org by rl...@apache.org on 2018/08/01 14:43:07 UTC
[ambari] branch branch-2.7 updated: [AMBARI-24389] Update Ambari
Single Sign-on Configuration documentation to include Kerberos options
This is an automated email from the ASF dual-hosted git repository.
rlevas pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push:
new 33ffc14 [AMBARI-24389] Update Ambari Single Sign-on Configuration documentation to include Kerberos options
33ffc14 is described below
commit 33ffc14d2616f6987ed8203c728f42182cca0dac
Author: Robert Levas <rl...@users.noreply.github.com>
AuthorDate: Wed Aug 1 10:43:03 2018 -0400
[AMBARI-24389] Update Ambari Single Sign-on Configuration documentation to include Kerberos options
* [AMBARI-24389] Update Ambari Single Sign-on Configuration documentation to include Kerberos options
* [AMBARI-24389] Update Ambari Single Sign-on Configuration documentation to include Kerberos options
---
ambari-server/docs/security/sso/index.md | 77 ++++++++++++++++++++++++++++----
1 file changed, 69 insertions(+), 8 deletions(-)
diff --git a/ambari-server/docs/security/sso/index.md b/ambari-server/docs/security/sso/index.md
index 9e3a5bc..e478299 100644
--- a/ambari-server/docs/security/sso/index.md
+++ b/ambari-server/docs/security/sso/index.md
@@ -80,7 +80,14 @@ definition's `metainfo.xml` file. The declaration is as follows:
...
<sso>
<supported>true</supported>
- <enabledConfiguration>config-type/property_name</enabledConfiguration>
+ <ssoEnabledTest>
+ {
+ "equals": [
+ "service-properties/sso.knox.enabled",
+ "true"
+ ]
+ }
+ <ssoEnabledTest>
</sso>
...
</service>
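Review bot: The added `<ssoEnabledTest>` element is never closed in this example: the line after the JSON's closing brace repeats the opening tag `<ssoEnabledTest>` where `</ssoEnabledTest>` is needed, so the documented declaration is not well-formed XML. Service authors are likely to copy this block into their own `metainfo.xml`, so please change that line to `</ssoEnabledTest>` before the following `</sso>`.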
@@ -89,11 +96,35 @@ definition's `metainfo.xml` file. The declaration is as follows:
```
Inside the `<sso>` block, the `<supported>` element with the value of "true" tells Ambari that this
-service is eligible to be configured for SSO. The `enabledConfiguration` is a property specification
-that indicates a boolean property to check to tell whether the service has been configured for SSO
-or not.
+service is eligible to be configured for SSO. The `<ssoEnabledTest>` element contains a JSON structure
+that describes a Boolean expression indicating whether the service has been configured for SSO or
+not. For backwards compatibility with Ambari 2.7.0, the `<enabledConfiguration>` element
+remains supported. It contains a property specification (`config-type`/`property_name`) that
+indicates the boolean property to check to tell whether the service has been configured for SSO or
+not.
-For example, in the `metainfo.xml` file for Atlas:
+For example, the `metainfo.xml` file for Atlas:
+
+```
+ <sso>
+ <supported>true</supported>
+ <ssoEnabledTest>
+ {
+ "equals": [
+ "application-properties/atlas.sso.knox.enabled",
+ "true"
+ ]
+ }
+ <ssoEnabledTest>
+ </sso>
+```
+
+This indicates automated SSO configuration by Ambari is enabled. It also declares how to test the
+service configurations for the SSO integration status. If the property value for
+`atlas.sso.knox.enabled` in the `application-properties` configuration type is "true", then SSO has
+been enabled for Atlas; else SSO has not yet been enabled.
+
+For backwards compatibility, the following is accepted as well:
```
<sso>
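Review bot: The rewritten paragraph keeps `<enabledConfiguration>` "for backwards compatibility with Ambari 2.7.0" but does not say which element Ambari evaluates when a service declares both `<ssoEnabledTest>` and `<enabledConfiguration>`; please state the precedence, since the two could disagree about whether SSO is on. The Atlas example in this hunk also ends its test with a second opening `<ssoEnabledTest>` tag instead of `</ssoEnabledTest>`. Separately, "This indicates automated SSO configuration by Ambari is enabled" reads as if SSO were already turned on, while the paragraph above says `<supported>` only makes the service eligible; "is supported" would match that wording, and "Boolean" versus "boolean" in the same paragraph should be made consistent.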
@@ -102,11 +133,41 @@ For example, in the `metainfo.xml` file for Atlas:
</sso>
```
-Support is enabled and the property value for `atlas.sso.knox.enabled` in the `application-properties`
-configuration type is used to tell if SSO has been enabled for Atlas or not.
+##### Kerberos
+Some services require that Kerberos is enabled in order to allow SSO to be enabled. If this is the
+case, the service is to declare it by setting `<kerberosRequired>` to "true" inside the `<sso>` block.
+If Kerberos is required, then a `<kerberosEnabledTest>` block is needed, as well, to tell Ambari
+how to calculate whether Kerberos is enabled for that service or not. It must be noted that the
+`<kerberosEnabledTest>` block is a sibling to the `<sso>` block. The Kerberos test can be used for
+SSO calculations, but is not directly related to the SSO facility. For example:
+
+```
+ <sso>
+ <supported>true</supported>
+ <kerberosRequired>true</kerberosRequired>
+ <ssoEnabledTest>
+ {
+ "equals": [
+ "service-site/knox.sso.enabled",
+ "true"
+ ]
+ }
+ <ssoEnabledTest>
+ </sso>
+
+ <kerberosEnabledTest>
+ {
+ "equals": [
+ "service-site/service.authentication.type",
+ "kerberos"
+ ]
+ }
+ <kerberosEnabledTest>
+```
Once support is declared by a service **and** it is installed, it will be listed as an eligible service
-while selecting services for which to enable SSO via the Ambari Server CLI.
+while selecting services for which to enable SSO via the Ambari Server CLI. However, if Kerberos
+is required and not enabled, the service may be filtered from that list.
Example:
```
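Review bot: The new sentence "if Kerberos is required and not enabled, the service may be filtered from that list" leaves the enforcement undefined: a reader cannot tell whether Ambari always withholds SSO setup from a service that sets `<kerberosRequired>` to "true" without Kerberos, or only sometimes. Please say "is filtered" if that is the behavior, or name the condition under which it is not, and state what happens when `<kerberosRequired>` is "true" but no `<kerberosEnabledTest>` block is declared. In the Kerberos example, both `<ssoEnabledTest>` and `<kerberosEnabledTest>` are terminated with a repeated opening tag rather than `</ssoEnabledTest>` and `</kerberosEnabledTest>`, and because the text stresses that `<kerberosEnabledTest>` is a sibling of `<sso>`, showing the enclosing `<service>` element in the snippet would make the placement unambiguous.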