You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@ambari.apache.org by Laszlo Puskas <lp...@hortonworks.com> on 2017/01/18 15:43:10 UTC
Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/
-----------------------------------------------------------
Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-19613
https://issues.apache.org/jira/browse/AMBARI-19613
Repository: ambari
Description
-------
On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
On enabling security appropriate settings are configured to secure this connection.
Diffs
-----
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
Diff: https://reviews.apache.org/r/55680/diff/
Testing
-------
Testing done manually:
1. Created an unsecure NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - doesn't exist
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* checked the hdfs_jaas.conf - doesn't exist
* connected to zookeeper, listed znode acls - no limitations set
2. Kerberized the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
* checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
* checked the hdfs_jaas.conf - OK
3. Disabled Kerberos on the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - removed
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
Unit tests running.
Thanks,
Laszlo Puskas
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Robert Levas <rl...@hortonworks.com>.
> On Jan. 18, 2017, 10:57 a.m., Attila Magyar wrote:
> > ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2, line 24
> > <https://reviews.apache.org/r/55680/diff/1/?file=1607730#file1607730line24>
> >
> > is this path always the same?
That path should not be hard-coded. It could change.
- Robert
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162123
-----------------------------------------------------------
On Jan. 18, 2017, 10:58 a.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 18, 2017, 10:58 a.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
>
> Unit tests running.
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Laszlo Puskas <lp...@hortonworks.com>.
> On Jan. 18, 2017, 3:57 p.m., Attila Magyar wrote:
> > ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2, line 24
> > <https://reviews.apache.org/r/55680/diff/1/?file=1607730#file1607730line24>
> >
> > is this path always the same?
>
> Robert Levas wrote:
> That path should not be hard-coded. It could change.
Thanks, will fix it.
- Laszlo
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162123
-----------------------------------------------------------
On Jan. 18, 2017, 3:58 p.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 18, 2017, 3:58 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
>
> Unit tests running.
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Attila Magyar <am...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162123
-----------------------------------------------------------
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 (line 24)
<https://reviews.apache.org/r/55680/#comment233384>
is this path always the same?
- Attila Magyar
On Jan. 18, 2017, 3:43 p.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 18, 2017, 3:43 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
> 1. Created an unsecure NN HA cluster
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> 2. Kerberized the NN HA cluster
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
>
> 3. Disabled Kerberos on the NN HA cluster
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
>
> Unit tests running.
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162128
-----------------------------------------------------------
These changes must be added to HDFS 3.0.0 as well.
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py (line 392)
<https://reviews.apache.org/r/55680/#comment233389>
Not the ```cluster``` but the ```NameNode```
- Sebastian Toader
On Jan. 18, 2017, 4:58 p.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 18, 2017, 4:58 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
>
> Unit tests running.
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Alejandro Fernandez <af...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162685
-----------------------------------------------------------
Ship it!
Ship It!
- Alejandro Fernandez
On Jan. 20, 2017, 11:21 a.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 20, 2017, 11:21 a.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json 1cf1603
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/configuration/hadoop-env.xml 24032fa
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/kerberos.json 4fdffcf
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/utils.py f76935a
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 766a014
> ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
> ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
> ambari-server/src/test/python/stacks/2.0.6/HDFS/test_zkfc.py e952108
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
> * connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
>
> Unit tests:
> Running in progress for trunk
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162417
-----------------------------------------------------------
Ship it!
Ship It!
- Sebastian Toader
On Jan. 20, 2017, 12:21 p.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 20, 2017, 12:21 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json 1cf1603
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/configuration/hadoop-env.xml 24032fa
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/kerberos.json 4fdffcf
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/utils.py f76935a
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 766a014
> ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
> ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
> ambari-server/src/test/python/stacks/2.0.6/HDFS/test_zkfc.py e952108
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
> * connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
>
> Unit tests:
> Running in progress for trunk
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162637
-----------------------------------------------------------
Ship it!
Ship It!
- Robert Levas
On Jan. 20, 2017, 6:21 a.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 20, 2017, 6:21 a.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json 1cf1603
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/configuration/hadoop-env.xml 24032fa
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/kerberos.json 4fdffcf
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/utils.py f76935a
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 766a014
> ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
> ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
> ambari-server/src/test/python/stacks/2.0.6/HDFS/test_zkfc.py e952108
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
> * connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
>
> Unit tests:
> Running in progress for trunk
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Laszlo Puskas <lp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/
-----------------------------------------------------------
(Updated Jan. 24, 2017, 9:41 a.m.)
Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-19613
https://issues.apache.org/jira/browse/AMBARI-19613
Repository: ambari
Description
-------
On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
On enabling security appropriate settings are configured to secure this connection.
Diffs
-----
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json 1cf1603
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/configuration/hadoop-env.xml 24032fa
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/kerberos.json 4fdffcf
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/utils.py f76935a
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/zkfc_slave.py f1891a5
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 766a014
ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
ambari-server/src/test/python/stacks/2.0.6/HDFS/test_zkfc.py e952108
Diff: https://reviews.apache.org/r/55680/diff/
Testing (updated)
-------
Testing done manually:
Created an unsecure NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - doesn't exist
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* checked the hdfs_jaas.conf - doesn't exist
* connected to zookeeper, listed znode acls - no limitations set
Kerberized the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
* checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
* checked the hdfs_jaas.conf - OK
* connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
Disabled Kerberos on the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - removed
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
Unit tests:
Success.
Committed to
trunk:
commit a382bed7f55be632fd03e1b02bb8a01151234b24
Author: Laszlo Puskas <lp...@hortonworks.com>
Date: Fri Jan 20 12:41:02 2017 +0100
AMBARI-19613. ZKFC Zookeper connection is not secure. (Laszlo Puskas via stoader)
branch-2.5
commit 00b2c42ccf6fe68267483a645f6e57e9c921f01b
Author: Laszlo Puskas <lp...@hortonworks.com>
Date: Fri Jan 20 14:04:06 2017 +0100
AMBARI-19613. ZKFC Zookeper connection is not secure (Laszlo Puskas via magyari_sandor)
Thanks,
Laszlo Puskas
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Laszlo Puskas <lp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/
-----------------------------------------------------------
(Updated Jan. 20, 2017, 11:21 a.m.)
Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
Changes
-------
Added changes to hdp 3.0
Fixed tests.
Bugs: AMBARI-19613
https://issues.apache.org/jira/browse/AMBARI-19613
Repository: ambari
Description
-------
On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
On enabling security appropriate settings are configured to secure this connection.
Diffs (updated)
-----
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json 1cf1603
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/configuration/hadoop-env.xml 24032fa
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/kerberos.json 4fdffcf
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/utils.py f76935a
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/scripts/zkfc_slave.py f1891a5
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 766a014
ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
ambari-server/src/test/python/stacks/2.0.6/HDFS/test_zkfc.py e952108
Diff: https://reviews.apache.org/r/55680/diff/
Testing (updated)
-------
Testing done manually:
Created an unsecure NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - doesn't exist
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* checked the hdfs_jaas.conf - doesn't exist
* connected to zookeeper, listed znode acls - no limitations set
Kerberized the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
* checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
* checked the hdfs_jaas.conf - OK
* connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
Disabled Kerberos on the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - removed
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
Unit tests:
Running in progress for trunk
Thanks,
Laszlo Puskas
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162278
-----------------------------------------------------------
Ship it!
Ship It!
- Sebastian Toader
On Jan. 19, 2017, 1:39 p.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 19, 2017, 1:39 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
> ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
> ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
> * connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
>
> Unit tests:
> Successfully ran on local machine / unrelated test failed though.
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Laszlo Puskas <lp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/
-----------------------------------------------------------
(Updated Jan. 19, 2017, 12:39 p.m.)
Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-19613
https://issues.apache.org/jira/browse/AMBARI-19613
Repository: ambari
Description
-------
On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
On enabling security appropriate settings are configured to secure this connection.
Diffs
-----
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
Diff: https://reviews.apache.org/r/55680/diff/
Testing (updated)
-------
Testing done manually:
Created an unsecure NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - doesn't exist
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* checked the hdfs_jaas.conf - doesn't exist
* connected to zookeeper, listed znode acls - no limitations set
Kerberized the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
* checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
* checked the hdfs_jaas.conf - OK
* connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
Disabled Kerberos on the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - removed
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* connected to zookeeper, listed znode acls - set as required (/hadoop-ha/mycluster/ActiveStandbyElectorLock)
Unit tests:
Successfully ran on local machine / unrelated test failed though.
Thanks,
Laszlo Puskas
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162144
-----------------------------------------------------------
Ship it!
Ship It!
- Robert Levas
On Jan. 18, 2017, 12:18 p.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 18, 2017, 12:18 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
> ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
> ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
>
> Unit tests:
> Successfully ran on local machine / unrelated test failed though.
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Attila Magyar <am...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162151
-----------------------------------------------------------
Ship it!
Ship It!
- Attila Magyar
On Jan. 18, 2017, 5:18 p.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 18, 2017, 5:18 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
> ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
> ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
>
> Unit tests:
> Successfully ran on local machine / unrelated test failed though.
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162153
-----------------------------------------------------------
Ship it!
Ship It!
- Sebastian Toader
On Jan. 18, 2017, 6:18 p.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 18, 2017, 6:18 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
> ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
> ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
>
> Unit tests:
> Successfully ran on local machine / unrelated test failed though.
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Laszlo Puskas <lp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/
-----------------------------------------------------------
(Updated Jan. 18, 2017, 5:18 p.m.)
Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-19613
https://issues.apache.org/jira/browse/AMBARI-19613
Repository: ambari
Description
-------
On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
On enabling security appropriate settings are configured to secure this connection.
Diffs
-----
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
Diff: https://reviews.apache.org/r/55680/diff/
Testing (updated)
-------
Testing done manually:
Created an unsecure NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - doesn't exist
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* checked the hdfs_jaas.conf - doesn't exist
* connected to zookeeper, listed znode acls - no limitations set
Kerberized the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
* checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
* checked the hdfs_jaas.conf - OK
Disabled Kerberos on the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - removed
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
Unit tests:
Successfully ran on local machine / unrelated test failed though.
Thanks,
Laszlo Puskas
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Laszlo Puskas <lp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/
-----------------------------------------------------------
(Updated Jan. 18, 2017, 5:17 p.m.)
Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
Changes
-------
Added changes to the stack 3.0
Bugs: AMBARI-19613
https://issues.apache.org/jira/browse/AMBARI-19613
Repository: ambari
Description
-------
On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
On enabling security appropriate settings are configured to secure this connection.
Diffs (updated)
-----
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
ambari-server/src/main/resources/stacks/HDP/3.0/hooks/before-ANY/scripts/params.py f70c8e9
ambari-server/src/main/resources/stacks/HDP/3.0/services/HDFS/configuration/hadoop-env.xml e680c1b
Diff: https://reviews.apache.org/r/55680/diff/
Testing
-------
Testing done manually:
Created an unsecure NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - doesn't exist
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* checked the hdfs_jaas.conf - doesn't exist
* connected to zookeeper, listed znode acls - no limitations set
Kerberized the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
* checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
* checked the hdfs_jaas.conf - OK
Disabled Kerberos on the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - removed
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
Unit tests running.
Thanks,
Laszlo Puskas
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Laszlo Puskas <lp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/
-----------------------------------------------------------
(Updated Jan. 18, 2017, 4:35 p.m.)
Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-19613
https://issues.apache.org/jira/browse/AMBARI-19613
Repository: ambari
Description
-------
On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
On enabling security appropriate settings are configured to secure this connection.
Diffs (updated)
-----
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
Diff: https://reviews.apache.org/r/55680/diff/
Testing
-------
Testing done manually:
Created an unsecure NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - doesn't exist
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* checked the hdfs_jaas.conf - doesn't exist
* connected to zookeeper, listed znode acls - no limitations set
Kerberized the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
* checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
* checked the hdfs_jaas.conf - OK
Disabled Kerberos on the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - removed
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
Unit tests running.
Thanks,
Laszlo Puskas
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Laszlo Puskas <lp...@hortonworks.com>.
> On Jan. 18, 2017, 4:12 p.m., Robert Levas wrote:
> > ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2, line 24
> > <https://reviews.apache.org/r/55680/diff/1/?file=1607730#file1607730line24>
> >
> > This should be
> >
> > ```
> > keytab="{{nn_keytab}}"
> > ```
Thanks!
- Laszlo
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162125
-----------------------------------------------------------
On Jan. 18, 2017, 3:58 p.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 18, 2017, 3:58 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
>
> Unit tests running.
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/#review162125
-----------------------------------------------------------
Fix it, then Ship it!
Ship It!
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 (line 24)
<https://reviews.apache.org/r/55680/#comment233386>
This should be
```
keytab="{{nn_keytab}}"
```
- Robert Levas
On Jan. 18, 2017, 10:58 a.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55680/
> -----------------------------------------------------------
>
> (Updated Jan. 18, 2017, 10:58 a.m.)
>
>
> Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19613
> https://issues.apache.org/jira/browse/AMBARI-19613
>
>
> Repository: ambari
>
>
> Description
> -------
>
> On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
> On enabling security appropriate settings are configured to secure this connection.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
> ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
> ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
>
> Diff: https://reviews.apache.org/r/55680/diff/
>
>
> Testing
> -------
>
> Testing done manually:
>
> Created an unsecure NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - doesn't exist
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
> * checked the hdfs_jaas.conf - doesn't exist
> * connected to zookeeper, listed znode acls - no limitations set
>
> Kerberized the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
> * checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
> * checked the hdfs_jaas.conf - OK
>
> Disabled Kerberos on the NN HA cluster
>
> * checked the configuration entry: ha.zookeeper.acl - removed
> * checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
>
> Unit tests running.
>
>
> Thanks,
>
> Laszlo Puskas
>
>
Re: Review Request 55680: On secure NN HA clusters ZKFC connects to
zookeeper securely
Posted by Laszlo Puskas <lp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55680/
-----------------------------------------------------------
(Updated Jan. 18, 2017, 3:58 p.m.)
Review request for Ambari, Attila Magyar, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-19613
https://issues.apache.org/jira/browse/AMBARI-19613
Repository: ambari
Description
-------
On secure namenode HA clusters the ZKFC component needs to access the zookeeper securely.
On enabling security appropriate settings are configured to secure this connection.
Diffs
-----
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hadoop-env.xml c2f37c1
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json f30c9e4
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/utils.py 3270430
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/zkfc_slave.py f1891a5
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/templates/hdfs_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py 783f811
ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/hadoop-env.xml 5be2b74
ambari-server/src/main/resources/stacks/HDP/2.3/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.4/services/HDFS/configuration/hadoop-env.xml 24e0193
ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 9000e95
Diff: https://reviews.apache.org/r/55680/diff/
Testing (updated)
-------
Testing done manually:
Created an unsecure NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - doesn't exist
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
* checked the hdfs_jaas.conf - doesn't exist
* connected to zookeeper, listed znode acls - no limitations set
Kerberized the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - set to sasl:nn:cdrwa
* checked the hadoop-env.sh - contains the variable export HADOOP_ZKFC_OPTS with proper value, points to the correct jaas file
* checked the hdfs_jaas.conf - OK
Disabled Kerberos on the NN HA cluster
* checked the configuration entry: ha.zookeeper.acl - removed
* checked the hadoop-env.sh - doesn't contain the variable export HADOOP_ZKFC_OPTS
Unit tests running.
Thanks,
Laszlo Puskas