You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@ambari.apache.org by Attila Magyar <am...@hortonworks.com> on 2017/01/16 19:07:34 UTC
Review Request 55574: Setup the correct authentication and
authorization between ZooKeeper and oozie
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55574/
-----------------------------------------------------------
Review request for Ambari, Laszlo Puskas, Oliver Szabo, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-19568
https://issues.apache.org/jira/browse/AMBARI-19568
Repository: ambari
Description
-------
The communication between ZooKeeper and Oozie must be secure when kerberos is enabled. This can be achieved setting by oozie.zookeeper.secure property to true in oozie-site.xml. This makes oozie to install secure permissions to its znodes. These permissions should be removed when we disable kerberos.
Diffs
-----
ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py 14a0b23
ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie_server.py e0778da
ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py f9c608e
ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/templates/zkmigrator_jaas.conf.j2 PRE-CREATION
ambari-server/src/main/resources/common-services/OOZIE/4.2.0.2.3/kerberos.json d2e2ab8
ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json fd7fac9
ambari-server/src/main/resources/stacks/HDP/3.0/properties/stack_features.json dd87b72
ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py d24d0b9
contrib/management-packs/hdf-ambari-mpack/src/main/resources/stacks/HDF/2.0/properties/stack_features.json 645e357
Diff: https://reviews.apache.org/r/55574/diff/
Testing
-------
Manual testing:
- created a cluster with oozie
- enabled oozie ha mode
- enabled kerberos
- checked that ACLs on /oozie was sasl:oozie:crdwa
- disabled kerberos
- checked that ACLs on /oozie was world:anyone:crdwa
Run all tests in ambari-server and ambari-agent. Failure was irrelevant.
FAIL: test_start_default (test_kms_server.TestRangerKMS)
Traceback (most recent call last):
File "/Users/amagyar/development/ambari/ambari-common/src/test/python/mock/mock.py", line 1199, in patched
return func(*args, **keywargs)
File "/Users/amagyar/development/ambari/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py", line 73, in test_start_default
mode = 0644
File "/Users/amagyar/development/ambari/ambari-server/src/test/python/stacks/utils/RMFTestCase.py", line 282, in assertResourceCalled
self.assertEquals(kwargs, resource.arguments)
AssertionError: {'owner': 'kms', 'content': '<ranger>\n<enabled>2017-01-16 17:18:35</enabled>\n< [truncated]... != {'content': '<ranger>\n<enabled>2017-01-16 17:18:34</enabled>\n</ranger>', 'owne [truncated]...
- {'content': '<ranger>\n<enabled>2017-01-16 17:18:35</enabled>\n</ranger>',
? ^
+ {'content': '<ranger>\n<enabled>2017-01-16 17:18:34</enabled>\n</ranger>',
?
Thanks,
Attila Magyar
Re: Review Request 55574: Setup the correct authentication and
authorization between ZooKeeper and oozie
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55574/#review161778
-----------------------------------------------------------
Ship it!
Ship It!
- Robert Levas
On Jan. 16, 2017, 2:07 p.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55574/
> -----------------------------------------------------------
>
> (Updated Jan. 16, 2017, 2:07 p.m.)
>
>
> Review request for Ambari, Laszlo Puskas, Oliver Szabo, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19568
> https://issues.apache.org/jira/browse/AMBARI-19568
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The communication between ZooKeeper and Oozie must be secure when kerberos is enabled. This can be achieved setting by oozie.zookeeper.secure property to true in oozie-site.xml. This makes oozie to install secure permissions to its znodes. These permissions should be removed when we disable kerberos.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py 14a0b23
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie_server.py e0778da
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py f9c608e
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/templates/zkmigrator_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/common-services/OOZIE/4.2.0.2.3/kerberos.json d2e2ab8
> ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json fd7fac9
> ambari-server/src/main/resources/stacks/HDP/3.0/properties/stack_features.json dd87b72
> ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py d24d0b9
> contrib/management-packs/hdf-ambari-mpack/src/main/resources/stacks/HDF/2.0/properties/stack_features.json 645e357
>
> Diff: https://reviews.apache.org/r/55574/diff/
>
>
> Testing
> -------
>
> Manual testing:
> - created a cluster with oozie
> - enabled oozie ha mode
> - enabled kerberos
> - checked that ACLs on /oozie was sasl:oozie:crdwa
> - disabled kerberos
> - checked that ACLs on /oozie was world:anyone:crdwa
>
> Run all tests in ambari-server and ambari-agent. Failure was irrelevant.
>
> FAIL: test_start_default (test_kms_server.TestRangerKMS)
> Traceback (most recent call last):
> File "/Users/amagyar/development/ambari/ambari-common/src/test/python/mock/mock.py", line 1199, in patched
> return func(*args, **keywargs)
> File "/Users/amagyar/development/ambari/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py", line 73, in test_start_default
> mode = 0644
> File "/Users/amagyar/development/ambari/ambari-server/src/test/python/stacks/utils/RMFTestCase.py", line 282, in assertResourceCalled
> self.assertEquals(kwargs, resource.arguments)
> AssertionError: {'owner': 'kms', 'content': '<ranger>\n<enabled>2017-01-16 17:18:35</enabled>\n< [truncated]... != {'content': '<ranger>\n<enabled>2017-01-16 17:18:34</enabled>\n</ranger>', 'owne [truncated]...
> - {'content': '<ranger>\n<enabled>2017-01-16 17:18:35</enabled>\n</ranger>',
> ? ^
>
> + {'content': '<ranger>\n<enabled>2017-01-16 17:18:34</enabled>\n</ranger>',
> ?
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 55574: Setup the correct authentication and
authorization between ZooKeeper and oozie
Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55574/#review161790
-----------------------------------------------------------
Ship it!
Ship It!
- Oliver Szabo
On Jan. 16, 2017, 7:07 p.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55574/
> -----------------------------------------------------------
>
> (Updated Jan. 16, 2017, 7:07 p.m.)
>
>
> Review request for Ambari, Laszlo Puskas, Oliver Szabo, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19568
> https://issues.apache.org/jira/browse/AMBARI-19568
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The communication between ZooKeeper and Oozie must be secure when kerberos is enabled. This can be achieved setting by oozie.zookeeper.secure property to true in oozie-site.xml. This makes oozie to install secure permissions to its znodes. These permissions should be removed when we disable kerberos.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py 14a0b23
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie_server.py e0778da
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py f9c608e
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/templates/zkmigrator_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/common-services/OOZIE/4.2.0.2.3/kerberos.json d2e2ab8
> ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json fd7fac9
> ambari-server/src/main/resources/stacks/HDP/3.0/properties/stack_features.json dd87b72
> ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py d24d0b9
> contrib/management-packs/hdf-ambari-mpack/src/main/resources/stacks/HDF/2.0/properties/stack_features.json 645e357
>
> Diff: https://reviews.apache.org/r/55574/diff/
>
>
> Testing
> -------
>
> Manual testing:
> - created a cluster with oozie
> - enabled oozie ha mode
> - enabled kerberos
> - checked that ACLs on /oozie was sasl:oozie:crdwa
> - disabled kerberos
> - checked that ACLs on /oozie was world:anyone:crdwa
>
> Run all tests in ambari-server and ambari-agent. Failure was irrelevant.
>
> FAIL: test_start_default (test_kms_server.TestRangerKMS)
> Traceback (most recent call last):
> File "/Users/amagyar/development/ambari/ambari-common/src/test/python/mock/mock.py", line 1199, in patched
> return func(*args, **keywargs)
> File "/Users/amagyar/development/ambari/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py", line 73, in test_start_default
> mode = 0644
> File "/Users/amagyar/development/ambari/ambari-server/src/test/python/stacks/utils/RMFTestCase.py", line 282, in assertResourceCalled
> self.assertEquals(kwargs, resource.arguments)
> AssertionError: {'owner': 'kms', 'content': '<ranger>\n<enabled>2017-01-16 17:18:35</enabled>\n< [truncated]... != {'content': '<ranger>\n<enabled>2017-01-16 17:18:34</enabled>\n</ranger>', 'owne [truncated]...
> - {'content': '<ranger>\n<enabled>2017-01-16 17:18:35</enabled>\n</ranger>',
> ? ^
>
> + {'content': '<ranger>\n<enabled>2017-01-16 17:18:34</enabled>\n</ranger>',
> ?
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 55574: Setup the correct authentication and
authorization between ZooKeeper and oozie
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55574/#review161779
-----------------------------------------------------------
Ship it!
Ship It!
- Sebastian Toader
On Jan. 16, 2017, 8:07 p.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55574/
> -----------------------------------------------------------
>
> (Updated Jan. 16, 2017, 8:07 p.m.)
>
>
> Review request for Ambari, Laszlo Puskas, Oliver Szabo, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19568
> https://issues.apache.org/jira/browse/AMBARI-19568
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The communication between ZooKeeper and Oozie must be secure when kerberos is enabled. This can be achieved setting by oozie.zookeeper.secure property to true in oozie-site.xml. This makes oozie to install secure permissions to its znodes. These permissions should be removed when we disable kerberos.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py 14a0b23
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie_server.py e0778da
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py f9c608e
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/templates/zkmigrator_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/common-services/OOZIE/4.2.0.2.3/kerberos.json d2e2ab8
> ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json fd7fac9
> ambari-server/src/main/resources/stacks/HDP/3.0/properties/stack_features.json dd87b72
> ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py d24d0b9
> contrib/management-packs/hdf-ambari-mpack/src/main/resources/stacks/HDF/2.0/properties/stack_features.json 645e357
>
> Diff: https://reviews.apache.org/r/55574/diff/
>
>
> Testing
> -------
>
> Manual testing:
> - created a cluster with oozie
> - enabled oozie ha mode
> - enabled kerberos
> - checked that ACLs on /oozie was sasl:oozie:crdwa
> - disabled kerberos
> - checked that ACLs on /oozie was world:anyone:crdwa
>
> Run all tests in ambari-server and ambari-agent. Failure was irrelevant.
>
> FAIL: test_start_default (test_kms_server.TestRangerKMS)
> Traceback (most recent call last):
> File "/Users/amagyar/development/ambari/ambari-common/src/test/python/mock/mock.py", line 1199, in patched
> return func(*args, **keywargs)
> File "/Users/amagyar/development/ambari/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py", line 73, in test_start_default
> mode = 0644
> File "/Users/amagyar/development/ambari/ambari-server/src/test/python/stacks/utils/RMFTestCase.py", line 282, in assertResourceCalled
> self.assertEquals(kwargs, resource.arguments)
> AssertionError: {'owner': 'kms', 'content': '<ranger>\n<enabled>2017-01-16 17:18:35</enabled>\n< [truncated]... != {'content': '<ranger>\n<enabled>2017-01-16 17:18:34</enabled>\n</ranger>', 'owne [truncated]...
> - {'content': '<ranger>\n<enabled>2017-01-16 17:18:35</enabled>\n</ranger>',
> ? ^
>
> + {'content': '<ranger>\n<enabled>2017-01-16 17:18:34</enabled>\n</ranger>',
> ?
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 55574: Setup the correct authentication and
authorization between ZooKeeper and oozie
Posted by Laszlo Puskas <lp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55574/#review161782
-----------------------------------------------------------
Ship it!
Ship It!
- Laszlo Puskas
On Jan. 16, 2017, 7:07 p.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55574/
> -----------------------------------------------------------
>
> (Updated Jan. 16, 2017, 7:07 p.m.)
>
>
> Review request for Ambari, Laszlo Puskas, Oliver Szabo, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-19568
> https://issues.apache.org/jira/browse/AMBARI-19568
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The communication between ZooKeeper and Oozie must be secure when kerberos is enabled. This can be achieved setting by oozie.zookeeper.secure property to true in oozie-site.xml. This makes oozie to install secure permissions to its znodes. These permissions should be removed when we disable kerberos.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie.py 14a0b23
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie_server.py e0778da
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py f9c608e
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/templates/zkmigrator_jaas.conf.j2 PRE-CREATION
> ambari-server/src/main/resources/common-services/OOZIE/4.2.0.2.3/kerberos.json d2e2ab8
> ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json fd7fac9
> ambari-server/src/main/resources/stacks/HDP/3.0/properties/stack_features.json dd87b72
> ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py d24d0b9
> contrib/management-packs/hdf-ambari-mpack/src/main/resources/stacks/HDF/2.0/properties/stack_features.json 645e357
>
> Diff: https://reviews.apache.org/r/55574/diff/
>
>
> Testing
> -------
>
> Manual testing:
> - created a cluster with oozie
> - enabled oozie ha mode
> - enabled kerberos
> - checked that ACLs on /oozie was sasl:oozie:crdwa
> - disabled kerberos
> - checked that ACLs on /oozie was world:anyone:crdwa
>
> Run all tests in ambari-server and ambari-agent. Failure was irrelevant.
>
> FAIL: test_start_default (test_kms_server.TestRangerKMS)
> Traceback (most recent call last):
> File "/Users/amagyar/development/ambari/ambari-common/src/test/python/mock/mock.py", line 1199, in patched
> return func(*args, **keywargs)
> File "/Users/amagyar/development/ambari/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py", line 73, in test_start_default
> mode = 0644
> File "/Users/amagyar/development/ambari/ambari-server/src/test/python/stacks/utils/RMFTestCase.py", line 282, in assertResourceCalled
> self.assertEquals(kwargs, resource.arguments)
> AssertionError: {'owner': 'kms', 'content': '<ranger>\n<enabled>2017-01-16 17:18:35</enabled>\n< [truncated]... != {'content': '<ranger>\n<enabled>2017-01-16 17:18:34</enabled>\n</ranger>', 'owne [truncated]...
> - {'content': '<ranger>\n<enabled>2017-01-16 17:18:35</enabled>\n</ranger>',
> ? ^
>
> + {'content': '<ranger>\n<enabled>2017-01-16 17:18:34</enabled>\n</ranger>',
> ?
>
>
> Thanks,
>
> Attila Magyar
>
>