Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2018/12/07 02:35:00 UTC

[jira] [Created] (AMBARI-25013) Ambari should optionally generate auth-to-local rules for the Kerberos identities of all components of installed services

Robert Levas created AMBARI-25013:
-------------------------------------

             Summary: Ambari should optionally generate auth-to-local rules for the Kerberos identities of all components of installed services
                 Key: AMBARI-25013
                 URL: https://issues.apache.org/jira/browse/AMBARI-25013
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.8.0
            Reporter: Rohith Sharma K S
            Assignee: Robert Levas
             Fix For: 2.8.0


Ambari should optionally generate auth-to-local rules for the Kerberos identities of all components of installed services.  

Currently Ambari will generate auth-to-local rules for the installed components of installed services.  This is generally the accepted behavior. However, there may be cases where identities from remote clusters (using the same Kerberos realm) need to be translated to local names.  

A use case may be that some slave component for a service is installed on a remote cluster, but that component is not installed on the local cluster. However, a master component of that service is installed on the local cluster, and the slave component from the remote cluster needs to communicate with it.

The solution is to add a new property to {{kerberos-env}}, maybe named something like {{include_all_components_in_auth_to_local_rules}}, where the default value is {{false}}.  If set to {{true}}, when building the auth-to-local rules, Ambari should add the rules for all components of installed services, not just the installed components (which is what it does today).  

The relevant code to change is in {{org.apache.ambari.server.controller.KerberosHelperImpl#setAuthToLocalRules}}. 

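The effect of the proposed switch on name translation, as an added example that is not part of the original issue and is not Ambari's code. It models a subset of Hadoop's auth_to_local rule syntax in Python and compares how a same-realm principal from a remote cluster is mapped with and without rules for components that are not installed locally. The realm, the component table, the principal names and the names `build_rules`, `to_local` and `include_all` are constructed for illustration.

```python
import re

REALM = "EXAMPLE.COM"  # constructed realm

# Constructed descriptor: component -> (principal primary, local user, installed locally?)
SERVICE = {
    "RESOURCEMANAGER": ("rm", "yarn", True),
    "NODEMANAGER": ("nm", "yarn", False),  # runs only on the remote cluster
}

def build_rules(components, include_all=False):
    """One rule per component identity, then the catch-all rules."""
    rules = []
    for primary, local_user, installed in components.values():
        if installed or include_all:
            rules.append(f"RULE:[2:$1@$0]({primary}@{REALM})s/.*/{local_user}/")
    rules.append(f"RULE:[1:$1@$0](.*@{REALM})s/@.*//")
    rules.append("DEFAULT")
    return rules

RULE_RE = re.compile(r"RULE:\[(\d):([^\]]*)\]\((.*?)\)s/([^/]*)/([^/]*)/(g?)$")

def to_local(principal, rules, default_realm=REALM):
    """Apply rules in order; the first rule that matches decides the local name."""
    name, realm = principal.rsplit("@", 1)
    parts = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT keeps only the first component, and only for the default realm.
            if realm == default_realm:
                return parts[0]
            continue
        count, fmt, accept, pat, repl, glob = RULE_RE.match(rule).groups()
        if int(count) != len(parts):
            continue  # rule is written for a different number of name components
        base = fmt.replace("$0", realm)
        for i, part in enumerate(parts, 1):
            base = base.replace(f"${i}", part)
        if re.fullmatch(accept, base):
            return re.sub(pat, repl, base, count=0 if glob else 1)
    raise ValueError(f"no auth-to-local rule matches {principal}")

REMOTE_NM = f"nm/worker1.remote.example.com@{REALM}"  # constructed principal
```

With only installed components covered, `REMOTE_NM` falls through to `DEFAULT` and becomes the local name `nm`; with all components covered it becomes `yarn`, the same account the local service identities map to.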