You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/06/02 04:56:00 UTC

Review Request 34919: Kerberos: provide option to set test account name

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34919/
-----------------------------------------------------------

Review request for Ambari, Emil Anca, Robert Nettleton, and Tom Beerbower.


Bugs: AMBARI-11590
    https://issues.apache.org/jira/browse/AMBARI-11590


Repository: ambari


Description
-------

In many situations with large-scale Active Directory deployments, the krb5.conf is managed outside of Ambari.  This krb5.conf file is configured with all of the DC's in the AD domain, and the outbound requests to the KDC from clients are load balanced across those servers.  In many scenarios the user replication latency causes issues with users not found during the test process.  Due to the fact that we generate a new user every time we test, this can get users to a circular situation in which they can never leave this state because of multi-KDC's in their krb5.conf and delay associated with replication.

1) Expose the option to set the test kerberos client principal name (under Advanced kerberos-env)
2) Default the value to something unique, but less than 20 characters `${cluster_name}-${short_date}`


Diffs
-----

  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ad76ffa 
  ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java dc5fc75 
  ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml ec50f69 
  ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kerberos-env.xml 31833cb 
  ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 684cdd4 

Diff: https://reviews.apache.org/r/34919/diff/


Testing
-------

Manually tested.

#Jenkins test results: PENDING


Thanks,

Robert Levas

Re: Review Request 34919: Kerberos: provide option to set test account name

Posted by Robert Levas <rl...@hortonworks.com>.


> On June 1, 2015, 11:01 p.m., Jeff Sposetti wrote:
> > ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml, line 160
> > <https://reviews.apache.org/r/34919/diff/1/?file=976312#file976312line160>
> >
> >     Why ${date} in here but ${short_date} in gluster?

Nice catch... I switched mid-stream and forgot about Gluster.


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34919/#review86148
-----------------------------------------------------------


On June 1, 2015, 10:55 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34919/
> -----------------------------------------------------------
> 
> (Updated June 1, 2015, 10:55 p.m.)
> 
> 
> Review request for Ambari, Emil Anca, Robert Nettleton, and Tom Beerbower.
> 
> 
> Bugs: AMBARI-11590
>     https://issues.apache.org/jira/browse/AMBARI-11590
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> In many situations with large-scale Active Directory deployments, the krb5.conf is managed outside of Ambari.  This krb5.conf file is configured with all of the DC's in the AD domain, and the outbound requests to the KDC from clients are load balanced across those servers.  In many scenarios the user replication latency causes issues with users not found during the test process.  Due to the fact that we generate a new user every time we test, this can get users to a circular situation in which they can never leave this state because of multi-KDC's in their krb5.conf and delay associated with replication.
> 
> 1) Expose the option to set the test kerberos client principal name (under Advanced kerberos-env)
> 2) Default the value to something unique, but less than 20 characters `${cluster_name}-${short_date}`
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ad76ffa 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java dc5fc75 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml ec50f69 
>   ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kerberos-env.xml 31833cb 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 684cdd4 
> 
> Diff: https://reviews.apache.org/r/34919/diff/
> 
> 
> Testing
> -------
> 
> Manually tested.
> 
> #Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

Re: Review Request 34919: Kerberos: provide option to set test account name

Posted by Jeff Sposetti <je...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34919/#review86148
-----------------------------------------------------------



ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
<https://reviews.apache.org/r/34919/#comment138073>

    Why ${date} in here but ${short_date} in gluster?


- Jeff Sposetti


On June 2, 2015, 2:55 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34919/
> -----------------------------------------------------------
> 
> (Updated June 2, 2015, 2:55 a.m.)
> 
> 
> Review request for Ambari, Emil Anca, Robert Nettleton, and Tom Beerbower.
> 
> 
> Bugs: AMBARI-11590
>     https://issues.apache.org/jira/browse/AMBARI-11590
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> In many situations with large-scale Active Directory deployments, the krb5.conf is managed outside of Ambari.  This krb5.conf file is configured with all of the DC's in the AD domain, and the outbound requests to the KDC from clients are load balanced across those servers.  In many scenarios the user replication latency causes issues with users not found during the test process.  Due to the fact that we generate a new user every time we test, this can get users to a circular situation in which they can never leave this state because of multi-KDC's in their krb5.conf and delay associated with replication.
> 
> 1) Expose the option to set the test kerberos client principal name (under Advanced kerberos-env)
> 2) Default the value to something unique, but less than 20 characters `${cluster_name}-${short_date}`
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ad76ffa 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java dc5fc75 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml ec50f69 
>   ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kerberos-env.xml 31833cb 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 684cdd4 
> 
> Diff: https://reviews.apache.org/r/34919/diff/
> 
> 
> Testing
> -------
> 
> Manually tested.
> 
> #Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

Re: Review Request 34919: Kerberos: provide option to set test account name

Posted by Tom Beerbower <tb...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34919/#review86208
-----------------------------------------------------------

Ship it!


Ship It!

- Tom Beerbower


On June 2, 2015, 2:55 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34919/
> -----------------------------------------------------------
> 
> (Updated June 2, 2015, 2:55 a.m.)
> 
> 
> Review request for Ambari, Emil Anca, Robert Nettleton, and Tom Beerbower.
> 
> 
> Bugs: AMBARI-11590
>     https://issues.apache.org/jira/browse/AMBARI-11590
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> In many situations with large-scale Active Directory deployments, the krb5.conf is managed outside of Ambari.  This krb5.conf file is configured with all of the DC's in the AD domain, and the outbound requests to the KDC from clients are load balanced across those servers.  In many scenarios the user replication latency causes issues with users not found during the test process.  Due to the fact that we generate a new user every time we test, this can get users to a circular situation in which they can never leave this state because of multi-KDC's in their krb5.conf and delay associated with replication.
> 
> 1) Expose the option to set the test kerberos client principal name (under Advanced kerberos-env)
> 2) Default the value to something unique, but less than 20 characters `${cluster_name}-${short_date}`
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ad76ffa 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java dc5fc75 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml ec50f69 
>   ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kerberos-env.xml 31833cb 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 684cdd4 
> 
> Diff: https://reviews.apache.org/r/34919/diff/
> 
> 
> Testing
> -------
> 
> Manually tested.
> 
> #Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

Re: Review Request 34919: Kerberos: provide option to set test account name

Posted by Emil Anca <ea...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34919/#review86209
-----------------------------------------------------------

Ship it!


Ship It!

- Emil Anca


On June 2, 2015, 1:10 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34919/
> -----------------------------------------------------------
> 
> (Updated June 2, 2015, 1:10 p.m.)
> 
> 
> Review request for Ambari, Emil Anca, Robert Nettleton, and Tom Beerbower.
> 
> 
> Bugs: AMBARI-11590
>     https://issues.apache.org/jira/browse/AMBARI-11590
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> In many situations with large-scale Active Directory deployments, the krb5.conf is managed outside of Ambari.  This krb5.conf file is configured with all of the DC's in the AD domain, and the outbound requests to the KDC from clients are load balanced across those servers.  In many scenarios the user replication latency causes issues with users not found during the test process.  Due to the fact that we generate a new user every time we test, this can get users to a circular situation in which they can never leave this state because of multi-KDC's in their krb5.conf and delay associated with replication.
> 
> 1) Expose the option to set the test kerberos client principal name (under Advanced kerberos-env)
> 2) Default the value to something unique, but less than 20 characters `${cluster_name}-${short_date}`
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ad76ffa 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java dc5fc75 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml ec50f69 
>   ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kerberos-env.xml 31833cb 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 684cdd4 
> 
> Diff: https://reviews.apache.org/r/34919/diff/
> 
> 
> Testing
> -------
> 
> Manually tested.
> 
> #Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

Re: Review Request 34919: Kerberos: provide option to set test account name

Posted by Robert Levas <rl...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34919/
-----------------------------------------------------------

(Updated June 2, 2015, 9:10 a.m.)


Review request for Ambari, Emil Anca, Robert Nettleton, and Tom Beerbower.


Changes
-------

Fixed error in Gluster kerberos-env.xml file


Bugs: AMBARI-11590
    https://issues.apache.org/jira/browse/AMBARI-11590


Repository: ambari


Description
-------

In many situations with large-scale Active Directory deployments, the krb5.conf is managed outside of Ambari.  This krb5.conf file is configured with all of the DC's in the AD domain, and the outbound requests to the KDC from clients are load balanced across those servers.  In many scenarios the user replication latency causes issues with users not found during the test process.  Due to the fact that we generate a new user every time we test, this can get users to a circular situation in which they can never leave this state because of multi-KDC's in their krb5.conf and delay associated with replication.

1) Expose the option to set the test kerberos client principal name (under Advanced kerberos-env)
2) Default the value to something unique, but less than 20 characters `${cluster_name}-${short_date}`


Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ad76ffa 
  ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java dc5fc75 
  ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml ec50f69 
  ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/kerberos-env.xml 31833cb 
  ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 684cdd4 

Diff: https://reviews.apache.org/r/34919/diff/


Testing
-------

Manually tested.

#Jenkins test results: PENDING


Thanks,

Robert Levas