You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/01/29 15:55:59 UTC
Review Request 30415: Implement Keytab regeneration
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30415/
-----------------------------------------------------------
Review request for Ambari, John Speidel, Nate Cole, Robert Nettleton, and Tom Beerbower.
Bugs: AMBARI-9385
https://issues.apache.org/jira/browse/AMBARI-9385
Repository: ambari
Description
-------
Create API entry point to initiate Kerberos keytab regeneration for the cluster:
```
PUT /api/v1/clusters/{clustername}?kerberos_regenerate_keytabs=true
```
The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
# Update Principal Passwords
# Generate Keytabs
# Distribute Keytab
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 9b744d0
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java e867f99
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 6bb9bf1
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java 1a66cd9
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e976d81
Diff: https://reviews.apache.org/r/30415/diff/
Testing
-------
Manually tested in cluster again MIT KDC (Active Directory pending)
Updated unit tests
# Jenkins test results
Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
Tests run: 30, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.099 sec
Running org.apache.ambari.server.controller.KerberosHelperTest
Tests run: 16, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.626 sec
Ambari-server test results
Tests run: 2631, Failures: 0, Errors: 0, Skipped: 15
**Note: Python tests are broken on the trunk, unrelated to this change**
Thanks,
Robert Levas
Re: Review Request 30415: Implement Keytab regeneration
Posted by Robert Levas <rl...@hortonworks.com>.
> On Jan. 29, 2015, 3:06 p.m., John Speidel wrote:
> > The api should include a body that contains the security_type property.
> >
> > {
> > "Clusters" : {
> > "security_type" : "kerberos"
> > }
> > }
> >
> > The directive only makes sense in this context.
> > Basically the directive is saying that even if this property is already set to "kerberos" that you still want to generate the keytabs.
> > With the context of the body, you can potentially remove "kerberos" from the directive name.
> > Would a user ever want to transition from security_type = "none" -> security_type = "kerberos" and not want to generate keytabs by specifying this directive with a false value? If so, then we should also handle the user specifying this directive with a false value.
> > Based on the call we had yesterday, it seems that we will also need the ability to generate keytabs for all hosts that we were originally unable to distribute to when we first kerberized the cluster or added hosts ...
> > We should keep this in mind when naming the directive.
> > Something like:
> > generate_keytabs = true : regenerate/distribute all keytabs
> > generate_missing_keytabs = true : only for hosts that need it
I assume you are referning to the desciipriton, which I failed to update to match the code. The code ensures that the security_type is being set to KERBEROS. Becuase of this, I thought the "kerbreros" in the directive was redundant as well and it code looks for "regenerate_keytabs".
If transitioning from NONE to KERBEROS, it would not make sense to generate the keytabs... that would just cause problems.
I think we need to handle the hosts that come up after being down when enabling Kerberos in a different JIRA.
- Robert
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30415/#review70265
-----------------------------------------------------------
On Jan. 30, 2015, 9:24 a.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30415/
> -----------------------------------------------------------
>
> (Updated Jan. 30, 2015, 9:24 a.m.)
>
>
> Review request for Ambari, John Speidel, Nate Cole, Robert Nettleton, and Tom Beerbower.
>
>
> Bugs: AMBARI-9385
> https://issues.apache.org/jira/browse/AMBARI-9385
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Create API entry point to initiate Kerberos keytab regeneration for the cluster:
> ```
> PUT /api/v1/clusters/{clustername}?regenerate_keytabs=true
> {
> "Clusters" : {
> "security_type" : "KERBEROS"
> }
> }
> ```
>
> The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
> # Update Principal Passwords
> # Generate Keytabs
> # Distribute Keytab
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 9b744d0
> ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java e867f99
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 6bb9bf1
> ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java 1a66cd9
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e976d81
>
> Diff: https://reviews.apache.org/r/30415/diff/
>
>
> Testing
> -------
>
> Manually tested in cluster again MIT KDC (Active Directory pending)
> Updated unit tests
>
> # Jenkins test results
> Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
> Tests run: 30, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.099 sec
>
> Running org.apache.ambari.server.controller.KerberosHelperTest
> Tests run: 16, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.626 sec
>
> Ambari-server test results
> Tests run: 2631, Failures: 0, Errors: 0, Skipped: 15
>
> **Note: Python tests are broken on the trunk, unrelated to this change**
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 30415: Implement Keytab regeneration
Posted by John Speidel <js...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30415/#review70265
-----------------------------------------------------------
The api should include a body that contains the security_type property.
{
"Clusters" : {
"security_type" : "kerberos"
}
}
The directive only makes sense in this context.
Basically the directive is saying that even if this property is already set to "kerberos" that you still want to generate the keytabs.
With the context of the body, you can potentially remove "kerberos" from the directive name.
Would a user ever want to transition from security_type = "none" -> security_type = "kerberos" and not want to generate keytabs by specifying this directive with a false value? If so, then we should also handle the user specifying this directive with a false value.
Based on the call we had yesterday, it seems that we will also need the ability to generate keytabs for all hosts that we were originally unable to distribute to when we first kerberized the cluster or added hosts ...
We should keep this in mind when naming the directive.
Something like:
generate_keytabs = true : regenerate/distribute all keytabs
generate_missing_keytabs = true : only for hosts that need it
- John Speidel
On Jan. 29, 2015, 2:55 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30415/
> -----------------------------------------------------------
>
> (Updated Jan. 29, 2015, 2:55 p.m.)
>
>
> Review request for Ambari, John Speidel, Nate Cole, Robert Nettleton, and Tom Beerbower.
>
>
> Bugs: AMBARI-9385
> https://issues.apache.org/jira/browse/AMBARI-9385
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Create API entry point to initiate Kerberos keytab regeneration for the cluster:
> ```
> PUT /api/v1/clusters/{clustername}?kerberos_regenerate_keytabs=true
> ```
>
> The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
> # Update Principal Passwords
> # Generate Keytabs
> # Distribute Keytab
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 9b744d0
> ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java e867f99
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 6bb9bf1
> ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java 1a66cd9
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e976d81
>
> Diff: https://reviews.apache.org/r/30415/diff/
>
>
> Testing
> -------
>
> Manually tested in cluster again MIT KDC (Active Directory pending)
> Updated unit tests
>
> # Jenkins test results
> Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
> Tests run: 30, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.099 sec
>
> Running org.apache.ambari.server.controller.KerberosHelperTest
> Tests run: 16, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.626 sec
>
> Ambari-server test results
> Tests run: 2631, Failures: 0, Errors: 0, Skipped: 15
>
> **Note: Python tests are broken on the trunk, unrelated to this change**
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 30415: Implement Keytab regeneration
Posted by John Speidel <js...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30415/#review70359
-----------------------------------------------------------
Ship it!
Ship It!
- John Speidel
On Jan. 30, 2015, 2:24 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30415/
> -----------------------------------------------------------
>
> (Updated Jan. 30, 2015, 2:24 p.m.)
>
>
> Review request for Ambari, John Speidel, Nate Cole, Robert Nettleton, and Tom Beerbower.
>
>
> Bugs: AMBARI-9385
> https://issues.apache.org/jira/browse/AMBARI-9385
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Create API entry point to initiate Kerberos keytab regeneration for the cluster:
> ```
> PUT /api/v1/clusters/{clustername}?regenerate_keytabs=true
> {
> "Clusters" : {
> "security_type" : "KERBEROS"
> }
> }
> ```
>
> The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
> # Update Principal Passwords
> # Generate Keytabs
> # Distribute Keytab
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 9b744d0
> ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java e867f99
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 6bb9bf1
> ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java 1a66cd9
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e976d81
>
> Diff: https://reviews.apache.org/r/30415/diff/
>
>
> Testing
> -------
>
> Manually tested in cluster again MIT KDC (Active Directory pending)
> Updated unit tests
>
> # Jenkins test results
> Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
> Tests run: 30, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.099 sec
>
> Running org.apache.ambari.server.controller.KerberosHelperTest
> Tests run: 16, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.626 sec
>
> Ambari-server test results
> Tests run: 2631, Failures: 0, Errors: 0, Skipped: 15
>
> **Note: Python tests are broken on the trunk, unrelated to this change**
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 30415: Implement Keytab regeneration
Posted by Tom Beerbower <tb...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30415/#review70361
-----------------------------------------------------------
Ship it!
- Tom Beerbower
On Jan. 30, 2015, 2:24 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30415/
> -----------------------------------------------------------
>
> (Updated Jan. 30, 2015, 2:24 p.m.)
>
>
> Review request for Ambari, John Speidel, Nate Cole, Robert Nettleton, and Tom Beerbower.
>
>
> Bugs: AMBARI-9385
> https://issues.apache.org/jira/browse/AMBARI-9385
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Create API entry point to initiate Kerberos keytab regeneration for the cluster:
> ```
> PUT /api/v1/clusters/{clustername}?regenerate_keytabs=true
> {
> "Clusters" : {
> "security_type" : "KERBEROS"
> }
> }
> ```
>
> The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
> # Update Principal Passwords
> # Generate Keytabs
> # Distribute Keytab
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 9b744d0
> ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java e867f99
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 6bb9bf1
> ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java 1a66cd9
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e976d81
>
> Diff: https://reviews.apache.org/r/30415/diff/
>
>
> Testing
> -------
>
> Manually tested in cluster again MIT KDC (Active Directory pending)
> Updated unit tests
>
> # Jenkins test results
> Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
> Tests run: 30, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.099 sec
>
> Running org.apache.ambari.server.controller.KerberosHelperTest
> Tests run: 16, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.626 sec
>
> Ambari-server test results
> Tests run: 2631, Failures: 0, Errors: 0, Skipped: 15
>
> **Note: Python tests are broken on the trunk, unrelated to this change**
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 30415: Implement Keytab regeneration
Posted by Nate Cole <nc...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30415/#review70358
-----------------------------------------------------------
Ship it!
Ship It!
- Nate Cole
On Jan. 30, 2015, 9:24 a.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30415/
> -----------------------------------------------------------
>
> (Updated Jan. 30, 2015, 9:24 a.m.)
>
>
> Review request for Ambari, John Speidel, Nate Cole, Robert Nettleton, and Tom Beerbower.
>
>
> Bugs: AMBARI-9385
> https://issues.apache.org/jira/browse/AMBARI-9385
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Create API entry point to initiate Kerberos keytab regeneration for the cluster:
> ```
> PUT /api/v1/clusters/{clustername}?regenerate_keytabs=true
> {
> "Clusters" : {
> "security_type" : "KERBEROS"
> }
> }
> ```
>
> The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
> # Update Principal Passwords
> # Generate Keytabs
> # Distribute Keytab
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 9b744d0
> ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java e867f99
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 6bb9bf1
> ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java 1a66cd9
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e976d81
>
> Diff: https://reviews.apache.org/r/30415/diff/
>
>
> Testing
> -------
>
> Manually tested in cluster again MIT KDC (Active Directory pending)
> Updated unit tests
>
> # Jenkins test results
> Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
> Tests run: 30, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.099 sec
>
> Running org.apache.ambari.server.controller.KerberosHelperTest
> Tests run: 16, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.626 sec
>
> Ambari-server test results
> Tests run: 2631, Failures: 0, Errors: 0, Skipped: 15
>
> **Note: Python tests are broken on the trunk, unrelated to this change**
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 30415: Implement Keytab regeneration
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30415/
-----------------------------------------------------------
(Updated Jan. 30, 2015, 9:24 a.m.)
Review request for Ambari, John Speidel, Nate Cole, Robert Nettleton, and Tom Beerbower.
Bugs: AMBARI-9385
https://issues.apache.org/jira/browse/AMBARI-9385
Repository: ambari
Description (updated)
-------
Create API entry point to initiate Kerberos keytab regeneration for the cluster:
```
PUT /api/v1/clusters/{clustername}?regenerate_keytabs=true
{
"Clusters" : {
"security_type" : "KERBEROS"
}
}
```
The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
# Update Principal Passwords
# Generate Keytabs
# Distribute Keytab
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 9b744d0
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java e867f99
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 6bb9bf1
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java 1a66cd9
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e976d81
Diff: https://reviews.apache.org/r/30415/diff/
Testing
-------
Manually tested in cluster again MIT KDC (Active Directory pending)
Updated unit tests
# Jenkins test results
Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
Tests run: 30, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.099 sec
Running org.apache.ambari.server.controller.KerberosHelperTest
Tests run: 16, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.626 sec
Ambari-server test results
Tests run: 2631, Failures: 0, Errors: 0, Skipped: 15
**Note: Python tests are broken on the trunk, unrelated to this change**
Thanks,
Robert Levas
Re: Review Request 30415: Implement Keytab regeneration
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30415/
-----------------------------------------------------------
(Updated Jan. 30, 2015, 9:20 a.m.)
Review request for Ambari, John Speidel, Nate Cole, Robert Nettleton, and Tom Beerbower.
Bugs: AMBARI-9385
https://issues.apache.org/jira/browse/AMBARI-9385
Repository: ambari
Description (updated)
-------
Create API entry point to initiate Kerberos keytab regeneration for the cluster:
```
PUT /api/v1/clusters/{clustername}?kerberos_regenerate_keytabs=true
{
"Clusters" : {
"security_type" : "KERBEROS"
}
}
```
The entry point should invoke code to determine which principals need to be updated and then generate the following stages:
# Update Principal Passwords
# Generate Keytabs
# Distribute Keytab
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/api/resources/ClusterResourceDefinition.java 9b744d0
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java e867f99
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 6bb9bf1
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java 1a66cd9
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e976d81
Diff: https://reviews.apache.org/r/30415/diff/
Testing
-------
Manually tested in cluster again MIT KDC (Active Directory pending)
Updated unit tests
# Jenkins test results
Running org.apache.ambari.server.controller.AmbariManagementControllerImplTest
Tests run: 30, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.099 sec
Running org.apache.ambari.server.controller.KerberosHelperTest
Tests run: 16, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.626 sec
Ambari-server test results
Tests run: 2631, Failures: 0, Errors: 0, Skipped: 15
**Note: Python tests are broken on the trunk, unrelated to this change**
Thanks,
Robert Levas