Posted to issues@ambari.apache.org by "Andrii Tkach (JIRA)" <ji...@apache.org> on 2018/05/02 12:36:00 UTC
[jira] [Reopened] (AMBARI-23690) The UI should ignore Kerberos
identity references when setting the user-supplied Kerberos descriptor
[ https://issues.apache.org/jira/browse/AMBARI-23690?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrii Tkach reopened AMBARI-23690:
-----------------------------------
The fix does not seem to work when adding new services.
> The UI should ignore Kerberos identity references when setting the user-supplied Kerberos descriptor
> ----------------------------------------------------------------------------------------------------
>
> Key: AMBARI-23690
> URL: https://issues.apache.org/jira/browse/AMBARI-23690
> Project: Ambari
> Issue Type: Bug
> Components: ambari-web
> Affects Versions: 2.7.0
> Reporter: Andrii Tkach
> Assignee: Andrii Tkach
> Priority: Critical
> Labels: pull-request-available
> Fix For: 2.7.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> The UI should ignore Kerberos identity references when setting the user-supplied Kerberos descriptor.
> For example, any Kerberos identity entry that contains a "reference" attribute should not be added to the JSON data stored in the cluster artifact table, which represents the _user-supplied_ Kerberos descriptor.
> Currently, there are a few errors in the current process:
> *Variables are being replaced*
> {code}
> {
>   "keytab": {
>     "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-keytab-file",
>     "file": "/etc/security/keytabs/spnego.service.keytab"
>   },
>   "name": "mapreduce2_historyserver_spnego",
>   "principal": {
>     "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal",
>     "local_username": null,
>     "type": null,
>     "value": "HTTP/_HOST@EXAMPLE.COM"
>   },
>   "reference": "/spnego"
> }
> {code}
> This should be
> {code}
> {
>   "keytab": {
>     "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-keytab-file",
>     "file": "${keytab_dir}/spnego.service.keytab"
>   },
>   "name": "mapreduce2_historyserver_spnego",
>   "principal": {
>     "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal",
>     "local_username": null,
>     "type": null,
>     "value": "HTTP/_HOST@EXAMPLE.COM"
>   },
>   "reference": "/spnego"
> }
> {code}
> But really should be
> {code}
> {
>   "keytab": {
>     "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-keytab-file"
>   },
>   "name": "mapreduce2_historyserver_spnego",
>   "principal": {
>     "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
>   },
>   "reference": "/spnego"
> }
> {code}
> *Incorrect variable replacement*
> Some replacement issue has occurred where the keytab _file_ and the principal _name_ values have been swapped:
> {code}
> {
>   "keytab": {
>     "configuration": "hive-site/hive.server2.authentication.spnego.keytab",
>     "file": "HTTP/_HOST@EXAMPLE.COM"
>   },
>   "name": "hive_hive_server_spnego",
>   "principal": {
>     "configuration": "hive-site/hive.server2.authentication.spnego.principal",
>     "local_username": null,
>     "type": null,
>     "value": "/etc/security/keytabs/spnego.service.keytab"
>   },
>   "reference": "/spnego"
> },
> {code}
> An error that resulted from this occurred while installing Hive into a cluster where Kerberos was enabled:
> {noformat}
> 2018-04-18 19:30:24,557 - Failed to create principal, /etc/security/keytabs/spnego.service.keytab - Failed to create service principal for /etc/security/keytabs/spnego.service.keytab
> STDOUT: Authenticating as principal admin/admin@EXAMPLE.COM with existing credentials.
> Principal "/etc/security/keytabs/spnego.service.keytab@EXAMPLE.COM" created.
> STDERR: WARNING: no policy specified for /etc/security/keytabs/spnego.service.keytab@EXAMPLE.COM; defaulting to no policy
> Administration credentials NOT DESTROYED.
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
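
The two checks the issue describes, as an added example that is not part of the original message and not Ambari's own code: dropping identity entries that carry a "reference" attribute before a user-supplied descriptor is stored, and flagging entries whose keytab file and principal value look swapped. The function names, the assumed descriptor layout (`identities` arrays at the top level and under services and components) and the sample data are assumptions made for illustration.

```javascript
'use strict';
// Added example. Layout assumed: "identities" arrays at top level, per service, per component.

// Return a copy of the descriptor without identity entries that carry "reference".
function stripReferencedIdentities(node) {
  if (Array.isArray(node)) return node.map(stripReferencedIdentities);
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    out[key] = key === 'identities' && Array.isArray(value)
      ? value.filter(id => !(id && typeof id === 'object' && 'reference' in id))
      : stripReferencedIdentities(value);
  }
  return out;
}

// Names of identities whose values look swapped: principal is a path, or
// keytab file looks like a principal (has "@" and is not a path or ${variable}).
function findSwappedIdentities(node, found = []) {
  if (Array.isArray(node)) { node.forEach(n => findSwappedIdentities(n, found)); return found; }
  if (node === null || typeof node !== 'object') return found;
  for (const id of Array.isArray(node.identities) ? node.identities : []) {
    if (!id || typeof id !== 'object') continue;
    const principal = id.principal && id.principal.value;
    const file = id.keytab && id.keytab.file;
    const principalIsPath = typeof principal === 'string' && /^(\/|\$\{keytab_dir\})/.test(principal);
    const fileIsPrincipal = typeof file === 'string' && file.includes('@') && !/^(\/|\$\{)/.test(file);
    if (principalIsPath || fileIsPrincipal) found.push(id.name);
  }
  Object.values(node).forEach(v => findSwappedIdentities(v, found));
  return found;
}

// Constructed sample: the swapped Hive entry uses the values shown in the report;
// service/component names and the other identities are made up for the example.
const sample = {
  identities: [{ name: 'spnego', principal: { value: 'HTTP/_HOST@${realm}' },
                 keytab: { file: '${keytab_dir}/spnego.service.keytab' } }],
  services: [{ name: 'HIVE', components: [{ name: 'HIVE_SERVER', identities: [
    { name: 'hive_hive_server_spnego', reference: '/spnego',
      principal: { value: '/etc/security/keytabs/spnego.service.keytab' },
      keytab: { file: 'HTTP/_HOST@EXAMPLE.COM' } },
    { name: 'hive_server_hive', principal: { value: 'hive/_HOST@${realm}' },
      keytab: { file: '${keytab_dir}/hive.service.keytab' } }] }] }]
};

console.log(findSwappedIdentities(sample));
console.log(JSON.stringify(stripReferencedIdentities(sample), null, 2));
```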