You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "John Speidel (JIRA)" <ji...@apache.org> on 2015/02/14 01:10:11 UTC

[jira] [Created] (AMBARI-9640) Allow the KDC admin credentials stored in session to be validated via the REST API

John Speidel created AMBARI-9640:
------------------------------------

             Summary: Allow the KDC admin credentials stored in session to be validated via the REST API
                 Key: AMBARI-9640
                 URL: https://issues.apache.org/jira/browse/AMBARI-9640
             Project: Ambari
          Issue Type: Task
          Components: ambari-server, security
            Reporter: John Speidel
            Assignee: John Speidel
            Priority: Critical
             Fix For: 2.0.0


Based on my conversation with [~rlevas] I understand that the UI wants an api that indicates whether the kdc admin credentials are set in session at the time of the call and that they are valid.  

Based on this requirement I am proposing adding this information as part of the kerberos service.
Specifically, the properties, "Services/attributes/kdc_validation_result" and "Services/attributes/kdc_validation_failure_details" will be added to the response.

GET api/v1/clusters/c1/services/KERBEROS
{code}
{
  "href" : "http://172.18.192.1:8080/api/v1/clusters/c1/services/KERBEROS",
  "ServiceInfo" : {
    "cluster_name" : "c1",
    "maintenance_state" : "OFF",
    "service_name" : "KERBEROS",
    "state" : "INSTALLED"
  },
  "Services" : {
    "attributes" : {
      "kdc_validation_result" : "OK"
    }
  }
}
{code}

In the case of missing credentials:
{code}
{
   ...
   "Services" : {
    "attributes" : {
      "kdc_validation_result" : "MISSING_CREDENTIALS",
      "kdc_validation_failure_details" : "Missing KDC administrator credentials.\nThe KDC administrator credentials must be set in session by updating the relevant Cluster resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the following payload:\n{\n  \"session_attributes\" : {\n    \"kerberos_admin\" : {\"principal\" : \"(PRINCIPAL)\", \"password\" : \"(PASSWORD)\"}\n  }\n}"
    }
  }
}
{code}

For invalid credentials:
{code}
{
   ...
   "Services" : {
    "attributes" : {
      "kdc_validation_result" : "INVALID_CREDENTIALS",
      "kdc_validation_failure_details" : "Invalid KDC administrator credentials.\nThe KDC administrator credentials must be set in session by updating the relevant Cluster resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the following payload:\n{\n  \"session_attributes\" : {\n    \"kerberos_admin\" : {\"principal\" : \"(PRINCIPAL)\", \"password\" : \"(PASSWORD)\"}\n  }\n}"
    }
  }
}
{code}

For bad configuration:
{code}
{
   ...
   "Services" : {
    "attributes" : {
      "kdc_validation_result" : "INVALID_CONFIGURATION",
      "kdc_validation_failure_details" : "The 'kerberos-env/kdc_type' value must be set to a valid KDC type"
    }
  }
}
{code}

And for all other errors:
{code}
{
   ...
   "Services" : {
    "attributes" : {
      "kdc_validation_result" : "VALIDATION_ERROR",
      "kdc_validation_failure_details" : "..."
    }
  }
}
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)