You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by "Yusaku Sako (JIRA)" <ji...@apache.org> on 2015/09/15 00:19:46 UTC

[jira] [Updated] (AMBARI-9981) Ambari storm logviewer in secure mode doesn't work

     [ https://issues.apache.org/jira/browse/AMBARI-9981?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yusaku Sako updated AMBARI-9981:
--------------------------------
    Assignee: Robert Levas

> Ambari storm logviewer in secure mode doesn't work
> --------------------------------------------------
>
>                 Key: AMBARI-9981
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9981
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos
>         Attachments: AMBARI-9981_01.patch
>
>
> Storm logviewer uses the same UI.filter config thats being used for Storm UI.
> In secure mode storm UI uses SPENGO to authenticate user to access the UI.
> Similarly logviewer also does the same .
> But in Ambari 1.7 we advise user to create HTTP/storm-ui@REALM and this gets added to storm.yaml.
> As this is bound to a host storm logviewers which are running one per supervisor won't be able to use this key .
> Solution:
> There is a configuration problem in the {{/etc/storm/conf/storm.yaml}} file.  In particular the issue is here:
> {code:title=/etc/storm/conf/storm.yaml:109}
> ui.filter.params:
>   "type": "kerberos"
>   "kerberos.principal": "HTTP/host-2.internal@EXAMPLE.COM"
>   "kerberos.keytab": "/etc/security/keytabs/spnego.service.keytab"
>   "kerberos.name.rules": "DEFAULT"
> {code}
> The {{kerberos.principal}} value should be the SPNEGO principal for the localhost, not the host where the UI server is running.  In this example, the localhost is *host-4.internal*  so the {{kerberos.principal}} value should be *HTTP/host-4.internal@EXAMPLE.COM* not *HTTP/host-2.internal@EXAMPLE.COM*.  The Storm UI server is running on *host-2.internal*
> The fix for this should be in the code around 
> {code:title=common-services/STORM/0.9.1.2.1/package/scripts/params.py:103} 
>     _storm_ui_jaas_principal_name = config['configurations']['storm-env']['storm_ui_principal_name']
>     storm_ui_host = default("/clusterHostInfo/storm_ui_server_hosts", [])
>     storm_ui_jaas_principal = _storm_ui_jaas_principal_name.replace('_HOST',storm_ui_host[0].lower())
> {code}
> {{storm_ui_jaas_principal}} is then used in the template to build the storm.yaml file.  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)