You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Sean Roberts (JIRA)" <ji...@apache.org> on 2018/01/02 13:32:01 UTC
[jira] [Updated] (AMBARI-22715) Kafka broken by auth_to_local rules
when case_insensitive_username_rules=true
[ https://issues.apache.org/jira/browse/AMBARI-22715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Roberts updated AMBARI-22715:
----------------------------------
Description:
https://issues.apache.org/jira/browse/AMBARI-22715
Kafka brokers will fail to start when Kerberos is set with:
case_insensitive_username_rules=true
This is due to Kafka not supporting the lower case (/L) functionality.
How to reproduce:
1. Deploy a cluster which includes Kafka
2. Kerberize cluster
3. Ensure following is set in 'kerberos-env':
{code}
case_insensitive_username_rules=true
manage_auth_to_local=true
{code}
4. Start Kafka brokers
5. They will fail to start.
This is due to Kafka not supporting lowercase rules ("/L)" rules.
Note the /Ls in the configuration which Ambari applied:
{code}
"sasl.kerberos.principal.to.local.rules" : "RULE:[1:$1@$0](ambari-qa-mytestcluster@CLUSTER.TEST.COM)s/.*/ambari-qa/,RULE:[1:$1@$0](hbase-mytestcluster@CLUSTER.TEST.COM)s/.*/hbase/,RULE:[1:$1@$0](hdfs-mytestcluster@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[1:$1@$0](spark-mytestcluster@CLUSTER.TEST.COM)s/.*/spark/,RULE:[1:$1@$0](zeppelin-mytestcluster@CLUSTER.TEST.COM)s/.*/zeppelin/,RULE:[1:$1@$0](.*@CLUSTER.TEST.COM)s/@.*///L,RULE:[2:$1@$0](activity_analyzer@CLUSTER.TEST.COM)s/.*/activity_analyzer/,RULE:[2:$1@$0](activity_explorer@CLUSTER.TEST.COM)s/.*/activity_explorer/,RULE:[2:$1@$0](amshbase@CLUSTER.TEST.COM)s/.*/ams/,RULE:[2:$1@$0](amszk@CLUSTER.TEST.COM)s/.*/ams/,RULE:[2:$1@$0](atlas@CLUSTER.TEST.COM)s/.*/atlas/,RULE:[2:$1@$0](dn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](hbase@CLUSTER.TEST.COM)s/.*/hbase/,RULE:[2:$1@$0](hive@CLUSTER.TEST.COM)s/.*/hive/,RULE:[2:$1@$0](jhs@CLUSTER.TEST.COM)s/.*/mapred/,RULE:[2:$1@$0](jn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](knox@CLUSTER.TEST.COM)s/.*/knox/,RULE:[2:$1@$0](livy@CLUSTER.TEST.COM)s/.*/livy/,RULE:[2:$1@$0](nm@CLUSTER.TEST.COM)s/.*/yarn/,RULE:[2:$1@$0](nn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](oozie@CLUSTER.TEST.COM)s/.*/oozie/,RULE:[2:$1@$0](rangeradmin@CLUSTER.TEST.COM)s/.*/ranger/,RULE:[2:$1@$0](rangerkms@CLUSTER.TEST.COM)s/.*/keyadmin/,RULE:[2:$1@$0](rangertagsync@CLUSTER.TEST.COM)s/.*/rangertagsync/,RULE:[2:$1@$0](rangerusersync@CLUSTER.TEST.COM)s/.*/rangerusersync/,RULE:[2:$1@$0](rm@CLUSTER.TEST.COM)s/.*/yarn/,RULE:[2:$1@$0](yarn@CLUSTER.TEST.COM)s/.*/yarn/,DEFAULT",
{code}
was:
Kafka brokers will fail to start when Kerberos is set with:
case_insensitive_username_rules=true
This is due to Kafka not supporting the lower case (/L) functionality.
How to reproduce:
1. Deploy a cluster which includes Kafka
2. Kerberize cluster
3. Ensure following is set in 'kerberos-env':
{code}
case_insensitive_username_rules=true
manage_auth_to_local=true
{code}
4. Start Kafka brokers
5. They will fail due to "/L" rules in 'kafka-broker: sasl.kerberos.principal.to.local.rules'
> Kafka broken by auth_to_local rules when case_insensitive_username_rules=true
> -----------------------------------------------------------------------------
>
> Key: AMBARI-22715
> URL: https://issues.apache.org/jira/browse/AMBARI-22715
> Project: Ambari
> Issue Type: Bug
> Reporter: Sean Roberts
>
> https://issues.apache.org/jira/browse/AMBARI-22715
> Kafka brokers will fail to start when Kerberos is set with:
> case_insensitive_username_rules=true
> This is due to Kafka not supporting the lower case (/L) functionality.
> How to reproduce:
> 1. Deploy a cluster which includes Kafka
> 2. Kerberize cluster
> 3. Ensure following is set in 'kerberos-env':
> {code}
> case_insensitive_username_rules=true
> manage_auth_to_local=true
> {code}
> 4. Start Kafka brokers
> 5. They will fail to start.
> This is due to Kafka not supporting lowercase rules ("/L)" rules.
> Note the /Ls in the configuration which Ambari applied:
> {code}
> "sasl.kerberos.principal.to.local.rules" : "RULE:[1:$1@$0](ambari-qa-mytestcluster@CLUSTER.TEST.COM)s/.*/ambari-qa/,RULE:[1:$1@$0](hbase-mytestcluster@CLUSTER.TEST.COM)s/.*/hbase/,RULE:[1:$1@$0](hdfs-mytestcluster@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[1:$1@$0](spark-mytestcluster@CLUSTER.TEST.COM)s/.*/spark/,RULE:[1:$1@$0](zeppelin-mytestcluster@CLUSTER.TEST.COM)s/.*/zeppelin/,RULE:[1:$1@$0](.*@CLUSTER.TEST.COM)s/@.*///L,RULE:[2:$1@$0](activity_analyzer@CLUSTER.TEST.COM)s/.*/activity_analyzer/,RULE:[2:$1@$0](activity_explorer@CLUSTER.TEST.COM)s/.*/activity_explorer/,RULE:[2:$1@$0](amshbase@CLUSTER.TEST.COM)s/.*/ams/,RULE:[2:$1@$0](amszk@CLUSTER.TEST.COM)s/.*/ams/,RULE:[2:$1@$0](atlas@CLUSTER.TEST.COM)s/.*/atlas/,RULE:[2:$1@$0](dn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](hbase@CLUSTER.TEST.COM)s/.*/hbase/,RULE:[2:$1@$0](hive@CLUSTER.TEST.COM)s/.*/hive/,RULE:[2:$1@$0](jhs@CLUSTER.TEST.COM)s/.*/mapred/,RULE:[2:$1@$0](jn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](knox@CLUSTER.TEST.COM)s/.*/knox/,RULE:[2:$1@$0](livy@CLUSTER.TEST.COM)s/.*/livy/,RULE:[2:$1@$0](nm@CLUSTER.TEST.COM)s/.*/yarn/,RULE:[2:$1@$0](nn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](oozie@CLUSTER.TEST.COM)s/.*/oozie/,RULE:[2:$1@$0](rangeradmin@CLUSTER.TEST.COM)s/.*/ranger/,RULE:[2:$1@$0](rangerkms@CLUSTER.TEST.COM)s/.*/keyadmin/,RULE:[2:$1@$0](rangertagsync@CLUSTER.TEST.COM)s/.*/rangertagsync/,RULE:[2:$1@$0](rangerusersync@CLUSTER.TEST.COM)s/.*/rangerusersync/,RULE:[2:$1@$0](rm@CLUSTER.TEST.COM)s/.*/yarn/,RULE:[2:$1@$0](yarn@CLUSTER.TEST.COM)s/.*/yarn/,DEFAULT",
> {code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)