Posted to issues@ambari.apache.org by "Sean Roberts (JIRA)" <ji...@apache.org> on 2018/01/02 13:32:01 UTC

[jira] [Updated] (AMBARI-22715) Kafka broken by auth_to_local rules when case_insensitive_username_rules=true

     [ https://issues.apache.org/jira/browse/AMBARI-22715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Roberts updated AMBARI-22715:
----------------------------------
    Description: 
https://issues.apache.org/jira/browse/AMBARI-22715

Kafka brokers will fail to start when Kerberos is set with:
case_insensitive_username_rules=true

This is due to Kafka not supporting the lower case (/L) functionality.

How to reproduce:
1. Deploy a cluster which includes Kafka
2. Kerberize cluster
3. Ensure the following is set in 'kerberos-env':
{code}
case_insensitive_username_rules=true
manage_auth_to_local=true
{code}
4. Start Kafka brokers
5. They will fail to start.

This is due to Kafka not supporting lowercase rules ("/L" rules).

Note the /Ls in the configuration which Ambari applied:

{code}
"sasl.kerberos.principal.to.local.rules" : "RULE:[1:$1@$0](ambari-qa-mytestcluster@CLUSTER.TEST.COM)s/.*/ambari-qa/,RULE:[1:$1@$0](hbase-mytestcluster@CLUSTER.TEST.COM)s/.*/hbase/,RULE:[1:$1@$0](hdfs-mytestcluster@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[1:$1@$0](spark-mytestcluster@CLUSTER.TEST.COM)s/.*/spark/,RULE:[1:$1@$0](zeppelin-mytestcluster@CLUSTER.TEST.COM)s/.*/zeppelin/,RULE:[1:$1@$0](.*@CLUSTER.TEST.COM)s/@.*///L,RULE:[2:$1@$0](activity_analyzer@CLUSTER.TEST.COM)s/.*/activity_analyzer/,RULE:[2:$1@$0](activity_explorer@CLUSTER.TEST.COM)s/.*/activity_explorer/,RULE:[2:$1@$0](amshbase@CLUSTER.TEST.COM)s/.*/ams/,RULE:[2:$1@$0](amszk@CLUSTER.TEST.COM)s/.*/ams/,RULE:[2:$1@$0](atlas@CLUSTER.TEST.COM)s/.*/atlas/,RULE:[2:$1@$0](dn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](hbase@CLUSTER.TEST.COM)s/.*/hbase/,RULE:[2:$1@$0](hive@CLUSTER.TEST.COM)s/.*/hive/,RULE:[2:$1@$0](jhs@CLUSTER.TEST.COM)s/.*/mapred/,RULE:[2:$1@$0](jn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](knox@CLUSTER.TEST.COM)s/.*/knox/,RULE:[2:$1@$0](livy@CLUSTER.TEST.COM)s/.*/livy/,RULE:[2:$1@$0](nm@CLUSTER.TEST.COM)s/.*/yarn/,RULE:[2:$1@$0](nn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](oozie@CLUSTER.TEST.COM)s/.*/oozie/,RULE:[2:$1@$0](rangeradmin@CLUSTER.TEST.COM)s/.*/ranger/,RULE:[2:$1@$0](rangerkms@CLUSTER.TEST.COM)s/.*/keyadmin/,RULE:[2:$1@$0](rangertagsync@CLUSTER.TEST.COM)s/.*/rangertagsync/,RULE:[2:$1@$0](rangerusersync@CLUSTER.TEST.COM)s/.*/rangerusersync/,RULE:[2:$1@$0](rm@CLUSTER.TEST.COM)s/.*/yarn/,RULE:[2:$1@$0](yarn@CLUSTER.TEST.COM)s/.*/yarn/,DEFAULT",
{code}

  was:
Kafka brokers will fail to start when Kerberos is set with:
case_insensitive_username_rules=true

This is due to Kafka not supporting the lower case (/L) functionality.

How to reproduce:
1. Deploy a cluster which includes Kafka
2. Kerberize cluster
3. Ensure the following is set in 'kerberos-env':
{code}
case_insensitive_username_rules=true
manage_auth_to_local=true
{code}
4. Start Kafka brokers
5. They will fail due to "/L" rules in 'kafka-broker: sasl.kerberos.principal.to.local.rules'



> Kafka broken by auth_to_local rules when case_insensitive_username_rules=true
> -----------------------------------------------------------------------------
>
>                 Key: AMBARI-22715
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22715
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Sean Roberts
>
> https://issues.apache.org/jira/browse/AMBARI-22715
> Kafka brokers will fail to start when Kerberos is set with:
> case_insensitive_username_rules=true
> This is due to Kafka not supporting the lower case (/L) functionality.
> How to reproduce:
> 1. Deploy a cluster which includes Kafka
> 2. Kerberize cluster
> 3. Ensure the following is set in 'kerberos-env':
> {code}
> case_insensitive_username_rules=true
> manage_auth_to_local=true
> {code}
> 4. Start Kafka brokers
> 5. They will fail to start.
> This is due to Kafka not supporting lowercase rules ("/L" rules).
> Note the /Ls in the configuration which Ambari applied:
> {code}
> "sasl.kerberos.principal.to.local.rules" : "RULE:[1:$1@$0](ambari-qa-mytestcluster@CLUSTER.TEST.COM)s/.*/ambari-qa/,RULE:[1:$1@$0](hbase-mytestcluster@CLUSTER.TEST.COM)s/.*/hbase/,RULE:[1:$1@$0](hdfs-mytestcluster@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[1:$1@$0](spark-mytestcluster@CLUSTER.TEST.COM)s/.*/spark/,RULE:[1:$1@$0](zeppelin-mytestcluster@CLUSTER.TEST.COM)s/.*/zeppelin/,RULE:[1:$1@$0](.*@CLUSTER.TEST.COM)s/@.*///L,RULE:[2:$1@$0](activity_analyzer@CLUSTER.TEST.COM)s/.*/activity_analyzer/,RULE:[2:$1@$0](activity_explorer@CLUSTER.TEST.COM)s/.*/activity_explorer/,RULE:[2:$1@$0](amshbase@CLUSTER.TEST.COM)s/.*/ams/,RULE:[2:$1@$0](amszk@CLUSTER.TEST.COM)s/.*/ams/,RULE:[2:$1@$0](atlas@CLUSTER.TEST.COM)s/.*/atlas/,RULE:[2:$1@$0](dn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](hbase@CLUSTER.TEST.COM)s/.*/hbase/,RULE:[2:$1@$0](hive@CLUSTER.TEST.COM)s/.*/hive/,RULE:[2:$1@$0](jhs@CLUSTER.TEST.COM)s/.*/mapred/,RULE:[2:$1@$0](jn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](knox@CLUSTER.TEST.COM)s/.*/knox/,RULE:[2:$1@$0](livy@CLUSTER.TEST.COM)s/.*/livy/,RULE:[2:$1@$0](nm@CLUSTER.TEST.COM)s/.*/yarn/,RULE:[2:$1@$0](nn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](oozie@CLUSTER.TEST.COM)s/.*/oozie/,RULE:[2:$1@$0](rangeradmin@CLUSTER.TEST.COM)s/.*/ranger/,RULE:[2:$1@$0](rangerkms@CLUSTER.TEST.COM)s/.*/keyadmin/,RULE:[2:$1@$0](rangertagsync@CLUSTER.TEST.COM)s/.*/rangertagsync/,RULE:[2:$1@$0](rangerusersync@CLUSTER.TEST.COM)s/.*/rangerusersync/,RULE:[2:$1@$0](rm@CLUSTER.TEST.COM)s/.*/yarn/,RULE:[2:$1@$0](yarn@CLUSTER.TEST.COM)s/.*/yarn/,DEFAULT",
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
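
A pre-start check for the condition this issue describes, as an added example that is not part of the original message or of Ambari's or Kafka's code: it parses a `sasl.kerberos.principal.to.local.rules` value and lists the rules that carry the `/L` suffix. The rule grammar is inferred from the rule strings in the report, `parse_rules` and `lowercase_rules` are hypothetical names, and the sample value is a shortened excerpt of the configuration quoted above.

```python
import re

# Grammar inferred from the rules shown in the report (assumption):
#   RULE:[n:format](match)s/pattern/replacement/[g][/L]   or   DEFAULT
# Parsing structurally (not value.split(",")) keeps commas inside a
# (match) expression from being mistaken for rule separators.
RULE_RE = re.compile(
    r"\s*(?P<text>(?P<default>DEFAULT)|RULE:\[(?P<n>\d*):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<match>[^)]*)\))?"
    r"(?:s/(?P<pat>[^/]*)/(?P<repl>[^/]*)/(?P<g>g)?)?"
    r"(?P<lower>/L)?)\s*(?:,|$)"
)

def parse_rules(value):
    """Return one dict per rule; raise ValueError on text that is not a rule."""
    rules, pos = [], 0
    while pos < len(value):
        m = RULE_RE.match(value, pos)
        if m is None:
            raise ValueError(f"unparseable rule at offset {pos}: {value[pos:pos + 40]!r}")
        rules.append(m.groupdict())
        pos = m.end()
    return rules

def lowercase_rules(value):
    """Rules ending in /L, the form the report says Kafka does not support."""
    return [r["text"] for r in parse_rules(value) if r["lower"]]

# Shortened excerpt of the value quoted in the report.
SAMPLE = (
    r"RULE:[1:$1@$0](ambari-qa-mytestcluster@CLUSTER.TEST.COM)s/.*/ambari-qa/,"
    r"RULE:[1:$1@$0](.*@CLUSTER.TEST.COM)s/@.*///L,"
    r"RULE:[2:$1@$0](nn@CLUSTER.TEST.COM)s/.*/hdfs/,"
    r"DEFAULT"
)

if __name__ == "__main__":
    flagged = lowercase_rules(SAMPLE)
    for rule in flagged:
        print("lowercase (/L) rule:", rule)
    raise SystemExit(1 if flagged else 0)
```

Removing the `/L` suffix from a flagged rule changes the mapping, since mixed-case principals then keep their case in the local user name, so any ACLs keyed on lowercased names need review alongside it.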