You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/01/27 23:39:58 UTC

Review Request 30333: Remove toLowerCase() from userPrincipalName in default Kerberos principal create template

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30333/
-----------------------------------------------------------

Review request for Ambari, Jaimin Jetly and Yusaku Sako.


Bugs: AMBARI-9295
    https://issues.apache.org/jira/browse/AMBARI-9295


Repository: ambari


Description
-------

Remove toLowerCase() from userPrincipalName in default Kerberos principal create template. This is creating an issue with principals that have upper-cased characters and Active Directory such that when kinit-ing, authenticating fails:

#kinit -V -k -t /etc/security/keytabs/spnego.service.keytab
```
HTTP/c6501.ambari.apache.org
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/c6501.ambari.apache.org@HDP01.LOCAL
Using keytab: /etc/security/keytabs/spnego.service.keytab
kinit: Preauthentication failed while getting initial credentials
```
An example of the offending template is as follows:
#From kerberos-env.xml
```
{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal.toLowerCase()",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}
```


Diffs
-----

  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java 839a82a 
  ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml d37e736 
  ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java 8d2a3c4 

Diff: https://reviews.apache.org/r/30333/diff/


Testing
-------

Manually tested in test cluster using Active Directory as KDC and including Hive.

# Jenkins test results

Running org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandlerTest
Tests run: 10, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 0.731 sec

Ambari server test suite
Tests run: 2616, Failures: 0, Errors: 0, Skipped: 15

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:01 h
[INFO] Finished at: 2015-01-27T22:05:59+00:00
[INFO] Final Memory: 44M/541M
[INFO] ------------------------------------------------------------------------


Thanks,

Robert Levas

Re: Review Request 30333: Remove toLowerCase() from userPrincipalName in default Kerberos principal create template

Posted by Yusaku Sako <yu...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30333/#review70014
-----------------------------------------------------------

Ship it!


Ship It!

- Yusaku Sako


On Jan. 27, 2015, 10:39 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30333/
> -----------------------------------------------------------
> 
> (Updated Jan. 27, 2015, 10:39 p.m.)
> 
> 
> Review request for Ambari, Jaimin Jetly and Yusaku Sako.
> 
> 
> Bugs: AMBARI-9295
>     https://issues.apache.org/jira/browse/AMBARI-9295
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Remove toLowerCase() from userPrincipalName in default Kerberos principal create template. This is creating an issue with principals that have upper-cased characters and Active Directory such that when kinit-ing, authenticating fails:
> 
> #kinit -V -k -t /etc/security/keytabs/spnego.service.keytab
> ```
> HTTP/c6501.ambari.apache.org
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/c6501.ambari.apache.org@HDP01.LOCAL
> Using keytab: /etc/security/keytabs/spnego.service.keytab
> kinit: Preauthentication failed while getting initial credentials
> ```
> An example of the offending template is as follows:
> #From kerberos-env.xml
> ```
> {
>   "objectClass": ["top", "person", "organizationalPerson", "user"],
>   "cn": "$principal_name",
>   #if( $is_service )
>   "servicePrincipalName": "$principal_name",
>   #end
>   "userPrincipalName": "$normalized_principal.toLowerCase()",
>   "unicodePwd": "$password",
>   "accountExpires": "0",
>   "userAccountControl": "66048"
> }
> ```
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java 839a82a 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml d37e736 
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java 8d2a3c4 
> 
> Diff: https://reviews.apache.org/r/30333/diff/
> 
> 
> Testing
> -------
> 
> Manually tested in test cluster using Active Directory as KDC and including Hive.
> 
> # Jenkins test results
> 
> Running org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandlerTest
> Tests run: 10, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 0.731 sec
> 
> Ambari server test suite
> Tests run: 2616, Failures: 0, Errors: 0, Skipped: 15
> 
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 01:01 h
> [INFO] Finished at: 2015-01-27T22:05:59+00:00
> [INFO] Final Memory: 44M/541M
> [INFO] ------------------------------------------------------------------------
> 
> 
> Thanks,
> 
> Robert Levas
> 
>