Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/01/27 23:39:58 UTC
Review Request 30333: Remove toLowerCase() from userPrincipalName in default Kerberos principal create template
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30333/
-----------------------------------------------------------
Review request for Ambari, Jaimin Jetly and Yusaku Sako.
Bugs: AMBARI-9295
https://issues.apache.org/jira/browse/AMBARI-9295
Repository: ambari
Description
-------
Remove toLowerCase() from userPrincipalName in default Kerberos principal create template. This is creating an issue with principals that have upper-cased characters and Active Directory such that when kinit-ing, authenticating fails:
```
# kinit -V -k -t /etc/security/keytabs/spnego.service.keytab HTTP/c6501.ambari.apache.org
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/c6501.ambari.apache.org@HDP01.LOCAL
Using keytab: /etc/security/keytabs/spnego.service.keytab
kinit: Preauthentication failed while getting initial credentials
```
An example of the offending template is as follows:
#From kerberos-env.xml
```
{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal.toLowerCase()",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}
```
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java 839a82a
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml d37e736
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java 8d2a3c4
Diff: https://reviews.apache.org/r/30333/diff/
Testing
-------
Manually tested in test cluster using Active Directory as KDC and including Hive.
# Jenkins test results
Running org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandlerTest
Tests run: 10, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 0.731 sec
Ambari server test suite
Tests run: 2616, Failures: 0, Errors: 0, Skipped: 15
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:01 h
[INFO] Finished at: 2015-01-27T22:05:59+00:00
[INFO] Final Memory: 44M/541M
[INFO] ------------------------------------------------------------------------
Thanks,
Robert Levas
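
Added example, not part of the original message or of Ambari's code: one reason the case of a principal name matters for password-derived Kerberos keys. It assumes the key salt is the RFC 3962 default (realm followed by the name components), uses a constructed password, and computes only the PBKDF2 stage of the AES string-to-key; the helper names are hypothetical.

```python
import hashlib

# Principal taken from the kinit output above; the password is constructed.
KEYTAB_PRINCIPAL = "HTTP/c6501.ambari.apache.org@HDP01.LOCAL"
SAMPLE_PASSWORD = "constructed-password-for-illustration"


def default_salt(principal: str) -> bytes:
    """Default salt: realm, then each name component, with no separators.

    Nothing is case-folded, so "HTTP" and "http" produce different salts.
    """
    name, _, realm = principal.rpartition("@")
    return (realm + "".join(name.split("/"))).encode("utf-8")


def pbkdf2_stage(password: str, principal: str, keylen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the aes256-cts-hmac-sha1-96 string-to-key.

    Uses the default iteration count of 4096. The final key-derivation step
    is omitted; it is a deterministic function of the value returned here.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), default_salt(principal), 4096, keylen
    )


def keys_match(password: str, keytab_principal: str, directory_upn: str) -> bool:
    """True when both sides would derive the same intermediate key."""
    return pbkdf2_stage(password, keytab_principal) == pbkdf2_stage(
        password, directory_upn
    )


if __name__ == "__main__":
    lowered = KEYTAB_PRINCIPAL.lower()  # effect of toLowerCase() on the UPN
    for upn in (KEYTAB_PRINCIPAL, lowered):
        print(upn, default_salt(upn), keys_match(SAMPLE_PASSWORD, KEYTAB_PRINCIPAL, upn))
```
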
Re: Review Request 30333: Remove toLowerCase() from userPrincipalName in default Kerberos principal create template
Posted by Yusaku Sako <yu...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30333/#review70014
-----------------------------------------------------------
Ship it!
Ship It!
- Yusaku Sako