Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/09/11 23:07:33 UTC
Review Request 38318: Kerberos: Allow user to specify additional realms for auth-to-local rules
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38318/
-----------------------------------------------------------
Review request for Ambari, Jaimin Jetly, Jonathan Hurley, and Robert Nettleton.
Bugs: AMBARI-13060
https://issues.apache.org/jira/browse/AMBARI-13060
Repository: ambari
Description
-------
Allow user to specify additional realms for auth-to-local rules. This will add _default_ rules for the specified realm(s) to the generated auth-to-local rule sets. For example:
```
RULE:[1:$1@$0](.*@USER_REALM.COM)s/@.*//
```
The value should be a (comma) delimited list of realm names set in the set of global properties in the Kerberos Descriptor.
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java 00e8291
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 11f578f
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json df99bce
ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json 03198dc
ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java 14c66a2
ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java 9e65b5e
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java f28a19b
ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json cf49786
ambari-web/app/mixins/wizard/addSecurityConfigs.js d14d09e
Diff: https://reviews.apache.org/r/38318/diff/
Testing
-------
Manually tested existing KDC and manual options, both with various additional realm specifications (empty, single, multiple, multiple with random spaces between). Updated realms after enabling Kerberos.
Local test results: PASSED
Jenkins test results: *PENDING*
Thanks,
Robert Levas
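The description above, worked through as an added example (not code from the review or from Ambari): it splits a comma-delimited realm list, builds the default rule in the form shown for each realm, and applies it to principals. The function names, `AD.EXAMPLE.COM` and the sample principals are constructed, and the whole-string match semantics are an assumption modelled on Hadoop's rule evaluation.

```python
import re

# Parses RULE:[n:format](match-regex)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def parse_realms(value):
    """Split a comma-delimited realm list, dropping blanks and stray spaces."""
    return [r.strip() for r in (value or "").split(",") if r.strip()]

def default_rule(realm):
    """Default rule for one realm, in the form shown in the description."""
    return f"RULE:[1:$1@$0](.*@{realm})s/@.*//"

def apply_rule(rule, principal):
    """Return the local name the rule yields, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule: {rule}")
    n, fmt, match, pattern, repl, is_global = m.groups()
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if len(components) != int(n):       # [1:...] only takes one-component names
        return None
    parts = [realm] + components        # $0 is the realm, $1.. the components
    base = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
    if match and not re.fullmatch(match, base):   # assumed: whole-string match
        return None
    if pattern is None:
        return base
    return re.sub(pattern, repl, base, count=0 if is_global else 1)

def map_principal(realms_value, principal):
    """First default rule that applies wins; None means no rule matched."""
    for realm in parse_realms(realms_value):
        local = apply_rule(default_rule(realm), principal)
        if local is not None:
            return local
    return None

# Constructed sample input: realm names and principals are made up.
REALMS = " USER_REALM.COM ,, AD.EXAMPLE.COM ,"
if __name__ == "__main__":
    for p in ("alice@USER_REALM.COM", "alice@AD.EXAMPLE.COM",
              "alice/admin@USER_REALM.COM", "bob@OTHER.ORG"):
        print(p, "->", map_principal(REALMS, p))
```

Both `alice@USER_REALM.COM` and `alice@AD.EXAMPLE.COM` come out as `alice`, so every realm added to the list shares one local user namespace; two-component principals such as `alice/admin@...` are not covered by the default rule.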
Re: Review Request 38318: Kerberos: Allow user to specify additional realms for auth-to-local rules
Posted by Robert Levas <rl...@hortonworks.com>.
> On Sept. 14, 2015, 12:56 p.m., Robert Nettleton wrote:
> > ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json, line 48
> > <https://reviews.apache.org/r/38318/diff/1/?file=1068807#file1068807line48>
> >
> > Why is this property being removed from the HDFS kerberos.json? Is this related to the support for multiple realms described above?
`hadoop.security.auth_to_local` is being removed from the kerberos.json file because it was the reason this issue exists. Its existence was causing confusion on the front-end since it appeared that the auth-to-local property was to be set to "" rather than to its actual value (which was to get generated by Ambari). Its use was to set some initial value so that Ambari would include it when generating the `core-site/hadoop.security.auth_to_local` value. Generally that value was default rules for additional realms needed in a multiple realm scenario - for example, MIT KDC and Active Directory cross-realm-trust. Though this worked fine, it had 2 problems: confusion (as previously mentioned), and its scope was limited to `core-site/hadoop.security.auth_to_local`.
This patch solves the 2 issues by removing the field in the UI and adding a new property to collect the additional realms. Using the additional realms data, the default rules can be generated and used for any property that is tagged as being an _auth-to-local rule_ (this is done on the Kerberos Descriptor for each service).
- Robert
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38318/#review98864
-----------------------------------------------------------
Re: Review Request 38318: Kerberos: Allow user to specify additional realms for auth-to-local rules
Posted by Robert Nettleton <rn...@hortonworks.com>.
> On Sept. 14, 2015, 4:56 p.m., Robert Nettleton wrote:
> > ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json, line 48
> > <https://reviews.apache.org/r/38318/diff/1/?file=1068807#file1068807line48>
> >
> > Why is this property being removed from the HDFS kerberos.json? Is this related to the support for multiple realms described above?
>
> Robert Levas wrote:
> `hadoop.security.auth_to_local` is being removed from the kerberos.json file because it was the reason this issue exists. Its existence was causing confusion on the front-end since it appeared that the auth-to-local property was to be set to "" rather than to its actual value (which was to get generated by Ambari). Its use was to set some initial value so that Ambari would include it when generating the `core-site/hadoop.security.auth_to_local` value. Generally that value was default rules for additional realms needed in a multiple realm scenario - for example, MIT KDC and Active Directory cross-realm-trust. Though this worked fine, it had 2 problems: confusion (as previously mentioned), and its scope was limited to `core-site/hadoop.security.auth_to_local`.
>
> This patch solves the 2 issues by removing the field in the UI and adding a new property to collect the additional realms. Using the additional realms data, the default rules can be generated and used for any property that is tagged as being an _auth-to-local rule_ (this is done on the Kerberos Descriptor for each service).
Great. Thanks for clarifying this for me. I'll drop this issue.
- Robert
Re: Review Request 38318: Kerberos: Allow user to specify additional realms for auth-to-local rules
Posted by Robert Nettleton <rn...@hortonworks.com>.
Ship it!
Looks fine to me. Just a minor issue below.
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
<https://reviews.apache.org/r/38318/#comment155490>
Why is this property being removed from the HDFS kerberos.json? Is this related to the support for multiple realms described above?
- Robert Nettleton
Re: Review Request 38318: Kerberos: Allow user to specify additional realms for auth-to-local rules
Posted by Robert Levas <rl...@hortonworks.com>.
(Updated Sept. 13, 2015, 7:31 a.m.)
Review request for Ambari, Jaimin Jetly, Jonathan Hurley, and Robert Nettleton.
Bugs: AMBARI-13060
https://issues.apache.org/jira/browse/AMBARI-13060
Repository: ambari
Description
-------
Allow user to specify additional realms for auth-to-local rules. This will add _default_ rules for the specified realm(s) to the generated auth-to-local rule sets. For example:
```
RULE:[1:$1@$0](.*@USER_REALM.COM)s/@.*//
```
The value should be a (comma) delimited list of realm names set in the set of global properties in the Kerberos Descriptor.
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java 00e8291
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 11f578f
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json df99bce
ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json 03198dc
ambari-server/src/test/java/org/apache/ambari/server/api/services/AmbariMetaInfoTest.java 14c66a2
ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java 9e65b5e
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java f28a19b
ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json cf49786
ambari-web/app/mixins/wizard/addSecurityConfigs.js d14d09e
Diff: https://reviews.apache.org/r/38318/diff/
Testing (updated)
-------
Manually tested existing KDC and manual options, both with various additional realm specifications (empty, single, multiple, multiple with random spaces between). Updated realms after enabling Kerberos.
Local test results: PASSED
Jenkins test results:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 02:03 h
[INFO] Finished at: 2015-09-12T00:12:36+00:00
[INFO] Final Memory: 50M/555M
[INFO] ------------------------------------------------------------------------
Thanks,
Robert Levas