----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/30260/#review69658 -----------------------------------------------------------
Ship it! Ship It! - Yusaku Sako On Jan. 25, 2015, 9:09 p.m., Robert Levas wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/30260/ > ----------------------------------------------------------- > > (Updated Jan. 25, 2015, 9:09 p.m.) > > > Review request for Ambari, Emil Anca and Yusaku Sako. > > > Bugs: AMBARI-9323 > https://issues.apache.org/jira/browse/AMBARI-9323 > > > Repository: ambari > > > Description > ------- > > While generating principals, `host/<hostname>@REALM` principals are created. > These should not be created. > > And they are ending-up in the resulting keytab. For example: > > ``` > [root@c6402 keytabs]# klist -kt nn.service.keytab > Keytab name: FILE:nn.service.keytab > KVNO Timestamp Principal > ---- ----------------- > -------------------------------------------------------- > 1 01/24/15 18:07:51 nn/[email protected] > 1 01/24/15 18:07:51 nn/[email protected] > 1 01/24/15 18:07:51 nn/[email protected] > 1 01/24/15 18:07:51 nn/[email protected] > 1 01/24/15 18:07:51 nn/[email protected] > 1 01/24/15 18:07:51 host/[email protected] > 1 01/24/15 18:07:51 host/[email protected] > 1 01/24/15 18:07:51 host/[email protected] > 1 01/24/15 18:07:51 host/[email protected] > 1 01/24/15 18:07:51 host/[email protected] > ``` > > The solution is to remove _identities_ from all `kerberos.json` files that > lead to the generation of the `host/<hostname>@<realm>` entries. > > > Diffs > ----- > > ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/kerberos.json > 8b7979e > ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json > 596d607 > > ambari-server/src/test/java/org/apache/ambari/server/stack/KerberosDescriptorTest.java > 0abb2f3 > > ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json > 99a4227 > > Diff: https://reviews.apache.org/r/30260/diff/ > > > Testing > ------- > > Manually tested in test cluster. > > Verified `host/<hostname>@<realm>` are no longer created. Example (does not > indicate all of the keytab files that were fixed): > > ``` > [root@c6503 keytabs]# klist -kt nn.service.keytab > Keytab name: FILE:nn.service.keytab > KVNO Timestamp Principal > ---- ----------------- > -------------------------------------------------------- > 1 01/25/15 19:14:49 nn/[email protected] > 1 01/25/15 19:14:49 nn/[email protected] > 1 01/25/15 19:14:49 nn/[email protected] > 1 01/25/15 19:14:49 nn/[email protected] > ``` > > Since the solution is to remove entries from Kerberos descritptor files from > the stack no unit tests were updated or added. > > # Jenkins test results > > [INFO] > ------------------------------------------------------------------------ > [INFO] BUILD SUCCESS > [INFO] > ------------------------------------------------------------------------ > [INFO] Total time: 01:02 h > [INFO] Finished at: 2015-01-25T20:43:13+00:00 > [INFO] Final Memory: 44M/508M > [INFO] > ------------------------------------------------------------------------ > > > Thanks, > > Robert Levas > >
