-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31738/
-----------------------------------------------------------
Review request for Ambari, Emil Anca, Eugene Chekanskiy, John Speidel, and
Robert Nettleton.
Bugs: AMBARI-9917
https://issues.apache.org/jira/browse/AMBARI-9917
Repository: ambari
Description
-------
1) using build 440
2) three node cluster, hdfs, yarn, mr, tez, hive, zk, pig, ams
3) setup nnha, rmha
4) enabled kerb
5) all is good
6) added second hive metastore
7) added second hiveserver2
8) all is good
9) added host with DN and clients
10) keytabs are not created on the new host. I was not prompted for kdc creds.
Basically, I did 1-9 all in one shot, never logging out.
As a workaround 1:
- Attempted to regen keytabs, with "missing only" checkbox checked. It looks
like it remade all principals and keytabs for the cluster but didn't distribute
the keytabs. That is concerning that this might be an additional issue for
another JIRA maybe. In any case: didn't result in getting keytabs on my new host.
As a workaround 2:
- Attempted regen keytabs all. Made all princs and keytabs and distributed for
cluster hosts except my new host. So no luck here either.
# Solution
Force the Kerberos logic to not prune out hosts that _will_ have the Kerberos
Client installed and in the appropriate state to receive requests. This
scenario only occurs when a new host is being added and the components
(including the KERBEROS_CLIENT) are being mass installed and initialized.
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
ac91377
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
c4a5f4f
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
8e1c0e8
Diff: https://reviews.apache.org/r/31738/diff/
Testing
-------
Manually tested in test cluster verifying the following scenarios all work:
- adding hosts, adding services (in various orders)
- bringing a host up after being down before enabling Kerberos
-- regenerating keytabs before _fixing_ the Kerberos client
-- regenerating missing keytabs before _fixing_ the Kerberos client
-- regenerating keytabs after _fixing_ the Kerberos client
-- regenerating missing keytabs after _fixing_ the Kerberos client
# Local unit tests: PASSED
# Jenkins test results: PENDING (issues with Jenkins build)
Thanks,
Robert Levas