[ https://issues.apache.org/jira/browse/AMBARI-12772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Levas updated AMBARI-12772:
----------------------------------
    Attachment: AMBARI-12772_branch-2.1_01.patch

> Adding host via blueprint fails on secure cluster
> -------------------------------------------------
>
>                 Key: AMBARI-12772
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12772
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: blueprints, kerberos
>             Fix For: 2.1.2
>
>         Attachments: AMBARI-12772_branch-2.1_01.patch,
>                      AMBARI-12772_trunk_01.patch
>
>
> *STR*
> Install cluster via blueprints
> Enable Kerberos security
> Add host via blueprints
>
> *Result*
> Adding hosts freezes forever
> In ambari-server.log:
> {code}
> The KDC administrator credentials must be set in session by updating the
> relevant Cluster resource.This may be done by issuing a PUT to the
> api/v1/clusters/(cluster name) API entry point with the following payload:
> {
>   "session_attributes" : {
>     "kerberos_admin" : {"principal" : "(PRINCIPAL)", "password" : "(PASSWORD)"}
>   }
> {code}
>
> *Cause*
> This is caused because the KDC administrative credentials are not available
> when needed during the add host process. If set in the HTTP session, the
> credentials are not accessible since the Kerberos logic is executed outside
> the scope of that HTTP session.
>
> *Solution*
> Store the KDC credentials to a _more secure_ global credential store that is
> accessible no matter what the context is. This storage facility is in-memory
> and has a retention period of 90 minutes. This solution refactors the
> current CredentialStoreService and MasterKeyService classes to allow for
> file-based and in-memory implementations. It also paves the way for future
> changes to allow for the KDC administrative credentials to be persisted
> indefinitely.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)