[ https://issues.apache.org/jira/browse/AMBARI-12772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-12772:
----------------------------------
    Attachment: AMBARI-12772_branch-2.1_03.patch

> Adding host via blueprint fails on secure cluster
> -------------------------------------------------
>
>                 Key: AMBARI-12772
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12772
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: blueprints, kerberos
>             Fix For: 2.1.2
>
>         Attachments: AMBARI-12772_branch-2.1_01.patch, 
> AMBARI-12772_branch-2.1_03.patch, AMBARI-12772_trunk_01.patch, 
> AMBARI-12772_trunk_02.patch
>
>
> *STR*
> Install cluster via blueprints
> Enable Kerberos security
> Add host via blueprints
> *Result*
> Adding hosts freezes forever
> In ambari-server.log:
> {code}
> The KDC administrator credentials must be set in session by updating the 
> relevant Cluster resource.This may be done by issuing a PUT to the 
> api/v1/clusters/(cluster name) API entry point with the following payload:
> {
>   "session_attributes" : {
>     "kerberos_admin" : {"principal" : "(PRINCIPAL)", "password" : "(PASSWORD)"}
>   }
> {code}
> *Cause*
> This is caused because the KDC administrative credentials are not available 
> when needed during the add host process.  If set in the HTTP session, the 
> credentials are not accessible since the Kerberos logic is executed outside 
> the scope of that HTTP session.  
> *Solution*
> Store the KDC credentials to a _more secure_ global credential store that is 
> accessible no matter what the context is.  This storage facility is in-memory 
> and has a retention period of 90 minutes.  This solution refactors the 
> current CredentialStoreService and MasterKeyService classes to allow for 
> file-based and in-memory implementations. It also paves the way for future 
> changes to allow for the KDC administrative credentials to be persisted 
> indefinitely.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
