[
https://issues.apache.org/jira/browse/AMBARI-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15185813#comment-15185813
]
Bolke de Bruin commented on AMBARI-6432:
----------------------------------------
[~u39kun] Thanks that will help.
In the meantime I also hit a bug on which I need some guidance how to fix it.
FreeIPA does not support uppercase user principal names. If the cluster name is
in uppercase a test identity will be generated with "myname@REALM" . For the
tests to pass I need it to be "myname@REALM".
What would be the best way to fix this?
1) Generate the test identity in lowercase (where is this generated? I could
not find it yet)
2) Ask the user at step 1 to verify the cluster name is in lower case
3) adjust service_check.py to convert to lowercase if a user principal is
encountered
4) use auth_to_local rules and apply these to the test identity
In my opinion option 1 seems the best option. It would affect other Kerberos
providers as well, but as it is only the test identity I would say it would not
matter.
Please advice
> FreeIPA Support in Ambari
> -------------------------
>
> Key: AMBARI-6432
> URL: https://issues.apache.org/jira/browse/AMBARI-6432
> Project: Ambari
> Issue Type: Improvement
> Components: ambari-server
> Affects Versions: trunk
> Reporter: jay vyas
> Assignee: Bolke de Bruin
> Fix For: 2.4.0
>
> Attachments: AMBARI-6432-FreeIPA.patch, AMBARI-6432.patch,
> AMBARI-6432.trunk.v1.patch, AMBARI-6432.trunk.v2.patch,
> AMBARI-6432.trunk.v3.patch, AMBARI-6432.trunk.v4.patch,
> AMBARI-6432.trunk.v5.patch, AMBARI-6432.trunk.v5.patch, ipa-patch-v0.5.patch
>
>
> FreeIPA Is a powerful tool for unifying identity, kerberos credentials,
> across a cluster.
> A great value add for ambari would be to provide support for using FreeIPA to
> kerberize services. This would allow for
> 1) better HCFS interoperability, because first class GID/UID is critical for
> certain file systems (GlusterFS, Lustre, and any other file system which uses
> kernel / FUSE apis for determining identity)
> 2) better enterprise interoperability. Because of the fact that FreeIPA
> makes it easy to interop with different identity solutions (like active
> directory), it would make ambari easier to adopt for various enterprises.
> 3) broadens ambaris scope. Now ambari could also allow people to setup the
> users of their clusters, and at least some of the security features of their
> clusters, all from one interface (no more manual handling of TGTs and such -
> it could all be done quite easily via the ambari UI which could make calls to
> underlying FreeIPA clients).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
