[ https://issues.apache.org/jira/browse/AMBARI-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15185813#comment-15185813 ]
Bolke de Bruin commented on AMBARI-6432:
----------------------------------------

[~u39kun] Thanks, that will help.

In the meantime I also hit a bug on which I need some guidance on how to fix it. FreeIPA does not support uppercase user principal names. If the cluster name is in uppercase, a test identity will be generated with "myname@REALM". For the tests to pass I need it to be "myname@REALM". What would be the best way to fix this?

1) Generate the test identity in lowercase (where is this generated? I could not find it yet)
2) Ask the user at step 1 to verify the cluster name is in lower case
3) Adjust service_check.py to convert to lowercase if a user principal is encountered
4) Use auth_to_local rules and apply these to the test identity

In my opinion option 1 seems the best option. It would affect other Kerberos providers as well, but as it is only the test identity I would say it would not matter.

Please advise

> FreeIPA Support in Ambari
> -------------------------
>
>                 Key: AMBARI-6432
>                 URL: https://issues.apache.org/jira/browse/AMBARI-6432
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>   Affects Versions: trunk
>            Reporter: jay vyas
>            Assignee: Bolke de Bruin
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-6432-FreeIPA.patch, AMBARI-6432.patch,
> AMBARI-6432.trunk.v1.patch, AMBARI-6432.trunk.v2.patch,
> AMBARI-6432.trunk.v3.patch, AMBARI-6432.trunk.v4.patch,
> AMBARI-6432.trunk.v5.patch, AMBARI-6432.trunk.v5.patch, ipa-patch-v0.5.patch
>
>
> FreeIPA is a powerful tool for unifying identity, Kerberos credentials,
> across a cluster.
> A great value add for Ambari would be to provide support for using FreeIPA to
> kerberize services. This would allow for
> 1) better HCFS interoperability, because first class GID/UID is critical for
> certain file systems (GlusterFS, Lustre, and any other file system which uses
> kernel / FUSE APIs for determining identity)
> 2) better enterprise interoperability. Because of the fact that FreeIPA
> makes it easy to interop with different identity solutions (like Active
> Directory), it would make Ambari easier to adopt for various enterprises.
> 3) broadens Ambari's scope. Now Ambari could also allow people to set up the
> users of their clusters, and at least some of the security features of their
> clusters, all from one interface (no more manual handling of TGTs and such -
> it could all be done quite easily via the Ambari UI which could make calls to
> underlying FreeIPA clients).

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
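
The lowercase conversion discussed in options 1 and 3 of the comment above, sketched as an added example; this is not Ambari code and not taken from any of the attached patches. The function names and the sample principals are hypothetical. It lowercases only single-component (user) principals and leaves service principals and the realm untouched.

```python
# Added illustration; not Ambari code. Function names are hypothetical.

def split_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'), honouring backslash escapes."""
    components, current, realm = [], [], None
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):
            current.append(principal[i:i + 2])  # escaped '/' or '@' stays in the name
            i += 2
            continue
        if ch == "@":  # first unescaped '@' starts the realm
            realm = principal[i + 1:]
            break
        if ch == "/":  # unescaped '/' separates name components
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))
    return components, realm


def lowercase_user_principal(principal):
    """Lowercase the name of a single-component (user) principal only.

    Service principals such as HTTP/host@REALM and the realm are returned
    unchanged. The identity must be created under the same lowercased name,
    since MIT Kerberos treats principal names as case-sensitive.
    """
    components, realm = split_principal(principal)
    if len(components) != 1:
        return principal
    name = components[0].lower()
    return name if realm is None else name + "@" + realm


if __name__ == "__main__":
    # Constructed sample principals, not taken from the issue.
    for p in ("MYCLUSTER-test@EXAMPLE.COM", "HTTP/Node1.example.com@EXAMPLE.COM",
              r"Odd\@Name@EXAMPLE.COM"):
        print(p, "->", lowercase_user_principal(p))
```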