[jira] [Commented] (AMBARI-15561) Automate creation of Ambari Server proxy users (secure/non-secure clusters), principal and keytab, setup of JAAS (secure clusters)

[Swapan Shridhar (JIRA)]

    [ 
https://issues.apache.org/jira/browse/AMBARI-15561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15219545#comment-15219545
 ] 

Swapan Shridhar commented on AMBARI-15561:
------------------------------------------

Screenshot : 
https://issues.apache.org/jira/secure/attachment/12796258/Screen%20Shot%202016-03-31%20at%2012.45.42%20AM.png

Steps to reproduce : Have HDFS, YARN, MapReduce2, Tez, Hive, Pig and ZooKeeper 
added. Do the kerberization.


> Automate creation of Ambari Server proxy users (secure/non-secure clusters), 
> principal and keytab, setup of JAAS (secure clusters)
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-15561
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15561
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>            Reporter: Sandor Magyari
>            Assignee: Sandor Magyari
>            Priority: Critical
>             Fix For: ambari-2.4.0
>
>         Attachments: AMBARI-15561-v2.patch, Screen Shot 2016-03-31 at 
> 12.45.42 AM.png
>
>
>       The aim of this improvement is to automate the following: 
> - creation of proxy users for Ambari server necessary for views (Files, Hive, 
> Pig, Tez etc) 
> - creation of Ambari Server principal and keytab, and setup of JAAS which is 
> currently a manual step documented here: 
> http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_optional_set_up_kerberos_for_ambari_server.html
> In case of a non secure cluster, Ambari proxy user will be set up for the 
> user account Ambari Server is running as. This is specified in 
> *ambari-server.properties* by *ambari-server.user* and can be adjusted by 
> running 'ambari-server setup'. 
> Stackadvisor is responsible for configuring proxy users, both for secure / 
> non-secure cluster, wizard or blueprint based deployments. 
> Therefore in case of blueprint based deployments proxy users will be only 
> created if "config_recommendation_strategy": "ALWAYS_APPLY" in Cluster 
> template. 
> The following proxy users will be configured by stackadvisor: 
> {code} 
> hadoop.proxyuser.${ambari_proxy_user}.groups=* 
> hadoop.proxyuser.${ambari_proxy_user}.hosts=* 
> hadoop.proxyuser.hcat.groups=* 
> hadoop.proxyuser.hcat.hosts=* 
> webhcat.proxyuser.${ambari_proxy_user}.groups=* 
> webhcat.proxyuser.${ambari_proxy_user}.hosts=* 
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.hosts=*
>  
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.users=*
>  
> yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.groups=*
>  
> {code} 
> For a secure (eg. securityType=KERBEROS) cluster proxy user will be setup 
> based on Ambari Server principal. 
> A new identity 'ambari-server' will be added to default kerberos descriptor 
> where principal name is specified which can be modified either in Kerberos 
> Setup wizard screen, or by submitting a custom kerberos descriptor in 
> Blueprint case. 
> By default, principal name is: 
> {code}ambari-server-${cluster_name}@${realm}{code} 
> Generate principal & keytab is set in JAAS configuration file. 
> Generation of Ambari Server principal and keytab can be enabled / disabled by 
> setting config property *create_ambari_principal* = true / false in 
> kerberos-env config. ('Create Ambari Principal & Keytab' on Keberos Setup 
> wizard screen). This is enabled by default.
> There is a new functionality in Kerberos related handling of configurations 
> recommended by StackAdvisor, properties marked with delete flag by 
> StackAdvisor are removed from configuration when running Enable Kerberos 
> wizard. This is necessary to be able to remove old Ambari proxy users in 
> non-secure mode.
> In a scenario where multiple Ambari servers are managing a single cluster, 
> only the _operation master_ Ambari server will be affected. All other Ambari 
> server instances will need to be manually updated. Meaning, the Ambari server 
> keytab file will need to be manually distributed to the _other_ Ambari server 
> hosts. Also, the _other_ Ambari servers' JAAS files will need to be manually 
> updated either by editing the {{/etc/ambari-server/conf/krb5JAASLogin.conf}} 
> file or by executing {{ambari-server setup-security}} and selecting option 
> #3, {{Setup Ambari kerberos JAAS configuration}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)