[ 
https://issues.apache.org/jira/browse/AMBARI-22293?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Levas updated AMBARI-22293:
----------------------------------
    Description: 
Improve KDC integration by making the interfaces more consistent with each 
other.

*Notes:*
* When using the MIT KDC or IPA options, the {{kerberos-env/admin_server_host}} 
value *must be the fully qualified domain name* (FQDN) of the host where the KDC 
administrator service is. 
* When connecting to the MIT KDC, a username and password are not used to 
authenticate using the kadmin utility.  A Kerberos ticket is first acquired and 
that is used for authentication.
* When creating Kerberos identities using the MIT KDC handler, the 
Ambari-generated password is no longer used.  All passwords for principals in 
the MIT KDC are generated randomly by the KDC.
* Removed {{kerberos-env/set_password_expiry}} and 
{{kerberos-env/password_chat_timeout}} properties since they are no longer 
needed.
* Changed {{kerberos-env/groups}} to {{kerberos-env/ipa_user_groups}} to be 
more explicit in how the property is used.
* The setPassword implementations for the MIT KDC and IPA handlers do nothing 
except check to see if the relevant principal exists. This is to maintain 
backward compatibility with previous implementations.



  was:
Improve KDC integration by making the interfaces more consistent with each 
other.

*Notes:*
* When using the MIT KDC or IPA options, the {{kerberos-env/admin_server_host}} 
value *must be the fully qualified domain name* (FQDN) of the host where the KDC 
administrator service is. 
* When connecting to the MIT KDC, a username and password are not used to 
authenticate using the kadmin utility.  A Kerberos ticket is first acquired and 
that is used for authentication.
* When creating Kerberos identities using the MIT KDC handler, the 
Ambari-generated password is no longer used.  All passwords for principals in 
the MIT KDC are generated randomly by the KDC.
* Removed {{kerberos-env/set_password_expiry}} and 
{{kerberos-env/password_chat_timeout}} properties since they are no longer 
needed.
* Changed {{kerberos-env/groups}} to {{kerberos-env/ipa_user_groups}} to be 
more explicit in what the property is




> Improve KDC integration
> -----------------------
>
>                 Key: AMBARI-22293
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22293
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server
>    Affects Versions: 3.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos
>             Fix For: 3.0.0
>
>
> Improve KDC integration by making the interfaces more consistent with each 
> other.
> *Notes:*
> * When using the MIT KDC or IPA options, the 
> {{kerberos-env/admin_server_host}} value *must be the fully qualified domain 
> name* (FQDN) of the host where the KDC administrator service is. 
> * When connecting to the MIT KDC, a username and password are not used to 
> authenticate using the kadmin utility.  A Kerberos ticket is first acquired 
> and that is used for authentication.
> * When creating Kerberos identities using the MIT KDC handler, the 
> Ambari-generated password is no longer used.  All passwords for principals 
> in the MIT KDC are generated randomly by the KDC.
> * Removed {{kerberos-env/set_password_expiry}} and 
> {{kerberos-env/password_chat_timeout}} properties since they are no longer 
> needed.
> * Changed {{kerberos-env/groups}} to {{kerberos-env/ipa_user_groups}} to be 
> more explicit in how the property is used.
> * The setPassword implementations for the MIT KDC and IPA handlers do nothing 
> except check to see if the relevant principal exists. This is to maintain 
> backward compatibility with previous implementations.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
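
The property changes listed in the notes above can be checked against an existing {{kerberos-env}} configuration before upgrading. The following is an added example, not code from Ambari or from the issue. It assumes the KDC handler is selected by a {{kdc_type}} property with the values {{mit-kdc}} and {{ipa}}, and that {{admin_server_host}} may carry an optional {{:port}} suffix; the sample values are constructed.

```python
import re

FQDN_KDC_TYPES = {"mit-kdc", "ipa"}   # assumed kdc_type values for MIT KDC / IPA
REMOVED = ("set_password_expiry", "password_chat_timeout")
RENAMED = {"groups": "ipa_user_groups"}
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample of a pre-change kerberos-env property set.
SAMPLE = {
    "kdc_type": "mit-kdc",
    "admin_server_host": "kdc01",
    "set_password_expiry": "false",
    "groups": "ambari-managed",
}


def is_fqdn(value):
    """True for a dotted host name; False for short names and IP addresses."""
    host = value.strip()
    if host.count(":") == 1:          # tolerate an optional ":port" (assumption)
        host = host.split(":", 1)[0]
    host = host.rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253:
        return False
    if labels[-1].isdigit():          # IPv4 literal or numeric last label
        return False
    return all(_LABEL.fullmatch(label) for label in labels)


def check_kerberos_env(props):
    """Return a list of findings for a kerberos-env property dict."""
    findings = []
    if props.get("kdc_type") in FQDN_KDC_TYPES:
        host = props.get("admin_server_host", "")
        if not is_fqdn(host):
            findings.append("admin_server_host %r is not an FQDN" % host)
    findings += ["%s was removed; drop it" % n for n in REMOVED if n in props]
    findings += ["%s was renamed to %s" % (o, n)
                 for o, n in RENAMED.items() if o in props]
    return findings


def migrate(props):
    """Return a copy with removed properties dropped and the rename applied."""
    out = {k: v for k, v in props.items() if k not in REMOVED}
    for old, new in RENAMED.items():
        if old in out:
            out.setdefault(new, out.pop(old))  # keep an existing new-style value
    return out
```

{{migrate}} does not touch {{admin_server_host}}; a short host name or IP address still has to be replaced with the FQDN by hand.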
