[ 
https://issues.apache.org/jira/browse/AMBARI-24960?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sandor Molnar updated AMBARI-24960:
-----------------------------------
    Description: 
The Ambari kerberos wizard for Existing FreeIPA displays a warning about 
setting up a password policy without expiration for the kerberos principals.

As these (user and service) principals are not created with a password, the 
password expiration policy does not apply to them. I verified this by 
maintaining a kerberized cluster for 120+ days, where 
the password for my ldapbind (and other accounts that do have passwords) 
expired in 90 days per default policy, without any impact to my kerberos 
principals or cluster operations.

Unless we've seen contradictory information, let's please remove this warning 
from the wizard to avoid confusing users on what is needed here.

  was:
The Ambari kerberos wizard for Existing FreeIPA displays a warning about 
setting up a password policy without expiration for the kerberos principals.
[!image-2018-11-26-08-26-37-452.png?default=false|thumbnail!|https://hortonworks.jira.com/secure/attachment/167582/167582_image-2018-11-26-08-26-37-452.png]

As these (user and service) principals are not created with a password, the 
password expiration policy does not apply to them. I verified this by 
maintaining a kerberized cluster for 120+ days, where 
the password for my ldapbind (and other accounts that do have passwords) 
expired in 90 days per default policy, without any impact to my kerberos 
principals or cluster operations.

Unless we've seen contradictory information, let's please remove this warning 
from the wizard to avoid confusing users on what is needed here.


> Remove warning about requirement for IPA password policy without expiration 
> in Ambari kerberos wizard
> -----------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-24960
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24960
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-web
>    Affects Versions: 2.7.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Minor
>             Fix For: 2.8.0
>
>
> The Ambari kerberos wizard for Existing FreeIPA displays a warning about 
> setting up a password policy without expiration for the kerberos principals.
> As these (user and service) principals are not created with a password, the 
> password expiration policy does not apply to them. I verified this by 
> maintaining a kerberized cluster for 120+ days, 
> where the password for my ldapbind (and other accounts that do have 
> passwords) expired in 90 days per default policy, without any impact to my 
> kerberos principals or cluster operations.
> Unless we've seen contradictory information, let's please remove this warning 
> from the wizard to avoid confusing users on what is needed here.


