Re: Review Request 48516: SPNEGO keytab and principal configuration for HBase web UIs
> On June 14, 2016, 1:03 p.m., Nate Cole wrote:
> > What is the status of this review?

Hi Nate. I had made these changes preemptively -- I'm actually still waiting on the corresponding HBase changes to get merged in. I think it best if we wait for that one to get in before we make this change in Ambari. I've had a tough time getting reviewers this time over in HBase-land for whatever reason.

I'll send a note here once I get that squared away. Thanks for checking.

- Josh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48516/#review137497
---

On June 9, 2016, 11 p.m., Josh Elser wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/48516/
> ---
>
> (Updated June 9, 2016, 11 p.m.)
>
> Review request for Ambari, Jonathan Hurley, Nate Cole, and Robert Levas.
>
> Bugs: AMBARI-17129
>     https://issues.apache.org/jira/browse/AMBARI-17129
>
> Repository: ambari
>
> Description
> ---
>
> Adds the SPNEGO principal and keytab to hbase-site.xml to make it simple for users to enable SPNEGO authentication for HBase web UIs
>
> Diffs
> ---
>
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 5016325
>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/alerts.json 50a7ceb
>   ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json 8be8bda
>   ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java c221138
>
> Diff: https://reviews.apache.org/r/48516/diff/
>
> Testing
> ---
>
> Java unit tests and a simple virtual-machine installation of 2.4.0. Verified that expected configuration properties are present.
>
> Thanks,
>
> Josh Elser
>
Re: Review Request 48516: SPNEGO keytab and principal configuration for HBase web UIs
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48516/
---

(Updated June 9, 2016, 11 p.m.)

Review request for Ambari, Jonathan Hurley, Nate Cole, and Robert Levas.

Changes
---

Botched my last rebase. Fixing the broken upgrade catalog UT

Bugs: AMBARI-17129
    https://issues.apache.org/jira/browse/AMBARI-17129

Repository: ambari

Description
---

Adds the SPNEGO principal and keytab to hbase-site.xml to make it simple for users to enable SPNEGO authentication for HBase web UIs

Diffs (updated)
---

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 5016325
  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/alerts.json 50a7ceb
  ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json 8be8bda
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java c221138

Diff: https://reviews.apache.org/r/48516/diff/

Testing
---

Java unit tests and a simple virtual-machine installation of 2.4.0. Verified that expected configuration properties are present.

Thanks,

Josh Elser
Review Request 48516: SPNEGO keytab and principal configuration for HBase web UIs
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48516/
---

Review request for Ambari, Jonathan Hurley, Nate Cole, and Robert Levas.

Bugs: AMBARI-17129
    https://issues.apache.org/jira/browse/AMBARI-17129

Repository: ambari

Description
---

Adds the SPNEGO principal and keytab to hbase-site.xml to make it simple for users to enable SPNEGO authentication for HBase web UIs

Diffs
---

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 5016325
  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/alerts.json 50a7ceb
  ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json 8be8bda
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java c221138

Diff: https://reviews.apache.org/r/48516/diff/

Testing
---

Java unit tests and a simple virtual-machine installation of 2.4.0. Verified that expected configuration properties are present.

Thanks,

Josh Elser
Re: Review Request 48162: 16171 Addendum2 for stackadvisor with Phoenix Query Server kerberos configuration
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48162/
---

(Updated June 2, 2016, 3:29 p.m.)

Review request for Ambari and Robert Levas.

Changes
---

Apply Robert's suggestions. Re-ran python tests.

Bugs: AMBARI-16171
    https://issues.apache.org/jira/browse/AMBARI-16171

Repository: ambari

Description
---

Fix an issue where unsubstituted variables are being left in core-site.xml

Diffs (updated)
---

  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json f887f92
  ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json 5cfe42d
  ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py 413a2f7
  ambari-server/src/test/python/stacks/2.5/common/test_stack_advisor.py d61de7b

Diff: https://reviews.apache.org/r/48162/diff/

Testing
---

Deployed 2.4 with Kerberos and no PQS
Deployed 2.4 with Kerberos and PQS (correct configs for both)
Python UTs are passing locally
java UTs still running locally

Thanks,

Josh Elser
Review Request 48162: 16171 Addendum2 for stackadvisor with Phoenix Query Server kerberos configuration
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48162/
---

Review request for Ambari and Robert Levas.

Bugs: AMBARI-16171
    https://issues.apache.org/jira/browse/AMBARI-16171

Repository: ambari

Description
---

Fix an issue where unsubstituted variables are being left in core-site.xml

Diffs
---

  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json f887f92
  ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json 5cfe42d
  ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py 413a2f7
  ambari-server/src/test/python/stacks/2.5/common/test_stack_advisor.py d61de7b

Diff: https://reviews.apache.org/r/48162/diff/

Testing
---

Deployed 2.4 with Kerberos and no PQS
Deployed 2.4 with Kerberos and PQS (correct configs for both)
Python UTs are passing locally
java UTs still running locally

Thanks,

Josh Elser
Re: Review Request 47428: Changes to Phoenix QueryServer Kerberos configuration
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47428/
---

(Updated May 27, 2016, 10:48 p.m.)

Review request for Ambari, Jonathan Hurley, Nate Cole, Robert Levas, and Srimanth Gunturi.

Changes
---

Just realized that I had one of the UpgradeCatalog240Test cases broken.

Bugs: AMBARI-16171
    https://issues.apache.org/jira/browse/AMBARI-16171

Repository: ambari

Description
---

The up-coming version of Phoenix will contain some new functionality to support Kerberos authentication of clients via SPNEGO with the Phoenix Query Server (PQS).

Presently, Ambari will configure PQS to use the hbase service keytab which will result in the SPNEGO authentication failing as the RFC requires that the "primary" component of the Kerberos principal for the server is "HTTP". Thus, we need to ensure that we switch PQS over to use the spnego.service.keytab as the keytab and "HTTP/_HOST@REALM" as the principal.

Diffs (updated)
---

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java 2e857ed
  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 0deba5d
  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json c9536f8
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/stack_advisor.py 6e506a0
  ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py 8c5351f
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java 4dedc98
  ambari-server/src/test/python/stacks/2.5/common/test_stack_advisor.py 0066e1d

Diff: https://reviews.apache.org/r/47428/diff/

Testing
---

Unit testing, verified installation with trunk and proper kerberization.

Thanks,

Josh Elser
Re: Review Request 47428: Changes to Phoenix QueryServer Kerberos configuration
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47428/
---

(Updated May 27, 2016, 9:30 p.m.)

Review request for Ambari, Jonathan Hurley, Nate Cole, Robert Levas, and Srimanth Gunturi.

Changes
---

Srimanth helped me out with some direction on how to update the stackadvisor to do the "append" logic instead of an overwrite. I have unit tests added for the relevant python changes. I'm still trying to figure out how to test this on a real installation. It is not going well, but I don't want to sit on this patch for any longer.

Bugs: AMBARI-16171
    https://issues.apache.org/jira/browse/AMBARI-16171

Repository: ambari

Description
---

The up-coming version of Phoenix will contain some new functionality to support Kerberos authentication of clients via SPNEGO with the Phoenix Query Server (PQS).

Presently, Ambari will configure PQS to use the hbase service keytab which will result in the SPNEGO authentication failing as the RFC requires that the "primary" component of the Kerberos principal for the server is "HTTP". Thus, we need to ensure that we switch PQS over to use the spnego.service.keytab as the keytab and "HTTP/_HOST@REALM" as the principal.

Diffs (updated)
---

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java 2e857ed
  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 0deba5d
  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json c9536f8
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/stack_advisor.py 6e506a0
  ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py 8c5351f
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java 4dedc98
  ambari-server/src/test/python/stacks/2.5/common/test_stack_advisor.py 0066e1d

Diff: https://reviews.apache.org/r/47428/diff/

Testing
---

Unit testing, verified upgrade from 2.2.2

Thanks,

Josh Elser
Re: Review Request 47428: Changes to Phoenix QueryServer Kerberos configuration
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47428/
---

(Updated May 20, 2016, 6:18 p.m.)

Review request for Ambari, Jonathan Hurley, Nate Cole, and Robert Levas.

Changes
---

Used StackId#compareTo(...) per Jonathan's recommendation.

Bugs: AMBARI-16171
    https://issues.apache.org/jira/browse/AMBARI-16171

Repository: ambari

Description
---

The up-coming version of Phoenix will contain some new functionality to support Kerberos authentication of clients via SPNEGO with the Phoenix Query Server (PQS).

Presently, Ambari will configure PQS to use the hbase service keytab which will result in the SPNEGO authentication failing as the RFC requires that the "primary" component of the Kerberos principal for the server is "HTTP". Thus, we need to ensure that we switch PQS over to use the spnego.service.keytab as the keytab and "HTTP/_HOST@REALM" as the principal.

Diffs (updated)
---

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java 2e857ed
  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 41f538e
  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json c9536f8
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java 20fa50f

Diff: https://reviews.apache.org/r/47428/diff/

Testing
---

Unit testing, verified upgrade from 2.2.2

Thanks,

Josh Elser
Re: Review Request 47428: Changes to Phoenix QueryServer Kerberos configuration
> On May 20, 2016, 12:10 p.m., Nate Cole wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java, lines 1924-1938
> > <https://reviews.apache.org/r/47428/diff/3/?file=1386387#file1386387line1924>
> >
> >     This is a bit rough on the eyes. There's nothing wrong with shortcutting-when-null and really helps readability and indenting
>
> Robert Levas wrote:
>     I happen to like the explicit checking for null. What do you mean by "shortcutting-when-null"?
>
>     Like this?
>
>     ```
>     KerberosDescriptor kerberosDescriptor = new KerberosDescriptorFactory().createInstance(data);
>     KerberosServiceDescriptor serviceDescriptor = (kerberosDescriptor==null) ? null : kerberosDescriptor.getService("HBASE");
>     KerberosComponentDescriptor componentDescriptor = (serviceDescriptor==null) ? null : serviceDescriptor.getComponent("PHOENIX_QUERY_SERVER");
>     ...
>     ```

I was mostly following existing code-style in general that I've seen with UpgradeCatalog implementations. I'm happy to change it however you would prefer.

- Josh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47428/#review134136
---

On May 20, 2016, 2:06 a.m., Josh Elser wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47428/
> ---
>
> (Updated May 20, 2016, 2:06 a.m.)
>
> Review request for Ambari, Jonathan Hurley, Nate Cole, and Robert Levas.
>
> Bugs: AMBARI-16171
>     https://issues.apache.org/jira/browse/AMBARI-16171
>
> Repository: ambari
>
> Description
> ---
>
> The up-coming version of Phoenix will contain some new functionality to support Kerberos authentication of clients via SPNEGO with the Phoenix Query Server (PQS).
>
> Presently, Ambari will configure PQS to use the hbase service keytab which will result in the SPNEGO authentication failing as the RFC requires that the "primary" component of the Kerberos principal for the server is "HTTP". Thus, we need to ensure that we switch PQS over to use the spnego.service.keytab as the keytab and "HTTP/_HOST@REALM" as the principal.
>
> Diffs
> ---
>
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java 2e857ed
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 41f538e
>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json c9536f8
>   ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java 20fa50f
>
> Diff: https://reviews.apache.org/r/47428/diff/
>
> Testing
> ---
>
> Unit testing, verified upgrade from 2.2.2
>
> Thanks,
>
> Josh Elser
>
Re: Review Request 47428: Changes to Phoenix QueryServer Kerberos configuration
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47428/
---

(Updated May 20, 2016, 2:06 a.m.)

Review request for Ambari, Jonathan Hurley, Nate Cole, and Robert Levas.

Bugs: AMBARI-16171
    https://issues.apache.org/jira/browse/AMBARI-16171

Repository: ambari

Description
---

The up-coming version of Phoenix will contain some new functionality to support Kerberos authentication of clients via SPNEGO with the Phoenix Query Server (PQS).

Presently, Ambari will configure PQS to use the hbase service keytab which will result in the SPNEGO authentication failing as the RFC requires that the "primary" component of the Kerberos principal for the server is "HTTP". Thus, we need to ensure that we switch PQS over to use the spnego.service.keytab as the keytab and "HTTP/_HOST@REALM" as the principal.

Diffs
---

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java 2e857ed
  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 41f538e
  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json c9536f8
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java 20fa50f

Diff: https://reviews.apache.org/r/47428/diff/

Testing (updated)
---

Unit testing, verified upgrade from 2.2.2

Thanks,

Josh Elser
Re: Review Request 47428: Changes to Phoenix QueryServer Kerberos configuration
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47428/
---

(Updated May 18, 2016, 3:09 a.m.)

Review request for Ambari and Robert Levas.

Changes
---

New patch which successfully does upgrades from 2.2.2.0 to 2.4.0.0-SNAPSHOT. Wouldn't have been possible without lots of great help from Robert Levas (thanks again!).

Bugs: AMBARI-16171
    https://issues.apache.org/jira/browse/AMBARI-16171

Repository: ambari

Description
---

The up-coming version of Phoenix will contain some new functionality to support Kerberos authentication of clients via SPNEGO with the Phoenix Query Server (PQS).

Presently, Ambari will configure PQS to use the hbase service keytab which will result in the SPNEGO authentication failing as the RFC requires that the "primary" component of the Kerberos principal for the server is "HTTP". Thus, we need to ensure that we switch PQS over to use the spnego.service.keytab as the keytab and "HTTP/_HOST@REALM" as the principal.

Diffs (updated)
---

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java 2e857ed
  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 41f538e
  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json c9536f8
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java 20fa50f

Diff: https://reviews.apache.org/r/47428/diff/

Testing
---

Unit testing, still working through a "real" Ambari upgrade

Thanks,

Josh Elser
Re: Review Request 47428: Changes to Phoenix QueryServer Kerberos configuration
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47428/
---

(Updated May 17, 2016, 7:58 p.m.)

Review request for Ambari and Robert Levas.

Bugs: AMBARI-16171
    https://issues.apache.org/jira/browse/AMBARI-16171

Repository: ambari

Description
---

The up-coming version of Phoenix will contain some new functionality to support Kerberos authentication of clients via SPNEGO with the Phoenix Query Server (PQS).

Presently, Ambari will configure PQS to use the hbase service keytab which will result in the SPNEGO authentication failing as the RFC requires that the "primary" component of the Kerberos principal for the server is "HTTP". Thus, we need to ensure that we switch PQS over to use the spnego.service.keytab as the keytab and "HTTP/_HOST@REALM" as the principal.

Diffs (updated)
---

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 1f3b1d3
  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json c9536f8
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java f36e640

Diff: https://reviews.apache.org/r/47428/diff/

Testing
---

Unit testing, still working through a "real" Ambari upgrade

Thanks,

Josh Elser
Review Request 47428: Changes to Phoenix QueryServer Kerberos configuration
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47428/
---

Review request for Ambari and Robert Levas.

Bugs: AMBARI-16171
    https://issues.apache.org/jira/browse/AMBARI-16171

Repository: ambari

Description
---

The up-coming version of Phoenix will contain some new functionality to support Kerberos authentication of clients via SPNEGO with the Phoenix Query Server (PQS).

Presently, Ambari will configure PQS to use the hbase service keytab which will result in the SPNEGO authentication failing as the RFC requires that the "primary" component of the Kerberos principal for the server is "HTTP". Thus, we need to ensure that we switch PQS over to use the spnego.service.keytab as the keytab and "HTTP/_HOST@REALM" as the principal.

Diffs
---

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java 1f3b1d3
  ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json c9536f8
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java f36e640

Diff: https://reviews.apache.org/r/47428/diff/

Testing
---

Unit testing, still working through a "real" Ambari upgrade

Thanks,

Josh Elser
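
Added example, not part of the original thread and not Ambari or Phoenix code: a Python check for the condition review 47428 describes, that the PQS server principal must have "HTTP" as its primary for SPNEGO to work, plus a check for a leftover template variable of the kind review 48162 mentions. The two `phoenix.queryserver.*` property names, the `${...}` variable syntax, the keytab paths and the host name are assumptions; it inspects configuration values only and does not open the keytab.

```python
import re
from typing import NamedTuple, Optional

# Assumed property names (not shown in the thread) for the PQS principal/keytab.
PQS_PRINCIPAL = "phoenix.queryserver.kerberos.principal"
PQS_KEYTAB = "phoenix.queryserver.keytab.file"

# Constructed sample configs: the setup the review calls broken, and the fix.
BEFORE = {PQS_PRINCIPAL: "hbase/_HOST@EXAMPLE.COM",
          PQS_KEYTAB: "/etc/security/keytabs/hbase.service.keytab"}
AFTER = {PQS_PRINCIPAL: "HTTP/_HOST@EXAMPLE.COM",
         PQS_KEYTAB: "/etc/security/keytabs/spnego.service.keytab"}


class Principal(NamedTuple):
    primary: str
    instance: Optional[str]
    realm: Optional[str]


def parse_principal(text: str) -> Principal:
    """Split primary[/instance][@REALM]; escaped '/' or '@' are not handled."""
    name, _, realm = text.strip().partition("@")
    primary, _, instance = name.partition("/")
    if not primary:
        raise ValueError(f"no primary component in {text!r}")
    return Principal(primary, instance or None, realm or None)


def resolve_host(principal: Principal, fqdn: str) -> Principal:
    """Replace the _HOST placeholder with the lower-cased host name."""
    if principal.instance == "_HOST":
        return principal._replace(instance=fqdn.lower())
    return principal


def check_spnego(site: dict, fqdn: str) -> list:
    """Return findings for a PQS SPNEGO config; an empty list means it passes."""
    raw = site.get(PQS_PRINCIPAL)
    if not raw:
        return [f"{PQS_PRINCIPAL} is not set"]
    try:
        p = resolve_host(parse_principal(raw), fqdn)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if p.primary != "HTTP":
        findings.append(f"primary is {p.primary!r}; SPNEGO clients request HTTP/<host>")
    if p.instance is None:
        findings.append("principal has no host instance")
    elif p.instance != fqdn.lower():
        findings.append(f"instance {p.instance!r} does not match host {fqdn.lower()!r}")
    if re.search(r"\$\{[^}]*\}", raw + (site.get(PQS_KEYTAB) or "")):
        findings.append("unsubstituted ${...} variable left in the config")
    if not site.get(PQS_KEYTAB):
        findings.append(f"{PQS_KEYTAB} is not set")
    return findings


if __name__ == "__main__":
    for label, site in (("before", BEFORE), ("after", AFTER)):
        print(label, check_spnego(site, "pqs1.example.com") or "ok")
```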