Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AMBARI-23026. Using smoke user's principal/keytab within alerts in a secure cluster #2247

Merged
merged 1 commit into from
Sep 5, 2018
Merged

AMBARI-23026. Using smoke user's principal/keytab within alerts in a secure cluster #2247

merged 1 commit into from
Sep 5, 2018

Conversation

smolnar82
Copy link
Contributor

What changes were proposed in this pull request?

All types of alerts should use Ambari's smoke user principal and keytab to authenticate a service when triggering an alert.

How was this patch tested?

Executing unit tests in ambari-server.

E2E tests:

  1. installed a secure cluster with the services I changed the alert definitions for
  2. copied the new alert definitions with my changes
  3. restarted the server and the agents
  4. checked some of the alerts in question: they we all ok; not authentication error occurred

@smolnar82 smolnar82 requested review from rlevas, a user and zeroflag September 5, 2018 12:07
@smolnar82 smolnar82 self-assigned this Sep 5, 2018
@asfgit
Copy link

asfgit commented Sep 5, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/3847/
Test PASSed.

rlevas
rlevas approved these changes Sep 5, 2018
View reviewed changes
Copy link
Contributor

@rlevas rlevas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you ensure that the relevant kerberos.json files indicate that the Ambari smoke test user's Kerberos identity is distributed to the hosts where the service's components are installed?

@rlevas
Copy link
Contributor

rlevas commented Sep 5, 2018

For example the kerberos.json file at common-services/HDFS/2.1.0.2.0/kerberos.json contains the following...

{
  "services": [
    {
      "name": "HDFS",
      "identities": [
        ...,
        {
          "name": "hdfs_smokeuser",
          "reference": "/smokeuser"
        }
      ],
      ...

This indicates the the smoke user's keytab file will be distributed to all hosts where a component of HDFS is installed.

@smolnar82
Copy link
Contributor Author

@rlevas
No, I have not done such a check; let me do it and update the Kerberos descriptor(s) if needed. I'll keep you posted (or will push a new commit to this PR).

@smolnar82
Copy link
Contributor Author

@rlevas
I checked the Kerberos descriptors of all services that I've changed in this PR and found that all have their own SERVICENAME_smokeuser identity in place.
Thanks for your comment; it was very useful for me for the future.

@smolnar82 smolnar82 merged commit fd252bf into apache:branch-2.7 Sep 5, 2018
@smolnar82 smolnar82 deleted the AMBARI-23026 branch September 5, 2018 18:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zeroflag zeroflag zeroflag approved these changes

@rlevas rlevas rlevas approved these changes

Assignees

@smolnar82 smolnar82

Labels
alerts kerberos security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@smolnar82 @asfgit @rlevas @zeroflag