Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-10305

Kerberos: during disable, need option skip if unable to access KDC to remove principals

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 2.0.0
    • 2.1.0
    • ambari-server

    Description

      Attempted to disable kerb, fails on step to unkerberize because KDC admin is locked out.

      Click retry, can't make it past that.

      Need option to skip and finish "disable kerberos" even if Ambari cannot get the principals cleaned up (i.e. cannot access the KDC) Losing access to the KDC and attempting to disable where ambari can't clean-up the principals should be a skip'able step. User should still be able to get to a clean, not-enabled-kerberos-ambari-state w/o accessing the KDC.

      Solution
      Add a flag to the kerberos-env configuration to specify whether Kerberos identities should be managed by Ambari (true, default) or not (false). This flag is to be overridable via a directive like manage_identities=false when disabling Kerberos, which will skip over any KDC administrative processes.

      Attachments

        1. AMBARI-10305_01.patch
          56 kB
          Robert Levas

        Issue Links

          relates to

          Task - A task that needs to be done. AMBARI-10479 Add the ability to enable Kerberos and not manage identities

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link ReviewBoard

          Activity

            People

              rlevas Robert Levas
              rlevas Robert Levas
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: