Ambari / AMBARI-12772

Adding host via blueprint fails on secure cluster

    Details

      Description

      STR
      1. Install cluster via blueprints
      2. Enable Kerberos security
      3. Add host via blueprints

      Result
      Adding hosts freezes forever
      In ambari-server.log:

      The KDC administrator credentials must be set in session by updating the relevant Cluster resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the following payload:
      {
        "session_attributes" : {
          "kerberos_admin" : {"principal" : "(PRINCIPAL)", "password" : "(PASSWORD)"}
        }
      }

      Cause
      The KDC administrative credentials are not available when they are needed during the add host process. If they are set in the HTTP session, the credentials are not accessible because the Kerberos logic is executed outside the scope of that HTTP session.

      Solution
      Store the KDC credentials in a more secure global credential store that is accessible no matter what the context is. This storage facility is in-memory and has a retention period of 90 minutes. This solution refactors the current CredentialStoreService and MasterKeyService classes to allow for file-based and in-memory implementations. It also paves the way for future changes to allow for the KDC administrative credentials to be persisted indefinitely.

        Attachments

        1. AMBARI-12772_trunk_01.patch
          145 kB
          Robert Levas
        2. AMBARI-12772_branch-2.1_01.patch
          146 kB
          Robert Levas
        3. AMBARI-12772_trunk_02.patch
          147 kB
          Robert Levas
        4. AMBARI-12772_branch-2.1_03.patch
          147 kB
          Robert Levas
        5. AMBARI-12772_trunk_03.patch
          147 kB
          Robert Levas


              People

              • Assignee:
                rlevas Robert Levas
                Reporter:
                rlevas Robert Levas