Ambari / AMBARI-12772

Adding host via blueprint fails on secure cluster

    Details

      Description

      STR
      1. Install cluster via blueprints
      2. Enable Kerberos security
      3. Add host via blueprints

      Result
      Adding hosts freezes forever
      In ambari-server.log:

      The KDC administrator credentials must be set in session by updating the relevant Cluster resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the following payload:
      {
        "session_attributes" : {
          "kerberos_admin" : {"principal" : "(PRINCIPAL)", "password" : "(PASSWORD)"}
        }
      }

      Cause
      This is caused because the KDC administrative credentials are not available when needed during the add host process. If set in the HTTP session, the credentials are not accessible since the Kerberos logic is executed outside the scope of that HTTP session.

      Solution
      Store the KDC credentials to a more secure global credential store that is accessible no matter what the context is. This storage facility is in-memory and has a retention period of 90 minutes. This solution refactors the current CredentialStoreService and MasterKeyService classes to allow for file-based and in-memory implementations. It also paves the way for future changes to allow for the KDC administrative credentials to be persisted indefinitely.

      1. AMBARI-12772_trunk_03.patch
        147 kB
        Robert Levas
      2. AMBARI-12772_trunk_02.patch
        147 kB
        Robert Levas
      3. AMBARI-12772_trunk_01.patch
        145 kB
        Robert Levas
      4. AMBARI-12772_branch-2.1_03.patch
        147 kB
        Robert Levas
      5. AMBARI-12772_branch-2.1_01.patch
        146 kB
        Robert Levas


          Activity

          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12751784/AMBARI-12772_branch-2.1_01.patch
          against trunk revision .

          -1 patch. The patch command could not apply the patch.

          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3630//console

          This message is automatically generated.

          hadoopqa Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12753635/AMBARI-12772_trunk_02.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 10 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in ambari-server.

          Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/3697//testReport/
          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3697//console

          This message is automatically generated.

          hadoopqa Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12753802/AMBARI-12772_trunk_03.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 10 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in ambari-server.

          Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/3706//testReport/
          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3706//console

          This message is automatically generated.

          rlevas Robert Levas added a comment -

          Committed to trunk

          commit e681f2bf4d2f902d9d46c195baf5c405ab9ebc8e
          Author: Robert Levas <rlevas@hortonworks.com>
          Date:   Fri Sep 4 10:55:36 2015 -0400
          

          Committed to branch-2.1

          commit 7bd69c92de40114bc07111241c0eb8d5f9f449eb
          Author: Robert Levas <rlevas@hortonworks.com>
          Date:   Fri Sep 4 13:18:10 2015 -0400
          
          hudson Hudson added a comment -

          FAILURE: Integrated in Ambari-trunk-Commit #3390 (See https://builds.apache.org/job/Ambari-trunk-Commit/3390/)
          AMBARI-12772. Adding host via blueprint fails on secure cluster (rlevas) (rlevas: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=e681f2bf4d2f902d9d46c195baf5c405ab9ebc8e)

          • ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialProviderTest.java
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStoreService.java
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosCredential.java
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceImpl.java
          • ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
          • ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
          • ambari-server/src/test/java/org/apache/ambari/server/security/encryption/MasterKeyServiceTest.java
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/InMemoryCredentialStoreService.java
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/FileBasedCredentialStoreService.java
          • ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/MasterKeyServiceImpl.java
          • ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosCredentialTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialProvider.java
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
          hudson Hudson added a comment -

          FAILURE: Integrated in Ambari-branch-2.1 #482 (See https://builds.apache.org/job/Ambari-branch-2.1/482/)
          AMBARI-12772. Adding host via blueprint fails on secure cluster (rlevas) (rlevas: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=7bd69c92de40114bc07111241c0eb8d5f9f449eb)

          • ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialProviderTest.java
          • ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
          • ambari-server/src/test/java/org/apache/ambari/server/security/encryption/MasterKeyServiceTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStoreService.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/MasterKeyServiceImpl.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceImpl.java
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
          • ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/InMemoryCredentialStoreService.java
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosCredential.java
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java
          • ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceTest.java
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java
          • ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/FileBasedCredentialStoreService.java
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosCredentialTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java
          • ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialProvider.java

            People

            • Assignee:
              rlevas Robert Levas
              Reporter:
              rlevas Robert Levas