Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
Description
Use common property for principal name prefix to help with customization of unique principal names.
All headless Kerberos identities have a non-unique principal name (across clusters). To help with this issue, the cluster name is appended to these principal names by adding "-${cluster-name|toLower()}" after the principal name component. If the user wants to change this convention, they will need to find all headless principals and make the change. On top of that, when adding new components, they will need to remember to make the change to new headless principal names.
A better solution is to provide a global property named "principal_suffix" and use that in each headless principal name. By default the value for this property will be
principal_suffix="-${cluster_name|toLower()}"
If the user would like to not use a prefix (in the event there is only a single cluster connecting to the KDC), the value can be changed to
principal_suffix=""
Finally, if the user would like to use some other randomizer, they can set the value to something else. For example:
principal_suffix="_12345"
The property is set in the Kerberos descriptor's "properties" block. For example:
{
  "properties": {
    "realm": "${kerberos-env/realm}",
    ...,
    "principal_suffix": "${cluster_name|toLower()}"
  },
  "identities": [
    ...,
    {
      "name": "smokeuser",
      "principal": {
        "value": "${cluster-env/smokeuser}-${principal_suffix}@${realm}",
        "type": "user",
        "configuration": "cluster-env/smokeuser_principal_name",
        "local_username": "${cluster-env/smokeuser}"
      },
      ...
    }
  ],
  "services": [
    {
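An added example (not part of this issue and not Ambari's own code) that audits a descriptor for headless principals that do not reference `${principal_suffix}` and lists the principals that two clusters sharing one KDC would both request. The resolver is a simplified stand-in for Ambari's variable replacement; the descriptor, cluster names, user names, and the reading of principal type "user" as headless are assumptions.

```python
import json
import re

# Constructed descriptor and config values in the shape shown above; not from a real cluster.
DESCRIPTOR = json.loads("""
{"properties": {"realm": "EXAMPLE.COM", "principal_suffix": "${cluster_name|toLower()}"},
 "identities": [{"name": "smokeuser", "principal": {"type": "user",
    "value": "${cluster-env/smokeuser}-${principal_suffix}@${realm}"}}],
 "services": [{"name": "HDFS", "identities": [
    {"name": "hdfs", "principal": {"type": "user",
     "value": "${hadoop-env/hdfs_user}-${cluster_name|toLower()}@${realm}"}},
    {"name": "legacy", "principal": {"type": "user",
     "value": "${hadoop-env/legacy_user}@${realm}"}}]}]}
""")
ENV = {"cluster-env/smokeuser": "ambari-qa", "hadoop-env/hdfs_user": "hdfs",
       "hadoop-env/legacy_user": "etl"}
VAR = re.compile(r"\$\{([^}|]+)(\|toLower\(\))?\}")

def resolve(text, values):
    """Expand ${name} and ${name|toLower()}; unknown names stay as written."""
    def sub(match):
        value = values.get(match.group(1))
        if value is None:
            return match.group(0)
        return value.lower() if match.group(2) else value
    for _ in range(5):  # a property may itself reference another variable
        text = VAR.sub(sub, text)
    return text

def headless_identities(node):
    """Yield identities whose principal type is "user", at any nesting depth."""
    if isinstance(node, dict):
        if isinstance(node.get("principal"), dict) and node["principal"].get("type") == "user":
            yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from headless_identities(child)

def audit(descriptor, overrides):
    """Return (name, uses principal_suffix, resolved principal) per headless identity."""
    values = {**descriptor["properties"], **overrides}
    return [(i["name"], "${principal_suffix}" in i["principal"]["value"],
             resolve(i["principal"]["value"], values)) for i in headless_identities(descriptor)]

def collisions(descriptor, env, clusters):
    """Resolved principals that more than one cluster would request from the KDC."""
    seen = [p for c in clusters for _, _, p in audit(descriptor, {**env, "cluster_name": c})]
    return sorted({p for p in seen if seen.count(p) > 1})
```

Identities reported with `False` in the second field are the ones that would have to be found and edited by hand when the naming convention changes.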