  1. Ambari
  2. AMBARI-22293

Improve KDC integration



    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 2.7.0
    • Fix Version/s: 3.0.0, 2.7.0
    • Component/s: ambari-server
    • Labels:


      Improve KDC integration by making the interfaces more consistent with each other.


      • When using the MIT KDC or IPA options, the kerberos-env/admin_server_host value must be the fully qualified domain name (FQDN) of the host where the KDC administrator service is.
      • When connecting to the MIT KDC and IPA server, a username and password are not used to authenticate using the kadmin utility. A Kerberos ticket is first acquired and that is used for authentication.
      • When creating Kerberos identities using the MIT KDC and IPA handlers, the Ambari-generated password is not used. All passwords for principals in the MIT KDC and IPA server are generated randomly by the KDC.
      • Removed kerberos-env/set_password_expiry and kerberos-env/password_chat_timeout properties since they are no longer needed.
      • Changed kerberos-env/groups to kerberos-env/ipa_user_groups to be more explicit in how the property is used.
      • The setPassword implementation for the MIT KDC and IPA handlers does nothing except check to see if the relevant principal exists. This is to maintain backward compatibility with previous implementations.
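
An added example, not Ambari's own code: a pre-upgrade check of a kerberos-env property map against the changes listed above, reporting removed and renamed properties and a non-FQDN admin_server_host. The kdc_type key with its values mit-kdc and ipa, the optional :port suffix on the host, and the function names are assumptions not stated on this page.

```python
import re

# Assumption: kdc_type selects the KDC option and uses these values (not stated on the page).
TICKET_BASED_KDC_TYPES = {"mit-kdc", "ipa"}
REMOVED = ("set_password_expiry", "password_chat_timeout")
RENAMED = {"groups": "ipa_user_groups"}
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def is_fqdn(value):
    """True for a dotted DNS name; rejects short names, IP literals, empty labels."""
    # Assumption: the value may carry an optional :port suffix, which is ignored here.
    host = (value.rsplit(":", 1)[0] if value.count(":") == 1 else value).rstrip(".")
    if len(host) > 253 or _IPV4.match(host):
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_kerberos_env(props):
    """Return (findings, migrated_props) for a kerberos-env property dict."""
    findings = []
    migrated = dict(props)
    for key in REMOVED:
        if key in migrated:
            del migrated[key]
            findings.append(f"removed: {key} is no longer used")
    for old, new in RENAMED.items():
        if old in migrated:
            value = migrated.pop(old)
            if new in migrated:
                findings.append(f"conflict: both {old} and {new} set; keeping {new}")
            else:
                migrated[new] = value
                findings.append(f"renamed: {old} -> {new}")
    if migrated.get("kdc_type") in TICKET_BASED_KDC_TYPES:
        host = migrated.get("admin_server_host", "")
        if not is_fqdn(host):
            findings.append(f"error: admin_server_host {host!r} is not an FQDN")
    return findings, migrated


# Constructed sample input, not taken from a real cluster.
SAMPLE = {"kdc_type": "mit-kdc", "admin_server_host": "kdc01",
          "groups": "ambari-managed-principals",
          "set_password_expiry": "false", "password_chat_timeout": "5"}

if __name__ == "__main__":
    print("\n".join(check_kerberos_env(SAMPLE)[0]))
```
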


        1. AMBARI-22293_trunk_01.patch
          221 kB
          Robert Levas
        2. AMBARI-22293_trunk_02.patch
          222 kB
          Robert Levas
        3. AMBARI-22293_trunk_addendum_01.patch
          6 kB
          Robert Levas

              • Assignee:
                rlevas Robert Levas


                • Created: