[AMBARI-22715] Kafka broken by auth_to_local rules when case_insensitive_username_rules=true - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.5.2
Fix Version/s: None
Component/s: None
Labels:
None

Description

https://issues.apache.org/jira/browse/AMBARI-22715

Kafka brokers will fail to start when Kerberos is set with:
case_insensitive_username_rules=true

This is due to Kafka not supporting the lower case (/L) functionality.

How to reproduce:
1. Deploy a cluster which includes Kafka
2. Kerberize cluster
3. Ensure following is set in 'kerberos-env':

case_insensitive_username_rules=true
manage_auth_to_local=true

4. Start Kafka brokers
5. They will fail to start.

Note the /Ls in the configuration below.

For Kafka to function, Ambari will need to not include the "/L"s in the Kafka configuration.

"sasl.kerberos.principal.to.local.rules" : "RULE:[1:$1@$0](ambari-qa-mytestcluster@CLUSTER.TEST.COM)s/.*/ambari-qa/,RULE:[1:$1@$0](hbase-mytestcluster@CLUSTER.TEST.COM)s/.*/hbase/,RULE:[1:$1@$0](hdfs-mytestcluster@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[1:$1@$0](spark-mytestcluster@CLUSTER.TEST.COM)s/.*/spark/,RULE:[1:$1@$0](zeppelin-mytestcluster@CLUSTER.TEST.COM)s/.*/zeppelin/,RULE:[1:$1@$0](.*@CLUSTER.TEST.COM)s/@.*///L,RULE:[2:$1@$0](activity_analyzer@CLUSTER.TEST.COM)s/.*/activity_analyzer/,RULE:[2:$1@$0](activity_explorer@CLUSTER.TEST.COM)s/.*/activity_explorer/,RULE:[2:$1@$0](amshbase@CLUSTER.TEST.COM)s/.*/ams/,RULE:[2:$1@$0](amszk@CLUSTER.TEST.COM)s/.*/ams/,RULE:[2:$1@$0](atlas@CLUSTER.TEST.COM)s/.*/atlas/,RULE:[2:$1@$0](dn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](hbase@CLUSTER.TEST.COM)s/.*/hbase/,RULE:[2:$1@$0](hive@CLUSTER.TEST.COM)s/.*/hive/,RULE:[2:$1@$0](jhs@CLUSTER.TEST.COM)s/.*/mapred/,RULE:[2:$1@$0](jn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](knox@CLUSTER.TEST.COM)s/.*/knox/,RULE:[2:$1@$0](livy@CLUSTER.TEST.COM)s/.*/livy/,RULE:[2:$1@$0](nm@CLUSTER.TEST.COM)s/.*/yarn/,RULE:[2:$1@$0](nn@CLUSTER.TEST.COM)s/.*/hdfs/,RULE:[2:$1@$0](oozie@CLUSTER.TEST.COM)s/.*/oozie/,RULE:[2:$1@$0](rangeradmin@CLUSTER.TEST.COM)s/.*/ranger/,RULE:[2:$1@$0](rangerkms@CLUSTER.TEST.COM)s/.*/keyadmin/,RULE:[2:$1@$0](rangertagsync@CLUSTER.TEST.COM)s/.*/rangertagsync/,RULE:[2:$1@$0](rangerusersync@CLUSTER.TEST.COM)s/.*/rangerusersync/,RULE:[2:$1@$0](rm@CLUSTER.TEST.COM)s/.*/yarn/,RULE:[2:$1@$0](yarn@CLUSTER.TEST.COM)s/.*/yarn/,DEFAULT",

Attachments

Activity

People

Assignee:: Robert Levas

Reporter:: Sean Roberts

Votes:: 1 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 02/Jan/18 13:10

Updated:: 11/Jul/18 22:14

Resolved:: 11/Jul/18 22:14