Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-23026

WEB type alerts authentication in Kerberos secured cluster

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.2, trunk, 2.6.2
    • Fix Version/s: 2.7.3
    • Component/s: alerts
    • Environment:

      Ambari 2.5.2

      Hortonworks HDP-2.5.3.0-37

      Description

      In a Kerberized cluster some web endpoints (App Timeline Web UI, ResourceManger Web UI, etc.) require authentication. Any Ambari alerts checking those endpoints must then be able to authenticate.

      This was addressed in AMBARI-9586, however the default principal and keytab used in the alerts.json is that of the "bare" SPNEGO principal HTTP/_HOST@REALM.
      My understanding is that the HTTP service principal is used to authenticate users to a service, not used to authenticate to another service.

      1. Since most endpoints involved are Web UI, would it be more appropriate to use the smokeuser in the alerts?

      2. This was first observed in Ranger Audit, the YARN Ranger Plug-in showed many access denied from HTTP user. This post provided some direction as to where those requests were coming from. We have updated the ResourceManger Web UI alert definition to use cluster-env/smokeuser_keytab and cluster-env/smokeuser_principal_name and this has resolved the initial HTTP access denied.
      Would it also be advisable to make the change in the other secure Web UI alert definitions?

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                smolnar Sandor Molnar
                Reporter:
                quirogadf David F. Quiroga
              • Votes:
                2 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 1h
                  1h