Ambari / AMBARI-23628

Enable Ambari SSO to be enabled without impacting other service sso configs


Details

    Description

      Scenario
      Ranger and Atlas are SSO-enabled via BP deploys, and Ambari is not SSO-enabled.
      Later, Ambari SSO has to be enabled without changing the existing configs for Atlas and Ranger (so that no restart is required).
      This is not possible with the "Enable for the selected services" option.
      It was possible in previous versions, but with the latest changes from AMBARI-23253, even if SSO was enabled for services earlier, we still have to opt in to SSO for Ranger and Atlas in the list. When services are specified in the list, this prompts for a service restart.
      So:
      • If we enable SSO for Ambari and not the other services via the CLI, then any previous SSO setting for those services will be cleared.
      • If we enable SSO for Ambari and the other services via the CLI, then any previous SSO setting for those services will potentially be updated, and this causes the services to need a restart. But since the data is the same, no restart should be needed for those services.

      Solution
      Add new prompts to separate Ambari's SSO configuration from the managed services' SSO configs so that they can be managed separately:

      • Use SSO for Ambari (--sso-enabled-ambari)
      • Manage SSO configurations for eligible services (--sso-manage-services)

      [root@c7401 ~]# ambari-server setup-sso --help
      Using python  /usr/bin/python
      Setting up SSO authentication properties...
      Usage: ambari-server.py action [options]
      
      Options:
        -h, --help            show this help message and exit
        -v, --verbose         Print verbose status messages
        -s, --silent          Silently accepts default prompt values. For db-cleanup
                              command, silent mode will stop ambari server.
        --sso-enabled=SSO_ENABLED
                              Indicates whether to enable/disable SSO
        --sso-enabled-ambari=SSO_ENABLED_AMBARI
                              Indicates whether to enable/disable SSO authentication
                              for Ambari, itself
        --sso-manage-services=SSO_MANAGE_SERVICES
                              Indicates whether Ambari should manage the SSO
                              configurations for specified services
        --sso-enabled-services=SSO_ENABLED_SERVICES
                              A comma separated list of services that are expected
                              to be configured for SSO (you are allowed to use '*'
                              to indicate ALL services)
        --sso-provider-url=SSO_PROVIDER_URL
                              The URL of SSO provider; this must be provided when
                              --sso-enabled is set to 'true'
        --sso-public-cert-file=SSO_PUBLIC_CERT_FILE
                              The path where the public certificate PEM is located;
                              this must be provided when --sso-enabled is set to
                              'true'
        --sso-jwt-cookie-name=SSO_JWT_COOKIE_NAME
                              The name of the JWT cookie
        --sso-jwt-audience-list=SSO_JWT_AUDIENCE_LIST
                              A comma separated list of JWT audience(s)
        --ambari-admin-username=AMBARI_ADMIN_USERNAME
                              Ambari administrator username for accessing Ambari's REST API
        --ambari-admin-password=AMBARI_ADMIN_PASSWORD
                              Ambari administrator password for accessing Ambari's REST API
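
The two outcomes listed under Scenario and the effect of the new --sso-manage-services switch, as an added example that is not Ambari's code or part of the original issue. It is a simplified model: the function names and the dict-based state are hypothetical, and it assumes that declining service management leaves the existing service configs untouched, as the Solution text implies.

```python
# Simplified model of the behaviour described in this issue (not Ambari source).
# Constructed sample state: Ranger and Atlas were SSO-enabled by a BP deploy.
SERVICES = {"RANGER": True, "ATLAS": True}


def setup_sso_before(services, sso_enabled, enabled_services):
    """Behaviour reported in the issue: the service list drives every service."""
    new_state, restart = {}, []
    for name, was_enabled in services.items():
        now_enabled = "*" in enabled_services or name in enabled_services
        new_state[name] = now_enabled
        # Omitted services are cleared and listed ones are rewritten; in both
        # cases the config is touched, so the service is flagged for restart.
        if was_enabled or now_enabled:
            restart.append(name)
    return {"ambari": sso_enabled, "services": new_state, "restart": sorted(restart)}


def setup_sso_after(services, sso_enabled_ambari, sso_manage_services,
                    sso_enabled_services=()):
    """Proposed behaviour: Ambari's own SSO is decided independently."""
    if not sso_manage_services:
        # Assumption: with service management declined, existing service
        # configs are neither cleared nor rewritten, so nothing restarts.
        return {"ambari": sso_enabled_ambari, "services": dict(services),
                "restart": []}
    # Assumption: when management is requested, services follow the list as before.
    return setup_sso_before(services, sso_enabled_ambari, sso_enabled_services)


if __name__ == "__main__":
    print("before, no list :", setup_sso_before(SERVICES, True, []))
    print("before, listed  :", setup_sso_before(SERVICES, True, ["RANGER", "ATLAS"]))
    print("after, unmanaged:", setup_sso_after(SERVICES, True, False))
```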
      

            People

              rlevas Robert Levas
              suja suja s