Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: trunk
    • Fix Version/s: 2.4.0
    • Component/s: ambari-server
    • Labels:
      None

      Description

      FreeIPA is a powerful tool for unifying identity and Kerberos credentials across a cluster.

      A great value add for Ambari would be to provide support for using FreeIPA to kerberize services. This would allow for:

      1) Better HCFS interoperability, because first-class GID/UID is critical for certain file systems (GlusterFS, Lustre, and any other file system which uses kernel / FUSE APIs for determining identity).

      2) Better enterprise interoperability. Because FreeIPA makes it easy to interoperate with different identity solutions (like Active Directory), it would make Ambari easier to adopt for various enterprises.

      3) Broadens Ambari's scope. Now Ambari could also allow people to set up the users of their clusters, and at least some of the security features of their clusters, all from one interface (no more manual handling of TGTs and such - it could all be done quite easily via the Ambari UI, which could make calls to underlying FreeIPA clients).

      1. AMBARI-6432.patch
        91 kB
        Bolke de Bruin
      2. AMBARI-6432.patch
        68 kB
        Bolke de Bruin
      3. AMBARI-6432.trunk.v1.patch
        63 kB
        Bolke de Bruin
      4. AMBARI-6432.trunk.v2.patch
        62 kB
        Bolke de Bruin
      5. AMBARI-6432.trunk.v3.patch
        69 kB
        Bolke de Bruin
      6. AMBARI-6432.trunk.v4.patch
        68 kB
        Bolke de Bruin
      7. AMBARI-6432.trunk.v5.patch
        69 kB
        Bolke de Bruin
      8. AMBARI-6432.trunk.v5.patch
        69 kB
        Bolke de Bruin
      9. AMBARI-6432.trunk.v6.patch
        96 kB
        Bolke de Bruin
      10. AMBARI-6432.trunk.v7.patch
        96 kB
        Bolke de Bruin
      11. AMBARI-6432.trunk.v8.patch
        96 kB
        Bolke de Bruin
      12. AMBARI-6432-FreeIPA.patch
        63 kB
        Bolke de Bruin
      13. ipa-patch-v0.5.patch
        51 kB
        Bolke de Bruin

          Activity

          jayunit100 jay vyas added a comment -

          I've just gotten some feedback from the FreeIPA folks, summarizing their thoughts inline here:

          a) Authentication into Ambari
          http://www.freeipa.org/page/Web_App_Authentication

          b) Security and identity of the stack
          FreeIPA can provide centralised management for service accounts and their keys and certificates, and they smart proxying use FreeIPA as hub for management system to connect + hosts that would be clients/hadoop slaves
          See http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm as an example + http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration

          The next steps for this task would be to draw all the connections between the components (masters, slaves) and how they communicate.

          jayunit100 jay vyas added a comment -

          seems like there are already some others using FreeIPA w/ ambari

          harisekhon Hari Sekhon added a comment -

          Jay,

          I wrote a Perl program that does FreeIPA for Ambari that solves this today - it's got full option parsing and error handling at every step. It parses the same CSV that Ambari exports, it just needs an existing FreeIPA system and even distributes the keytabs over ssh, and comes with a sizeable --help description and listing of all the command line switches. You can find it on my github:

          git clone https://github.com/harisekhon/toolbox
          cd toolbox
          make
          
          ./ambari_freeipa_kerberos_setup.pl --help

          Best Regards,

          Hari Sekhon
          (ex-Cloudera)
          http://www.linkedin.com/in/harisekhon

          jayunit100 jay vyas added a comment -

          This is great news. This hopefully will start the ball rolling on this as an official Ambari feature. I'm neither an expert in Ambari nor FreeIPA (although we've used them together by manually installing FreeIPA's LDAP and then running Ambari). Thanks for sharing this snippet, Hari !!!!!!!!

          jayunit100 jay vyas added a comment -

          Sorry for the quadruple post above. I clicked the button a couple of times .... maybe a committer or someone w/ karma can delete some of the dupe comments..... thanks again Hari Sekhon

          bolke Bolke de Bruin added a comment -

          I have implemented IPA support in my fork at https://github.com/bolkedebruin/ambari. It implements it as a separate kerberos service (ie like MIT, AD). On a couple of things I need some feedback or help:

          • Where do I need to place (ie. which stack) the additional parameters "admin_keytab" and "group"?
          • It seems that not everything is picked up for the ui (like description or location) for these additional parameters. What am I doing wrong?

          Caveats:

          • Some idiosyncrasies of IPA and Ambari are difficult to match. For example Ambari likes to create its key tabs programmatically, but this is incompatible with IPA as additional encryption types are generated only after a key tab is requested (and generated in IPA 4) on the server. This means that, in my implementation, the Ambari generated password is ignored for user principals or service principals that get a key tab generated.
          • Also, due to the fact IPA requires a password change on first use for user principals. Also if a key tab is generated for this user (which is a bit weird and I will need to ask to the IPA guys). Therefore, the user administrator (the principal in admin_keytab) requires additional permissions to be able to write to krbPasswordExpiration (ipa permission-add "Set Password Expiry" --permissions=write --type=user --attrs=krbPasswordExpiration, ipa privilege-add-permission "User Administrators" --permission="Set Password Expiry"). Question: is this the right way to go or should an "expect" utility be implemented so that the password can be set?
          • Tests still need to be written.
          bolke Bolke de Bruin added a comment -

          Working IPA implementation, but without full testing yet. For inspection not for merging.

          bolke Bolke de Bruin added a comment -

          Any comments?

          jayunit100 jay vyas added a comment -

          Unfortunately I'm neither an Ambari nor an IPA expert. Can someone on the security/identity side of things review this with thoughts.

          Possibly some red hatters might be interested also, subin Erin A Boyd Scott Creeley , since it is FreeIPA after all

          harisekhon Hari Sekhon added a comment -

          I've previously used krbPasswordExpiration before and would prefer that to an "expect" method supplying the password.

          bolke Bolke de Bruin added a comment -

          This patch adds support to Ambari for FreeIPA.

          bolke Bolke de Bruin added a comment -

          Review request created: https://reviews.apache.org/r/44148/

          bolke Bolke de Bruin added a comment -

          Small update:

          1. Match filename format for qa
          2. Move LOG.info to LOG.debug

          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12790444/AMBARI-6432.trunk.v1.patch
          against trunk revision .

          -1 patch. Top-level trunk compilation may be broken.

          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/5612//console

          This message is automatically generated.

          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12790481/AMBARI-6432.trunk.v1.patch
          against trunk revision .

          -1 patch. Top-level trunk compilation may be broken.

          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/5620//console

          This message is automatically generated.

          bolke Bolke de Bruin added a comment -

          New version of the patch that addresses the issues mentioned on the review board.

          • Code layout (2 vs 4)
          • Better logging
          • Try and catch separate for each stream
          • Configurable timeout for the password chat
          • Bugfix
          rlevas Robert Levas added a comment -

          Yusaku Sako, Jaimin Jetly... Can you take a look at this patch and review the UI updates? Or suggest someone that could do it?

          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12790579/AMBARI-6432.trunk.v2.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests in ambari-server ambari-web:

          org.apache.ambari.server.serveraction.kerberos.IPAKerberosOperationHandlerTest

          The test build failed in ambari-web

          Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/5637//testReport/
          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/5637//console

          This message is automatically generated.

          bolke Bolke de Bruin added a comment -

          Addressing issues mentioned on the review board:

          • Password chat timeout can now be set
          • Does/should not overwrite credentials from JAAS anymore (not tested with JAAS active btw)
          • Password expiry now moves
          u39kun Yusaku Sako added a comment -

          Denys Buzhor can you help review the UI part?

          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12790769/AMBARI-6432.trunk.v3.patch
          against trunk revision .

          -1 patch. Top-level trunk compilation may be broken.

          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/5663//console

          This message is automatically generated.

          BuzhorDenys Denys Buzhor added a comment -

          Yusaku Sako, Bolke de Bruin left 2 comments regarding UI part on review board.

          bolke Bolke de Bruin added a comment -

          Denys Buzhor I fixed the errors. If you know why "manage_krb5_conf" and "installed_packages" are not turned off I would appreciate it (This seems to be a bug already present as it does not do anything on "Manual KDC" either.)

          BuzhorDenys Denys Buzhor added a comment -

          Bolke de Bruin "manage_krb5_conf" and "installed_packages" these properties should be turned off during Configure Kerberos step on Kerberos Wizard?

          bolke Bolke de Bruin added a comment -

          Yes, IPA manages /etc/krb5.conf and it is assumed (due to previous enrollment) packages have been installed already (and otherwise they wouldn't be sufficient).

          I tried doing this in tweakIpaKdcProperties, but it seems not to work (also not with === 'ipa').

          BuzhorDenys Denys Buzhor added a comment -

          In case of Kerberos Wizard you can set desired values in ambari-web/app/controllers/main/admin/kerberos/step2_controller.js inside filterConfigs method then these properties will be displayed unchecked. But on transition to the next step (step3) values for these properties will be handled by tweakIpaKdcProperties method which will set values to false and then will send request to save configurations, so they will be always stored as false.

          Same flow for Manual Kerberos setup so there is no bug there.

          BuzhorDenys Denys Buzhor added a comment -

          Bolke de Bruin change this condition:

          if (properties['kdc_type'].toLowerCase().indexOf("ipa") > 0) {
          

          with strict check:

          if (properties['kdc_type'].toLowerCase() === 'ipa') {
          
          BuzhorDenys Denys Buzhor added a comment -

          And just checked manage_krb5_conf. You're right its value will not be changed. It will be changed for manage_identities and install_packages only.

          BuzhorDenys Denys Buzhor added a comment -

          This is because createKerberosSiteObj: function (site, tag) { called 2 times with different site and tag, for kerberos-env and krb5-conf.

          Since the kdc_type property is included in kerberos-env.xml, properties['kdc_type'] will be absent in krb5-conf; as a result, kerberos-env properties will be updated by tweakManualKdcProperties and tweakIpaKdcProperties.

          BuzhorDenys Denys Buzhor added a comment -

          Instead of:

          if (properties['kdc_type'].toLowerCase().indexOf("ipa") > 0)
          

          you can write:

          if (this.get('content.kerberosOption') === App.router.get('mainAdminKerberosController.kdcTypesValues')['ipa'])
          

          this.get('content.kerberosOption') - stores selected type from step1 e.g. Existing IPA.
          App.router.get('mainAdminKerberosController.kdcTypesValues') - stores map of short name to displayed text.
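
The failure modes discussed in the comments above, as an added example that is not part of the thread or of Ambari's code. The site objects, their values and the helper names (`isIpaLoose`, `isIpaStrict`, `probe`, `tweakPerSite`, `tweakAllSites`) are constructed, and which flags are switched off for IPA is an assumption drawn from the intent stated in the thread.

```javascript
// Added example. Property names are taken from the thread; the site objects,
// their values and the helper names are constructed for this demonstration.
const SITES = {
  'kerberos-env': { kdc_type: 'ipa', manage_identities: 'true', install_packages: 'true' },
  'krb5-conf': { manage_krb5_conf: 'true' } // this site carries no kdc_type
};

// Check as first posted: indexOf() returns 0 for a match at the start of the
// string, so "> 0" rejects the exact value 'ipa' and accepts any longer value
// that merely contains it.
function isIpaLoose(properties) {
  return properties['kdc_type'].toLowerCase().indexOf('ipa') > 0;
}

// Strict check from the review, with a guard for sites that lack kdc_type.
function isIpaStrict(properties) {
  const kdcType = properties['kdc_type'];
  return typeof kdcType === 'string' && kdcType.toLowerCase() === 'ipa';
}

// Run a check and report a thrown error by name instead of crashing.
function probe(check, properties) {
  try {
    return check(properties);
  } catch (e) {
    return e.name;
  }
}

// Per-site tweak, mirroring a function that is called once per site: the
// krb5-conf call cannot see kdc_type, so manage_krb5_conf is left untouched.
function tweakPerSite(properties) {
  const out = Object.assign({}, properties);
  if (isIpaStrict(out)) {
    for (const key of ['install_packages', 'manage_krb5_conf']) {
      if (key in out) out[key] = 'false';
    }
  }
  return out;
}

// Alternative: decide the KDC type once from kerberos-env, then apply the
// decision to every site. The list of flags to disable is an assumption
// (IPA owns /etc/krb5.conf and packages are already installed at enrollment).
function tweakAllSites(sites) {
  const ipa = isIpaStrict(sites['kerberos-env'] || {});
  const out = {};
  for (const [name, properties] of Object.entries(sites)) {
    out[name] = Object.assign({}, properties);
    if (!ipa) continue;
    for (const key of ['install_packages', 'manage_krb5_conf']) {
      if (key in out[name]) out[name][key] = 'false';
    }
  }
  return out;
}

// Summary of what each check does with the constructed inputs.
console.log({
  looseOnIpa: probe(isIpaLoose, { kdc_type: 'ipa' }),
  looseOnLongerValue: probe(isIpaLoose, { kdc_type: 'existing-ipa' }),
  looseOnKrb5Conf: probe(isIpaLoose, SITES['krb5-conf']),
  strictOnIpa: probe(isIpaStrict, { kdc_type: 'IPA' }),
  strictOnKrb5Conf: probe(isIpaStrict, SITES['krb5-conf']),
  perSiteKrb5Conf: tweakPerSite(SITES['krb5-conf']),
  allSites: tweakAllSites(SITES)
});
```
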

          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12790918/AMBARI-6432.trunk.v4.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests in ambari-server ambari-web:

          org.apache.ambari.server.serveraction.kerberos.IPAKerberosOperationHandlerTest

          The test build failed in ambari-web

          Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/5678//testReport/
          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/5678//console

          This message is automatically generated.

          bolke Bolke de Bruin added a comment -

          Ok. So if I want to make it intuitive for the user, what should I do to uncheck these options in the UI?

          bolke Bolke de Bruin added a comment -
          • IPA Tests now depend on environment variable HAS_IPA to be defined
          • Web tests should now pass
          • Per comments tweakIpaProperties updated.
          bolke Bolke de Bruin added a comment -

          Retry to kick off build

          bolke Bolke de Bruin added a comment -

          Can someone help out to get builds running? I am not sure what is off and I'd like to get this merged.

          hadoopqa Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12791665/AMBARI-6432.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in ambari-server ambari-web.

          Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/5744//testReport/
          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/5744//console

          This message is automatically generated.

          bolke Bolke de Bruin added a comment -

          Robert Levas Denys Buzhor Anything left to do for this to be merged?

          rlevas Robert Levas added a comment -

          Bolke de Bruin... I think we wanted to ask you to add a feature flag to the UI portion of your code. Yusaku Sako should have the details on what this means. After that and if the review board has enough +1's I will be happy to commit the patch.

          BTW: I just took a look at the review and it appears to be closed as submitted. Was the patch already committed?

          bolke Bolke de Bruin added a comment -

          Robert Levas ah sorry my bad. Review is open again.

          I would indeed be interested what the feature flag is as I don't have a clue now.

          u39kun Yusaku Sako added a comment -

          Hi Bolke de Bruin
          Feature Flags could be used to get new features committed to the code base so that developers and users can try out such features but not expose them as generally available, stable features yet. There's a page for toggling on experimental features that have been coded to utilize feature flags that the end user can go to on a live Ambari Server. Also, it is possible to toggle the flags on/off at build time in the generated app.js (deployed under /usr/lib/ambari-server/javascripts/app.js.gz|app.js).
          Here's a (new) wiki describing feature flags: https://cwiki.apache.org/confluence/display/AMBARI/Feature+Flags

          FreeIPA support is a great addition. It would be good if we can wrap this under a feature flag, so that we can give the end users access to this feature if they want to try it out. Also vendors can turn this feature on/off based on whether they want to officially support this or not.

          bolke Bolke de Bruin added a comment -

          Yusaku Sako Thanks that will help.

          In the meantime I also hit a bug on which I need some guidance how to fix it. FreeIPA does not support uppercase user principal names. If the cluster name is in uppercase a test identity will be generated with "myname@REALM" . For the tests to pass I need it to be "myname@REALM".

          What would be the best way to fix this?

          1) Generate the test identity in lowercase (where is this generated? I could not find it yet)
          2) Ask the user at step 1 to verify the cluster name is in lower case
          3) adjust service_check.py to convert to lowercase if a user principal is encountered
          4) use auth_to_local rules and apply these to the test identity

          In my opinion option 1 seems the best option. It would affect other Kerberos providers as well, but as it is only the test identity I would say it would not matter.

          Please advise

          bolke Bolke de Bruin added a comment -

          Ah I know where it is set now and that it is user configurable. Now to find out how to make this lowercase in case IPA is selected.

          rlevas Robert Levas added a comment -

          Yusaku Sako, Bolke de Bruin... The issue is not limited to the test identity. All headless identities, by default, append the cluster name in order to generate a unique name in the event multiple clusters share the same KDC.

          A possible solution could be to add a new function to the variable replacement facility to perform a "to lower" operation on the value - see org.apache.ambari.server.state.kerberos.VariableReplacementHelper.

          If we go that route, the cluster name placeholder can be changed to look like:

          ${cluster_name|toLower}
          

          Or we can add a new kerberos-env property to set all principal names to lowercase - kerberos-env/force_lowercase_principal_names. Then generate the principal names as needed - there may be several places that we need to do this or maybe perform an operation on the Kerberos Descriptor before we do any work with it.
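
Added example (not part of the comment above and not Ambari's VariableReplacementHelper): a Python sketch of the `${cluster_name|toLower}` idea, showing that lower-casing only the cluster-name component gives a lower-case headless principal while the realm keeps its case. The principal template, the sample values and all function names are assumptions made for the illustration.

```python
import re

# Functions that may follow "|" inside a placeholder. The thread proposes
# toLower; the registry shape is an assumption of this sketch.
FUNCTIONS = {"toLower": str.lower}

# Matches ${name}, ${config-type/name} and ${name|function}.
PLACEHOLDER = re.compile(r"\$\{([^{}|]+)((?:\|[A-Za-z]+)*)\}")


def replace_variables(template, config):
    """Expand the placeholders in template from config.

    config maps a configuration type to its properties; the empty type ""
    holds global values such as cluster_name and realm.
    """
    def expand(match):
        config_type, _, key = match.group(1).strip().rpartition("/")
        try:
            value = config[config_type][key]
        except KeyError:
            raise KeyError("unresolved placeholder: " + match.group(0)) from None
        # Apply each piped function in order, left to right.
        for name in filter(None, match.group(2).split("|")):
            if name not in FUNCTIONS:
                raise ValueError("unknown function: " + name)
            value = FUNCTIONS[name](value)
        return value

    result = PLACEHOLDER.sub(expand, template)
    if "${" in result:
        # Fail closed instead of creating a principal with a literal "${".
        raise ValueError("malformed placeholder in: " + template)
    return result


def has_uppercase_user_primary(principal):
    """True for a headless (user) principal whose primary has upper-case letters.

    Service principals (primary/instance@REALM) are skipped, and the realm
    is not inspected because realms are upper case by convention.
    """
    name = principal.rsplit("@", 1)[0]
    if "/" in name:
        return False
    return name != name.lower()


# Constructed sample values, not taken from a real cluster.
CONFIG = {
    "": {"cluster_name": "PROD01", "realm": "EXAMPLE.COM"},
    "cluster-env": {"smokeuser": "ambari-qa"},
}
DEFAULT_TEMPLATE = "${cluster-env/smokeuser}-${cluster_name}@${realm}"
LOWER_TEMPLATE = "${cluster-env/smokeuser}-${cluster_name|toLower}@${realm}"

if __name__ == "__main__":
    for template in (DEFAULT_TEMPLATE, LOWER_TEMPLATE):
        principal = replace_variables(template, CONFIG)
        flag = "upper-case primary" if has_uppercase_user_primary(principal) else "ok"
        print(principal, flag)
```
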

          rlevas Robert Levas added a comment -

          Bolke de Bruin... I assume your patch expects IPA version 4.x. I didn't notice in the checklist if a version was specified. On my Centos6.5 cluster, yum installs version 3.0.0:

          [root@c6501 ~]# yum info ipa-server
          Loaded plugins: fastestmirror
          Loading mirror speeds from cached hostfile
           * base: mirror.net.cen.ct.gov
           * epel: mirror.us.leaseweb.net
           * extras: mirror.us.leaseweb.net
           * updates: centos.mirror.constant.com
          Installed Packages
          Name        : ipa-server
          Arch        : x86_64
          Version     : 3.0.0
          Release     : 47.el6.centos.1
          Size        : 4.2 M
          Repo        : installed
          From repo   : updates
          Summary     : The IPA authentication server
          URL         : http://www.freeipa.org/
          License     : GPLv3+
          Description : IPA is an integrated solution to provide centrally managed Identity (machine,
                      : user, virtual machines, groups, authentication credentials), Policy
                      : (configuration settings, access control information) and Audit (events,
                      : logs, analysis thereof). If you are installing an IPA server you need
                      : to install this package (in other words, most people should NOT install
                      : this package).
          

          When Ambari creates principals, I get the following error:

          [root@c6501 ~]# ipa service-add --ok-as-delegate=TRUE HTTP/c6502.ambari.apache.org@HWDEV.ORG
          Usage: ipa [global-options] service-add PRINCIPAL [options]
          
          ipa: error: no such option: --ok-as-delegate
          

          So we should make sure the user knows what version of IPA is supported.

          bolke Bolke de Bruin added a comment -

          Robert Levas On the review board I mentioned it, however I will see if I can remove the "ok-as-delegate" option, that probably makes it ipa 3 compatible (you really should use 4). Furthermore there is another issue (next to the lowercase/uppercase) that Ambari is regenerating the test user principal keytab for every host (which is weird as it is not host bound) and this makes the password reset for that user, so only the last keytab is valid. So it fails validation. I don't like this behavior but will see if I can implement a password chat for this.

          Thanks for the approach to how to get it to lowercase, I will look into that.

          rlevas Robert Levas added a comment -

          Bolke de Bruin... I am trying to figure out how to upgrade to 4, but I have gotten side-tracked. It would have been nice if yum installed it for me. Bummer.

          Regarding the password change issue... This is handled internally by Ambari by generating the keytabs itself. Because you are asking IPA to generate the keytab file for you, it is probably generating a random key each time. You will see this for all headless principals. I will have to check the logic for MIT KDC and AD, but I was under the impression that the code was smart enough to know that a keytab file was created and cached so it only did it once. Maybe the test principal logic isn't as smart.

          bolke Bolke de Bruin added a comment -

          CentOS 7 has IPA 4 by default...

          On the password change issue. IPA does not set any kvno if the keytab has not been generated by IPA itself so letting Ambari generate it is a no go. I consider the behavior of Ambari actually a workaround for AD as for the other KDCs command line tools are available for linux.

          The test logic indeed does not seem that smart, unfortunately.

          bolke Bolke de Bruin added a comment -

          I think I have hit a bug in CreateKeytabFilesServerAction. Newly generated keytabs for non service principals can reside in a cache. However, they seem never to be stored into this cache. Hence, keytabs always get regenerated.

          bolke Bolke de Bruin added a comment -

          Robert Levas This latest patch is an intermediate update. A couple of things have been updated

          1. toLower() has been implemented and applied
          2. A cache for keytabs was added to createKeytab - this is the workaround for the fact that this function gets called multiple times for the same principal and thus generates a new keytab with a new kvno. I tried working with Ambari's internal createKeytab, but that did not generate valid keytabs ("password incorrect") (see also the commented out code).
          3. Some smaller bugs have been squashed (using principal names instead of primary for example)
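
Added example (not part of the patch or of Ambari): a Python model of the keytab problem discussed in the comments above, where each keytab request creates new keys and a new kvno, so a headless principal's keytab has to be requested once and reused for every host. `ModelKdc`, `KeytabCache` and the host and principal names are constructed for the illustration.

```python
import os


class ModelKdc:
    """Model of the behaviour described in the thread: every keytab request
    creates fresh random keys and raises the key version number (kvno), so
    only the most recently issued keytab still matches the KDC."""

    def __init__(self):
        self._current = {}  # principal -> (kvno, key)

    def get_keytab(self, principal):
        kvno = self._current.get(principal, (0, None))[0] + 1
        key = os.urandom(16)
        self._current[principal] = (kvno, key)
        return {"principal": principal, "kvno": kvno, "key": key}

    def accepts(self, keytab):
        current = self._current.get(keytab["principal"])
        return current == (keytab["kvno"], keytab["key"])


class KeytabCache:
    """Requests a keytab once per principal and reuses it for every host."""

    def __init__(self, kdc):
        self._kdc = kdc
        self._keytabs = {}

    def get(self, principal):
        if principal not in self._keytabs:
            # Store the result: a cache that is read but never written
            # regenerates the keytab on every call.
            self._keytabs[principal] = self._kdc.get_keytab(principal)
        return self._keytabs[principal]

    def clear(self):
        # Key material should not outlive the operation that needs it.
        self._keytabs.clear()


def distribute_uncached(kdc, principal, hosts):
    """One keytab request per host: each request invalidates the previous one."""
    return {host: kdc.get_keytab(principal) for host in hosts}


def distribute_cached(kdc, principal, hosts):
    """One keytab request per principal: every host receives the same keys."""
    cache = KeytabCache(kdc)
    try:
        return {host: cache.get(principal) for host in hosts}
    finally:
        cache.clear()


def hosts_with_valid_keytab(kdc, keytabs):
    return sorted(host for host, kt in keytabs.items() if kdc.accepts(kt))


# Constructed sample values.
PRINCIPAL = "ambari-qa-prod01@EXAMPLE.COM"
HOSTS = ["host1.example.com", "host2.example.com", "host3.example.com"]

if __name__ == "__main__":
    kdc = ModelKdc()
    uncached = distribute_uncached(kdc, PRINCIPAL, HOSTS)
    print("uncached:", hosts_with_valid_keytab(kdc, uncached))

    kdc = ModelKdc()
    cached = distribute_cached(kdc, PRINCIPAL, HOSTS)
    print("cached:  ", hosts_with_valid_keytab(kdc, cached))
```
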

          bolke Bolke de Bruin added a comment -

          And it should be possible (did not try) to use this with IPA 3

          bolke Bolke de Bruin added a comment -

          Robert Levas Yusaku Sako v6 patch should address all issues mentioned. I would like to consider it Final if it passes the tests (can someone kick those off, it does not seem to run on uploading a patch?).

          • FreeIPA 3 should work
          • Marked experimental by 'enableIpa' at the experimental page
          • Tested on 10+2 node system
          • toLower Function implemented in VariableReplacementHelper and applied where needed

          Note:

          • There seems to be a bug in how Ambari handles adding and removing principals: it gets called multiple times for these operations. By turning on debugging output for the Kerberos classes (and use IPA as the other classes don't log enough) you can see this. I haven't been able to look at this.
          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12792960/AMBARI-6432.trunk.v6.patch
          against trunk revision .

          -1 patch. The patch command could not apply the patch.

          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/5842//console

          This message is automatically generated.

          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12793209/AMBARI-6432.trunk.v7.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 8 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests in ambari-funtest ambari-server ambari-web:

          org.apache.ambari.server.state.kerberos.VariableReplacementHelperTest
          org.apache.ambari.server.controller.AmbariManagementControllerImplTest
          org.apache.ambari.server.controller.internal.ArtifactResourceProviderTest

          Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/5855//testReport/
          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/5855//console

          This message is automatically generated.

          bolke Bolke de Bruin added a comment -
          • Fixes test (VariableReplacementHelperTest)
          • Add some javadoc
          bolke Bolke de Bruin added a comment -

          Robert Levas Fixed typo in the VariableReplacementHelperTest (and tested locally, had some trouble doing this before). Other failures seem unrelated to me.

          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12793397/AMBARI-6432.trunk.v8.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 8 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests in ambari-funtest ambari-server ambari-web:

          org.apache.ambari.server.controller.internal.ArtifactResourceProviderTest
          org.apache.ambari.server.controller.AmbariManagementControllerImplTest

          Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/5865//testReport/
          Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/5865//console

          This message is automatically generated.

          rlevas Robert Levas added a comment -

          Thanks for fixing that. The other failures didn't seem relevant to your patch, so I didn't point them out. I just submitted a patch to fix one of the issues (AMBARI-15407), and I can't remember what the other issue was.

          I plan to apply your patch to my sandbox and play with the integration today - ideally with IPA 4.x on CentOS 7. I have my VMs building right now. So hopefully we can close the loop on this and get your patch committed. Sorry for the delay on this.

          bolke Bolke de Bruin added a comment -

          How is the testing going? I am almost off to holidays and it would be really nice to have this in before that.

          rlevas Robert Levas added a comment -

          Sorry for the delay. I got side tracked on a bunch of other issues. Also I failed to get FreeIPA installed on CentOS6 and for some reason Ambari no longer properly installs on CentOS7.

          I gave my +1 on the review board assuming all worked fine for you while testing.

          bolke Bolke de Bruin added a comment -

          Yusaku Sako Robert Levas how to progress from here?

          rlevas Robert Levas added a comment -

          Bolke de Bruin.... I will commit the patch sometime tonight or tomorrow morning.

          rlevas Robert Levas added a comment -

          Bolke de Bruin.. I committed the patch to trunk

          commit 476d87b70b42a58914c69c3ce8098531d9405e48
          Author: Bolke de Bruin <bdbruin@gmail.com>
          Date:   Wed Mar 23 17:55:01 2016 -0400
          
              AMBARI-6432. FreeIPA Support in Ambari (Bolke de Bruin via rlevas)
          

          You can resolve this JIRA and close your review.

          bolke Bolke de Bruin added a comment -

          That's great news! Thanks

          hudson Hudson added a comment -

          FAILURE: Integrated in Ambari-trunk-Commit #4535 (See https://builds.apache.org/job/Ambari-trunk-Commit/4535/)
          AMBARI-6432. FreeIPA Support in Ambari (Bolke de Bruin via rlevas) (rlevas: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=476d87b70b42a58914c69c3ce8098531d9405e48)

          • ambari-web/app/controllers/main/admin/kerberos/step2_controller.js
          • ambari-web/app/controllers/main/admin/kerberos/step1_controller.js
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerFactory.java
          • ambari-server/src/main/resources/stacks/HDP/2.3.ECS/services/ECS/kerberos.json
          • ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java
          • ambari-funtest/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json
          • ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
          • ambari-server/src/main/resources/stacks/HDP/2.3.GlusterFS/services/ACCUMULO/kerberos.json
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
          • ambari-web/app/controllers/main/admin/kerberos/step5_controller.js
          • ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_1_3.json
          • ambari-server/src/main/resources/stacks/HDP/2.3.ECS/services/HBASE/kerberos.json
          • ambari-web/app/config.js
          • ambari-server/src/main/resources/common-services/STORM/0.9.1.2.1/kerberos.json
          • ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/kerberos.json
          • ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
          • ambari-web/app/controllers/main/admin/kerberos.js
          • ambari-web/test/utils/object_utils_test.js
          • ambari-web/app/views/common/controls_view.js
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KDCType.java
          • ambari-web/app/messages.js
          • ambari-server/src/main/java/org/apache/ambari/server/utils/ShellCommandUtil.java
          • ambari-server/src/main/resources/stacks/HDP/2.0.6/kerberos.json
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java
          • ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json
          • ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
          • ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java
          • ambari-server/src/main/resources/common-services/SPARK/1.4.1.2.3/kerberos.json
          • ambari-server/src/main/resources/stacks/HDP/2.3/services/ACCUMULO/kerberos.json
          • ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandlerTest.java
          • ambari-web/app/controllers/main/service/info/configs.js
          • ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_simple.json
          • ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_no_hdfs.json
          • ambari-server/src/main/resources/common-services/SPARK/1.2.0.2.2/kerberos.json
          • ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java
          • ambari-web/app/data/HDP2/site_properties.js
          • ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json
          rlevas Robert Levas added a comment -

          yup..

          Sorry for the delay.. it's been a busy few weeks for me. One of these days I will actually be able to try out your patch - end to end. FreeIPA isn't as easy to install as the MIT KDC.

          bolke Bolke de Bruin added a comment -

          Really? I have to digress. Yum install ipa-server bind bind-dyndb-ldap. ipa-server-install --setup-dns.

          But np

          rlevas Robert Levas added a comment -

          To install FreeIPA 4, you need CentOS7. Ambari wasn't installing properly on CentOS7.

          Installing FreeIPA 3 kept failing in ipa-server-install on CentOS6 with some CA issue. I didn't have time to investigate.

          abajwa Ali Bajwa added a comment -

          Robert Levas Usually what I find is that IPA wants port 8080 and 8443 to be open. So usually when installing FreeIPA on single node I change Ambari/Knox ports from the default.

          Btw this is great stuff! As the next logical step it would be nice to have FreeIPA installed/managed by Ambari as well. Would be great to have a separate JIRA on that for future. I have written a basic Ambari service as a potential starting point for this:
          https://github.com/hortonworks-gallery/ambari-freeipa-service

          In case it's useful I have a single node VM running HDP 2.3/CentOS6 with FreeIPA installed/running as Ambari service with security enabled:
          https://github.com/abajwa-hw/security-workshops#current-release

          Thanks
          Ali


            People

            • Assignee:
              bolke Bolke de Bruin
              Reporter:
              jayunit100 jay vyas
            • Votes:
              6
              Watchers:
              18
