Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-8542

Provide a way to parse and handle Kerberos descriptors

    XMLWordPrintableJSON

Details

    Description

      Provide the ability to read in Kerberos descriptor files (kerberos.json) from the stack at various levels (stack-level, service-level) and to merge them into a single hierarchy. The composite Kerberos descriptor data will be used to control the UI (Kerberos Wizard - see AMBARI-7450).

      An example stack-level Kerberos Descriptor:

      {
        "properties": {
          "realm": "${cluster-env/kerberos_domain}",
          "keytab_dir": "/etc/security/keytabs"
        },
        "identities": [
          {
            "name": "spnego",
            "principal": {
              "value": "HTTP/_HOST@${realm}"
            },
            "keytab": {
              "file": "${keytab_dir}/spnego.service.keytab",
              "owner": {
                "name": "root",
                "access": "r"
              },
              "group": {
                "name": "${cluster-env/user_group}",
                "access": "r"
              }
            }
          }
        ],
        "configurations": [
        ]
      }
      

      An example service-level Kerberos Descriptor - HDFS:

      {
        "configurations": [
          {
            "core-site": {
              "hadoop.security.authentication": "kerberos",
              "hadoop.rpc.protection": "authentication; integrity; privacy",
              "hadoop.security.authorization": "true"
            }
          }
        ],
        "components": [
          {
            "name": "NAMENODE",
            "identities": [
              {
                "name" : "namenode_nn",
                "principal": {
                  "value": "nn/_HOST@${realm}",
                  "configuration": "hdfs-site/dfs.namenode.kerberos.principal"
                },
                "keytab": {
                  "file": "${keytab_dir}/nn.service.keytab",
                  "owner": {
                    "name": "${hadoop-env/hdfs_user}",
                    "access": "r"
                  },
                  "group": {
                    "name": "${cluster-env/user_group}",
                    "access": ""
                  },
                  "configuration": "hdfs-site/dfs.namenode.keytab.file"
                }
              },
              {
                "name" : "namenode_host",
                "principal": {
                  "value": "host/_HOST@${realm}",
                  "configuration": "hdfs-site/dfs.namenode.kerberos.https.principal"
                },
                "keytab": {
                  "file": "${keytab_dir}/host.keytab",
                  "owner": {
                    "name": "${hadoop-env/hdfs_user}",
                    "access": "r"
                  },
                  "group": {
                    "name": "${cluster-env/user_group}",
                    "access": ""
                  },
                  "configuration": "hdfs-site/dfs.namenode.keytab.file"
                }
              },
              {
                "name" : "/spnego",
                "principal": {
                  "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
                },
                "keytab": {
                  "configuration": "hdfs/dfs.web.authentication.kerberos.keytab"
                }
              }
            ]
          },
          {
            "name": "DATANODE",
            "identities": [
              {
                "name" : "datanode_dn",
                "principal": {
                  "value": "dn/_HOST@${realm}",
                  "configuration": "hdfs-site/dfs.namenode.kerberos.principal"
                },
                "keytab": {
                  "file": "${keytab_dir}/dn.service.keytab",
                  "owner": {
                    "name": "${hadoop-env/hdfs_user}",
                    "access": "r"
                  },
                  "group": {
                    "name": "${cluster-env/user_group}",
                    "access": ""
                  },
                  "configuration": "hdfs-site/dfs.namenode.keytab.file"
                }
              },
              {
                "name" : "datanode_host",
                "principal": {
                  "value": "host/_HOST@${realm}",
                  "configuration": "hdfs-site/dfs.datanode.kerberos.https.principal"
                },
                "keytab": {
                  "file": "${keytab_dir}/host.keytab.file",
                  "owner": {
                    "name": "${hadoop-env/hdfs_user}",
                    "access": "r"
                  },
                  "group": {
                    "name": "${cluster-env/user_group}",
                    "access": ""
                  },
                  "configuration": "hdfs-site/dfs.namenode.secondary.keytab.file"
                }
              }
            ]
          },
          {
            "name": "SECONDARY_NAMENODE",
            "identities": [
              {
                "name" : "secondary_namenode_nn",
                "principal": {
                  "value": "nn/_HOST@${realm}",
                  "configuration": "hdfs-site/dfs.namenode.secondary.kerberos.principal"
                },
                "keytab": {
                  "file": "${keytab_dir}/snn.service.keytab",
                  "owner": {
                    "name": "${hadoop-env/hdfs_user}",
                    "access": "r"
                  },
                  "group": {
                    "name": "${cluster-env/user_group}",
                    "access": ""
                  },
                  "configuration": "hdfs-site/dfs.namenode.secondary.keytab.file"
                }
              },
              {
                "name" : "secondary_namenode_host",
                "principal": {
                  "value": "host/_HOST@${realm}",
                  "configuration": "hdfs-site/dfs.namenode.secondary.kerberos.https.principal"
                },
                "keytab": {
                  "file": "${keytab_dir}/host.keytab.file",
                  "owner": {
                    "name": "${hadoop-env/hdfs_user}",
                    "access": "r"
                  },
                  "group": {
                    "name": "${cluster-env/user_group}",
                    "access": ""
                  },
                  "configuration": "hdfs-site/dfs.namenode.secondary.keytab.file"
                }
              },
              {
                "name" : "/spnego",
                "principal": {
                  "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
                },
                "keytab": {
                  "configuration": "hdfs/dfs.web.authentication.kerberos.keytab"
                }
              }
            ]
          }
        ]
      }
      

      Attachments

        1. AMBARI-8542_01.patch
          158 kB
          Robert Levas
        2. AMBARI-8542_02.patch
          165 kB
          Robert Levas
        3. AMBARI-8542_02.patch
          164 kB
          Robert Levas

        Issue Links

          Activity

            People

              rlevas Robert Levas
              rlevas Robert Levas
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: