
AMBARI-21919. Kerberos identity references should use the "reference" attribute (rlevas)

Robert Levas 8 년 전
부모
커밋
2a0602104f
96개의 변경된 파일1039개의 추가작업 그리고 468개의 파일을 삭제
  1. 8 4
      ambari-funtest/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json
  2. 2 7
      ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/AbstractKerberosDescriptorContainer.java
  3. 1 1
      ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java
  4. 202 18
      ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
  5. 4 2
      ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/kerberos.json
  6. 4 2
      ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/kerberos.json
  7. 4 2
      ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json
  8. 4 2
      ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json
  9. 6 3
      ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json
  10. 6 3
      ambari-server/src/main/resources/common-services/ATLAS/0.7.0.3.0/kerberos.json
  11. 8 4
      ambari-server/src/main/resources/common-services/FALCON/0.5.0.2.1/kerberos.json
  12. 6 3
      ambari-server/src/main/resources/common-services/HAWQ/2.0.0/kerberos.json
  13. 6 3
      ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json
  14. 10 5
      ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/kerberos.json
  15. 12 6
      ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
  16. 14 7
      ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/kerberos.json
  17. 10 5
      ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/kerberos.json
  18. 20 10
      ambari-server/src/main/resources/common-services/HIVE/2.1.0.3.0/kerberos.json
  19. 6 3
      ambari-server/src/main/resources/common-services/KAFKA/0.10.0.3.0/kerberos.json
  20. 6 3
      ambari-server/src/main/resources/common-services/KAFKA/0.10.0/kerberos.json
  21. 4 2
      ambari-server/src/main/resources/common-services/KAFKA/0.9.0/kerberos.json
  22. 2 1
      ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/kerberos.json
  23. 2 1
      ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-30/kerberos.json
  24. 2 1
      ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/kerberos.json
  25. 4 2
      ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json
  26. 4 2
      ambari-server/src/main/resources/common-services/MAHOUT/1.0.0.2.3/kerberos.json
  27. 8 4
      ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/kerberos.json
  28. 8 4
      ambari-server/src/main/resources/common-services/OOZIE/4.2.0.2.3/kerberos.json
  29. 8 4
      ambari-server/src/main/resources/common-services/OOZIE/4.2.0.3.0/kerberos.json
  30. 2 1
      ambari-server/src/main/resources/common-services/PIG/0.12.0.2.0/kerberos.json
  31. 2 1
      ambari-server/src/main/resources/common-services/PIG/0.16.1.3.0/kerberos.json
  32. 12 6
      ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
  33. 12 6
      ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/kerberos.json
  34. 4 2
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json
  35. 6 3
      ambari-server/src/main/resources/common-services/RANGER_KMS/1.0.0.3.0/kerberos.json
  36. 2 1
      ambari-server/src/main/resources/common-services/SLIDER/0.60.0.2.2/kerberos.json
  37. 2 1
      ambari-server/src/main/resources/common-services/SLIDER/0.91.0.3.0/kerberos.json
  38. 4 2
      ambari-server/src/main/resources/common-services/SPARK/1.2.1/kerberos.json
  39. 8 4
      ambari-server/src/main/resources/common-services/SPARK/1.4.1/kerberos.json
  40. 2 1
      ambari-server/src/main/resources/common-services/SPARK/2.2.0/kerberos.json
  41. 8 4
      ambari-server/src/main/resources/common-services/SPARK2/2.0.0/kerberos.json
  42. 6 3
      ambari-server/src/main/resources/common-services/STORM/0.9.1/kerberos.json
  43. 10 5
      ambari-server/src/main/resources/common-services/STORM/1.0.1.3.0/kerberos.json
  44. 10 5
      ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json
  45. 10 5
      ambari-server/src/main/resources/common-services/STORM/1.1.0/kerberos.json
  46. 2 1
      ambari-server/src/main/resources/common-services/TEZ/0.4.0.2.1/kerberos.json
  47. 2 1
      ambari-server/src/main/resources/common-services/TEZ/0.9.0.3.0/kerberos.json
  48. 20 10
      ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/kerberos.json
  49. 24 12
      ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json
  50. 2 1
      ambari-server/src/main/resources/common-services/ZEPPELIN/0.6.0/kerberos.json
  51. 2 1
      ambari-server/src/main/resources/common-services/ZEPPELIN/0.7.0/kerberos.json
  52. 2 1
      ambari-server/src/main/resources/common-services/ZOOKEEPER/3.4.5/kerberos.json
  53. 3 2
      ambari-server/src/main/resources/kerberos_descriptor_schema.json
  54. 20 10
      ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json
  55. 2 1
      ambari-server/src/main/resources/stacks/HDP/2.3.ECS/services/ECS/kerberos.json
  56. 6 3
      ambari-server/src/main/resources/stacks/HDP/2.3.ECS/services/HBASE/kerberos.json
  57. 22 11
      ambari-server/src/main/resources/stacks/HDP/2.3.ECS/services/YARN/kerberos.json
  58. 18 9
      ambari-server/src/main/resources/stacks/HDP/2.3.GlusterFS/services/ACCUMULO/kerberos.json
  59. 4 2
      ambari-server/src/main/resources/stacks/HDP/2.3/services/ACCUMULO/kerberos.json
  60. 2 1
      ambari-server/src/main/resources/stacks/HDP/2.3/services/TEZ/kerberos.json
  61. 20 10
      ambari-server/src/main/resources/stacks/HDP/2.3/services/YARN/kerberos.json
  62. 10 5
      ambari-server/src/main/resources/stacks/HDP/2.5/services/FALCON/kerberos.json
  63. 10 5
      ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json
  64. 14 7
      ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json
  65. 20 10
      ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/kerberos.json
  66. 2 1
      ambari-server/src/main/resources/stacks/HDP/2.5/services/KNOX/kerberos.json
  67. 6 3
      ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json
  68. 12 6
      ambari-server/src/main/resources/stacks/HDP/2.5/services/SPARK/kerberos.json
  69. 24 12
      ambari-server/src/main/resources/stacks/HDP/2.5/services/YARN/kerberos.json
  70. 2 1
      ambari-server/src/main/resources/stacks/HDP/2.5/services/ZEPPELIN/kerberos.json
  71. 6 3
      ambari-server/src/main/resources/stacks/HDP/2.6/services/ATLAS/kerberos.json
  72. 16 8
      ambari-server/src/main/resources/stacks/HDP/2.6/services/DRUID/kerberos.json
  73. 14 7
      ambari-server/src/main/resources/stacks/HDP/2.6/services/HDFS/kerberos.json
  74. 8 4
      ambari-server/src/main/resources/stacks/HDP/2.6/services/OOZIE/kerberos.json
  75. 2 1
      ambari-server/src/main/resources/stacks/HDP/2.6/services/SPARK/kerberos.json
  76. 2 1
      ambari-server/src/main/resources/stacks/HDP/2.6/services/SPARK2/kerberos.json
  77. 4 2
      ambari-server/src/main/resources/stacks/HDP/2.6/services/SUPERSET/kerberos.json
  78. 24 12
      ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json
  79. 2 1
      ambari-server/src/main/resources/stacks/HDP/2.6/services/ZEPPELIN/kerberos.json
  80. 10 5
      ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json
  81. 14 7
      ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHDFS/kerberos.json
  82. 24 12
      ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEYARN/kerberos.json
  83. 2 1
      ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEZOOKEEPER/kerberos.json
  84. 8 4
      ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/kerberos.json
  85. 8 4
      ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/kerberos.json
  86. 2 1
      ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/kerberos.json
  87. 8 4
      ambari-server/src/main/resources/stacks/PERF/1.0/services/SLEEPY/kerberos.json
  88. 8 4
      ambari-server/src/main/resources/stacks/PERF/1.0/services/SNOW/kerberos.json
  89. 92 71
      ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java
  90. 1 0
      ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json
  91. 8 4
      ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json
  92. 4 2
      contrib/management-packs/hdf-ambari-mpack/src/main/resources/common-services/NIFI/1.0.0/kerberos.json
  93. 4 2
      contrib/management-packs/hdf-ambari-mpack/src/main/resources/stacks/HDF/2.0/services/KAFKA/kerberos.json
  94. 4 2
      contrib/management-packs/microsoft-r_mpack/src/main/resources/common-services/MICROSOFT_R_SERVER/8.0.5/kerberos.json
  95. 12 6
      contrib/management-packs/odpi-ambari-mpack/src/main/resources/stacks/ODPi/2.0/services/HIVE/kerberos.json
  96. 20 10
      contrib/management-packs/odpi-ambari-mpack/src/main/resources/stacks/ODPi/2.0/services/YARN/kerberos.json

+ 8 - 4
ambari-funtest/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HDFS",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "hdfs_spnego",
+          "reference": "/spnego",
           "principal": {
             "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
           },
@@ -13,7 +14,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "hdfs_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "hdfs",
@@ -63,7 +65,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal"
               }
@@ -128,7 +131,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_secondary_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal"
               }

+ 2 - 7
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/AbstractKerberosDescriptorContainer.java

@@ -640,7 +640,7 @@ public abstract class AbstractKerberosDescriptorContainer extends AbstractKerber
    * @param path a String declaring the path to a KerberosIdentityDescriptor
    * @return a KerberosIdentityDescriptor identified by the path or null if not found
    */
-  protected KerberosIdentityDescriptor getReferencedIdentityDescriptor(String path)
+  public KerberosIdentityDescriptor getReferencedIdentityDescriptor(String path)
       throws AmbariException {
     KerberosIdentityDescriptor identityDescriptor = null;
 
@@ -855,12 +855,7 @@ public abstract class AbstractKerberosDescriptorContainer extends AbstractKerber
     if (identity != null) {
       KerberosIdentityDescriptor referencedIdentity;
       try {
-        if (identity.getReference() != null) {
-          referencedIdentity = getReferencedIdentityDescriptor(identity.getReference());
-        } else {
-          // For backwards compatibility, see if the identity's name indicates a reference...
-          referencedIdentity = getReferencedIdentityDescriptor(identity.getName());
-        }
+        referencedIdentity = getReferencedIdentityDescriptor(identity.getReference());
       } catch (AmbariException e) {
         throw new AmbariException(String.format("Invalid Kerberos identity reference: %s", identity.getReference()), e);
       }
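Review bot: With the name-based fallback removed in the second hunk, an identity that still carries its reference in `name` (for example `"name": "/spnego"` in a custom stack or management pack that was not converted) is no longer dereferenced. It would be handled as a standalone identity, so a service can silently end up with a principal or keytab definition nobody intended. `getReferencedIdentityDescriptor(identity.getReference())` is now also reached when the reference is null; the hunk does not show how that method treats a null path, so this should be confirmed. Consider failing visibly for legacy descriptors by checking `identity.getReference() == null && identity.getName() != null && identity.getName().startsWith("/")` and raising the existing "Invalid Kerberos identity reference" error or a warning. The enclosing method starts and ends outside the hunk.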

+ 1 - 1
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java

@@ -456,7 +456,7 @@ public class KerberosDescriptor extends AbstractKerberosDescriptorContainer {
 
   private static void collectFromIdentities(String service, String component, Collection<KerberosIdentityDescriptor> identities, Map<String, String> result) {
     for (KerberosIdentityDescriptor each : identities) {
-      if (each.getPrincipalDescriptor() != null && !each.getReferencedServiceName().isPresent() && !each.getName().startsWith("/")) {
+      if (each.getPrincipalDescriptor() != null && !each.getReferencedServiceName().isPresent()) {
         String path = StringUtils.isBlank(component)
             ? String.format("%s/%s", service, each.getName())
             : String.format("%s/%s/%s", service, component, each.getName());
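Review bot: Dropping `!each.getName().startsWith("/")` leaves `getReferencedServiceName().isPresent()` as the only filter for references in `collectFromIdentities`, and its implementation is not visible here. If it reports only service-qualified references such as `/HDFS/NAMENODE/hdfs`, then renamed global references like `hdfs_spnego` (reference `/spnego`) that carry a principal descriptor will now be collected under their own path. If references are meant to stay excluded, testing the reference directly is clearer: `if (each.getPrincipalDescriptor() != null && StringUtils.isEmpty(each.getReference())) {`. Otherwise a comment stating that global references are included on purpose would help. The loop body continues outside the hunk.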

+ 202 - 18
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -6,9 +6,9 @@
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -41,10 +41,13 @@ import org.apache.ambari.server.orm.entities.RepositoryVersionEntity;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
 import org.apache.ambari.server.state.Config;
+import org.apache.ambari.server.state.kerberos.AbstractKerberosDescriptor;
+import org.apache.ambari.server.state.kerberos.AbstractKerberosDescriptorContainer;
 import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor;
 import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
 import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory;
 import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptor;
 import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
@@ -541,21 +544,9 @@ public class UpgradeCatalog260 extends AbstractUpgradeCatalog {
       if (data != null) {
         final KerberosDescriptor kerberosDescriptor = new KerberosDescriptorFactory().createInstance(data);
         if (kerberosDescriptor != null) {
-          KerberosServiceDescriptor rangerKmsServiceDescriptor = kerberosDescriptor.getService("RANGER_KMS");
-          if (rangerKmsServiceDescriptor != null) {
+          fixRangerKMSKerberosDescriptor(kerberosDescriptor);
+          fixIdentityReferences(getCluster(artifactEntity), kerberosDescriptor);
 
-            KerberosIdentityDescriptor rangerKmsServiceIdentity = rangerKmsServiceDescriptor.getIdentity("/smokeuser");
-            if (rangerKmsServiceIdentity != null) {
-              rangerKmsServiceDescriptor.removeIdentity("/smokeuser");
-            }
-            KerberosComponentDescriptor rangerKmscomponentDescriptor = rangerKmsServiceDescriptor.getComponent("RANGER_KMS_SERVER");
-            if (rangerKmscomponentDescriptor != null) {
-              KerberosIdentityDescriptor rangerKmsComponentIdentity = rangerKmscomponentDescriptor.getIdentity("/smokeuser");
-              if (rangerKmsComponentIdentity != null) {
-                rangerKmscomponentDescriptor.removeIdentity("/smokeuser");
-              }
-            }
-          }
           artifactEntity.setArtifactData(kerberosDescriptor.toMap());
           artifactDAO.merge(artifactEntity);
         }
@@ -563,6 +554,24 @@ public class UpgradeCatalog260 extends AbstractUpgradeCatalog {
     }
   }
 
+  protected void fixRangerKMSKerberosDescriptor(KerberosDescriptor kerberosDescriptor) {
+    KerberosServiceDescriptor rangerKmsServiceDescriptor = kerberosDescriptor.getService("RANGER_KMS");
+    if (rangerKmsServiceDescriptor != null) {
+
+      KerberosIdentityDescriptor rangerKmsServiceIdentity = rangerKmsServiceDescriptor.getIdentity("/smokeuser");
+      if (rangerKmsServiceIdentity != null) {
+        rangerKmsServiceDescriptor.removeIdentity("/smokeuser");
+      }
+      KerberosComponentDescriptor rangerKmscomponentDescriptor = rangerKmsServiceDescriptor.getComponent("RANGER_KMS_SERVER");
+      if (rangerKmscomponentDescriptor != null) {
+        KerberosIdentityDescriptor rangerKmsComponentIdentity = rangerKmscomponentDescriptor.getIdentity("/smokeuser");
+        if (rangerKmsComponentIdentity != null) {
+          rangerKmscomponentDescriptor.removeIdentity("/smokeuser");
+        }
+      }
+    }
+  }
+
   protected void updateAmsConfigs() throws AmbariException {
     AmbariManagementController ambariManagementController = injector.getInstance(AmbariManagementController.class);
     Clusters clusters = ambariManagementController.getClusters();
@@ -601,6 +610,181 @@ public class UpgradeCatalog260 extends AbstractUpgradeCatalog {
     updateWidgetDefinitionsForService("HDFS", widgetMap, sectionLayoutMap);
   }
 
+  /**
+   * Retrieves the relevant {@link Cluster} given information from the suppliied {@link ArtifactEntity}.
+   * <p>
+   * The cluster id value is taken from the entity's foreign key value and then used to obtain the cluster object.
+   *
+   * @param artifactEntity an {@link ArtifactEntity}
+   * @return a {@link Cluster}
+   */
+  private Cluster getCluster(ArtifactEntity artifactEntity) {
+    if (artifactEntity != null) {
+      Map<String, String> keys = artifactEntity.getForeignKeys();
+      if (keys != null) {
+        String clusterId = keys.get("cluster");
+        if (StringUtils.isNumeric(clusterId)) {
+          Clusters clusters = injector.getInstance(Clusters.class);
+          try {
+            return clusters.getCluster(Long.valueOf(clusterId));
+          } catch (AmbariException e) {
+            LOG.error(String.format("Failed to obtain cluster using cluster id %s -  %s", clusterId, e.getMessage()), e);
+          }
+        } else {
+          LOG.error(String.format("Failed to obtain cluster id from artifact entity with foreign keys: %s", keys));
+        }
+      }
+    }
+
+    return null;
+  }
+
+  /**
+   * Recursively traverses the Kerberos descriptor to find and fix the identity references.
+   * <p>
+   * Each found identity descriptor that indicates it is a reference by having a <code>name</code>
+   * value that starts with a "/" or a "./" is fixed by clearing the <code>principal name</code>value,
+   * setting the <code>reference</code> value to the <code>name</code> value and changing the
+   * <code>name</code> value to a name with the following pattern:
+   * <code>SERVICE_COMPONENT_IDENTITY</code>
+   * <p>
+   * For example, if the identity is for the "SERVICE1" service and is a reference to "HDFS/NAMENODE/hdfs";
+   * then the name is set to "<code>service1_hdfs</code>"
+   * <p>
+   * For example, if the identity is for the "COMPONENT21" component of the "SERVICE2" service and is a reference to "HDFS/NAMENODE/hdfs";
+   * then the name is set to "<code>service2_component21_hdfs</code>"
+   * <p>
+   * Once the identity descriptor properties of the identity are fixed, the relevant configuration
+   * value is fixed to match the value if the referenced identity. This may lead to a new version
+   * of the relevant configuration type.
+   *
+   * @param cluster   the cluster
+   * @param container the current Kerberos descriptor container
+   * @throws AmbariException if an error occurs
+   */
+  private void fixIdentityReferences(Cluster cluster, AbstractKerberosDescriptorContainer container)
+      throws AmbariException {
+    List<KerberosIdentityDescriptor> identities = container.getIdentities();
+    if (identities != null) {
+      for (KerberosIdentityDescriptor identity : identities) {
+        String name = identity.getName();
+
+        if (!StringUtils.isEmpty(name) && (name.startsWith("/") || name.startsWith("./"))) {
+          String[] parts = name.split("/");
+          String newName = buildName(identity.getParent(), parts[parts.length - 1]);
+
+          identity.setName(newName);
+          identity.setReference(name);
+        }
+
+        String identityReference = identity.getReference();
+        if (!StringUtils.isEmpty(identityReference)) {
+          // If this identity references another identity:
+          //  * The principal name needs to be the same as the referenced identity
+          //    - ensure that no principal name is being set for this identity
+          //  * Any configuration set to contain the reference principal name needs to be fixed to
+          //    be the correct principal name
+          KerberosPrincipalDescriptor principal = identity.getPrincipalDescriptor();
+          if (principal != null) {
+            // Fix the value
+            principal.setValue(null);
+
+            // Fix the relative configuration
+            if (!StringUtils.isEmpty(principal.getConfiguration())) {
+              String referencedPrincipalName = getConfiguredPrincipalNameFromReference(cluster, container, identityReference);
+
+              if(!StringUtils.isEmpty(referencedPrincipalName)) {
+                String[] parts = principal.getConfiguration().split("/");
+                if (parts.length == 2) {
+                  String type = parts[0];
+                  String property = parts[1];
+
+                  updateConfigurationPropertiesForCluster(cluster,
+                      type,
+                      Collections.singletonMap(property, referencedPrincipalName),
+                      true,
+                      false);
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+
+    if (container instanceof KerberosDescriptor) {
+      Map<String, KerberosServiceDescriptor> services = ((KerberosDescriptor) container).getServices();
+      if (services != null) {
+        for (KerberosServiceDescriptor serviceDescriptor : services.values()) {
+          fixIdentityReferences(cluster, serviceDescriptor);
+        }
+      }
+    } else if (container instanceof KerberosServiceDescriptor) {
+      Map<String, KerberosComponentDescriptor> components = ((KerberosServiceDescriptor) container).getComponents();
+      if (components != null) {
+        for (KerberosComponentDescriptor componentDescriptor : components.values()) {
+          fixIdentityReferences(cluster, componentDescriptor);
+        }
+      }
+    }
+  }
+
+  /**
+   * Finds the value of the configuration found for the principal in the referenced identity
+   * descriptor.
+   *
+   * @param cluster           the cluster
+   * @param container         the current {@link KerberosIdentityDescriptor}, ideally the identity's parent descriptor
+   * @param identityReference the path to the referenced identity
+   * @return the value of the configuration specified in the referenced identity's principal descriptor
+   * @throws AmbariException if an error occurs
+   */
+  private String getConfiguredPrincipalNameFromReference(Cluster cluster,
+                                                         AbstractKerberosDescriptorContainer container,
+                                                         String identityReference)
+      throws AmbariException {
+    KerberosIdentityDescriptor identityDescriptor = container.getReferencedIdentityDescriptor(identityReference);
+
+    if (identityDescriptor != null) {
+      KerberosPrincipalDescriptor principal = identityDescriptor.getPrincipalDescriptor();
+      if ((principal != null) && (!StringUtils.isEmpty(principal.getConfiguration()))) {
+        String[] parts = principal.getConfiguration().split("/");
+        if (parts.length == 2) {
+          String type = parts[0];
+          String property = parts[1];
+
+          Config config = cluster.getDesiredConfigByType(type);
+
+          if (config != null) {
+            return config.getProperties().get(property);
+          }
+        }
+      }
+    }
+
+    return null;
+  }
+
+  /**
+   * Builds the name of an identity based on the identity's container and the referenced identity's name.
+   * <p>
+   * The calculated name will be in the following format and converted to all lowercase characters:
+   * <code>SERVICE_COMPONENT_IDENTITY</code>
+   *
+   * @param container    the current {@link KerberosIdentityDescriptor}, ideally the identity's parent descriptor
+   * @param identityName the referenced identity's name
+   * @return a name
+   */
+  private String buildName(AbstractKerberosDescriptor container, String identityName) {
+    if (container instanceof KerberosServiceDescriptor) {
+      return container.getName().toLowerCase() + "_" + identityName;
+    } else if (container instanceof KerberosComponentDescriptor) {
+      return container.getParent().getName().toLowerCase() + "_" + container.getName().toLowerCase() + "_" + identityName;
+    } else {
+      return identityName;
+    }
+  }
+
   /**
    * Sets all existing repository versions to be resolved (we have to assume
    * that they are good since they've been using them to run stuff).
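Review bot: `getCluster` returns null on every failure path (no `cluster` foreign key, lookup exception), and that value is passed straight into `fixIdentityReferences`, where `getConfiguredPrincipalNameFromReference` calls `cluster.getDesiredConfigByType(type)` without a null check, so one bad artifact row ends the Kerberos descriptor upgrade with a NullPointerException. Guarding there keeps the descriptor rewrite and only skips the configuration update: `if ((cluster != null) && (identityDescriptor != null)) {`. In `getCluster`, `StringUtils.isNumeric` from commons-lang 2 accepts the empty string, so `Long.valueOf(clusterId)` can still throw an uncaught NumberFormatException; adding `!StringUtils.isEmpty(clusterId)` to the condition closes that. Separately, `buildName` keeps only the last path segment, so two references in one container that end in the same segment get the same new name; whether identity names must be unique within a container is not visible in the hunk and is worth confirming.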

+ 4 - 2
ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/kerberos.json

@@ -47,7 +47,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "accumulo_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -55,7 +56,8 @@
           "name": "ACCUMULO_MASTER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "accumulo_accumulo_master_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         },

+ 4 - 2
ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/kerberos.json

@@ -4,10 +4,12 @@
       "name": "AMBARI_INFRA",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "ambari_infra_smokeuser",
+          "reference": "/smokeuser"
         },
         {
-          "name": "/spnego",
+          "name": "ambari_infra_spnego",
+          "reference": "/spnego",
           "principal": {
             "configuration": "infra-solr-env/infra_solr_web_kerberos_principal"
           },

+ 4 - 2
ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "AMBARI_METRICS",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "ambari_metrics_spnego",
+          "reference": "/spnego"
         }
       ],
       "components": [
@@ -38,7 +39,8 @@
           "name": "METRICS_COLLECTOR",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs",
+              "name": "ambari_metrics_metrics_collector_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs",
               "when" : {
                 "contains" : ["services", "HDFS"]
               }

+ 4 - 2
ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json

@@ -40,7 +40,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "atlas_atlas_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "value": "HTTP/_HOST@${realm}",
                 "configuration": "application-properties/atlas.http.authentication.kerberos.principal"
@@ -50,7 +51,8 @@
               }
             },
             {
-              "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
+              "name": "atlas_atlas_server_infra-solr",
+              "reference": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
               "when" : {
                 "contains" : ["services", "AMBARI_INFRA"]
               }
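Review bot: The renamed `atlas_atlas_server_spnego` identity keeps `"value": "HTTP/_HOST@${realm}"` next to its new `"reference": "/spnego"`, while the upgrade code in this same commit clears the principal value on every referencing identity (`principal.setValue(null)`) because a reference must use the referenced identity's principal name. Shipping a value on a reference means fresh installs and upgraded clusters can end up with different descriptors, and if the local value takes precedence a customised SPNEGO principal would not be picked up here; how the two are merged is not visible on this page. Dropping the `value` line from referencing identities would make the stack definitions agree with the upgrade path. The same pattern appears in the ATLAS/0.7.0.2.5, ATLAS/0.7.0.3.0 and FALCON/0.5.0.2.1 sections.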

+ 6 - 3
ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json

@@ -66,7 +66,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "atlas_atlas_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "value": "HTTP/_HOST@${realm}",
                 "configuration": "application-properties/atlas.authentication.method.kerberos.principal"
@@ -86,10 +87,12 @@
               }
             },
             {
-              "name": "/KAFKA/KAFKA_BROKER/kafka_broker"
+              "name": "atlas_atlas_server_kafka_broker",
+              "reference": "/KAFKA/KAFKA_BROKER/kafka_broker"
             },
             {
-              "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
+              "name": "atlas_atlas_server_infra-solr",
+              "reference": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
               "when" : {
                 "contains" : ["services", "AMBARI_INFRA"]
               }

+ 6 - 3
ambari-server/src/main/resources/common-services/ATLAS/0.7.0.3.0/kerberos.json

@@ -67,7 +67,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "atlas_atlas_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "value": "HTTP/_HOST@${realm}",
                 "configuration": "application-properties/atlas.authentication.method.kerberos.principal"
@@ -87,10 +88,12 @@
               }
             },
             {
-              "name": "/KAFKA/KAFKA_BROKER/kafka_broker"
+              "name": "atlas_atlas_server_kafka_broker",
+              "reference": "/KAFKA/KAFKA_BROKER/kafka_broker"
             },
             {
-              "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
+              "name": "atlas_atlas_server_infra-solr",
+              "reference": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
             }
           ]
         }

+ 8 - 4
ambari-server/src/main/resources/common-services/FALCON/0.5.0.2.1/kerberos.json

@@ -4,10 +4,12 @@
       "name": "FALCON",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "falcon_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "falcon_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -27,7 +29,8 @@
           "name": "FALCON_SERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "falcon_falcon_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "falcon_server",
@@ -51,7 +54,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "falcon_falcon_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "value": "HTTP/_HOST@${realm}",
                 "configuration": "falcon-startup.properties/*.falcon.http.authentication.kerberos.principal"

+ 6 - 3
ambari-server/src/main/resources/common-services/HAWQ/2.0.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HAWQ",
       "identities": [
         {
-          "name": "/HDFS/NAMENODE/hdfs"
+          "name": "hawq_hdfs",
+          "reference": "/HDFS/NAMENODE/hdfs"
         },
         {
           "name": "hawq_identity",
@@ -53,7 +54,8 @@
           "name": "HAWQMASTER",
           "identities": [
             {
-              "name": "/HAWQ/hawq_identity"
+              "name": "hawq_hawqmaster_hawq_identity",
+              "reference": "/HAWQ/hawq_identity"
             }
           ]
         },
@@ -61,7 +63,8 @@
           "name": "HAWQSTANDBY",
           "identities": [
             {
-              "name": "/HAWQ/hawq_identity"
+              "name": "hawq_hawqstandby_hawq_identity",
+              "reference": "/HAWQ/hawq_identity"
             }
           ]
         }

+ 6 - 3
ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HBASE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "hbase_spnego",
+          "reference": "/spnego"
         },
         {
           "name": "hbase",
@@ -28,7 +29,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "hbase_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -49,7 +51,8 @@
           "name": "HBASE_MASTER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hbase_hbase_master_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "hbase_master_hbase",

+ 10 - 5
ambari-server/src/main/resources/common-services/HBASE/2.0.0.3.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HBASE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "hbase_spnego",
+          "reference": "/spnego"
         },
         {
           "name": "hbase",
@@ -28,7 +29,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "hbase_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -60,7 +62,8 @@
           "name": "HBASE_MASTER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hbase_hbase_master_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "hbase_master_hbase",
@@ -84,7 +87,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hbase_hbase_master_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.principal"
               },
@@ -129,7 +133,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hbase_hbase_regionserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.principal"
               },

+ 12 - 6
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HDFS",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "hdfs_spnego",
+          "reference": "/spnego",
           "principal": {
             "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
           },
@@ -13,7 +14,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "hdfs_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "auth_to_local_properties" : [
@@ -33,7 +35,8 @@
           "name":  "HDFS_CLIENT",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hdfs_hdfs_client_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         },
@@ -83,7 +86,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal"
               }
@@ -156,7 +160,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_secondary_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal"
               }
@@ -214,7 +219,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_journalnode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal"
               }

+ 14 - 7
ambari-server/src/main/resources/common-services/HDFS/3.0.0.3.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HDFS",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "hdfs_spnego",
+          "reference": "/spnego",
           "principal": {
             "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
           },
@@ -13,7 +14,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "hdfs_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "auth_to_local_properties" : [
@@ -44,7 +46,8 @@
           "name":  "HDFS_CLIENT",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hdfs_hdfs_client_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         },
@@ -94,13 +97,15 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal"
               }
             },
             {
-              "name": "/HDFS/NAMENODE/namenode_nn",
+              "name": "hdfs_namenode_namenode_nn",
+              "reference": "/HDFS/NAMENODE/namenode_nn",
               "principal": {
                 "configuration": "ranger-hdfs-audit/xasecure.audit.jaas.Client.option.principal"
               },
@@ -176,7 +181,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_secondary_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal"
               }
@@ -234,7 +240,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_journalnode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal"
               }

+ 10 - 5
ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/kerberos.json

@@ -4,10 +4,12 @@
       "name": "HIVE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "hive_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "hive_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -49,7 +51,8 @@
           "name": "HIVE_SERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hive_hive_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "hive_server_hive",
@@ -73,7 +76,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hive_hive_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hive-site/hive.server2.authentication.spnego.principal"
               },
@@ -87,7 +91,8 @@
           "name": "WEBHCAT_SERVER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "hive_webhcat_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "webhcat-site/templeton.kerberos.principal"
               },

+ 20 - 10
ambari-server/src/main/resources/common-services/HIVE/2.1.0.3.0/kerberos.json

@@ -4,10 +4,12 @@
             "name": "HIVE",
             "identities": [
                 {
-                    "name": "/spnego"
+                    "name": "hive_spnego",
+                    "reference": "/spnego"
                 },
                 {
-                    "name": "/smokeuser"
+                    "name": "hive_smokeuser",
+                    "reference": "/smokeuser"
                 }
             ],
             "configurations": [
@@ -33,7 +35,8 @@
                     "name": "HIVE_METASTORE",
                     "identities": [
                         {
-                            "name": "/HIVE/HIVE_SERVER/hive_server_hive",
+                            "name": "hive_hive_metastore_hive_server_hive",
+                            "reference": "/HIVE/HIVE_SERVER/hive_server_hive",
                             "principal": {
                                 "configuration": "hive-site/hive.metastore.kerberos.principal"
                             },
@@ -47,7 +50,8 @@
                     "name": "HIVE_SERVER",
                     "identities": [
                         {
-                            "name": "/HDFS/NAMENODE/hdfs"
+                            "name": "hive_hive_server_hdfs",
+                            "reference": "/HDFS/NAMENODE/hdfs"
                         },
                         {
                             "name": "hive_server_hive",
@@ -81,7 +85,8 @@
                             }
                         },
                         {
-                            "name": "/spnego",
+                            "name": "hive_hive_server_spnego",
+                            "reference": "/spnego",
                             "principal": {
                                 "configuration": "hive-site/hive.server2.authentication.spnego.principal"
                             },
@@ -105,16 +110,20 @@
                     "name": "HIVE_SERVER_INTERACTIVE",
                     "identities": [
                         {
-                            "name": "/HDFS/NAMENODE/hdfs"
+                            "name": "hive_hive_server_interactive_hdfs",
+                            "reference": "/HDFS/NAMENODE/hdfs"
                         },
                         {
-                            "name": "/HIVE/HIVE_SERVER/hive_server_hive"
+                            "name": "hive_hive_server_interactive_hive_server_hive",
+                            "reference": "/HIVE/HIVE_SERVER/hive_server_hive"
                         },
                         {
-                            "name": "/HIVE/HIVE_SERVER/spnego"
+                            "name": "hive_hive_server_interactive_spnego",
+                            "reference": "/HIVE/HIVE_SERVER/spnego"
                         },
                         {
-                            "name": "/YARN/NODEMANAGER/llap_zk_hive"
+                            "name": "hive_hive_server_interactive_llap_zk_hive",
+                            "reference": "/YARN/NODEMANAGER/llap_zk_hive"
                         }
                     ]
                 },
@@ -122,7 +131,8 @@
                     "name": "WEBHCAT_SERVER",
                     "identities": [
                         {
-                            "name": "/spnego",
+                            "name": "hive_webhcat_server_spnego",
+                            "reference": "/spnego",
                             "principal": {
                                 "configuration": "webhcat-site/templeton.kerberos.principal"
                             },
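Review bot: In the HIVE_SERVER_INTERACTIVE hunk, `hive_hive_server_interactive_spnego` still points at `/HIVE/HIVE_SERVER/spnego`, but the HIVE_SERVER hunk above renames that component's SPNEGO entry to `hive_hive_server_spnego`, so no identity named `spnego` is visible under HIVE_SERVER any more. If references are resolved by identity name (the lookup lives in AbstractKerberosDescriptorContainer, which this commit also changes but which is not shown here), this entry may fail to resolve, and the interactive server could be left without the SPNEGO principal and keytab settings it is meant to inherit. Either confirm that the resolver still matches this path, or change the line to `"reference": "/HIVE/HIVE_SERVER/hive_hive_server_spnego"`. A test that loads each shipped kerberos.json and asserts that every `reference` resolves would catch this class of mistake across the descriptors touched here.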

+ 6 - 3
ambari-server/src/main/resources/common-services/KAFKA/0.10.0.3.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "KAFKA",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "kafka_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -57,7 +58,8 @@
               }
             },
             {
-              "name": "/KAFKA/KAFKA_BROKER/kafka_broker",
+              "name": "kafka_kafka_broker_kafka_broker",
+              "reference": "/KAFKA/KAFKA_BROKER/kafka_broker",
               "principal": {
                 "configuration": "ranger-kafka-audit/xasecure.audit.jaas.Client.option.principal"
               },
@@ -66,7 +68,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs",
+              "name": "kafka_kafka_broker_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs",
               "when" : {
                 "contains" : ["services", "HDFS"]
               }

+ 6 - 3
ambari-server/src/main/resources/common-services/KAFKA/0.10.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "KAFKA",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "kafka_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -57,7 +58,8 @@
               }
             },
             {
-              "name": "/KAFKA/KAFKA_BROKER/kafka_broker",
+              "name": "kafka_kafka_broker_kafka_broker",
+              "reference": "/KAFKA/KAFKA_BROKER/kafka_broker",
               "principal": {
                 "configuration": "ranger-kafka-audit/xasecure.audit.jaas.Client.option.principal"
               },
@@ -66,7 +68,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs",
+              "name": "kafka_kafka_broker_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs",
               "when" : {
                 "contains" : ["services", "HDFS"]
               }

+ 4 - 2
ambari-server/src/main/resources/common-services/KAFKA/0.9.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "KAFKA",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "kafka_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -47,7 +48,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs",
+              "name": "kafka_kafka_broker_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs",
               "when" : {
                 "contains" : ["services", "HDFS"]
               }

+ 2 - 1
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/kerberos.json

@@ -4,7 +4,8 @@
       "name": "KERBEROS",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "kerberos_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [

+ 2 - 1
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-30/kerberos.json

@@ -4,7 +4,8 @@
       "name": "KERBEROS",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "kerberos_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [

+ 2 - 1
ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/kerberos.json

@@ -29,7 +29,8 @@
               }
             },
             {
-              "name": "/KNOX/KNOX_GATEWAY/knox_principal",
+              "name": "knox_knox_gateway_knox_principal",
+              "reference": "/KNOX/KNOX_GATEWAY/knox_principal",
               "principal": {
                 "configuration": "ranger-knox-audit/xasecure.audit.jaas.Client.option.principal"                
               },

+ 4 - 2
ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "LOGSEARCH",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "logsearch_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -32,7 +33,8 @@
               }
             },
             {
-              "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
+              "name": "logsearch_logsearch_server_infra-solr",
+              "reference": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
               "when" : {
                 "contains" : ["services", "AMBARI_INFRA"]
               }

+ 4 - 2
ambari-server/src/main/resources/common-services/MAHOUT/1.0.0.2.3/kerberos.json

@@ -4,7 +4,8 @@
     "name": "MAHOUT",
     "identities": [
       {
-        "name": "/smokeuser"
+        "name": "mahout_smokeuser",
+        "reference": "/smokeuser"
       }
     ],
     "components": [
@@ -12,7 +13,8 @@
         "name": "MAHOUT",
         "identities": [
           {
-            "name": "/HDFS/NAMENODE/hdfs"
+            "name": "mahout_mahout_hdfs",
+            "reference": "/HDFS/NAMENODE/hdfs"
           }
         ]
       }

+ 8 - 4
ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/kerberos.json

@@ -4,10 +4,12 @@
       "name": "OOZIE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "oozie_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "oozie_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "auth_to_local_properties" : [
@@ -28,7 +30,8 @@
           "name": "OOZIE_SERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "oozie_oozie_server_hdfs",
+              "reference" : "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "oozie_server",
@@ -52,7 +55,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "oozie_oozie_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "oozie-site/oozie.authentication.kerberos.principal"
               },
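Review bot: In the OOZIE_SERVER hunk the added line is written `"reference" : "/HDFS/NAMENODE/hdfs"`, with a space before the colon, while the `"name":` line directly above it and the same entry in OOZIE/4.2.0.2.3 and OOZIE/4.2.0.3.0 use `"reference":`. It parses the same, but it makes these otherwise identical descriptors differ from each other and is easy to miss in a text search for `"reference":` when auditing which identities are references. Write it as `"reference": "/HDFS/NAMENODE/hdfs"`.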

+ 8 - 4
ambari-server/src/main/resources/common-services/OOZIE/4.2.0.2.3/kerberos.json

@@ -4,10 +4,12 @@
       "name": "OOZIE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "oozie_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "oozie_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "auth_to_local_properties" : [
@@ -29,7 +31,8 @@
           "name": "OOZIE_SERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "oozie_oozie_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "oozie_server",
@@ -53,7 +56,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "oozie_oozie_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "oozie-site/oozie.authentication.kerberos.principal"
               },

+ 8 - 4
ambari-server/src/main/resources/common-services/OOZIE/4.2.0.3.0/kerberos.json

@@ -4,10 +4,12 @@
       "name": "OOZIE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "oozie_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "oozie_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "auth_to_local_properties" : [
@@ -30,7 +32,8 @@
           "name": "OOZIE_SERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "oozie_oozie_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "oozie_server",
@@ -54,7 +57,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "oozie_oozie_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "oozie-site/oozie.authentication.kerberos.principal"
               },

+ 2 - 1
ambari-server/src/main/resources/common-services/PIG/0.12.0.2.0/kerberos.json

@@ -7,7 +7,8 @@
           "name": "PIG",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "pig_pig_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }

+ 2 - 1
ambari-server/src/main/resources/common-services/PIG/0.16.1.3.0/kerberos.json

@@ -7,7 +7,8 @@
           "name": "PIG",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "pig_pig_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }

+ 12 - 6
ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json

@@ -4,10 +4,12 @@
       "name": "RANGER",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "ranger_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "ranger_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -59,13 +61,15 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "ranger_ranger_admin_spnego",
+              "reference": "/spnego",
               "keytab": {
                 "configuration": "ranger-admin-site/ranger.spnego.kerberos.keytab"
               }
             },
             {
-              "name": "/RANGER/RANGER_ADMIN/rangeradmin",
+              "name": "ranger_ranger_admin_rangeradmin",
+              "reference": "/RANGER/RANGER_ADMIN/rangeradmin",
               "principal": {
                 "configuration": "ranger-admin-site/xasecure.audit.jaas.Client.option.principal"
               },
@@ -74,7 +78,8 @@
               }
             },
             {
-              "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
+              "name": "ranger_ranger_admin_infra-solr",
+              "reference": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
               "when" : {
                 "contains" : ["services", "AMBARI_INFRA"]
               }
@@ -124,7 +129,8 @@
               }
             },
             {
-              "name": "/RANGER/RANGER_TAGSYNC/rangertagsync",
+              "name": "ranger_ranger_tagsync_rangertagsync",
+              "reference": "/RANGER/RANGER_TAGSYNC/rangertagsync",
               "principal": {
                 "configuration": "tagsync-application-properties/atlas.jaas.KafkaClient.option.principal"
               },

+ 12 - 6
ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/kerberos.json

@@ -4,10 +4,12 @@
       "name": "RANGER",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "ranger_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "ranger_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -59,13 +61,15 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "ranger_ranger_admin_spnego",
+              "reference": "/spnego",
               "keytab": {
                 "configuration": "ranger-admin-site/ranger.spnego.kerberos.keytab"
               }
             },
             {
-              "name": "/RANGER/RANGER_ADMIN/rangeradmin",
+              "name": "ranger_ranger_admin_rangeradmin",
+              "reference": "/RANGER/RANGER_ADMIN/rangeradmin",
               "principal": {
                 "configuration": "ranger-admin-site/xasecure.audit.jaas.Client.option.principal"
               },
@@ -74,7 +78,8 @@
               }
             },
             {
-              "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
+              "name": "ranger_ranger_admin_infra-solr",
+              "reference": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
               "when" : {
                 "contains" : ["services", "AMBARI_INFRA"]
               }
@@ -124,7 +129,8 @@
               }
             },
             {
-              "name": "/RANGER/RANGER_TAGSYNC/rangertagsync",
+              "name": "ranger_ranger_tagsync_rangertagsync",
+              "reference": "/RANGER/RANGER_TAGSYNC/rangertagsync",
               "principal": {
                 "configuration": "tagsync-application-properties/atlas.jaas.KafkaClient.option.principal"
               },

+ 4 - 2
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/kerberos.json

@@ -4,7 +4,8 @@
       "name": "RANGER_KMS",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "ranger_kms_spnego",
+          "reference": "/spnego",
           "keytab": {
             "configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
           }
@@ -23,7 +24,8 @@
           "name": "RANGER_KMS_SERVER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "ranger_kms_ranger_kms_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal"
               },

+ 6 - 3
ambari-server/src/main/resources/common-services/RANGER_KMS/1.0.0.3.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "RANGER_KMS",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "ranger_kms_spnego",
+          "reference": "/spnego",
           "keytab": {
             "configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
           }
@@ -36,7 +37,8 @@
           "name": "RANGER_KMS_SERVER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "ranger_kms_ranger_kms_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal"
               },
@@ -62,7 +64,8 @@
               }
             },
             {
-              "name": "/RANGER_KMS/RANGER_KMS_SERVER/rangerkms",
+              "name": "ranger_kms_ranger_kms_server_rangerkms",
+              "reference": "/RANGER_KMS/RANGER_KMS_SERVER/rangerkms",
               "principal": {
                 "configuration": "ranger-kms-audit/xasecure.audit.jaas.Client.option.principal"
               },

+ 2 - 1
ambari-server/src/main/resources/common-services/SLIDER/0.60.0.2.2/kerberos.json

@@ -7,7 +7,8 @@
           "name": "SLIDER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "slider_slider_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }

+ 2 - 1
ambari-server/src/main/resources/common-services/SLIDER/0.91.0.3.0/kerberos.json

@@ -7,7 +7,8 @@
           "name": "SLIDER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "slider_slider_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }

+ 4 - 2
ambari-server/src/main/resources/common-services/SPARK/1.2.1/kerberos.json

@@ -4,7 +4,8 @@
       "name": "SPARK",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "spark_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "sparkuser",
@@ -40,7 +41,8 @@
           "name": "SPARK_JOBHISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "spark_spark_jobhistoryserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         },

+ 8 - 4
ambari-server/src/main/resources/common-services/SPARK/1.4.1/kerberos.json

@@ -4,7 +4,8 @@
       "name": "SPARK",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "spark_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "sparkuser",
@@ -46,7 +47,8 @@
           "name": "SPARK_JOBHISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "spark_spark_jobhistoryserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         },
@@ -57,10 +59,12 @@
           "name": "SPARK_THRIFTSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "spark_spark_thriftserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
-              "name": "/HIVE/HIVE_SERVER/hive_server_hive"
+              "name": "spark_spark_thriftserver_hive_server_hive",
+              "reference": "/HIVE/HIVE_SERVER/hive_server_hive"
             }
           ]
         }

+ 2 - 1
ambari-server/src/main/resources/common-services/SPARK/2.2.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "SPARK",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "spark_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "sparkuser",

+ 8 - 4
ambari-server/src/main/resources/common-services/SPARK2/2.0.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "SPARK2",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "spark2_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "spark2user",
@@ -46,7 +47,8 @@
           "name": "SPARK2_JOBHISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "spark2_spark2_jobhistoryserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         },
@@ -57,10 +59,12 @@
           "name": "SPARK2_THRIFTSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "spark2_spark2_thriftserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
-              "name": "/HIVE/HIVE_SERVER/hive_server_hive"
+              "name": "spark2_spark2_thriftserver_hive_server_hive",
+              "reference": "/HIVE/HIVE_SERVER/hive_server_hive"
             }
           ]
         }

+ 6 - 3
ambari-server/src/main/resources/common-services/STORM/0.9.1/kerberos.json

@@ -4,10 +4,12 @@
       "name": "STORM",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "storm_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "storm_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "storm_components",
@@ -51,7 +53,8 @@
           "name": "STORM_UI_SERVER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "storm_storm_ui_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "storm-env/storm_ui_principal_name"
               },

+ 10 - 5
ambari-server/src/main/resources/common-services/STORM/1.0.1.3.0/kerberos.json

@@ -4,10 +4,12 @@
       "name": "STORM",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "storm_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "storm_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "storm_components",
@@ -30,7 +32,8 @@
           }
         },
         {
-          "name": "/STORM/storm_components",
+          "name": "storm_storm_components",
+          "reference": "/STORM/storm_components",
           "principal": {
             "configuration": "storm-atlas-application.properties/atlas.jaas.KafkaClient.option.principal"
           },
@@ -72,7 +75,8 @@
           "name": "STORM_UI_SERVER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "storm_storm_ui_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "storm-env/storm_ui_principal_name"
               },
@@ -106,7 +110,8 @@
               }
             },
             {
-              "name": "/STORM/storm_components",
+              "name": "storm_nimbus_storm_components",
+              "reference": "/STORM/storm_components",
               "principal": {
                 "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal"
               },

+ 10 - 5
ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json

@@ -4,10 +4,12 @@
       "name": "STORM",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "storm_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "storm_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "storm_components",
@@ -30,7 +32,8 @@
           }
         },
         {
-          "name": "/STORM/storm_components",
+          "name": "storm_storm_components",
+          "reference": "/STORM/storm_components",
           "principal": {
             "configuration": "storm-atlas-application.properties/atlas.jaas.KafkaClient.option.principal"
           },
@@ -72,7 +75,8 @@
           "name": "STORM_UI_SERVER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "storm_storm_ui_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "storm-env/storm_ui_principal_name"
               },
@@ -106,7 +110,8 @@
               }
             },
             {
-              "name": "/STORM/storm_components",
+              "name": "storm_numbus_storm_components",
+              "reference": "/STORM/storm_components",
               "principal": {
                 "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal"
               },
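Review bot: The new identity name `storm_numbus_storm_components` in this last hunk looks like a misspelling of "nimbus". The STORM/1.0.1.3.0 descriptor names the same reference `storm_nimbus_storm_components`, and the last hunk of STORM/1.1.0 repeats the misspelling. Because `name` is now the identity's own identifier rather than its path, the typo still passes the schema pattern and becomes the key that any later override or upgrade step would have to match exactly. I would change the line in both files to `"name": "storm_nimbus_storm_components",`. The enclosing component starts outside the hunk, so the NIMBUS component is inferred from the name used in 1.0.1.3.0.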

+ 10 - 5
ambari-server/src/main/resources/common-services/STORM/1.1.0/kerberos.json

@@ -4,10 +4,12 @@
       "name": "STORM",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "storm_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "storm_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "storm_components",
@@ -30,7 +32,8 @@
           }
         },
         {
-          "name": "/STORM/storm_components",
+          "name": "storm_storm_components",
+          "reference": "/STORM/storm_components",
           "principal": {
             "configuration": "storm-atlas-application.properties/atlas.jaas.KafkaClient.option.principal"
           },
@@ -72,7 +75,8 @@
           "name": "STORM_UI_SERVER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "storm_storm_ui_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "storm-env/storm_ui_principal_name"
               },
@@ -106,7 +110,8 @@
               }
             },
             {
-              "name": "/STORM/storm_components",
+              "name": "storm_numbus_storm_components",
+              "reference": "/STORM/storm_components",
               "principal": {
                 "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal"
               },

+ 2 - 1
ambari-server/src/main/resources/common-services/TEZ/0.4.0.2.1/kerberos.json

@@ -7,7 +7,8 @@
           "name": "TEZ_CLIENT",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "tez_tez_client_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }

+ 2 - 1
ambari-server/src/main/resources/common-services/TEZ/0.9.0.3.0/kerberos.json

@@ -7,7 +7,8 @@
                     "name": "TEZ_CLIENT",
                     "identities": [
                         {
-                            "name": "/HDFS/NAMENODE/hdfs"
+                            "name": "tez_tez_client_hdfs",
+                            "reference": "/HDFS/NAMENODE/hdfs"
                         }
                     ],
                     "configurations": [

+ 20 - 10
ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/kerberos.json

@@ -4,10 +4,12 @@
       "name": "YARN",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "yarn_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "yarn_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -68,7 +70,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_nodemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal"
               },
@@ -110,7 +113,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_resourcemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal"
               },
@@ -145,7 +149,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_app_timeline_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal"
               },
@@ -154,7 +159,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "yarn_app_timeline_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }
@@ -164,10 +170,12 @@
       "name": "MAPREDUCE2",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "mapreduce2_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "mapreduce2_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -175,7 +183,8 @@
           "name": "HISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "mapreduce2_historyserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "history_server_jhs",
@@ -199,7 +208,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "mapreduce2_historyserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
               },

+ 24 - 12
ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json

@@ -4,10 +4,12 @@
       "name": "YARN",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "yarn_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "yarn_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -91,7 +93,8 @@
               }
             },
             {
-              "name": "/HIVE/HIVE_SERVER/hive_server_hive",
+              "name": "yarn_nodemanager_hive_server_hive",
+              "reference": "/HIVE/HIVE_SERVER/hive_server_hive",
               "principal": {
                 "configuration": "hive-interactive-site/hive.llap.daemon.service.principal"
               },
@@ -126,7 +129,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_nodemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal"
               },
@@ -168,7 +172,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_resourcemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal"
               },
@@ -177,7 +182,8 @@
               }
             },
             {
-              "name": "/YARN/RESOURCEMANAGER/resource_manager_rm",
+              "name": "yarn_resourcemanager_resource_manager_rm",
+              "reference": "/YARN/RESOURCEMANAGER/resource_manager_rm",
               "principal": {
                 "configuration": "ranger-yarn-audit/xasecure.audit.jaas.Client.option.principal"
               },
@@ -212,7 +218,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_app_timeline_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal"
               },
@@ -221,7 +228,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "yarn_app_timeline_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }
@@ -231,10 +239,12 @@
       "name": "MAPREDUCE2",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "mapreduce2_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "mapreduce2_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -242,7 +252,8 @@
           "name": "HISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "mapreduce2_historyserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "history_server_jhs",
@@ -266,7 +277,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "mapreduce2_historyserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
               },

+ 2 - 1
ambari-server/src/main/resources/common-services/ZEPPELIN/0.6.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "ZEPPELIN",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "zeppelin_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "zeppelin_user",

+ 2 - 1
ambari-server/src/main/resources/common-services/ZEPPELIN/0.7.0/kerberos.json

@@ -4,7 +4,8 @@
       "name": "ZEPPELIN",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "zeppelin_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "zeppelin_user",

+ 2 - 1
ambari-server/src/main/resources/common-services/ZOOKEEPER/3.4.5/kerberos.json

@@ -4,7 +4,8 @@
       "name": "ZOOKEEPER",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "zookeeper_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [

+ 3 - 2
ambari-server/src/main/resources/kerberos_descriptor_schema.json

@@ -5,10 +5,11 @@
       "properties": {
         "name": {
           "type": "string",
-          "pattern": "^(\\.\\/)?[/a-zA-Z0-9_\\-]+$"
+          "pattern": "^[a-zA-Z0-9_\\-]+$"
         },
         "reference": {
-          "type": "string"
+          "type": "string",
+          "pattern": "^(\\.\\/)?[/a-zA-Z0-9_\\-]+$"
         },
         "principal": {
           "type": "object",
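Review bot: The pattern moved onto `reference` is looser than the reference forms this commit actually uses, because `/` sits inside the character class. It therefore accepts values such as `/`, `//` or `a/b`, which have no identity segment or no leading `/` or `./`. Every reference in the descriptors here is `/identity`, `/SERVICE/identity`, `/SERVICE/COMPONENT/identity` or `./identity`. Since a reference decides which principal and keytab definition an identity inherits, the schema could reject malformed paths up front with `"pattern": "^(\\.\\/|\\/)[a-zA-Z0-9_\\-]+(\\/[a-zA-Z0-9_\\-]+){0,2}$"`. Confirm first which forms the resolver accepts, as it is not visible here. The `properties` object continues outside the hunk, so whether `name` is listed as required cannot be checked from here.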

+ 20 - 10
ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json

@@ -4,10 +4,12 @@
       "name": "YARN",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "yarn_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "yarn_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -67,7 +69,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_nodemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal"
               },
@@ -109,7 +112,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_resourcemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal"
               },
@@ -144,7 +148,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_app_timeline_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal"
               },
@@ -153,7 +158,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "yarn_app_timeline_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }
@@ -163,10 +169,12 @@
       "name": "MAPREDUCE2",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "mapreduce2_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "mapreduce2_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -174,7 +182,8 @@
           "name": "HISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "mapreduce2_historyserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "history_server_jhs",
@@ -198,7 +207,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "mapreduce2_historyserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
               },

+ 2 - 1
ambari-server/src/main/resources/stacks/HDP/2.3.ECS/services/ECS/kerberos.json

@@ -4,7 +4,8 @@
       "name": "ECS",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "ecs_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "hdfs",

+ 6 - 3
ambari-server/src/main/resources/stacks/HDP/2.3.ECS/services/HBASE/kerberos.json

@@ -4,10 +4,12 @@
       "name": "HBASE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "hbase_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/ECS/hdfs"
+          "name": "hbase_hdfs",
+          "reference": "/ECS/hdfs"
         },
         {
           "name": "hbase",
@@ -31,7 +33,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "hbase_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [

+ 22 - 11
ambari-server/src/main/resources/stacks/HDP/2.3.ECS/services/YARN/kerberos.json

@@ -4,13 +4,16 @@
       "name": "YARN",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "yarn_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/ECS/hdfs"
+          "name": "yarn_hdfs",
+          "reference": "/ECS/hdfs"
         },
         {
-          "name": "/smokeuser"
+          "name": "yarn_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -69,7 +72,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_nodemanger_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal"
               },
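Review bot: Two of the new identity names in this file are misspelled: `yarn_nodemanger_spnego` in this hunk and `yarn_app_timneline_server_hdfs` in the `@@ -155,7 +161,8 @@` hunk. The other YARN descriptors in this commit use `yarn_nodemanager_spnego` and `yarn_app_timeline_server_hdfs` for the same references. If anything matches identities by name across stack versions (not visible here), the 2.3.ECS entries would be treated as different identities. I would change the lines to `"name": "yarn_nodemanager_spnego",` and `"name": "yarn_app_timeline_server_hdfs",`. The enclosing component objects start and end outside both hunks.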
@@ -111,7 +115,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_resourcemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal"
               },
@@ -146,7 +151,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_app_timeline_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal"
               },
@@ -155,7 +161,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "yarn_app_timneline_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }
@@ -165,13 +172,16 @@
       "name": "MAPREDUCE2",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "mapreduce2_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/ECS/hdfs"
+          "name": "mapreduce2_hdfs",
+          "reference": "/ECS/hdfs"
         },
         {
-          "name": "/smokeuser"
+          "name": "mapreduce2_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -200,7 +210,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "mapreduce2_historyserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
               },

+ 18 - 9
ambari-server/src/main/resources/stacks/HDP/2.3.GlusterFS/services/ACCUMULO/kerberos.json

@@ -67,10 +67,12 @@
           }
         },
         {
-          "name": "/HDFS/NAMENODE/hdfs"
+          "name": "accumulo_hdfs",
+          "reference": "/HDFS/NAMENODE/hdfs"
         },
         {
-          "name": "/smokeuser"
+          "name": "accumulo_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -91,7 +93,8 @@
           "name": "ACCUMULO_MASTER",
           "identities": [
             {
-              "name": "./accumulo_service"
+              "name": "accumulo_accumulo_master_accumulo_service",
+              "reference": "./accumulo_service"
             }
           ]
         },
@@ -99,7 +102,8 @@
           "name": "ACCUMULO_TSERVER",
           "identities": [
             {
-              "name": "./accumulo_service"
+              "name": "accumulo_accumulo_tserver_accumulo_service",
+              "reference": "./accumulo_service"
             }
           ]
         },
@@ -107,10 +111,12 @@
           "name": "ACCUMULO_MONITOR",
           "identities": [
             {
-              "name": "./accumulo_service"
+              "name": "accumulo_accumulo_monitor_accumulo_service",
+              "reference": "./accumulo_service"
             },
             {
-              "name": "./accumulo_tracer"
+              "name": "accumulo_accumulo_monitor_accumulo_tracer",
+              "reference": "./accumulo_tracer"
             }
           ]
         },
@@ -118,7 +124,8 @@
           "name": "ACCUMULO_GC",
           "identities": [
             {
-              "name": "./accumulo_service"
+              "name": "accumulo_accumulo_gc_accumulo_service",
+              "reference": "./accumulo_service"
             }
           ]
         },
@@ -126,7 +133,8 @@
           "name": "ACCUMULO_TRACER",
           "identities": [
             {
-              "name": "./accumulo_tracer"
+              "name": "accumulo_accumulo_tracer_accumulo_tracer",
+              "reference": "./accumulo_tracer"
             }
           ]
         },
@@ -134,7 +142,8 @@
           "name": "ACCUMULO_CLIENT",
           "identities": [
             {
-              "name": "./accumulo"
+              "name": "accumulo_accumulo_client_accumulo",
+              "reference": "./accumulo"
             }
           ]
         }

+ 4 - 2
ambari-server/src/main/resources/stacks/HDP/2.3/services/ACCUMULO/kerberos.json

@@ -67,7 +67,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "accumulo_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -93,7 +94,8 @@
           "name": "ACCUMULO_MASTER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "accumulo_accumulo_master_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         },

+ 2 - 1
ambari-server/src/main/resources/stacks/HDP/2.3/services/TEZ/kerberos.json

@@ -7,7 +7,8 @@
           "name": "TEZ_CLIENT",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "tez_tez_client_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ],
           "configurations": [

+ 20 - 10
ambari-server/src/main/resources/stacks/HDP/2.3/services/YARN/kerberos.json

@@ -4,10 +4,12 @@
       "name": "YARN",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "yarn_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "yarn_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -76,7 +78,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_nodemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal"
               },
@@ -118,7 +121,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_resourcemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal"
               },
@@ -153,7 +157,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_app_timeline_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal"
               },
@@ -162,7 +167,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "yarn_app_timeline_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }
@@ -172,10 +178,12 @@
       "name": "MAPREDUCE2",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "mapreduce2_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "mapreduce2_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -183,7 +191,8 @@
           "name": "HISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "mapreduce2_historyserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "history_server_jhs",
@@ -207,7 +216,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "mapreduce2_historyserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
               },

+ 10 - 5
ambari-server/src/main/resources/stacks/HDP/2.5/services/FALCON/kerberos.json

@@ -4,10 +4,12 @@
       "name": "FALCON",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "falcon_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "falcon_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -27,7 +29,8 @@
           "name": "FALCON_SERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "falcon_falcon_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "falcon_server",
@@ -51,7 +54,8 @@
               }
             },
             {
-              "name": "/FALCON/FALCON_SERVER/falcon_server",
+              "name": "falcon_falcon_server_falcon_server",
+              "reference": "/FALCON/FALCON_SERVER/falcon_server",
               "principal": {
                 "configuration": "falcon-atlas-application.properties/atlas.jaas.KafkaClient.option.principal"
               },
@@ -60,7 +64,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "falcon_falcon_server_falcon_spnego",
+              "reference": "/spnego",
               "principal": {
                 "value": "HTTP/_HOST@${realm}",
                 "configuration": "falcon-startup.properties/*.falcon.http.authentication.kerberos.principal"
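Review bot: The name `falcon_falcon_server_falcon_spnego` in this hunk does not follow the convention used for the other component-level SPNEGO references in this commit. Those are named service, component, referenced identity, for example `hbase_hbase_master_spnego` and `hive_hive_server_spnego`, while this one has an extra `falcon_` before `spnego`. If the names are meant to be derivable from the container path and the reference, I would use `"name": "falcon_falcon_server_spnego",`. The identity object continues past the end of the hunk.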

+ 10 - 5
ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HBASE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "hbase_spnego",
+          "reference": "/spnego"
         },
         {
           "name": "hbase",
@@ -28,7 +29,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "hbase_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -60,7 +62,8 @@
           "name": "HBASE_MASTER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hbase_hbase_master_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "hbase_master_hbase",
@@ -84,7 +87,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hbase_hbase_master_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.principal"
               },
@@ -129,7 +133,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hbase_hbase_regionserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.principal"
               },

+ 14 - 7
ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HDFS",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "hdfs_spnego",
+          "reference": "/spnego",
           "principal": {
             "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
           },
@@ -13,7 +14,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "hdfs_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "auth_to_local_properties" : [
@@ -43,7 +45,8 @@
           "name":  "HDFS_CLIENT",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hdfs_hdfs_client_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         },
@@ -93,13 +96,15 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal"
               }
             },
             {
-              "name": "/HDFS/NAMENODE/namenode_nn",
+              "name": "hdfs_namenode_namenode_nn",
+              "reference": "/HDFS/NAMENODE/namenode_nn",
               "principal": {
                 "configuration": "ranger-hdfs-audit/xasecure.audit.jaas.Client.option.principal"                
               },
@@ -175,7 +180,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_secondary_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal"
               }
@@ -233,7 +239,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_journalnode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal"
               }

+ 20 - 10
ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/kerberos.json

@@ -4,10 +4,12 @@
       "name": "HIVE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "hive_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "hive_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -33,7 +35,8 @@
           "name": "HIVE_METASTORE",
           "identities": [
             {
-              "name": "/HIVE/HIVE_SERVER/hive_server_hive",
+              "name": "hive_hive_metastore_hive_server_hive",
+              "reference": "/HIVE/HIVE_SERVER/hive_server_hive",
               "principal": {
                 "configuration": "hive-site/hive.metastore.kerberos.principal"
               },
@@ -47,7 +50,8 @@
           "name": "HIVE_SERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hive_hive_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "hive_server_hive",
@@ -81,7 +85,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hive_hive_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hive-site/hive.server2.authentication.spnego.principal"
               },
@@ -105,16 +110,20 @@
           "name": "HIVE_SERVER_INTERACTIVE",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hive_hive_server_interactive_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
-              "name": "/HIVE/HIVE_SERVER/hive_server_hive"
+              "name": "hive_hive_server_interactive_hive_server_hive",
+              "reference": "/HIVE/HIVE_SERVER/hive_server_hive"
             },
             {
-              "name": "/HIVE/HIVE_SERVER/spnego"
+              "name": "hive_hive_server_interactive_spnego",
+              "reference": "/HIVE/HIVE_SERVER/spnego"
             },
             {
-              "name": "/YARN/NODEMANAGER/llap_zk_hive"
+              "name": "hive_hive_server_interactive_llap_zk_hive",
+              "reference": "/YARN/NODEMANAGER/llap_zk_hive"
             }
           ]
         },
@@ -122,7 +131,8 @@
           "name": "WEBHCAT_SERVER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "hive_webhcat_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "webhcat-site/templeton.kerberos.principal"
               },
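Review bot: The reference `/HIVE/HIVE_SERVER/spnego` kept under HIVE_SERVER_INTERACTIVE (hunk `@@ -105,16 +110,20 @@`) may no longer resolve, because the hunk just above renames the HIVE_SERVER identity it appears to target from `/spnego` to `hive_hive_server_spnego`. The lookup code is not shown here, but if the final path segment is matched against the identity name, HIVE_SERVER_INTERACTIVE would lose the SPNEGO principal and keytab settings it is meant to inherit. Consider pointing it at the renamed entry, `"reference": "/HIVE/HIVE_SERVER/hive_hive_server_spnego"`. A descriptor test that resolves every `reference` in this file would catch this class of breakage.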

+ 2 - 1
ambari-server/src/main/resources/stacks/HDP/2.5/services/KNOX/kerberos.json

@@ -29,7 +29,8 @@
               }
             },
             {
-              "name": "/KNOX/KNOX_GATEWAY/knox_principal",
+              "name": "knox_knox_gateway_knox_principal",
+              "reference": "/KNOX/KNOX_GATEWAY/knox_principal",
               "principal": {
                 "configuration": "ranger-knox-audit/xasecure.audit.jaas.Client.option.principal"                
               },

+ 6 - 3
ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER_KMS/kerberos.json

@@ -4,7 +4,8 @@
       "name": "RANGER_KMS",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "ranger_kms_spnego",
+          "reference": "/spnego",
           "keytab": {
             "configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
           }
@@ -36,7 +37,8 @@
           "name": "RANGER_KMS_SERVER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "ranger_kms_ranger_kms_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal"
               },
@@ -62,7 +64,8 @@
               }
             },
             {
-              "name": "/RANGER_KMS/RANGER_KMS_SERVER/rangerkms",
+              "name": "ranger_kms_ranger_kms_server_rangerkms",
+              "reference": "/RANGER_KMS/RANGER_KMS_SERVER/rangerkms",
               "principal": {
                 "configuration": "ranger-kms-audit/xasecure.audit.jaas.Client.option.principal"
               },

+ 12 - 6
ambari-server/src/main/resources/stacks/HDP/2.5/services/SPARK/kerberos.json

@@ -4,7 +4,8 @@
       "name": "SPARK",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "spark_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "sparkuser",
@@ -58,7 +59,8 @@
           "name": "SPARK_JOBHISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "spark_spark_jobhistoryserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         },
@@ -69,10 +71,12 @@
           "name": "SPARK_THRIFTSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "spark_spark_thriftserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
-              "name": "/HIVE/HIVE_SERVER/hive_server_hive"
+              "name": "spark_spark_thriftserver_hive_server_hive",
+              "reference": "/HIVE/HIVE_SERVER/hive_server_hive"
             }
           ]
         },
@@ -80,7 +84,8 @@
           "name": "LIVY_SERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "spark_livy_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "livyuser",
@@ -104,7 +109,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "spark_livy_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "livy-conf/livy.server.auth.kerberos.principal"
               },

+ 24 - 12
ambari-server/src/main/resources/stacks/HDP/2.5/services/YARN/kerberos.json

@@ -4,10 +4,12 @@
       "name": "YARN",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "yarn_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "yarn_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -86,7 +88,8 @@
               }
             },
             {
-              "name": "/HIVE/HIVE_SERVER/hive_server_hive",
+              "name": "yarn_nodemanager_hive_server_hive",
+              "reference": "/HIVE/HIVE_SERVER/hive_server_hive",
               "principal": {
                 "configuration": "hive-interactive-site/hive.llap.daemon.service.principal"
               },
@@ -121,7 +124,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_nodemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal"
               },
@@ -163,7 +167,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_resourcemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal"
               },
@@ -172,7 +177,8 @@
               }
             },
             {
-              "name": "/YARN/RESOURCEMANAGER/resource_manager_rm",
+              "name": "yarn_resourcemanager_resource_manager_rm",
+              "reference": "/YARN/RESOURCEMANAGER/resource_manager_rm",
               "principal": {
                 "configuration": "ranger-yarn-audit/xasecure.audit.jaas.Client.option.principal"
               },
@@ -207,7 +213,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_app_timeline_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal"
               },
@@ -216,7 +223,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "yarn_app_timeline_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }
@@ -226,10 +234,12 @@
       "name": "MAPREDUCE2",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "mapreduce2_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "mapreduce2_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -237,7 +247,8 @@
           "name": "HISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "mapreduce2_historyserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "history_server_jhs",
@@ -261,7 +272,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "mapreduce2_historyserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
               },

+ 2 - 1
ambari-server/src/main/resources/stacks/HDP/2.5/services/ZEPPELIN/kerberos.json

@@ -4,7 +4,8 @@
       "name": "ZEPPELIN",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "zeppelin_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "zeppelin_user",

+ 6 - 3
ambari-server/src/main/resources/stacks/HDP/2.6/services/ATLAS/kerberos.json

@@ -67,7 +67,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "atlas_atlas_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "value": "HTTP/_HOST@${realm}",
                 "configuration": "application-properties/atlas.authentication.method.kerberos.principal"
@@ -87,10 +88,12 @@
               }
             },
             {
-              "name": "/KAFKA/KAFKA_BROKER/kafka_broker"
+              "name": "atlas_atlas_server_kafka_broker",
+              "reference": "/KAFKA/KAFKA_BROKER/kafka_broker"
             },
             {
-              "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
+              "name": "atlas_atlas_server_infra-solr",
+              "reference": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
             }
           ]
         }

+ 16 - 8
ambari-server/src/main/resources/stacks/HDP/2.6/services/DRUID/kerberos.json

@@ -4,7 +4,8 @@
       "name": "DRUID",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "druid_spnego",
+          "reference": "/spnego",
           "principal": {
             "configuration": "druid-common/druid.hadoop.security.spnego.principal"
           },
@@ -55,7 +56,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "druid_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -63,7 +65,8 @@
           "name": "DRUID_HISTORICAL",
           "identities": [
             {
-              "name": "/druid"
+              "name": "druid_druid_historical_druid",
+              "reference": "/druid"
             }
           ]
         },
@@ -71,7 +74,8 @@
           "name": "DRUID_BROKER",
           "identities": [
             {
-              "name": "/druid"
+              "name": "druid_druid_broker_druid",
+              "reference": "/druid"
             }
           ]
         },
@@ -79,7 +83,8 @@
           "name": "DRUID_OVERLORD",
           "identities": [
             {
-              "name": "/druid"
+              "name": "druid_druid_historical_druid",
+              "reference": "/druid"
             }
           ]
         },
@@ -87,7 +92,8 @@
           "name": "DRUID_COORDINATOR",
           "identities": [
             {
-              "name": "/druid"
+              "name": "druid_druid_coordinator_druid",
+              "reference": "/druid"
             }
           ]
         },
@@ -95,7 +101,8 @@
           "name": "DRUID_MIDDLEMANAGER",
           "identities": [
             {
-              "name": "/druid"
+              "name": "druid_druid_middlemanager_druid",
+              "reference": "/druid"
             }
           ]
         },
@@ -103,7 +110,8 @@
           "name": "DRUID_SUPERSET",
           "identities": [
             {
-              "name": "/druid"
+              "name": "druid_druid_superset_druid",
+              "reference": "/druid"
             }
           ]
         }
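Review bot: The DRUID_OVERLORD identity (hunk `@@ -79,7 +83,8 @@`) is named `druid_druid_historical_druid`, the same name given to DRUID_HISTORICAL two hunks earlier, which looks like a copy-paste slip. Every other component in this file follows `<service>_<component>_<identity>`, so this line should read `"name": "druid_druid_overlord_druid",`. The two entries sit in different components, so a collision is not certain. Any code that keys identities by name alone, for example when merging or upgrading stored descriptors, would still treat them as one.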

+ 14 - 7
ambari-server/src/main/resources/stacks/HDP/2.6/services/HDFS/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HDFS",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "hdfs_spnego",
+          "reference": "/spnego",
           "principal": {
             "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
           },
@@ -13,7 +14,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "hdfs_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "auth_to_local_properties" : [
@@ -44,7 +46,8 @@
           "name":  "HDFS_CLIENT",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hdfs_hdfs_client_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         },
@@ -94,13 +97,15 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal"
               }
             },
             {
-              "name": "/HDFS/NAMENODE/namenode_nn",
+              "name": "hdfs_namenode_namenode_nn",
+              "reference": "/HDFS/NAMENODE/namenode_nn",
               "principal": {
                 "configuration": "ranger-hdfs-audit/xasecure.audit.jaas.Client.option.principal"
               },
@@ -176,7 +181,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_secondary_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal"
               }
@@ -234,7 +240,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_journalnode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal"
               }

+ 8 - 4
ambari-server/src/main/resources/stacks/HDP/2.6/services/OOZIE/kerberos.json

@@ -4,10 +4,12 @@
       "name": "OOZIE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "oozie_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "oozie_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "auth_to_local_properties" : [
@@ -30,7 +32,8 @@
           "name": "OOZIE_SERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "oozie_oozie_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "oozie_server",
@@ -54,7 +57,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "oozie_oozie_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "oozie-site/oozie.authentication.kerberos.principal"
               },

+ 2 - 1
ambari-server/src/main/resources/stacks/HDP/2.6/services/SPARK/kerberos.json

@@ -4,7 +4,8 @@
       "name": "SPARK",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "spark_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "sparkuser",

+ 2 - 1
ambari-server/src/main/resources/stacks/HDP/2.6/services/SPARK2/kerberos.json

@@ -4,7 +4,8 @@
       "name": "SPARK2",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "spark2_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "spark2user",

+ 4 - 2
ambari-server/src/main/resources/stacks/HDP/2.6/services/SUPERSET/kerberos.json

@@ -25,7 +25,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "superset_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -33,7 +34,8 @@
           "name": "SUPERSET",
           "identities": [
             {
-              "name": "/superset"
+              "name": "superset_superset_superset",
+              "reference": "/superset"
             }
           ]
         }

+ 24 - 12
ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json

@@ -4,10 +4,12 @@
       "name": "YARN",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "yarn_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "yarn_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -91,7 +93,8 @@
               }
             },
             {
-              "name": "/HIVE/HIVE_SERVER/hive_server_hive",
+              "name": "yarn_nodemanager_hive_server_hive",
+              "reference": "/HIVE/HIVE_SERVER/hive_server_hive",
               "principal": {
                 "configuration": "hive-interactive-site/hive.llap.daemon.service.principal"
               },
@@ -149,7 +152,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_nodemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal"
               },
@@ -191,7 +195,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_resourcemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal"
               },
@@ -200,7 +205,8 @@
               }
             },
             {
-              "name": "/YARN/RESOURCEMANAGER/resource_manager_rm",
+              "name": "yarn_resourcemanager_resource_manager_rm",
+              "reference": "/YARN/RESOURCEMANAGER/resource_manager_rm",
               "principal": {
                 "configuration": "ranger-yarn-audit/xasecure.audit.jaas.Client.option.principal"
               },
@@ -235,7 +241,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_app_timeline_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal"
               },
@@ -244,7 +251,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "yarn_app_timeline_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }
@@ -254,10 +262,12 @@
       "name": "MAPREDUCE2",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "mapreduce2_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "mapreduce2_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -265,7 +275,8 @@
           "name": "HISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "mapreduce2_historyserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "history_server_jhs",
@@ -289,7 +300,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "mapreduce2_historyserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
               },

+ 2 - 1
ambari-server/src/main/resources/stacks/HDP/2.6/services/ZEPPELIN/kerberos.json

@@ -4,7 +4,8 @@
       "name": "ZEPPELIN",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "zeppelin_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "zeppelin_user",

+ 10 - 5
ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json

@@ -4,7 +4,8 @@
       "name": "FAKEHBASE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "fakehbase_spnego",
+          "reference": "/spnego"
         },
         {
           "name": "hbase",
@@ -28,7 +29,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "fakehbase_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -60,7 +62,8 @@
           "name": "FAKEHBASE_MASTER",
           "identities": [
             {
-              "name": "/FAKEHDFS/FAKENAMENODE/hdfs"
+              "name": "fakehbase_fakehbase_master_hdfs",
+              "reference": "/FAKEHDFS/FAKENAMENODE/hdfs"
             },
             {
               "name": "hbase_master_hbase",
@@ -84,7 +87,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "fakehbase_fakehbase_master_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.principal"
               },
@@ -129,7 +133,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "fakehbase_fakehbase_regionserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.principal"
               },

+ 14 - 7
ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHDFS/kerberos.json

@@ -4,7 +4,8 @@
       "name": "FAKEHDFS",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "fakehdfs_spnego",
+          "reference": "/spnego",
           "principal": {
             "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
           },
@@ -13,7 +14,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "fakehdfs_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "auth_to_local_properties" : [
@@ -43,7 +45,8 @@
           "name":  "FAKEHDFS_CLIENT",
           "identities": [
             {
-              "name": "/FAKEHDFS/FAKENAMENODE/hdfs"
+              "name": "fakehdfs_fakehdfs_client_hdfs",
+              "reference": "/FAKEHDFS/FAKENAMENODE/hdfs"
             }
           ]
         },
@@ -93,13 +96,15 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "fakehdfs_fakehdfs_fakenamenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal"
               }
             },
             {
-              "name": "/FAKEHDFS/FAKENAMENODE/namenode_nn",
+              "name": "fakehdfs_fakehdfs_fakenamenode_namenode_nn",
+              "reference": "/FAKEHDFS/FAKENAMENODE/namenode_nn",
               "principal": {
                 "configuration": "ranger-hdfs-audit/xasecure.audit.jaas.Client.option.principal"                
               },
@@ -175,7 +180,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "fakehdfs_secondary_fakenamenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal"
               }
@@ -233,7 +239,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "fakehdfs_fakejournalnode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal"
               }
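Review bot: Two names in the `@@ -93,13 +96,15 @@` hunk carry the service prefix twice: `fakehdfs_fakehdfs_fakenamenode_spnego` and `fakehdfs_fakehdfs_fakenamenode_namenode_nn`. The later hunks in this file use a single prefix (`fakehdfs_secondary_fakenamenode_spnego`, `fakehdfs_fakejournalnode_spnego`), and the HDP 2.6 HDFS descriptor uses `hdfs_namenode_spnego` for the matching entry. These presumably should be `fakehdfs_fakenamenode_spnego` and `fakehdfs_fakenamenode_namenode_nn`. The component's `name` line is outside the hunk, so confirm it is FAKENAMENODE before renaming.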

+ 24 - 12
ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEYARN/kerberos.json

@@ -4,10 +4,12 @@
       "name": "FAKEYARN",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "fakeyarn_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "fakeyarn_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -87,7 +89,8 @@
               }
             },
             {
-              "name": "/HIVE/HIVE_SERVER/hive_server_hive",
+              "name": "fakeyarn_fakenodemanager_hive_server_hive",
+              "reference": "/HIVE/HIVE_SERVER/hive_server_hive",
               "principal": {
                 "configuration": "hive-interactive-site/hive.llap.daemon.service.principal"
               },
@@ -122,7 +125,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "fakeyarn_fakenodemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal"
               },
@@ -164,7 +168,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "fakeyarn_fakeresourcemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal"
               },
@@ -173,7 +178,8 @@
               }
             },
             {
-              "name": "/FAKEYARN/FAKERESOURCEMANAGER/resource_manager_rm",
+              "name": "fakeyarn_fakeresourcemanager_resource_manager_rm",
+              "reference": "/FAKEYARN/FAKERESOURCEMANAGER/resource_manager_rm",
               "principal": {
                 "configuration": "ranger-yarn-audit/xasecure.audit.jaas.Client.option.principal"
               },
@@ -208,7 +214,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "fakeyarn_fakeapp_timeline_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal"
               },
@@ -217,7 +224,8 @@
               }
             },
             {
-              "name": "/FAKEHDFS/FAKENAMENODE/hdfs"
+              "name": "app_timeline_server_hdfs",
+              "reference": "/FAKEHDFS/FAKENAMENODE/hdfs"
             }
           ]
         }
@@ -227,10 +235,12 @@
       "name": "FAKEMAPREDUCE2",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "fakemapreduce2_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "fakemapreduce2_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -238,7 +248,8 @@
           "name": "FAKEHISTORYSERVER",
           "identities": [
             {
-              "name": "/FAKEHDFS/FAKENAMENODE/hdfs"
+              "name": "fakemapreduce2_fakehistoryserver_hdfs",
+              "reference": "/FAKEHDFS/FAKENAMENODE/hdfs"
             },
             {
               "name": "history_server_jhs",
@@ -262,7 +273,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "fakemapreduce2_fakehistoryserver_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
               },
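Review bot: The identity added in the `@@ -217,7 +224,8 @@` hunk is named `app_timeline_server_hdfs`, without the service and component prefix that its sibling `fakeyarn_fakeapp_timeline_server_spnego` carries in the hunk just above. Under the naming used in the rest of this file it should be `"name": "fakeyarn_fakeapp_timeline_server_hdfs",`. An unprefixed name is more likely to clash with an identically named identity elsewhere if names are ever compared across containers. The component header for this hunk is outside the shown lines, so confirm the component before renaming.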

+ 2 - 1
ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEZOOKEEPER/kerberos.json

@@ -4,7 +4,8 @@
       "name": "ZOOKEEPER",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "zookeeper_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [

+ 8 - 4
ambari-server/src/main/resources/stacks/PERF/1.0/services/GRUMPY/kerberos.json

@@ -4,7 +4,8 @@
       "name": "GRUMPY",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "grumpy_spnego",
+          "reference": "/spnego"
         },
         {
           "name": "grumpy",
@@ -28,7 +29,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "grumpy_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -38,7 +40,8 @@
           "name": "GRUMPY",
           "identities": [
             {
-              "name": "/FAKEHDFS/FAKENAMENODE/hdfs"
+              "name": "grumpy_grumpy_hdfs",
+              "reference": "/FAKEHDFS/FAKENAMENODE/hdfs"
             },
             {
               "name": "grumpy_grumpy",
@@ -62,7 +65,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "grumpy_grumpy_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "grumpy-site/grumpy.security.authentication.spnego.kerberos.principal"
               },

+ 8 - 4
ambari-server/src/main/resources/stacks/PERF/1.0/services/HAPPY/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HAPPY",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "happy_spnego",
+          "reference": "/spnego"
         },
         {
           "name": "happy",
@@ -28,7 +29,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "happy_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -38,7 +40,8 @@
           "name": "HAPPY",
           "identities": [
             {
-              "name": "/FAKEHDFS/FAKENAMENODE/hdfs"
+              "name": "happy_happy_hdfs",
+              "reference": "/FAKEHDFS/FAKENAMENODE/hdfs"
             },
             {
               "name": "happy_happy",
@@ -62,7 +65,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "happy_happy_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "happy-site/happy.security.authentication.spnego.kerberos.principal"
               },

+ 2 - 1
ambari-server/src/main/resources/stacks/PERF/1.0/services/KERBEROS/kerberos.json

@@ -4,7 +4,8 @@
       "name": "KERBEROS",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "kerberos_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [

+ 8 - 4
ambari-server/src/main/resources/stacks/PERF/1.0/services/SLEEPY/kerberos.json

@@ -4,7 +4,8 @@
       "name": "SLEEPY",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "sleepy_spnego",
+          "reference": "/spnego"
         },
         {
           "name": "sleepy",
@@ -28,7 +29,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "sleepy_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -38,7 +40,8 @@
           "name": "SLEEPY",
           "identities": [
             {
-              "name": "/FAKEHDFS/FAKENAMENODE/hdfs"
+              "name": "sleepy_sleepy_hdfs",
+              "reference": "/FAKEHDFS/FAKENAMENODE/hdfs"
             },
             {
               "name": "sleepy_sleepy",
@@ -62,7 +65,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "sleepy_sleepy_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "sleepy-site/sleepy.security.authentication.spnego.kerberos.principal"
               },

+ 8 - 4
ambari-server/src/main/resources/stacks/PERF/1.0/services/SNOW/kerberos.json

@@ -4,7 +4,8 @@
       "name": "SNOW",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "snow_spnego",
+          "reference": "/spnego"
         },
         {
           "name": "snow",
@@ -28,7 +29,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "snow_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -38,7 +40,8 @@
           "name": "SNOW_WHITE",
           "identities": [
             {
-              "name": "/FAKEHDFS/FAKENAMENODE/hdfs"
+              "name": "snow_snow_white_hdfs",
+              "reference": "/FAKEHDFS/FAKENAMENODE/hdfs"
             },
             {
               "name": "snow_white_snow",
@@ -62,7 +65,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "snow_snow_white_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "snow-site/snow.security.authentication.spnego.kerberos.principal"
               },

+ 92 - 71
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java

@@ -55,8 +55,8 @@ import org.apache.ambari.server.api.services.AmbariMetaInfo;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.controller.AmbariManagementController;
 import org.apache.ambari.server.controller.AmbariManagementControllerImpl;
-import org.apache.ambari.server.controller.KerberosHelper;
 import org.apache.ambari.server.controller.MaintenanceStateHelper;
+import org.apache.ambari.server.controller.ServiceConfigVersionResponse;
 import org.apache.ambari.server.orm.DBAccessor;
 import org.apache.ambari.server.orm.DBAccessor.DBColumnInfo;
 import org.apache.ambari.server.orm.dao.ArtifactDAO;
@@ -74,6 +74,7 @@ import org.apache.ambari.server.state.StackInfo;
 import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor;
 import org.apache.ambari.server.state.kerberos.KerberosDescriptor;
 import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory;
+import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor;
 import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
 import org.apache.ambari.server.state.stack.OsFamily;
 import org.apache.commons.io.FileUtils;
@@ -131,41 +132,16 @@ public class UpgradeCatalog260Test {
   @Mock(type = MockType.NICE)
   private OsFamily osFamily;
 
-  @Mock(type = MockType.NICE)
-  private KerberosHelper kerberosHelper;
-
-  @Mock(type = MockType.NICE)
-  private ActionManager actionManager;
-
-  @Mock(type = MockType.NICE)
-  private Config config;
-
-  @Mock(type = MockType.STRICT)
-  private Service service;
-
-  @Mock(type = MockType.NICE)
-  private Clusters clusters;
-
-  @Mock(type = MockType.NICE)
-  private Cluster cluster;
-
-  @Mock(type = MockType.NICE)
-  private Injector injector;
-
   @Rule
   public TemporaryFolder temporaryFolder = new TemporaryFolder();
 
   @Before
   public void init() {
-    reset(entityManagerProvider, injector);
+    reset(entityManagerProvider);
 
     expect(entityManagerProvider.get()).andReturn(entityManager).anyTimes();
 
-    expect(injector.getInstance(Gson.class)).andReturn(null).anyTimes();
-    expect(injector.getInstance(MaintenanceStateHelper.class)).andReturn(null).anyTimes();
-    expect(injector.getInstance(KerberosHelper.class)).andReturn(kerberosHelper).anyTimes();
-
-    replay(entityManagerProvider, injector);
+    replay(entityManagerProvider);
   }
 
   @After
@@ -227,17 +203,7 @@ public class UpgradeCatalog260Test {
 
     replay(dbAccessor, configuration, connection, statement, resultSet);
 
-    Module module = new Module() {
-      @Override
-      public void configure(Binder binder) {
-        binder.bind(DBAccessor.class).toInstance(dbAccessor);
-        binder.bind(OsFamily.class).toInstance(osFamily);
-        binder.bind(EntityManager.class).toInstance(entityManager);
-        binder.bind(Configuration.class).toInstance(configuration);
-      }
-    };
-
-    Injector injector = Guice.createInjector(module);
+    Injector injector = getInjector();
     UpgradeCatalog260 upgradeCatalog260 = injector.getInstance(UpgradeCatalog260.class);
     upgradeCatalog260.executeDDLUpdates();
 
@@ -261,7 +227,7 @@ public class UpgradeCatalog260Test {
     expectLastCall().once();
   }
 
-  public  void expectRenameServiceDeletedColumn(Capture<DBColumnInfo> unmapped) throws SQLException {
+  public void expectRenameServiceDeletedColumn(Capture<DBColumnInfo> unmapped) throws SQLException {
     dbAccessor.renameColumn(eq(UpgradeCatalog260.CLUSTER_CONFIG_TABLE), eq(UpgradeCatalog260.SERVICE_DELETED_COLUMN), capture(unmapped));
     expectLastCall().once();
   }
@@ -355,7 +321,7 @@ public class UpgradeCatalog260Test {
   }
 
   public void expectUpdateUpgradeTable(Capture<DBColumnInfo> rvid,
-      Capture<DBColumnInfo> orchestration, Capture<DBColumnInfo> revertAllowed)
+                                       Capture<DBColumnInfo> orchestration, Capture<DBColumnInfo> revertAllowed)
       throws SQLException {
 
     dbAccessor.clearTable(eq(UpgradeCatalog260.UPGRADE_TABLE));
@@ -557,17 +523,7 @@ public class UpgradeCatalog260Test {
     expectLastCall().once();
     replay(dbAccessor, configuration, connection, statement, resultSet);
 
-    Module module = new Module() {
-      @Override
-      public void configure(Binder binder) {
-        binder.bind(DBAccessor.class).toInstance(dbAccessor);
-        binder.bind(OsFamily.class).toInstance(osFamily);
-        binder.bind(EntityManager.class).toInstance(entityManager);
-        binder.bind(Configuration.class).toInstance(configuration);
-      }
-    };
-
-    Injector injector = Guice.createInjector(module);
+    Injector injector = getInjector();
     UpgradeCatalog260 upgradeCatalog260 = injector.getInstance(UpgradeCatalog260.class);
     upgradeCatalog260.executePreDMLUpdates();
 
@@ -605,27 +561,17 @@ public class UpgradeCatalog260Test {
   @Test
   public void testEnsureZeppelinProxyUserConfigs() throws AmbariException {
 
-    final Clusters clusters = createMock(Clusters.class);
+    Injector injector = getInjector();
+
+    final Clusters clusters = injector.getInstance(Clusters.class);
     final Cluster cluster = createMock(Cluster.class);
     final Config zeppelinEnvConf = createMock(Config.class);
     final Config coreSiteConf = createMock(Config.class);
     final Config coreSiteConfNew = createMock(Config.class);
-    final AmbariManagementController controller = createMock(AmbariManagementController.class);
+    final AmbariManagementController controller = injector.getInstance(AmbariManagementController.class);
 
     Capture<? extends Map<String, String>> captureCoreSiteConfProperties = newCapture();
 
-    Module module = new Module() {
-      @Override
-      public void configure(Binder binder) {
-        binder.bind(DBAccessor.class).toInstance(dbAccessor);
-        binder.bind(OsFamily.class).toInstance(osFamily);
-        binder.bind(EntityManager.class).toInstance(entityManager);
-        binder.bind(Configuration.class).toInstance(configuration);
-        binder.bind(Clusters.class).toInstance(clusters);
-        binder.bind(AmbariManagementController.class).toInstance(controller);
-      }
-    };
-
     expect(clusters.getClusters()).andReturn(Collections.singletonMap("c1", cluster)).once();
 
     expect(cluster.getClusterName()).andReturn("c1").atLeastOnce();
@@ -648,7 +594,6 @@ public class UpgradeCatalog260Test {
 
     replay(clusters, cluster, zeppelinEnvConf, coreSiteConf, coreSiteConfNew, controller);
 
-    Injector injector = Guice.createInjector(module);
     UpgradeCatalog260 upgradeCatalog260 = injector.getInstance(UpgradeCatalog260.class);
     upgradeCatalog260.ensureZeppelinProxyUserConfigs();
 
@@ -662,6 +607,8 @@ public class UpgradeCatalog260Test {
   @Test
   public void testUpdateKerberosDescriptorArtifact() throws Exception {
 
+    Injector injector = getInjector();
+
     URL systemResourceURL = ClassLoader.getSystemResource("kerberos/test_kerberos_descriptor_ranger_kms.json");
     Assert.assertNotNull(systemResourceURL);
 
@@ -672,28 +619,71 @@ public class UpgradeCatalog260Test {
     serviceDescriptor = kerberosDescriptor.getService("RANGER_KMS");
     Assert.assertNotNull(serviceDescriptor);
     Assert.assertNotNull(serviceDescriptor.getIdentity("/smokeuser"));
+    Assert.assertNotNull(serviceDescriptor.getIdentity("/spnego"));
 
     KerberosComponentDescriptor componentDescriptor;
     componentDescriptor = serviceDescriptor.getComponent("RANGER_KMS_SERVER");
     Assert.assertNotNull(componentDescriptor);
     Assert.assertNotNull(componentDescriptor.getIdentity("/smokeuser"));
+    Assert.assertNotNull(componentDescriptor.getIdentity("/spnego"));
+    Assert.assertNotNull(componentDescriptor.getIdentity("/spnego").getPrincipalDescriptor());
+    Assert.assertEquals("invalid_name@${realm}", componentDescriptor.getIdentity("/spnego").getPrincipalDescriptor().getValue());
 
     ArtifactEntity artifactEntity = createMock(ArtifactEntity.class);
 
     expect(artifactEntity.getArtifactData()).andReturn(kerberosDescriptor.toMap()).once();
 
     Capture<Map<String, Object>> captureMap = newCapture();
+    expect(artifactEntity.getForeignKeys()).andReturn(Collections.singletonMap("cluster", "2"));
     artifactEntity.setArtifactData(capture(captureMap));
     expectLastCall().once();
 
     ArtifactDAO artifactDAO = createMock(ArtifactDAO.class);
     expect(artifactDAO.merge(artifactEntity)).andReturn(artifactEntity).atLeastOnce();
 
-    replay(artifactDAO, artifactEntity);
+    Map<String, String> properties = new HashMap<>();
+    properties.put("ranger.ks.kerberos.principal", "correct_value@EXAMPLE.COM");
+    properties.put("xasecure.audit.jaas.Client.option.principal", "wrong_value@EXAMPLE.COM");
+
+    Config config = createMock(Config.class);
+    expect(config.getProperties()).andReturn(properties).anyTimes();
+    expect(config.getPropertiesAttributes()).andReturn(Collections.<String, Map<String, String>>emptyMap()).anyTimes();
+    expect(config.getTag()).andReturn("version1").anyTimes();
+    expect(config.getType()).andReturn("ranger-kms-audit").anyTimes();
+
+    Config newConfig = createMock(Config.class);
+    expect(newConfig.getTag()).andReturn("version2").anyTimes();
+    expect(newConfig.getType()).andReturn("ranger-kms-audit").anyTimes();
+
+    ServiceConfigVersionResponse response = createMock(ServiceConfigVersionResponse.class);
+
+    StackId stackId = createMock(StackId.class);
+
+    Cluster cluster = createMock(Cluster.class);
+    expect(cluster.getDesiredStackVersion()).andReturn(stackId).anyTimes();
+    expect(cluster.getDesiredConfigByType("dbks-site")).andReturn(config).anyTimes();
+    expect(cluster.getDesiredConfigByType("ranger-kms-audit")).andReturn(config).anyTimes();
+    expect(cluster.getConfigsByType("ranger-kms-audit")).andReturn(Collections.singletonMap("version1", config)).anyTimes();
+    expect(cluster.getServiceByConfigType("ranger-kms-audit")).andReturn("RANGER").anyTimes();
+    expect(cluster.getClusterName()).andReturn("cl1").anyTimes();
+    expect(cluster.getConfig(eq("ranger-kms-audit"), anyString())).andReturn(newConfig).once();
+    expect(cluster.addDesiredConfig("ambari-upgrade", Collections.singleton(newConfig), "Updated ranger-kms-audit during Ambari Upgrade from 2.5.2 to 2.6.0.")).andReturn(response).once();
+
+    final Clusters clusters = injector.getInstance(Clusters.class);
+    expect(clusters.getCluster(2L)).andReturn(cluster).anyTimes();
 
-    UpgradeCatalog260 upgradeCatalog260 = createMockBuilder(UpgradeCatalog260.class).createMock();
+    Capture<? extends Map<String, String>> captureProperties = newCapture();
+
+    AmbariManagementController controller = injector.getInstance(AmbariManagementController.class);
+    expect(controller.createConfig(eq(cluster), eq(stackId), eq("ranger-kms-audit"), capture(captureProperties), anyString(), anyObject(Map.class)))
+        .andReturn(null)
+        .once();
+
+    replay(artifactDAO, artifactEntity, cluster, clusters, config, newConfig, response, controller, stackId);
+
+    UpgradeCatalog260 upgradeCatalog260 = injector.getInstance(UpgradeCatalog260.class);
     upgradeCatalog260.updateKerberosDescriptorArtifact(artifactDAO, artifactEntity);
-    verify(artifactDAO, artifactEntity);
+    verify(artifactDAO, artifactEntity, cluster, clusters, config, newConfig, response, controller, stackId);
 
     KerberosDescriptor kerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(captureMap.getValue());
     Assert.assertNotNull(kerberosDescriptorUpdated);
@@ -701,10 +691,27 @@ public class UpgradeCatalog260Test {
     Assert.assertNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getIdentity("/smokeuser"));
     Assert.assertNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getComponent("RANGER_KMS_SERVER").getIdentity("/smokeuser"));
 
+    KerberosIdentityDescriptor identity;
+
+    Assert.assertNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getIdentity("/spnego"));
+    identity = kerberosDescriptorUpdated.getService("RANGER_KMS").getIdentity("ranger_kms_spnego");
+    Assert.assertNotNull(identity);
+    Assert.assertEquals("/spnego", identity.getReference());
+
+    Assert.assertNull(kerberosDescriptorUpdated.getService("RANGER_KMS").getComponent("RANGER_KMS_SERVER").getIdentity("/spnego"));
+    identity = kerberosDescriptorUpdated.getService("RANGER_KMS").getComponent("RANGER_KMS_SERVER").getIdentity("ranger_kms_ranger_kms_server_spnego");
+    Assert.assertNotNull(identity);
+    Assert.assertEquals("/spnego", identity.getReference());
+    Assert.assertNotNull(identity.getPrincipalDescriptor());
+    Assert.assertNull(identity.getPrincipalDescriptor().getValue());
+
+    Assert.assertTrue(captureProperties.hasCaptured());
+    Map<String, String> newProperties = captureProperties.getValue();
+    Assert.assertEquals("correct_value@EXAMPLE.COM", newProperties.get("xasecure.audit.jaas.Client.option.principal"));
   }
 
   @Test
-  public void testUpdateAmsConfigs() throws Exception{
+  public void testUpdateAmsConfigs() throws Exception {
 
     Map<String, String> oldProperties = new HashMap<String, String>() {
       {
@@ -832,5 +839,19 @@ public class UpgradeCatalog260Test {
            verify(clusters, cluster, controller, widgetDAO, widgetEntity, stackInfo, serviceInfo);
        }
 
+  private Injector getInjector() {
+
+    return Guice.createInjector(new Module() {
+      @Override
+      public void configure(Binder binder) {
+        binder.bind(DBAccessor.class).toInstance(dbAccessor);
+        binder.bind(OsFamily.class).toInstance(osFamily);
+        binder.bind(EntityManager.class).toInstance(entityManager);
+        binder.bind(Configuration.class).toInstance(configuration);
+        binder.bind(Clusters.class).toInstance(createMock(Clusters.class));
+        binder.bind(AmbariManagementController.class).toInstance(createMock(AmbariManagementController.class));
+      }
+    });
+  }
 
 }
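Review bot: In `testUpdateKerberosDescriptorArtifact` the same `config` mock is returned for both `cluster.getDesiredConfigByType("dbks-site")` and `cluster.getDesiredConfigByType("ranger-kms-audit")`, and its property map holds both `ranger.ks.kerberos.principal` and `xasecure.audit.jaas.Client.option.principal`. The final assertion on `correct_value@EXAMPLE.COM` would therefore still pass if the upgrade read the replacement principal from the wrong config type, which matters because this step rewrites a Kerberos principal in live cluster configuration. Giving `dbks-site` its own mock that carries only the source property would pin the intended lookup. The upgrade code is not visible here, so the new mock may need further expectations such as `getType()`. Separately, `anyObject(Map.class)` in the `createConfig` expectation is a raw-typed matcher and will produce an unchecked warning.

```java
    // … unchanged: artifactEntity / artifactDAO expectations …
    Config dbksSiteConfig = createMock(Config.class);
    expect(dbksSiteConfig.getProperties())
        .andReturn(Collections.singletonMap("ranger.ks.kerberos.principal", "correct_value@EXAMPLE.COM"))
        .anyTimes();

    Map<String, String> properties = new HashMap<>();
    properties.put("xasecure.audit.jaas.Client.option.principal", "wrong_value@EXAMPLE.COM");
    // … unchanged: config / newConfig mocks for ranger-kms-audit …
    expect(cluster.getDesiredConfigByType("dbks-site")).andReturn(dbksSiteConfig).anyTimes();
    // … unchanged: remaining cluster, clusters and controller expectations …
    replay(artifactDAO, artifactEntity, cluster, clusters, config, dbksSiteConfig, newConfig, response, controller, stackId);
```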

+ 1 - 0
ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json

@@ -65,6 +65,7 @@
             {
               "name": "/spnego",
               "principal": {
+                "value" : "invalid_name@${realm}",
                 "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal"
               },
               "keytab": {

+ 8 - 4
ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json

@@ -4,7 +4,8 @@
       "name": "HDFS",
       "identities": [
         {
-          "name": "/spnego",
+          "name": "hdfs_spnego",
+          "reference": "/spnego",
           "principal": {
             "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal"
           },
@@ -13,7 +14,8 @@
           }
         },
         {
-          "name": "/smokeuser"
+          "name": "hdfs_smokeuser",
+          "reference": "/smokeuser"
         },
         {
           "name": "hdfs",
@@ -63,7 +65,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal"
               }
@@ -128,7 +131,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hdfs_secondary_namenode_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal"
               }

+ 4 - 2
contrib/management-packs/hdf-ambari-mpack/src/main/resources/common-services/NIFI/1.0.0/kerberos.json

@@ -7,7 +7,8 @@
           "name": "NIFI_MASTER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "nifi_nifi_master_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "nifi-properties/nifi.kerberos.spnego.principal"
               },
@@ -38,7 +39,8 @@
               }
             },
             {
-              "name": "/NIFI/NIFI_MASTER/nifi_principal",
+              "name": "nifi_nifi_master_nifi_principal",
+              "reference": "/NIFI/NIFI_MASTER/nifi_principal",
               "principal": {
                 "configuration": "ranger-nifi-audit/xasecure.audit.jaas.Client.option.principal"
               },

+ 4 - 2
contrib/management-packs/hdf-ambari-mpack/src/main/resources/stacks/HDF/2.0/services/KAFKA/kerberos.json

@@ -4,7 +4,8 @@
       "name": "KAFKA",
       "identities": [
         {
-          "name": "/smokeuser"
+          "name": "kafka_smokeuser",
+          "refernce": "/smokeuser"
         }
       ],
       "configurations": [
@@ -56,7 +57,8 @@
               }
             },
             {
-              "name": "/KAFKA/KAFKA_BROKER/kafka_broker",
+              "name": "kafka_kafka_broker_kafka_broker",
+              "reference": "/KAFKA/KAFKA_BROKER/kafka_broker",
               "principal": {
                 "configuration": "ranger-kafka-audit/xasecure.audit.jaas.Client.option.principal"
               },
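Review bot: The added service-level line `"refernce": "/smokeuser"` in the first hunk misspells the attribute, so `kafka_smokeuser` carries no `reference`. It would presumably be treated as a new standalone identity with no principal or keytab, rather than as a pointer to the shared smoke-user identity. It should read `"reference": "/smokeuser"`, as the second hunk of this file and every other descriptor in the commit do. If the descriptor parser ignores unknown keys, nothing fails at load time, so a test that rejects unrecognized identity attributes in the bundled `kerberos.json` files would catch this class of mistake.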

+ 4 - 2
contrib/management-packs/microsoft-r_mpack/src/main/resources/common-services/MICROSOFT_R_SERVER/8.0.5/kerberos.json

@@ -4,10 +4,12 @@
       "name": "MICROSOFT_R_SERVER",
       "identities": [
         {
-          "name": "/HDFS/NAMENODE/hdfs"
+          "name": "microsoft_r_server_hdfs",
+          "reference": "/HDFS/NAMENODE/hdfs"
         },
         {
-          "name": "/smokeuser"
+          "name": "microsoft_r_server_smokeuser",
+          "reference": "/smokeuser"
         }
       ]
     }

+ 12 - 6
contrib/management-packs/odpi-ambari-mpack/src/main/resources/stacks/ODPi/2.0/services/HIVE/kerberos.json

@@ -4,10 +4,12 @@
       "name": "HIVE",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "hive_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "hive_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -44,7 +46,8 @@
           "name": "HIVE_METASTORE",
           "identities": [
             {
-              "name": "/HIVE/HIVE_SERVER/hive_server_hive",
+              "name": "hive_hive_metastore_hive",
+              "reference": "/HIVE/HIVE_SERVER/hive_server_hive",
               "principal": {
                 "configuration": "hive-site/hive.metastore.kerberos.principal"
               },
@@ -58,7 +61,8 @@
           "name": "HIVE_SERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "hive_hive_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "hive_server_hive",
@@ -92,7 +96,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "hive_hive_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "hive-site/hive.server2.authentication.spnego.principal"
               },
@@ -116,7 +121,8 @@
           "name": "WEBHCAT_SERVER",
           "identities": [
             {
-              "name": "/spnego",
+              "name": "hive_webhcat_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "webhcat-site/templeton.kerberos.principal"
               },

+ 20 - 10
contrib/management-packs/odpi-ambari-mpack/src/main/resources/stacks/ODPi/2.0/services/YARN/kerberos.json

@@ -4,10 +4,12 @@
       "name": "YARN",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "yarn_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "yarn_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "configurations": [
@@ -67,7 +69,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_nodemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal"
               },
@@ -109,7 +112,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_resourcemanager_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal"
               },
@@ -144,7 +148,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "yarn_app_timeline_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal"
               },
@@ -153,7 +158,8 @@
               }
             },
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "yarn_app_timelineserver_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             }
           ]
         }
@@ -163,10 +169,12 @@
       "name": "MAPREDUCE2",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "mapreduce2_spnego",
+          "reference": "/spnego"
         },
         {
-          "name": "/smokeuser"
+          "name": "mapreduce2_smokeuser",
+          "reference": "/smokeuser"
         }
       ],
       "components": [
@@ -174,7 +182,8 @@
           "name": "HISTORYSERVER",
           "identities": [
             {
-              "name": "/HDFS/NAMENODE/hdfs"
+              "name": "mapreduce2_history_server_hdfs",
+              "reference": "/HDFS/NAMENODE/hdfs"
             },
             {
               "name": "history_server_jhs",
@@ -198,7 +207,8 @@
               }
             },
             {
-              "name": "/spnego",
+              "name": "mapreduce2_history_server_spnego",
+              "reference": "/spnego",
               "principal": {
                 "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal"
               },
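Review bot: The two reference identities added in the hunks at `@@ -144` and `@@ -153` are named inconsistently: `yarn_app_timeline_server_spnego` but `yarn_app_timelineserver_hdfs`, presumably for the same component. Identity names are now the lookup keys, so a name that does not follow the pattern used elsewhere in the file may not match one derived mechanically, for example by upgrade code that renames references in stored descriptors. That code is not visible in this section. Suggest `"name": "yarn_app_timeline_server_hdfs"` to match its sibling.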