AMBARI-9937. Ambari must support deployment on separate host (rlevas)

ambari-server/conf/unix/ambari.properties

@@ -66,6 +66,9 @@ server.execution.scheduler.maxThreads=5
 server.execution.scheduler.maxDbConnections=5
 server.execution.scheduler.misfire.toleration.minutes=480
 
+# Kerberos settings
+kerberos.keytab.cache.dir = /var/lib/ambari-server/data/cache
+
 # Default timeout in seconds before task is killed
 agent.task.timeout=900
 # Default timeout in seconds before package installation task is killed

ambari-server/conf/windows/ambari.properties

@@ -50,6 +50,9 @@ server.execution.scheduler.maxThreads=5
 server.execution.scheduler.maxDbConnections=5
 server.execution.scheduler.misfire.toleration.minutes=480
 
+# Kerberos settings
+kerberos.keytab.cache.dir = data\\cache
+
 recommendations.dir=\\var\\run\\ambari-server\\stack-recommendations
 stackadvisor.script=resources\\scripts\\stack_advisor.py
 server.tmp.dir=\\var\\run\\ambari-server\\tmp

ambari-server/pom.xml

@@ -485,6 +485,12 @@
               <username>root</username>
               <groupname>root</groupname>
             </mapping>
+            <mapping>
+              <directory>/var/lib/ambari-server/data/cache</directory>
+              <filemode>700</filemode>
+              <username>root</username>
+              <groupname>root</groupname>
+            </mapping>
             <mapping>
               <directory>/var/lib/ambari-server/resources/apps</directory>
               <filemode>755</filemode>
@@ -667,6 +673,7 @@
                 <path>/var/log/ambari-server</path>
                 <path>/var/lib/ambari-server/resources/upgrade</path>
                 <path>/var/lib/ambari-server/data/tmp</path>
+                <path>/var/lib/ambari-server/data/cache</path>
               </paths>
             </data>
             <!-- TODO: should be included all subdirs, if exists-->

ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -234,6 +234,8 @@ public class Configuration {
   public static final String KDC_PORT_KEY_DEFAULT = "88";
   public static final String KDC_CONNECTION_CHECK_TIMEOUT_KEY = "kdcserver.connection.check.timeout";
   public static final String KDC_CONNECTION_CHECK_TIMEOUT_DEFAULT = "10000";
+  public static final String KERBEROS_KEYTAB_CACHE_DIR_KEY = "kerberos.keytab.cache.dir";
+  public static final String KERBEROS_KEYTAB_CACHE_DIR_DEFAULT = "/var/lib/ambari-server/data/cache";
   /**
    * This key defines whether stages of parallel requests are executed in
    * parallel or sequentally. Only stages from different requests
@@ -1323,6 +1325,16 @@ public class Configuration {
         KDC_CONNECTION_CHECK_TIMEOUT_KEY, KDC_CONNECTION_CHECK_TIMEOUT_DEFAULT));
   }
 
+  /**
+   * Gets the directory where Ambari is to store cached keytab files.
+   *
+   * @return a File containing the path to the directory to use to store cached keytab files
+   */
+  public File getKerberosKeytabCacheDir() {
+    String fileName = properties.getProperty(KERBEROS_KEYTAB_CACHE_DIR_KEY, KERBEROS_KEYTAB_CACHE_DIR_DEFAULT);
+    return new File(fileName);
+  }
+
   /**
    * Gets the type of database by examining the {@link #getDatabaseUrl()} JDBC
    * URL.

ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java

@@ -155,6 +155,9 @@ public class KerberosHelper {
   @Inject
   private ConfigHelper configHelper;
 
+  @Inject
+  private Configuration configuration;
+
   @Inject
   private KerberosOperationHandlerFactory kerberosOperationHandlerFactory;
 
@@ -191,7 +194,7 @@ public class KerberosHelper {
    * executed to complete this task; or null if no stages need to be executed.
    * @throws AmbariException
    * @throws KerberosInvalidConfigurationException if an issue occurs trying to get the
-   * Kerberos-specific configuration details
+   *                                               Kerberos-specific configuration details
    * @throws KerberosOperationException
    */
   public RequestStageContainer toggleKerberos(Cluster cluster, SecurityType securityType,
@@ -228,7 +231,7 @@ public class KerberosHelper {
    * @throws AmbariException
    * @throws KerberosOperationException
    * @throws KerberosInvalidConfigurationException if an issue occurs trying to get the
-   * Kerberos-specific configuration details
+   *                                               Kerberos-specific configuration details
    */
   public RequestStageContainer executeCustomOperations(Cluster cluster, Map<String, String> requestProperties,
                                                        RequestStageContainer requestStageContainer)
@@ -313,7 +316,7 @@ public class KerberosHelper {
       throws AmbariException, KerberosOperationException {
     return handle(cluster, getKerberosDetails(cluster), serviceComponentFilter, identityFilter,
         hostsToForceKerberosOperations, requestStageContainer, new CreatePrincipalsAndKeytabsHandler(false));
- }
+  }
 
   /**
    * Deletes the set of filtered principals and keytabs from the cluster.
@@ -455,7 +458,6 @@ public class KerberosHelper {
    * Validate the KDC admin credentials.
    *
    * @param cluster associated cluster
-   *
    * @throws AmbariException if any other error occurs while trying to validate the credentials
    */
   public void validateKDCCredentials(Cluster cluster) throws KerberosMissingAdminCredentialsException,
@@ -641,28 +643,28 @@ public class KerberosHelper {
    * need to be done.  Calls into the Handler implementation to provide guidance and set up stages
    * to perform the work needed to complete the relative action.
    *
-   * @param cluster                the relevant Cluster
-   * @param kerberosDetails        a KerberosDetails containing information about relevant Kerberos configuration
-   * @param serviceComponentFilter a Map of service names to component names indicating the relevant
-   *                               set of services and components - if null, no filter is relevant;
-   *                               if empty, the filter indicates no relevant services or components
-   * @param identityFilter         a Collection of identity names indicating the relevant identities -
-   *                               if null, no filter is relevant; if empty, the filter indicates no
-   *                               relevant identities
-   * @param requestStageContainer  a RequestStageContainer to place generated stages, if needed -
-   *                               if null a new RequestStageContainer will be created.
+   * @param cluster                        the relevant Cluster
+   * @param kerberosDetails                a KerberosDetails containing information about relevant Kerberos configuration
+   * @param serviceComponentFilter         a Map of service names to component names indicating the relevant
+   *                                       set of services and components - if null, no filter is relevant;
+   *                                       if empty, the filter indicates no relevant services or components
+   * @param identityFilter                 a Collection of identity names indicating the relevant identities -
+   *                                       if null, no filter is relevant; if empty, the filter indicates no
+   *                                       relevant identities
+   * @param requestStageContainer          a RequestStageContainer to place generated stages, if needed -
+   *                                       if null a new RequestStageContainer will be created.
    * @param hostsToForceKerberosOperations a set of host names on which it is expected that the
    *                                       Kerberos client is or will be in the INSTALLED state by
    *                                       the time the operations targeted for them are to be
    *                                       executed - if empty or null, this no hosts will be
    *                                       "forced"
-   * @param handler                a Handler to use to provide guidance and set up stages
-   *                               to perform the work needed to complete the relative action
+   * @param handler                        a Handler to use to provide guidance and set up stages
+   *                                       to perform the work needed to complete the relative action
    * @return the updated or a new RequestStageContainer containing the stages that need to be
    * executed to complete this task; or null if no stages need to be executed.
    * @throws AmbariException
    * @throws KerberosInvalidConfigurationException if an issue occurs trying to get the
-   * Kerberos-specific configuration details
+   *                                               Kerberos-specific configuration details
    */
   @Transactional
   private RequestStageContainer handle(Cluster cluster,
@@ -695,7 +697,7 @@ public class KerberosHelper {
 
         // Ensure that that hosts that should be assumed to be in the correct state when needed are
         // in the hostsWithValidKerberosClient collection.
-        if(hostsToForceKerberosOperations != null) {
+        if (hostsToForceKerberosOperations != null) {
           hostsWithValidKerberosClient.addAll(hostsToForceKerberosOperations);
         }
 
@@ -733,7 +735,7 @@ public class KerberosHelper {
                 // If the current ServiceComponentHost represents the KERBEROS/KERBEROS_CLIENT and
                 // indicates that the KERBEROS_CLIENT component is in the INSTALLED state, add the
                 // current host to the set of hosts that should be handled...
-                if(Service.Type.KERBEROS.name().equals(serviceName) &&
+                if (Service.Type.KERBEROS.name().equals(serviceName) &&
                     Role.KERBEROS_CLIENT.name().equals(componentName) &&
                     (sch.getState() == State.INSTALLED)) {
                   hostsWithValidKerberosClient.add(hostname);
@@ -915,7 +917,7 @@ public class KerberosHelper {
                                                    Map<String, String> commandParameters, RequestStageContainer requestStageContainer,
                                                    Handler handler) throws AmbariException, KerberosOperationException {
 
-    if(commandParameters == null) {
+    if (commandParameters == null) {
       throw new AmbariException("The properties map must not be null.  It is needed to store data related to the service check identity");
     }
 
@@ -969,6 +971,8 @@ public class KerberosHelper {
                       put("name", "${cluster-env/user_group}");
                       put("access", "r");
                     }});
+
+                    put("cachable", "false");
                   }
                 });
           }
@@ -1005,7 +1009,7 @@ public class KerberosHelper {
                 // If the current ServiceComponentHost represents the KERBEROS/KERBEROS_CLIENT and
                 // indicates that the KERBEROS_CLIENT component is in the INSTALLED state, add the
                 // current host to the set of hosts that should be handled...
-                if(Service.Type.KERBEROS.name().equals(serviceName) &&
+                if (Service.Type.KERBEROS.name().equals(serviceName) &&
                     Role.KERBEROS_CLIENT.name().equals(componentName) &&
                     (sch.getState() == State.INSTALLED)) {
                   hostsWithValidKerberosClient.add(hostname);
@@ -1023,7 +1027,7 @@ public class KerberosHelper {
 
                   if (identitiesAdded > 0) {
                     // Add the relevant principal name and keytab file data to the command params state
-                    if(!commandParameters.containsKey("principal_name") || !commandParameters.containsKey("keytab_file")) {
+                    if (!commandParameters.containsKey("principal_name") || !commandParameters.containsKey("keytab_file")) {
                       commandParameters.put("principal_name",
                           KerberosDescriptor.replaceVariables(identity.getPrincipalDescriptor().getValue(), configurations));
                       commandParameters.put("keytab_file",
@@ -1154,7 +1158,7 @@ public class KerberosHelper {
 
     KDCType kdcType;
     String kdcTypeProperty = kerberosEnvProperties.get("kdc_type");
-    if(kdcTypeProperty == null) {
+    if (kdcTypeProperty == null) {
       String message = "The 'kerberos-env/kdc_type' value must be set to a valid KDC type";
       LOG.error(message);
       throw new KerberosInvalidConfigurationException(message);
@@ -1290,7 +1294,12 @@ public class KerberosHelper {
    * @throws AmbariException if a new temporary directory cannot be created
    */
   private File createTemporaryDirectory() throws AmbariException {
-    String tempDirectoryPath = System.getProperty("java.io.tmpdir");
+    String tempDirectoryPath = configuration.getProperty(Configuration.SERVER_TMP_DIR_KEY);
+
+    if ((tempDirectoryPath == null) || tempDirectoryPath.isEmpty()) {
+      tempDirectoryPath = System.getProperty("java.io.tmpdir");
+    }
+
     try {
       if (tempDirectoryPath == null) {
         throw new IOException("The System property 'java.io.tmpdir' does not specify a temporary directory");
@@ -1316,8 +1325,7 @@ public class KerberosHelper {
       }
 
       return directory;
-    }
-    catch (IOException e) {
+    } catch (IOException e) {
       String message = "Failed to create the temporary data directory.";
       LOG.error(message, e);
       throw new AmbariException(message, e);
@@ -1451,7 +1459,8 @@ public class KerberosHelper {
                 keytabFileOwnerAccess,
                 keytabFileGroupName,
                 keytabFileGroupAccess,
-                keytabFileConfiguration);
+                keytabFileConfiguration,
+                (keytabDescriptor.isCachable()) ? "true" : "false");
 
             identitiesAdded++;
           }

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java

@@ -22,20 +22,25 @@ import com.google.inject.Inject;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.actionmanager.HostRoleStatus;
 import org.apache.ambari.server.agent.CommandReport;
+import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.dao.KerberosPrincipalDAO;
 import org.apache.ambari.server.orm.dao.KerberosPrincipalHostDAO;
 import org.apache.ambari.server.orm.entities.KerberosPrincipalEntity;
 import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.commons.io.FileUtils;
+import org.apache.directory.server.kerberos.shared.keytab.Keytab;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.IOException;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.ConcurrentMap;
 
 import static org.apache.ambari.server.serveraction.kerberos.KerberosActionDataFile.HOSTNAME;
+import static org.apache.ambari.server.serveraction.kerberos.KerberosActionDataFile.KEYTAB_FILE_IS_CACHABLE;
 import static org.apache.ambari.server.serveraction.kerberos.KerberosActionDataFile.KEYTAB_FILE_PATH;
 
 /**
@@ -63,6 +68,18 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
   @Inject
   private KerberosPrincipalHostDAO kerberosPrincipalHostDAO;
 
+  /**
+   * Configuration used to get the configured properties such as the keytab file cache directory
+   */
+  @Inject
+  private Configuration configuration;
+
+  /**
+   * A map of data used to track what has been processed in order to optimize the creation of keytabs
+   * such as knowing when to create a cached keytab file or use a cached keytab file.
+   */
+  Map<String, Set<String>> visitedIdentities = new HashMap<String, Set<String>>();
+
   /**
    * Called to execute this action.  Upon invocation, calls
    * {@link org.apache.ambari.server.serveraction.kerberos.KerberosServerAction#processIdentities(java.util.Map)} )}
@@ -126,9 +143,7 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
     CommandReport commandReport = null;
 
     if (identityRecord != null) {
-      String message = String.format("Creating keytab file for %s", evaluatedPrincipal);
-      LOG.info(message);
-      actionLog.writeStdOut(message);
+      String message;
 
       if (operationHandler == null) {
         message = String.format("Failed to create keytab file for %s, missing KerberosOperationHandler", evaluatedPrincipal);
@@ -143,84 +158,157 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
         String keytabFilePath = identityRecord.get(KEYTAB_FILE_PATH);
 
         if ((host != null) && !host.isEmpty() && (keytabFilePath != null) && !keytabFilePath.isEmpty()) {
-          // Look up the current evaluatedPrincipal's password.
-          // If found create th keytab file, else skip it.
-          String password = principalPasswordMap.get(evaluatedPrincipal);
-
-          // Determine where to store the keytab file.  It should go into a host-specific
-          // directory under the previously determined data directory.
-          File hostDirectory = new File(getDataDirectoryPath(), host);
-
-          // Ensure the host directory exists...
-          if (hostDirectory.exists() || hostDirectory.mkdirs()) {
-            File keytabFile = new File(hostDirectory, DigestUtils.sha1Hex(keytabFilePath));
-
-            if (password == null) {
-              if (kerberosPrincipalHostDAO.exists(evaluatedPrincipal, host)) {
-                // There is nothing to do for this since it must already exist and we don't want to
-                // regenerate the keytab
-                message = String.format("Skipping keytab file for %s, missing password indicates nothing to do", evaluatedPrincipal);
-                LOG.debug(message);
-              } else {
-                KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
-                String cachedKeytabPath = (principalEntity == null) ? null : principalEntity.getCachedKeytabPath();
-
-                if (cachedKeytabPath == null) {
-                  message = String.format("Failed to create keytab file for %s, missing password", evaluatedPrincipal);
-                  actionLog.writeStdErr(message);
-                  LOG.error(message);
-                  commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
+          Set<String> visitedPrincipalKeys = visitedIdentities.get(evaluatedPrincipal);
+          String visitationKey = String.format("%s|%s", host, keytabFilePath);
+
+          if ((visitedPrincipalKeys == null) || !visitedPrincipalKeys.contains(visitationKey)) {
+            // Look up the current evaluatedPrincipal's password.
+            // If found create the keytab file, else try to find it in the cache.
+            String password = principalPasswordMap.get(evaluatedPrincipal);
+
+            message = String.format("Creating keytab file for %s on host %s", evaluatedPrincipal, host);
+            LOG.info(message);
+            actionLog.writeStdOut(message);
+
+            // Determine where to store the keytab file.  It should go into a host-specific
+            // directory under the previously determined data directory.
+            File hostDirectory = new File(getDataDirectoryPath(), host);
+
+            // Ensure the host directory exists...
+            if (!hostDirectory.exists() && hostDirectory.mkdirs()) {
+              // Make sure only Ambari has access to this directory.
+              ensureAmbariOnlyAccess(hostDirectory);
+            }
+
+            if (hostDirectory.exists()) {
+              File destinationKeytabFile = new File(hostDirectory, DigestUtils.sha1Hex(keytabFilePath));
+
+              if (password == null) {
+                if (kerberosPrincipalHostDAO.exists(evaluatedPrincipal, host)) {
+                  // There is nothing to do for this since it must already exist and we don't want to
+                  // regenerate the keytab
+                  message = String.format("Skipping keytab file for %s, missing password indicates nothing to do", evaluatedPrincipal);
+                  LOG.debug(message);
                 } else {
+                  KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
+                  String cachedKeytabPath = (principalEntity == null) ? null : principalEntity.getCachedKeytabPath();
+
+                  if (cachedKeytabPath == null) {
+                    message = String.format("Failed to create keytab for %s, missing cached file", evaluatedPrincipal);
+                    actionLog.writeStdErr(message);
+                    LOG.error(message);
+                    commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
+                  } else {
+                    try {
+                      operationHandler.createKeytabFile(new File(cachedKeytabPath), destinationKeytabFile);
+                    } catch (KerberosOperationException e) {
+                      message = String.format("Failed to create keytab file for %s - %s", evaluatedPrincipal, e.getMessage());
+                      actionLog.writeStdErr(message);
+                      LOG.error(message, e);
+                      commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
+                    }
+                  }
+                }
+              } else {
+                Keytab keytab = null;
+
+                // Possibly get the keytab from the cache
+                if (visitedPrincipalKeys != null) {
+                  // Since we have visited this principal before, attempt to pull the keytab from the
+                  // cache...
+                  KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
+                  String cachedKeytabPath = (principalEntity == null) ? null : principalEntity.getCachedKeytabPath();
+
+                  if (cachedKeytabPath != null) {
+                    try {
+                      keytab = Keytab.read(new File(cachedKeytabPath));
+                    } catch (IOException e) {
+                      message = String.format("Failed to read the cached keytab for %s, recreating if possible - %s",
+                          evaluatedPrincipal, e.getMessage());
+
+                      if (LOG.isDebugEnabled()) {
+                        LOG.warn(message, e);
+                      } else {
+                        LOG.warn(message, e);
+                      }
+                    }
+                  }
+                }
+
+                // If the keytab was not retrieved from the cache... create it.
+                if (keytab == null) {
+                  Integer keyNumber = principalKeyNumberMap.get(evaluatedPrincipal);
+
                   try {
-                    FileUtils.copyFile(new File(cachedKeytabPath), keytabFile);
-                    message = String.format("Using cached keytab file for %s at %s", evaluatedPrincipal, keytabFile.getAbsolutePath());
-                    LOG.debug(message);
-                  } catch (IOException e) {
-                    message = String.format("Failed to use cached keytab file for %s at %s: %s", evaluatedPrincipal, keytabFile.getAbsolutePath(), e.getMessage());
+                    keytab = operationHandler.createKeytab(evaluatedPrincipal, password, keyNumber);
+
+                    // If the current identity does not represent a service, copy it to a secure location
+                    // and store that location so it can be reused rather than recreate it.
+                    KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
+                    if (principalEntity != null) {
+                      if (!principalEntity.isService() && ("true".equalsIgnoreCase(identityRecord.get(KEYTAB_FILE_IS_CACHABLE)))) {
+                        File cachedKeytabFile = cacheKeytab(evaluatedPrincipal, keytab);
+                        String previousCachedFilePath = principalEntity.getCachedKeytabPath();
+                        String cachedKeytabFilePath = ((cachedKeytabFile == null) || !cachedKeytabFile.exists())
+                            ? null
+                            : cachedKeytabFile.getAbsolutePath();
+
+                        principalEntity.setCachedKeytabPath(cachedKeytabFilePath);
+                        kerberosPrincipalDAO.merge(principalEntity);
+
+                        if(previousCachedFilePath != null) {
+                          if(!new File(previousCachedFilePath).delete()) {
+                            LOG.debug(String.format("Failed to remove orphaned cache file %s", previousCachedFilePath));
+                          }
+                        }
+                      }
+                    }
+                  } catch (KerberosOperationException e) {
+                    message = String.format("Failed to create keytab file for %s - %s", evaluatedPrincipal, e.getMessage());
                     actionLog.writeStdErr(message);
-                    LOG.warn(message);
+                    LOG.error(message, e);
                     commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
                   }
                 }
-              }
-            } else {
-              Integer keyNumber = principalKeyNumberMap.get(evaluatedPrincipal);
 
-              try {
-                if (operationHandler.createKeytabFile(evaluatedPrincipal, password, keyNumber, keytabFile)) {
-                  message = String.format("Successfully created keytab file for %s at %s", evaluatedPrincipal, keytabFile.getAbsolutePath());
-                  LOG.debug(message);
+                if (keytab != null) {
+                  try {
+                    if (operationHandler.createKeytabFile(keytab, destinationKeytabFile)) {
+                      ensureAmbariOnlyAccess(destinationKeytabFile);
 
-                  // If the current identity does not represent a service, store the location of the
-                  // keytab file so it can be reused rather than recreate it.
-                  // Note: for now we are using the keytab's destination directory on the Ambari
-                  // server
-                  KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
-                  if (principalEntity != null) {
-                    if (!principalEntity.isService()) {
-                      principalEntity.setCachedKeytabPath(keytabFilePath);
-                      kerberosPrincipalDAO.merge(principalEntity);
+                      message = String.format("Successfully created keytab file for %s at %s", evaluatedPrincipal, destinationKeytabFile.getAbsolutePath());
+                      LOG.debug(message);
+                    } else {
+                      message = String.format("Failed to create keytab file for %s at %s", evaluatedPrincipal, destinationKeytabFile.getAbsolutePath());
+                      actionLog.writeStdErr(message);
+                      LOG.error(message);
+                      commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
                     }
+                  } catch (KerberosOperationException e) {
+                    message = String.format("Failed to create keytab file for %s - %s", evaluatedPrincipal, e.getMessage());
+                    actionLog.writeStdErr(message);
+                    LOG.error(message, e);
+                    commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
                   }
-                } else {
-                  message = String.format("Failed to create keytab file for %s at %s", evaluatedPrincipal, keytabFile.getAbsolutePath());
-                  actionLog.writeStdErr(message);
-                  LOG.error(message);
-                  commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
                 }
-              } catch (KerberosOperationException e) {
-                message = String.format("Failed to create keytab file for %s - %s", evaluatedPrincipal, e.getMessage());
-                actionLog.writeStdErr(message);
-                LOG.error(message, e);
-                commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
               }
+            } else {
+              message = String.format("Failed to create keytab file for %s, the container directory does not exist: %s",
+                  evaluatedPrincipal, hostDirectory.getAbsolutePath());
+              actionLog.writeStdErr(message);
+              LOG.error(message);
+              commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
             }
-          } else {
-            message = String.format("Failed to create keytab file for %s, the container directory does not exist: %s",
-                evaluatedPrincipal, hostDirectory.getAbsolutePath());
-            actionLog.writeStdErr(message);
-            LOG.error(message);
-            commandReport = createCommandReport(1, HostRoleStatus.FAILED, "{}", actionLog.getStdOut(), actionLog.getStdErr());
+
+            if(visitedPrincipalKeys == null) {
+              visitedPrincipalKeys = new HashSet<String>();
+              visitedIdentities.put(evaluatedPrincipal, visitedPrincipalKeys);
+            }
+
+            visitedPrincipalKeys.add(visitationKey);
+          }
+          else {
+            LOG.debug(String.format("Skipping previously processed keytab for %s on host %s", evaluatedPrincipal, host));
           }
         }
       }
@@ -228,4 +316,83 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
 
     return commandReport;
   }
+
+  /**
+   * Cache a keytab given its relative principal name and the keytab data.
+   * <p/>
+   * The specified keytab is stored in a file in a location derived using the configured keytab
+   * cache directory and the seeded hash of the principal name - this is to add a slight level
+   * of obscurity so that it cannot be determined what keytab data is in the file based on its name.
+   * The file is the set readable by only the Ambari server process owner.
+   *
+   * @param principal the principal name related to the keytab data
+   * @param keytab    the keytab data to cache
+   * @return a File pointing to the cached keytab file
+   * @throws AmbariException if a failure occurs while creating the cache file containing the the keytab data
+   */
+  private File cacheKeytab(String principal, Keytab keytab) throws AmbariException {
+    File cacheDirectory = configuration.getKerberosKeytabCacheDir();
+
+    if (cacheDirectory == null) {
+      String message = "The Kerberos keytab cache directory is not configured in the Ambari properties";
+      LOG.error(message);
+      throw new AmbariException(message);
+    }
+
+    if (!cacheDirectory.exists()) {
+      // If the cache directory does not exist, create it and ensure only Ambari has access to it
+      if (cacheDirectory.mkdirs()) {
+        ensureAmbariOnlyAccess(cacheDirectory);
+
+        if (!cacheDirectory.exists()) {
+          String message = String.format("Failed to create the keytab cache directory %s",
+              cacheDirectory.getAbsolutePath());
+          LOG.error(message);
+          throw new AmbariException(message);
+        }
+      }
+    }
+
+    File cachedKeytabFile = new File(cacheDirectory, DigestUtils.sha1Hex(principal + String.valueOf(System.currentTimeMillis())));
+
+    try {
+      keytab.write(cachedKeytabFile);
+      ensureAmbariOnlyAccess(cachedKeytabFile);
+    } catch (IOException e) {
+      String message = String.format("Failed to write the keytab for %s to the cache location (%s)",
+          principal, cachedKeytabFile.getAbsolutePath());
+      LOG.error(message, e);
+      throw new AmbariException(message, e);
+    }
+
+    return cachedKeytabFile;
+  }
+
+  /**
+   * Ensures that the owner of the Ambari server process is the only local user account able to
+   * read and write to the specified file or read, write to, and execute the specified directory.
+   *
+   * @param file the file or directory for which to modify access
+   */
+  private void ensureAmbariOnlyAccess(File file) {
+    if (file.exists()) {
+      if (!file.setReadable(false, false) || !file.setReadable(true, true)) {
+        LOG.warn(String.format("Failed to set %s readable only by Ambari", file.getAbsolutePath()));
+      }
+
+      if (!file.setWritable(false, false) || !file.setWritable(true, true)) {
+        LOG.warn(String.format("Failed to set %s writable only by Ambari", file.getAbsolutePath()));
+      }
+
+      if (file.isDirectory()) {
+        if (!file.setExecutable(false, false) && !file.setExecutable(true, true)) {
+          LOG.warn(String.format("Failed to set %s executable by Ambari", file.getAbsolutePath()));
+        }
+      } else {
+        if (!file.setExecutable(false, false)) {
+          LOG.warn(String.format("Failed to set %s not executable", file.getAbsolutePath()));
+        }
+      }
+    }
+  }
 }

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java

@@ -22,9 +22,11 @@ import com.google.inject.Inject;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.agent.CommandReport;
 import org.apache.ambari.server.orm.dao.KerberosPrincipalDAO;
+import org.apache.ambari.server.orm.entities.KerberosPrincipalEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.File;
 import java.util.Map;
 import java.util.concurrent.ConcurrentMap;
 
@@ -95,7 +97,20 @@ public class DestroyPrincipalsServerAction extends KerberosServerAction {
     }
 
     try {
-      kerberosPrincipalDAO.remove(evaluatedPrincipal);
+      KerberosPrincipalEntity principalEntity = kerberosPrincipalDAO.find(evaluatedPrincipal);
+
+      if(principalEntity != null) {
+        String cachedKeytabPath = principalEntity.getCachedKeytabPath();
+
+        kerberosPrincipalDAO.remove(principalEntity);
+
+        // If a cached  keytabs file exists for this principal, delete it.
+        if (cachedKeytabPath != null) {
+          if (!new File(cachedKeytabPath).delete()) {
+            LOG.debug(String.format("Failed to remove cached keytab for %s", evaluatedPrincipal));
+          }
+        }
+      }
     }
     catch (Throwable t) {
       message = String.format("Failed to remove identity for %s from the Ambari database - %s", evaluatedPrincipal, t.getMessage());

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFile.java

@@ -37,4 +37,5 @@ public class KerberosActionDataFile {
   public static final String KEYTAB_FILE_GROUP_NAME = "keytab_file_group_name";
   public static final String KEYTAB_FILE_GROUP_ACCESS = "keytab_file_group_access";
   public static final String KEYTAB_FILE_CONFIGURATION = "keytab_file_configuration";
+  public static final String KEYTAB_FILE_IS_CACHABLE = "keytab_file_is_cachable";
 }

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFileBuilder.java

@@ -70,13 +70,16 @@ public class KerberosActionDataFileBuilder extends AbstractKerberosDataFileBuild
    *                                (expected to be the type and name of the configuration property
    *                                to use to store the keytab file's absolute path in
    *                                - i.e., config-type/property)
+   * @param keytabFileCanCache      a String containing a boolean value (true, false) indicating
+   *                                whether the generated keytab can be cached or not
    * @throws IOException
    */
   public void addRecord(String hostName, String serviceName, String serviceComponentName,
                         String principal, String principalType, String principalConfiguration,
                         String keytabFilePath, String keytabFileOwnerName,
                         String keytabFileOwnerAccess, String keytabFileGroupName,
-                        String keytabFileGroupAccess, String keytabFileConfiguration)
+                        String keytabFileGroupAccess, String keytabFileConfiguration,
+                        String keytabFileCanCache)
       throws IOException {
     super.appendRecord(hostName,
         serviceName,
@@ -89,7 +92,8 @@ public class KerberosActionDataFileBuilder extends AbstractKerberosDataFileBuild
         keytabFileOwnerAccess,
         keytabFileGroupName,
         keytabFileGroupAccess,
-        keytabFileConfiguration);
+        keytabFileConfiguration,
+        keytabFileCanCache);
   }
 
   @Override
@@ -105,6 +109,7 @@ public class KerberosActionDataFileBuilder extends AbstractKerberosDataFileBuild
         KEYTAB_FILE_OWNER_ACCESS,
         KEYTAB_FILE_GROUP_NAME,
         KEYTAB_FILE_GROUP_ACCESS,
-        KEYTAB_FILE_CONFIGURATION);
+        KEYTAB_FILE_CONFIGURATION,
+        KEYTAB_FILE_IS_CACHABLE);
   }
 }

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java

@@ -40,6 +40,7 @@ import java.util.Collections;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -79,6 +80,16 @@ public abstract class KerberosOperationHandler {
    */
   public final static String KERBEROS_ENV_ENCRYPTION_TYPES = "encryption_types";
 
+  /**
+   * Kerberos-env configuration property name: kdc_host
+   */
+  public final static String KERBEROS_ENV_KDC_HOST = "kdc_host";
+
+  /**
+   * Kerberos-env configuration property name: admin_server_host
+   */
+  public final static String KERBEROS_ENV_ADMIN_SERVER_HOST = "admin_server_host";
+
   /**
    * The set of available characters to use when generating a secure password
    */
@@ -317,94 +328,185 @@ public abstract class KerberosOperationHandler {
   }
 
   /**
-   * Create or append to a keytab file using the specified principal and password.
+   * Create a keytab using the specified principal and password.
    *
-   * @param principal  a String containing the principal to test
-   * @param password   a String containing the password to use when creating the principal
-   * @param keytabFile a File containing the absolute path to the keytab file
-   * @return true if the keytab file was successfully created; false otherwise
+   * @param principal a String containing the principal to test
+   * @param password  a String containing the password to use when creating the principal
+   * @param keyNumber a Integer indicating the key number for the keytab entries
+   * @return the created Keytab
    * @throws KerberosOperationException
    */
-  public boolean createKeytabFile(String principal, String password, Integer keyNumber, File keytabFile)
+  protected Keytab createKeytab(String principal, String password, Integer keyNumber)
       throws KerberosOperationException {
-    boolean success = false;
 
     if ((principal == null) || principal.isEmpty()) {
       throw new KerberosOperationException("Failed to create keytab file, missing principal");
-    } else if (password == null) {
+    }
+
+    if (password == null) {
       throw new KerberosOperationException(String.format("Failed to create keytab file for %s, missing password", principal));
-    } else if (keytabFile == null) {
-      throw new KerberosOperationException(String.format("Failed to create keytab file for %s, missing file path", principal));
-    } else {
-      Keytab keytab;
-      Set<EncryptionType> ciphers = new HashSet<EncryptionType>(keyEncryptionTypes);
-      List<KeytabEntry> keytabEntries = new ArrayList<KeytabEntry>();
-
-      if (keytabFile.exists() && keytabFile.canRead() && (keytabFile.length() > 0)) {
-        // If the keytab file already exists, read it in and append the new keytabs to it so that
-        // potentially important data is not lost
-        try {
-          keytab = Keytab.read(keytabFile);
-        } catch (IOException e) {
-          // There was an issue reading in the existing keytab file... we might loose some keytabs
-          // but that is unlikely...
-          keytab = new Keytab();
-        }
+    }
 
-        // In case there were any existing keytab entries, add them to the new entries list so
-        // they are not lost.  While at it, remove ciphers that already exist for the given principal
-        // so duplicate entries aren't added to the file.
-        List<KeytabEntry> existingEntries = keytab.getEntries();
-        if ((existingEntries != null) && !existingEntries.isEmpty()) {
+    Set<EncryptionType> ciphers = new HashSet<EncryptionType>(keyEncryptionTypes);
+    List<KeytabEntry> keytabEntries = new ArrayList<KeytabEntry>();
+    Keytab keytab = new Keytab();
 
-          for (KeytabEntry entry : existingEntries) {
-            // Remove ciphers that will cause duplicate entries
-            if (principal.equals(entry.getPrincipalName())) {
-              ciphers.remove(entry.getKey().getKeyType());
-            }
 
-            keytabEntries.add(entry);
-          }
+    if (!ciphers.isEmpty()) {
+      // Create a set of keys and relevant keytab entries
+      Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory.getKerberosKeys(principal, password, ciphers);
+
+      if (keys != null) {
+        byte keyVersion = (keyNumber == null) ? 0 : keyNumber.byteValue();
+        KerberosTime timestamp = new KerberosTime();
+
+        for (EncryptionKey encryptionKey : keys.values()) {
+          keytabEntries.add(new KeytabEntry(principal, 1, timestamp, keyVersion, encryptionKey));
         }
-      } else {
-        keytab = new Keytab();
+
+        keytab.setEntries(keytabEntries);
       }
+    }
 
-      if (ciphers.isEmpty()) {
-        // There are no new keys to create
-        success = true;
-      } else {
-        // Create a set of keys and relevant keytab entries
-        Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory.getKerberosKeys(principal, password, ciphers);
+    return keytab;
+  }
 
-        if (keys != null) {
-          byte keyVersion = (keyNumber == null) ? 0 : keyNumber.byteValue();
-          KerberosTime timestamp = new KerberosTime();
+  /**
+   * Create or append to a keytab file using keytab data from another keytab file.
+   * <p/>
+   * If the destination keytab file contains keytab data, that data will be merged with the new data
+   * to create a composite set of keytab entries.
+   *
+   * @param sourceKeytabFile      a File containing the absolute path to the file with the keytab data to store
+   * @param destinationKeytabFile a File containing the absolute path to where the keytab data is to be stored
+   * @return true if the keytab file was successfully created; false otherwise
+   * @throws KerberosOperationException
+   * @see #createKeytabFile(org.apache.directory.server.kerberos.shared.keytab.Keytab, java.io.File)
+   */
+  protected boolean createKeytabFile(File sourceKeytabFile, File destinationKeytabFile)
+      throws KerberosOperationException {
+    return createKeytabFile(readKeytabFile(sourceKeytabFile), destinationKeytabFile);
+  }
 
-          for (EncryptionKey encryptionKey : keys.values()) {
-            keytabEntries.add(new KeytabEntry(principal, 1, timestamp, keyVersion, encryptionKey));
-          }
+  /**
+   * Create or append to a keytab file using the specified principal and password.
+   * <p/>
+   * If the destination keytab file contains keytab data, that data will be merged with the new data
+   * to create a composite set of keytab entries.
+   *
+   * @param principal             a String containing the principal to test
+   * @param password              a String containing the password to use when creating the principal
+   * @param keyNumber             an Integer declaring the relevant key number to use for the keytabs entries
+   * @param destinationKeytabFile a File containing the absolute path to where the keytab data is to be stored
+   * @return true if the keytab file was successfully created; false otherwise
+   * @throws KerberosOperationException
+   * @see #createKeytabFile(org.apache.directory.server.kerberos.shared.keytab.Keytab, java.io.File)
+   */
+  protected boolean createKeytabFile(String principal, String password, Integer keyNumber, File destinationKeytabFile)
+      throws KerberosOperationException {
+    return createKeytabFile(createKeytab(principal, password, keyNumber), destinationKeytabFile);
+  }
 
-          keytab.setEntries(keytabEntries);
+  /**
+   * Create or append to a keytab file using the specified Keytab
+   * <p/>
+   * If the destination keytab file contains keytab data, that data will be merged with the new data
+   * to create a composite set of keytab entries.
+   *
+   * @param keytab                the Keytab containing the data to add to the keytab file
+   * @param destinationKeytabFile a File containing the absolute path to where the keytab data is to be stored
+   * @return true if the keytab file was successfully created; false otherwise
+   * @throws KerberosOperationException
+   */
+  protected boolean createKeytabFile(Keytab keytab, File destinationKeytabFile)
+      throws KerberosOperationException {
 
-          try {
-            keytab.write(keytabFile);
-            success = true;
-          } catch (IOException e) {
-            String message = String.format("Failed to export keytab file for %s", principal);
-            LOG.error(message, e);
+    if (destinationKeytabFile == null) {
+      throw new KerberosOperationException("The destination file path is null");
+    }
+
+    try {
+      mergeKeytabs(readKeytabFile(destinationKeytabFile), keytab).write(destinationKeytabFile);
+      return true;
+    } catch (IOException e) {
+      String message = "Failed to export keytab file";
+      LOG.error(message, e);
 
-            if (!keytabFile.delete()) {
-              keytabFile.deleteOnExit();
-            }
+      if (!destinationKeytabFile.delete()) {
+        destinationKeytabFile.deleteOnExit();
+      }
 
-            throw new KerberosOperationException(message, e);
+      throw new KerberosOperationException(message, e);
+    }
+  }
+
+  /**
+   * Merge the keytab data from one keytab with the keytab data from a different keytab.
+   * <p/>
+   * If similar key entries exist for the same principal, the updated values will be used
+   *
+   * @param keytab  a Keytab with the base keytab data
+   * @param updates a Keytab containing the updated keytab data
+   * @return a Keytab with the merged data
+   */
+  protected Keytab mergeKeytabs(Keytab keytab, Keytab updates) {
+    List<KeytabEntry> keytabEntries = (keytab == null)
+        ? Collections.<KeytabEntry>emptyList()
+        : new ArrayList<KeytabEntry>(keytab.getEntries());
+    List<KeytabEntry> updateEntries = (updates == null)
+        ? Collections.<KeytabEntry>emptyList()
+        : new ArrayList<KeytabEntry>(updates.getEntries());
+    List<KeytabEntry> mergedEntries = new ArrayList<KeytabEntry>();
+
+    if (keytabEntries.isEmpty()) {
+      mergedEntries.addAll(updateEntries);
+    } else if (updateEntries.isEmpty()) {
+      mergedEntries.addAll(keytabEntries);
+    } else {
+      Iterator<KeytabEntry> iterator = keytabEntries.iterator();
+
+      while (iterator.hasNext()) {
+        KeytabEntry keytabEntry = iterator.next();
+
+        for (KeytabEntry entry : updateEntries) {
+          if (entry.getPrincipalName().equals(keytabEntry.getPrincipalName()) &&
+              entry.getKey().getKeyType().equals(keytabEntry.getKey().getKeyType())) {
+            iterator.remove();
+            break;
           }
         }
       }
+
+      mergedEntries.addAll(keytabEntries);
+      mergedEntries.addAll(updateEntries);
+    }
+
+    Keytab mergedKeytab = new Keytab();
+    mergedKeytab.setEntries(mergedEntries);
+    return mergedKeytab;
+  }
+
+  /**
+   * Reads a file containing keytab data into a new Keytab
+   *
+   * @param file A File containing the path to the file from which to read keytab data
+   * @return a Keytab or null if the file was not readable
+   */
+  protected Keytab readKeytabFile(File file) {
+    Keytab keytab;
+
+    if (file.exists() && file.canRead() && (file.length() > 0)) {
+      try {
+        keytab = Keytab.read(file);
+      } catch (IOException e) {
+        // There was an issue reading in the existing keytab file... quietly assume no data
+        keytab = null;
+      }
+    } else {
+      keytab = null;
     }
 
-    return success;
+    return keytab;
   }
 
   public KerberosCredential getAdministratorCredentials() {

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java

@@ -491,10 +491,6 @@ public abstract class KerberosServerAction extends AbstractServerAction {
         // by replacing the _HOST and _REALM variables.
         String evaluatedPrincipal = principal.replace("_HOST", host).replace("_REALM", defaultRealm);
 
-        String message = String.format("Processing identity for %s", evaluatedPrincipal);
-        actionLog.writeStdOut(message);
-        LOG.info(message);
-
         commandReport = processIdentity(record, evaluatedPrincipal, operationHandler, requestSharedDataContext);
       }
     }

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java

@@ -54,6 +54,8 @@ public class MITKerberosOperationHandler extends KerberosOperationHandler {
   @Inject
   private Configuration configuration;
 
+  private String adminServerHost = null;
+
   /**
    * Prepares and creates resources to be used by this KerberosOperationHandler
    * <p/>
@@ -80,6 +82,7 @@ public class MITKerberosOperationHandler extends KerberosOperationHandler {
 
     if (kerberosConfiguration != null) {
       setKeyEncryptionTypes(translateEncryptionTypes(kerberosConfiguration.get(KERBEROS_ENV_ENCRYPTION_TYPES), "\\s+"));
+      setAdminServerHost(kerberosConfiguration.get(KERBEROS_ENV_ADMIN_SERVER_HOST));
     }
 
     setOpen(true);
@@ -339,6 +342,12 @@ public class MITKerberosOperationHandler extends KerberosOperationHandler {
         // Set the kdamin interface to be kadmin
         command.add(pathToCommand + "kadmin");
 
+        // Add explicit KDC admin host, if available
+        if(getAdminServerHost() != null) {
+          command.add("-s");
+          command.add(getAdminServerHost());
+        }
+
         // Add the administrative principal
         command.add("-p");
         command.add(adminPrincipal);
@@ -439,4 +448,22 @@ public class MITKerberosOperationHandler extends KerberosOperationHandler {
 
     return result;
   }
+
+  /**
+   * Sets the KDC administrator server host address
+   *
+   * @param adminServerHost the ip address or FQDN of the KDC administrator server
+   */
+  public void setAdminServerHost(String adminServerHost) {
+    this.adminServerHost = adminServerHost;
+  }
+
+  /**
+   * Gets the IP address or FQDN of the KDC administrator server
+   *
+   * @return the IP address or FQDN of the KDC administrator server
+   */
+  public String getAdminServerHost() {
+    return adminServerHost;
+  }
 }

ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosKeytabDescriptor.java

@@ -31,6 +31,7 @@ import java.util.Map;
  * <li>owner {name, access}</li>
  * <li>group {name, access}</li>
  * <li>configuration</li>
+ * <li>cachable</li>
  * </ul>
  * <p/>
  * The following JSON Schema will yield a valid KerberosPrincipalDescriptor
@@ -81,6 +82,11 @@ import java.util.Map;
  *                          - format: config-type/property.name",
  *          "type": "string"
  *        }
+ *        "cachable" : {
+ *          "description": "Indicates whether the generated keytab is allowed to be cached by the
+ *                          Ambari server (true) or not (false)",
+ *          "type": "boolean"
+ *        }
  *      }
  *   }
  * </pre>
@@ -142,6 +148,12 @@ public class KerberosKeytabDescriptor extends AbstractKerberosDescriptor {
   private String configuration = null;
 
 
+  /**
+   * A boolean value indicating whether the generated keytab is allowed to be cached by the Ambari
+   * server or not.
+   */
+  private boolean cachable = true;
+
   /**
    * Creates a new KerberosKeytabDescriptor
    * <p/>
@@ -174,6 +186,9 @@ public class KerberosKeytabDescriptor extends AbstractKerberosDescriptor {
       }
 
       setConfiguration(getStringValue(data, "configuration"));
+
+      // If the "cachable" value is anything but false, set it to true
+      setCachable(!"false".equalsIgnoreCase(getStringValue(data, "cachable")));
     }
   }
 
@@ -309,6 +324,24 @@ public class KerberosKeytabDescriptor extends AbstractKerberosDescriptor {
     this.configuration = configuration;
   }
 
+  /**
+   * Indicates whether the generated keytab is allowed to be cached by the Ambari server or not
+   *
+   * @return true if allowed to be cached; false otherwise
+   */
+  public boolean isCachable() {
+    return cachable;
+  }
+
+  /**
+   * Sets whether the generated keytab is allowed to be cached by the Ambari server or not
+   *
+   * @param cachable true if allowed to be cached; false otherwise
+   */
+  public void setCachable(boolean cachable) {
+    this.cachable = cachable;
+  }
+
   /**
    * Updates this KerberosKeytabDescriptor with data from another KerberosKeytabDescriptor
    * <p/>

ambari-server/src/main/python/ambari_server/serverConfiguration.py

@@ -322,6 +322,8 @@ class ServerConfigDefaultsLinux(ServerConfigDefaults):
       ("/var/run/ambari-server/stack-recommendations/", "755", "{0}", False),
       ("/var/lib/ambari-server/data/tmp/", "644", "{0}", True),
       ("/var/lib/ambari-server/data/tmp/", "755", "{0}", False),
+      ("/var/lib/ambari-server/data/cache/", "600", "{0}", True),
+      ("/var/lib/ambari-server/data/cache/", "700", "{0}", False),
       # Also, /etc/ambari-server/conf/password.dat
       # is generated later at store_password_file
     ]

ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml

@@ -61,8 +61,24 @@
     <value/>
   </property>
 
+  <property require-input="true">
+    <name>kdc_host</name>
+    <description>
+      The IP address or FQDN for the KDC host. Optionally a port number may be included.
+    </description>
+    <value/>
+  </property>
+
+  <property>
+    <name>admin_server_host</name>
+    <description>
+      The IP address or FQDN for the KDC Kerberos administrative host. Optionally a port number may be included.
+    </description>
+    <value/>
+  </property>
+
 
-    <property require-input="true">
+  <property require-input="true">
     <name>create_attributes_template</name>
     <description>
       A Velocity template to use to generate a JSON-formatted document containing the set of

ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml

@@ -21,79 +21,6 @@
 -->
 
 <configuration>
-  <property>
-    <name>logging_default</name>
-    <description>
-      Default Kerberos library log location.
-    </description>
-    <value>FILE:/var/log/krb5libs.log</value>
-  </property>
-  <property>
-    <name>logging_kdc</name>
-    <description>
-      KDC log location.
-    </description>
-    <value>FILE:/var/log/krb5kdc.log</value>
-  </property>
-  <property>
-    <name>logging_admin_server</name>
-    <description>
-      Admin server log location.
-    </description>
-    <value>FILE:/var/log/kadmind.log</value>
-  </property>
-
-  <property>
-    <name>libdefaults_dns_lookup_realm</name>
-    <description>
-      If true, DNS TXT records will be used to determine the Kerberos realm of a host.
-    </description>
-    <value>false</value>
-  </property>
-  <property>
-    <name>libdefaults_dns_lookup_kdc</name>
-    <description>
-      If true, DNS SRV records will be used to locate the KDCs and other servers for the realm.
-    </description>
-    <value>false</value>
-  </property>
-  <property>
-    <name>libdefaults_ticket_lifetime</name>
-    <description>
-      Default lifetime of a ticket.
-    </description>
-    <value>24h</value>
-  </property>
-  <property>
-    <name>libdefaults_renew_lifetime</name>
-    <description>
-      Default renewable lifetime for initial tickets.
-    </description>
-    <value>7d</value>
-  </property>
-  <property>
-    <name>libdefaults_forwardable</name>
-    <description>
-      If true, initial tickets will be forwardable.
-    </description>
-    <value>true</value>
-  </property>
-  <property require-input="false">
-    <name>libdefaults_default_tgs_enctypes</name>
-    <description>
-      A space-delimited list of session key encryption types supported by the KDC or Active
-      Directory
-    </description>
-    <value/>
-  </property>
-  <property require-input="false">
-    <name>libdefaults_default_tkt_enctypes</name>
-    <description>
-      A space-delimited list of session key encryption types supported by the KDC or Active
-      Directory.
-    </description>
-    <value/>
-  </property>
   <property require-input="false">
     <name>domains</name>
     <description>
@@ -101,20 +28,6 @@
     </description>
     <value/>
   </property>
-  <property require-input="true">
-    <name>kdc_host</name>
-    <description>
-      The IP address or FQDN for the KDC host. Optionally a port number may be included.
-    </description>
-    <value/>
-  </property>
-  <property>
-    <name>admin_server_host</name>
-    <description>
-      The IP address or FQDN for the KDC Kerberos administrative host. Optionally a port number may be included.
-    </description>
-    <value/>
-  </property>
 
   <property>
     <name>manage_krb5_conf</name>
@@ -134,18 +47,14 @@
     <description>Customizable krb5.conf template (Jinja template engine)</description>
     <value>
 [libdefaults]
-  renew_lifetime = {{libdefaults_renew_lifetime}}
-  forwardable = {{libdefaults_forwardable}}
+  renew_lifetime = 7d
+  forwardable = true
   default_realm = {{realm|upper()}}
-  ticket_lifetime = {{libdefaults_ticket_lifetime}}
-  dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
-  dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
-  {% if libdefaults_default_tgs_enctypes %}
-  default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
-  {% endif %}
-  {% if libdefaults_default_tkt_enctypes %}
-  default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
-  {% endif %}
+  ticket_lifetime = 24h
+  dns_lookup_realm = false
+  dns_lookup_kdc = false
+  #default_tgs_enctypes = {{encryption_types}}
+  #default_tkt_enctypes = {{encryption_types}}
 
 {% if domains %}
 [domain_realm]
@@ -155,12 +64,9 @@
 {% endif %}
 
 [logging]
-  default = {{logging_default}}
-{#
-# The following options are unused unless a managed KDC is installed
-  admin_server = {{logging_admin_server}}
-  kdc = {{logging_admin_kdc}}
-#}
+  default = FILE:/var/log/krb5kdc.log
+  admin_server = FILE:/var/log/kadmind.log
+  kdc = FILE:/var/log/krb5kdc.log
 
 [realms]
   {{realm}} = {

ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py

@@ -99,17 +99,6 @@ if config is not None:
   # ################################################################################################
   # Get krb5.conf template data
   # ################################################################################################
-  logging_default = 'FILE:/var/log/krb5libs.log'
-  logging_kdc = 'FILE:/var/log/krb5kdc.log'
-  logging_admin_server = 'FILE:/var/log/kadmind.log'
-  libdefaults_dns_lookup_realm = 'false'
-  libdefaults_dns_lookup_kdc = 'false'
-  libdefaults_ticket_lifetime = '24h'
-  libdefaults_renew_lifetime = '7d'
-  libdefaults_forwardable = 'true'
-  libdefaults_default_tgs_enctypes = None
-  libdefaults_default_tkt_enctypes = None
-
   realm = 'EXAMPLE.COM'
   domains = ''
   kdc_host = 'localhost'
@@ -132,33 +121,12 @@ if config is not None:
   if kerberos_env is not None:
     encryption_types = get_property_value(kerberos_env, "encryption_types", None, True, None)
     realm = get_property_value(kerberos_env, "realm", None, True, None)
+    kdc_host = get_property_value(kerberos_env, 'kdc_host', kdc_host)
+    admin_server_host = get_property_value(kerberos_env, 'admin_server_host', admin_server_host)
 
   if krb5_conf_data is not None:
-    logging_default = get_property_value(krb5_conf_data, 'logging_default', logging_default)
-    logging_kdc = get_property_value(krb5_conf_data, 'logging_kdc', logging_kdc)
-    logging_admin_server = get_property_value(krb5_conf_data, 'logging_admin_server',
-                                              logging_admin_server)
-    libdefaults_dns_lookup_realm = get_property_value(krb5_conf_data,
-                                                      'libdefaults_dns_lookup_realm',
-                                                      libdefaults_dns_lookup_realm)
-    libdefaults_dns_lookup_kdc = get_property_value(krb5_conf_data, 'libdefaults_dns_lookup_kdc',
-                                                    libdefaults_dns_lookup_kdc)
-    libdefaults_ticket_lifetime = get_property_value(krb5_conf_data, 'libdefaults_ticket_lifetime',
-                                                     libdefaults_ticket_lifetime)
-    libdefaults_renew_lifetime = get_property_value(krb5_conf_data, 'libdefaults_renew_lifetime',
-                                                    libdefaults_renew_lifetime)
-    libdefaults_forwardable = get_property_value(krb5_conf_data, 'libdefaults_forwardable',
-                                                 libdefaults_forwardable)
-    libdefaults_default_tgs_enctypes = get_property_value(krb5_conf_data,
-                                                          'libdefaults_default_tgs_enctypes',
-                                                          libdefaults_default_tgs_enctypes)
-    libdefaults_default_tkt_enctypes = get_property_value(krb5_conf_data,
-                                                          'libdefaults_default_tkt_enctypes',
-                                                          libdefaults_default_tkt_enctypes)
     realm = get_property_value(krb5_conf_data, 'realm', realm)
     domains = get_property_value(krb5_conf_data, 'domains', domains)
-    kdc_host = get_property_value(krb5_conf_data, 'kdc_host', kdc_host)
-    admin_server_host = get_property_value(krb5_conf_data, 'admin_server_host', admin_server_host)
 
     admin_principal = get_property_value(krb5_conf_data, 'admin_principal', admin_principal, True,
                                          None)

ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2

@@ -16,18 +16,14 @@
 # limitations under the License.
 #}
 [libdefaults]
-  renew_lifetime = {{libdefaults_renew_lifetime}}
-  forwardable = {{libdefaults_forwardable}}
+  renew_lifetime = 7d
+  forwardable = true
   default_realm = {{realm|upper()}}
-  ticket_lifetime = {{libdefaults_ticket_lifetime}}
-  dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
-  dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
-  {% if libdefaults_default_tgs_enctypes %}
-  default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
-  {% endif %}
-  {% if libdefaults_default_tkt_enctypes %}
-  default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
-  {% endif %}
+  ticket_lifetime = 24h
+  dns_lookup_realm = false
+  dns_lookup_kdc = false
+  #default_tgs_enctypes = {{encryption_types}}
+  #default_tkt_enctypes = {{encryption_types}}
 
 {% if domains %}
 [domain_realm]
@@ -37,12 +33,9 @@
 {% endif %}
 
 [logging]
-  default = {{logging_default}}
-{#
-# The following options are unused unless a managed KDC is installed
-  admin_server = {{logging_admin_server}}
-  kdc = {{logging_admin_kdc}}
-#}
+  default = FILE:/var/log/krb5kdc.log
+  admin_server = FILE:/var/log/kadmind.log
+  kdc = FILE:/var/log/krb5kdc.log
 
 [realms]
   {{realm}} = {

ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/configuration/krb5-conf.xml

@@ -21,55 +21,6 @@
 -->
 
 <configuration>
-  <property>
-    <name>logging_default</name>
-    <value>FILE:/var/log/krb5libs.log</value>
-  </property>
-  <property>
-    <name>logging_kdc</name>
-    <value>FILE:/var/log/krb5kdc.log</value>
-  </property>
-  <property>
-    <name>logging_admin_server</name>
-    <value>FILE:/var/log/kadmind.log</value>
-  </property>
-
-  <property>
-    <name>libdefaults_dns_lookup_realm</name>
-    <value>false</value>
-  </property>
-  <property>
-    <name>libdefaults_dns_lookup_kdc</name>
-    <value>false</value>
-  </property>
-  <property>
-    <name>libdefaults_ticket_lifetime</name>
-    <value>24h</value>
-  </property>
-  <property>
-    <name>libdefaults_renew_lifetime</name>
-    <value>7d</value>
-  </property>
-  <property>
-    <name>libdefaults_forwardable</name>
-    <value>true</value>
-  </property>
-  <property require-input="false">
-    <name>libdefaults_default_tgs_enctypes</name>
-    <description>
-      A space-delimited list of session key encryption types supported by the KDC or Active
-      Directory
-    </description>
-    <value/>
-  </property>
-  <property require-input="false">
-    <name>libdefaults_default_tkt_enctypes</name>
-    <description>
-      A space-delimited list of session key encryption types supported by the KDC or Active
-      Directory
-    </description>
-    <value/>
-  </property>
   <property require-input="false">
     <name>domains</name>
     <description>
@@ -77,22 +28,6 @@
     </description>
     <value/>
   </property>
-  <property require-input="true">
-    <name>kdc_host</name>
-    <description>
-      The IP address or FQDN of the KDC or Active Directory server, optionally a port number may be
-      provided
-    </description>
-    <value/>
-  </property>
-  <property>
-    <name>admin_server_host</name>
-    <description>
-      The IP address or FQDN of the administrative Kerberos server, optionally a port number may be
-      provided
-    </description>
-    <value/>
-  </property>
   <property>
     <name>test_principal</name>
     <description>
@@ -138,18 +73,14 @@
     <description>The jinja template for the krb5.conf file</description>
     <value>
 [libdefaults]
-  renew_lifetime = {{libdefaults_renew_lifetime}}
-  forwardable = {{libdefaults_forwardable}}
+  renew_lifetime = 7d
+  forwardable = true
   default_realm = {{realm|upper()}}
-  ticket_lifetime = {{libdefaults_ticket_lifetime}}
-  dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
-  dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
-  {% if libdefaults_default_tgs_enctypes %}
-  default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
-  {% endif %}
-  {% if libdefaults_default_tkt_enctypes %}
-  default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
-  {% endif %}
+  ticket_lifetime = 24h
+  dns_lookup_realm = false
+  dns_lookup_kdc = false
+  #default_tgs_enctypes = {{encryption_types}}
+  #default_tkt_enctypes = {{encryption_types}}
 
 {% if domains %}
 [domain_realm]
@@ -159,12 +90,9 @@
 {% endif %}
 
 [logging]
-  default = {{logging_default}}
-{#
-# The following options are unused unless a managed KDC is installed
-  admin_server = {{logging_admin_server}}
-  kdc = {{logging_admin_kdc}}
-#}
+  default = FILE:/var/log/krb5kdc.log
+  admin_server = FILE:/var/log/kadmind.log
+  kdc = FILE:/var/log/krb5kdc.log
 
 [realms]
   {{realm}} = {

ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/scripts/params.py

@@ -88,20 +88,6 @@ if config is not None:
   # ################################################################################################
   # Get krb5.conf template data
   # ################################################################################################
-  logging_default = 'FILE:/var/log/krb5libs.log'
-  logging_kdc = 'FILE:/var/log/krb5kdc.log'
-  logging_admin_server = 'FILE:/var/log/kadmind.log'
-  libdefaults_dns_lookup_realm = 'false'
-  libdefaults_dns_lookup_kdc = 'false'
-  libdefaults_ticket_lifetime = '24h'
-  libdefaults_renew_lifetime = '7d'
-  libdefaults_forwardable = 'true'
-  libdefaults_default_tgs_enctypes = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 ' \
-                                     'arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac ' \
-                                     'des-cbc-crc des-cbc-md5 des-cbc-md4'
-  libdefaults_default_tkt_enctypes = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 ' \
-                                     'arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac ' \
-                                     'des-cbc-crc des-cbc-md5 des-cbc-md4'
   realm = 'EXAMPLE.COM'
   domains = ''
   kdc_host = 'localhost'
@@ -127,33 +113,12 @@ if config is not None:
   if kerberos_env is not None:
     encryption_types = get_property_value(kerberos_env, "encryption_types", None)
     realm = get_property_value(kerberos_env, "realm", None)
+    kdc_host = get_property_value(kerberos_env, 'kdc_host', kdc_host)
+    admin_server_host = get_property_value(kerberos_env, 'admin_server_host', admin_server_host)
 
   if krb5_conf_data is not None:
-    logging_default = get_property_value(krb5_conf_data, 'logging_default', logging_default)
-    logging_kdc = get_property_value(krb5_conf_data, 'logging_kdc', logging_kdc)
-    logging_admin_server = get_property_value(krb5_conf_data, 'logging_admin_server',
-                                              logging_admin_server)
-    libdefaults_dns_lookup_realm = get_property_value(krb5_conf_data,
-                                                      'libdefaults_dns_lookup_realm',
-                                                      libdefaults_dns_lookup_realm)
-    libdefaults_dns_lookup_kdc = get_property_value(krb5_conf_data, 'libdefaults_dns_lookup_kdc',
-                                                    libdefaults_dns_lookup_kdc)
-    libdefaults_ticket_lifetime = get_property_value(krb5_conf_data, 'libdefaults_ticket_lifetime',
-                                                     libdefaults_ticket_lifetime)
-    libdefaults_renew_lifetime = get_property_value(krb5_conf_data, 'libdefaults_renew_lifetime',
-                                                    libdefaults_renew_lifetime)
-    libdefaults_forwardable = get_property_value(krb5_conf_data, 'libdefaults_forwardable',
-                                                 libdefaults_forwardable)
-    libdefaults_default_tgs_enctypes = get_property_value(krb5_conf_data,
-                                                          'libdefaults_default_tgs_enctypes',
-                                                          encryption_types)
-    libdefaults_default_tkt_enctypes = get_property_value(krb5_conf_data,
-                                                          'libdefaults_default_tkt_enctypes',
-                                                          encryption_types)
     realm = get_property_value(krb5_conf_data, 'realm', realm)
     domains = get_property_value(krb5_conf_data, 'domains', domains)
-    kdc_host = get_property_value(krb5_conf_data, 'kdc_host', kdc_host)
-    admin_server_host = get_property_value(krb5_conf_data, 'admin_server_host', admin_server_host)
 
     admin_principal = get_property_value(krb5_conf_data, 'admin_principal', admin_principal)
     admin_password = get_property_value(krb5_conf_data, 'admin_password', admin_password)

ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KERBEROS/package/templates/krb5_conf.j2

@@ -16,18 +16,14 @@
 # limitations under the License.
 #}
 [libdefaults]
-  renew_lifetime = {{libdefaults_renew_lifetime}}
-  forwardable = {{libdefaults_forwardable}}
+  renew_lifetime = 7d
+  forwardable = true
   default_realm = {{realm|upper()}}
-  ticket_lifetime = {{libdefaults_ticket_lifetime}}
-  dns_lookup_realm = {{libdefaults_dns_lookup_realm}}
-  dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}
-  {% if libdefaults_default_tgs_enctypes %}
-  default_tgs_enctypes = {{libdefaults_default_tgs_enctypes}}
-  {% endif %}
-  {% if libdefaults_default_tkt_enctypes %}
-  default_tkt_enctypes = {{libdefaults_default_tkt_enctypes}}
-  {% endif %}
+  ticket_lifetime = 24h
+  dns_lookup_realm = false
+  dns_lookup_kdc = false
+  #default_tgs_enctypes = {{encryption_types}}
+  #default_tkt_enctypes = {{encryption_types}}
 
 {% if domains %}
 [domain_realm]
@@ -37,12 +33,9 @@
 {% endif %}
 
 [logging]
-  default = {{logging_default}}
-{#
-# The following options are unused unless a managed KDC is installed
-  admin_server = {{logging_admin_server}}
-  kdc = {{logging_admin_kdc}}
-#}
+  default = FILE:/var/log/krb5kdc.log
+  admin_server = FILE:/var/log/kadmind.log
+  kdc = FILE:/var/log/krb5kdc.log
 
 [realms]
   {{realm}} = {

ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java

@@ -2619,7 +2619,7 @@ public class TestHeartbeatHandler {
     kerberosActionDataFileBuilder.addRecord("c6403.ambari.apache.org", "HDFS", "DATANODE",
         "dn/_HOST@_REALM", "service", "hdfs-site/dfs.namenode.kerberos.principal",
         "/etc/security/keytabs/dn.service.keytab",
-        "hdfs", "r", "hadoop", "", "hdfs-site/dfs.namenode.keytab.file");
+        "hdfs", "r", "hadoop", "", "hdfs-site/dfs.namenode.keytab.file", "false");
 
     kerberosActionDataFileBuilder.close();
 

ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java

@@ -215,10 +215,10 @@ public class KerberosHelperTest extends EasyMockSupport {
 
     final Map<String, String> kerberosEnvProperties = createNiceMock(Map.class);
     expect(kerberosEnvProperties.get("realm")).andReturn("EXAMPLE.COM").once();
+    expect(kerberosEnvProperties.get("kdc_host")).andReturn("10.0.100.1").once();
+    expect(kerberosEnvProperties.get("kadmin_host")).andReturn("10.0.100.1").once();
 
     final Map<String, String> krb5ConfProperties = createNiceMock(Map.class);
-    expect(krb5ConfProperties.get("kdc_host")).andReturn("10.0.100.1").once();
-    expect(krb5ConfProperties.get("kadmin_host")).andReturn("10.0.100.1").once();
 
     final Config krb5ConfConfig = createNiceMock(Config.class);
     expect(krb5ConfConfig.getProperties()).andReturn(krb5ConfProperties).once();
@@ -543,6 +543,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(keytabDescriptor1.getGroupName()).andReturn("hadoop").once();
     expect(keytabDescriptor1.getGroupAccess()).andReturn("").once();
     expect(keytabDescriptor1.getConfiguration()).andReturn("service1-site/component1.keytab.file").once();
+    expect(keytabDescriptor1.isCachable()).andReturn(false).once();
 
     final KerberosKeytabDescriptor keytabDescriptor2 = createNiceMock(KerberosKeytabDescriptor.class);
     expect(keytabDescriptor2.getFile()).andReturn("${keytab_dir}/service2.keytab").once();
@@ -551,6 +552,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(keytabDescriptor2.getGroupName()).andReturn("hadoop").once();
     expect(keytabDescriptor2.getGroupAccess()).andReturn("").once();
     expect(keytabDescriptor2.getConfiguration()).andReturn("service2-site/component2.keytab.file").once();
+    expect(keytabDescriptor2.isCachable()).andReturn(false).once();
 
     final KerberosIdentityDescriptor identityDescriptor1 = createNiceMock(KerberosIdentityDescriptor.class);
     expect(identityDescriptor1.getPrincipalDescriptor()).andReturn(principalDescriptor1).once();
@@ -819,6 +821,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(keytabDescriptor1.getGroupName()).andReturn("hadoop").once();
     expect(keytabDescriptor1.getGroupAccess()).andReturn("").once();
     expect(keytabDescriptor1.getConfiguration()).andReturn("service1-site/component1.keytab.file").once();
+    expect(keytabDescriptor1.isCachable()).andReturn(false).once();
 
     final KerberosKeytabDescriptor keytabDescriptor2 = createNiceMock(KerberosKeytabDescriptor.class);
     expect(keytabDescriptor2.getFile()).andReturn("${keytab_dir}/service2.keytab").once();
@@ -827,6 +830,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(keytabDescriptor2.getGroupName()).andReturn("hadoop").once();
     expect(keytabDescriptor2.getGroupAccess()).andReturn("").once();
     expect(keytabDescriptor2.getConfiguration()).andReturn("service2-site/component2.keytab.file").once();
+    expect(keytabDescriptor2.isCachable()).andReturn(false).once();
 
     final KerberosIdentityDescriptor identityDescriptor1 = createNiceMock(KerberosIdentityDescriptor.class);
     expect(identityDescriptor1.getPrincipalDescriptor()).andReturn(principalDescriptor1).once();
@@ -1106,6 +1110,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(keytabDescriptor1.getGroupName()).andReturn("hadoop").once();
     expect(keytabDescriptor1.getGroupAccess()).andReturn("").once();
     expect(keytabDescriptor1.getConfiguration()).andReturn("service1-site/component1.keytab.file").once();
+    expect(keytabDescriptor1.isCachable()).andReturn(false).once();
 
     final KerberosKeytabDescriptor keytabDescriptor2 = createNiceMock(KerberosKeytabDescriptor.class);
     expect(keytabDescriptor2.getFile()).andReturn("${keytab_dir}/service2.keytab").once();
@@ -1114,6 +1119,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(keytabDescriptor2.getGroupName()).andReturn("hadoop").once();
     expect(keytabDescriptor2.getGroupAccess()).andReturn("").once();
     expect(keytabDescriptor2.getConfiguration()).andReturn("service2-site/component2.keytab.file").once();
+    expect(keytabDescriptor2.isCachable()).andReturn(false).once();
 
     final KerberosIdentityDescriptor identityDescriptor1 = createNiceMock(KerberosIdentityDescriptor.class);
     expect(identityDescriptor1.getPrincipalDescriptor()).andReturn(principalDescriptor1).once();
@@ -1489,6 +1495,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(keytabDescriptor1.getGroupName()).andReturn("hadoop").times(3);
     expect(keytabDescriptor1.getGroupAccess()).andReturn("").times(3);
     expect(keytabDescriptor1.getConfiguration()).andReturn("service1-site/component1.keytab.file").times(3);
+    expect(keytabDescriptor1.isCachable()).andReturn(false).times(3);
 
     final KerberosKeytabDescriptor keytabDescriptor3 = createMock(KerberosKeytabDescriptor.class);
     expect(keytabDescriptor3.getFile()).andReturn("${keytab_dir}/service3.keytab").once();
@@ -1497,6 +1504,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(keytabDescriptor3.getGroupName()).andReturn("hadoop").once();
     expect(keytabDescriptor3.getGroupAccess()).andReturn("").once();
     expect(keytabDescriptor3.getConfiguration()).andReturn("service3-site/component3.keytab.file").once();
+    expect(keytabDescriptor3.isCachable()).andReturn(false).times(1);
 
     final KerberosIdentityDescriptor identityDescriptor1a = createMock(KerberosIdentityDescriptor.class);
     expect(identityDescriptor1a.getName()).andReturn("identity1a").anyTimes();
@@ -1773,6 +1781,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(keytabDescriptor1.getGroupName()).andReturn("hadoop").once();
     expect(keytabDescriptor1.getGroupAccess()).andReturn("").once();
     expect(keytabDescriptor1.getConfiguration()).andReturn("service1-site/component1.keytab.file").once();
+    expect(keytabDescriptor1.isCachable()).andReturn(false).once();
 
     final KerberosKeytabDescriptor keytabDescriptor3 = createMock(KerberosKeytabDescriptor.class);
     expect(keytabDescriptor3.getFile()).andReturn("${keytab_dir}/service3.keytab").once();
@@ -1781,6 +1790,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     expect(keytabDescriptor3.getGroupName()).andReturn("hadoop").once();
     expect(keytabDescriptor3.getGroupAccess()).andReturn("").once();
     expect(keytabDescriptor3.getConfiguration()).andReturn("service3-site/component3.keytab.file").once();
+    expect(keytabDescriptor3.isCachable()).andReturn(false).once();
 
     final KerberosIdentityDescriptor identityDescriptor1a = createMock(KerberosIdentityDescriptor.class);
     expect(identityDescriptor1a.getName()).andReturn("identity1a").anyTimes();

ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java

@@ -21,7 +21,6 @@ package org.apache.ambari.server.serveraction.kerberos;
 import junit.framework.Assert;
 import org.easymock.Capture;
 import org.easymock.CaptureType;
-import org.easymock.EasyMockSupport;
 import org.easymock.IAnswer;
 import org.junit.Ignore;
 import org.junit.Test;

ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosActionDataFileTest.java

@@ -50,7 +50,7 @@ public class KerberosActionDataFileTest {
           "principal" + i, "principal_type" + i, "principalConfiguration" + i, "keytabFilePath" + i,
           "keytabFileOwnerName" + i, "keytabFileOwnerAccess" + i,
           "keytabFileGroupName" + i, "keytabFileGroupAccess" + i,
-          "keytabFileConfiguration" + i);
+          "keytabFileConfiguration" + i, "false");
     }
 
     // Add some odd characters
@@ -58,7 +58,7 @@ public class KerberosActionDataFileTest {
         "principal", "principal_type", "principalConfiguration", "keytabFilePath",
         "'keytabFileOwnerName'", "<keytabFileOwnerAccess>",
         "\"keytabFileGroupName\"", "keytab,File,Group,Access",
-        "\"keytab,'File',Configuration\"");
+        "\"keytab,'File',Configuration\"", "false");
 
     builder.close();
     Assert.assertTrue(builder.isClosed());
@@ -88,6 +88,7 @@ public class KerberosActionDataFileTest {
         Assert.assertEquals("keytabFileGroupName" + i, record.get(KerberosActionDataFile.KEYTAB_FILE_GROUP_NAME));
         Assert.assertEquals("keytabFileGroupAccess" + i, record.get(KerberosActionDataFile.KEYTAB_FILE_GROUP_ACCESS));
         Assert.assertEquals("keytabFileConfiguration" + i, record.get(KerberosActionDataFile.KEYTAB_FILE_CONFIGURATION));
+        Assert.assertEquals("false", record.get(KerberosActionDataFile.KEYTAB_FILE_IS_CACHABLE));
       } else {
         Assert.assertEquals("hostName's", record.get(KerberosActionDataFile.HOSTNAME));
         Assert.assertEquals("serviceName#", record.get(KerberosActionDataFile.SERVICE));
@@ -101,6 +102,7 @@ public class KerberosActionDataFileTest {
         Assert.assertEquals("\"keytabFileGroupName\"", record.get(KerberosActionDataFile.KEYTAB_FILE_GROUP_NAME));
         Assert.assertEquals("keytab,File,Group,Access", record.get(KerberosActionDataFile.KEYTAB_FILE_GROUP_ACCESS));
         Assert.assertEquals("\"keytab,'File',Configuration\"", record.get(KerberosActionDataFile.KEYTAB_FILE_CONFIGURATION));
+        Assert.assertEquals("false", record.get(KerberosActionDataFile.KEYTAB_FILE_IS_CACHABLE));
       }
 
       i++;
@@ -155,7 +157,7 @@ public class KerberosActionDataFileTest {
         "principal","principal_type", "principalConfiguration", "keytabFilePath",
         "keytabFileOwnerName", "keytabFileOwnerAccess",
         "keytabFileGroupName", "keytabFileGroupAccess",
-        "keytabFileConfiguration");
+        "keytabFileConfiguration", "true");
 
     builder.close();
     Assert.assertTrue(builder.isClosed());
@@ -181,7 +183,7 @@ public class KerberosActionDataFileTest {
         "principal", "principal_type", "principalConfiguration", "keytabFilePath",
         "keytabFileOwnerName", "keytabFileOwnerAccess",
         "keytabFileGroupName", "keytabFileGroupAccess",
-        "keytabFileConfiguration");
+        "keytabFileConfiguration", "true");
 
     builder.close();
     Assert.assertTrue(builder.isClosed());

ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerTest.java

@@ -28,7 +28,6 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
 
-import javax.naming.InvalidNameException;
 import java.io.File;
 import java.io.FileInputStream;
 import java.util.Collections;
@@ -205,6 +204,29 @@ public abstract class KerberosOperationHandlerTest extends EasyMockSupport {
     }
   }
 
+  @Test
+  public void testMergeKeytabs() throws KerberosOperationException {
+    KerberosOperationHandler handler = createHandler();
+
+    Keytab keytab1 = handler.createKeytab("principal@EXAMPLE.COM", "password", 1);
+    Keytab keytab2 = handler.createKeytab("principal@EXAMPLE.COM", "password1", 1);
+    Keytab keytab3 = handler.createKeytab("principal1@EXAMPLE.COM", "password", 4);
+
+    Keytab merged;
+
+    merged = handler.mergeKeytabs(keytab1, keytab2);
+    Assert.assertEquals(keytab1.getEntries().size(), merged.getEntries().size());
+
+    merged = handler.mergeKeytabs(keytab1, keytab3);
+    Assert.assertEquals(keytab1.getEntries().size() + keytab3.getEntries().size(), merged.getEntries().size());
+
+    merged = handler.mergeKeytabs(keytab2, keytab3);
+    Assert.assertEquals(keytab2.getEntries().size() + keytab3.getEntries().size(), merged.getEntries().size());
+
+    merged = handler.mergeKeytabs(keytab2, merged);
+    Assert.assertEquals(keytab2.getEntries().size() + keytab3.getEntries().size(), merged.getEntries().size());
+  }
+
   @Test
   public void testTranslateEncryptionTypes() throws Exception {
     KerberosOperationHandler handler = createHandler();

ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java

@@ -105,7 +105,7 @@ public class KerberosServerActionTest {
           "principal|_HOST|_REALM" + i, "principal_type", "principalConfiguration" + i, "keytabFilePath" + i,
           "keytabFileOwnerName" + i, "keytabFileOwnerAccess" + i,
           "keytabFileGroupName" + i, "keytabFileGroupAccess" + i,
-          "keytabFileConfiguration" + i);
+          "keytabFileConfiguration" + i, "false");
     }
     builder.close();
 

ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java

@@ -24,7 +24,6 @@ import com.google.inject.Injector;
 import junit.framework.Assert;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.controller.KerberosHelper;
 import org.apache.ambari.server.state.Clusters;
 import org.apache.ambari.server.utils.ShellCommandUtil;
 import org.easymock.EasyMock;
@@ -33,7 +32,6 @@ import org.junit.BeforeClass;
 import org.junit.Ignore;
 import org.junit.Test;
 
-import java.lang.reflect.Field;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -52,6 +50,8 @@ public class MITKerberosOperationHandlerTest extends KerberosOperationHandlerTes
   private static final Map<String, String> KERBEROS_ENV_MAP = new HashMap<String, String>() {
     {
       put(MITKerberosOperationHandler.KERBEROS_ENV_ENCRYPTION_TYPES, null);
+      put(MITKerberosOperationHandler.KERBEROS_ENV_KDC_HOST, "localhost");
+      put(MITKerberosOperationHandler.KERBEROS_ENV_ADMIN_SERVER_HOST, "localhost");
     }
   };
 

ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/UpdateKerberosConfigsServerActionTest.java

@@ -99,7 +99,7 @@ public class UpdateKerberosConfigsServerActionTest {
     kerberosActionDataFileBuilder.addRecord("c6403.ambari.apache.org", "HDFS", "DATANODE",
       "dn/_HOST@_REALM", "service", "hdfs-site/dfs.namenode.kerberos.principal",
       "/etc/security/keytabs/dn.service.keytab",
-      "hdfs", "r", "hadoop", "", "hdfs-site/dfs.namenode.keytab.file");
+      "hdfs", "r", "hadoop", "", "hdfs-site/dfs.namenode.keytab.file", "false");
 
     kerberosActionDataFileBuilder.close();
     File hostDirectory = new File(dataDir, "c6403.ambari.apache.org");

ambari-server/src/test/python/stacks/2.2/KERBEROS/use_cases.py

@@ -21,12 +21,12 @@ import json
 
 krb5_conf_template = \
   '[libdefaults]\n' \
-  '  renew_lifetime = {{libdefaults_renew_lifetime}}\n' \
-  '  forwardable = {{libdefaults_forwardable}}\n' \
+  '  renew_lifetime = 7d\n' \
+  '  forwardable = true\n' \
   '  realm = {{realm|upper()}}\n' \
-  '  ticket_lifetime = {{libdefaults_ticket_lifetime}}\n' \
-  '  dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n' \
-  '  dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n' \
+  '  ticket_lifetime = 24h\n' \
+  '  dns_lookup_realm = false\n' \
+  '  dns_lookup_kdc = false\n' \
   '\n' \
   '{% if domains %}\n' \
   '[domain_realm]\n' \
@@ -36,12 +36,10 @@ krb5_conf_template = \
   '{% endif %}\n' \
   '\n' \
   '[logging]\n' \
-  '  default = {{logging_default}}\n' \
-  '{#\n' \
-  ' # The following options are unused unless a managed KDC is installed\n' \
-  '  admin_server = {{logging_admin_server}}\n' \
-  'kdc = {{logging_admin_kdc}}\n' \
-  '#}\n' \
+  '  default = FILE:/var/log/krb5kdc.log\n' \
+  '  admin_server = FILE:/var/log/kadmind.log\n' \
+  '  kdc = FILE:/var/log/krb5kdc.log\n' \
+  '\n' \
   '[realms]\n' \
   '  {{realm}} = {\n' \
   '    admin_server = {{admin_server_host|default(kdc_host, True)}}\n' \
@@ -75,11 +73,11 @@ def get_manged_kdc_use_case():
 
   json_data['clusterHostInfo']['kdc_server_hosts'] = ['c6401.ambari.apache.org']
   json_data['configurations']['kerberos-env'] = {
-    'kdc_type': 'mit-kdc'
+    'kdc_type': 'mit-kdc',
+    'kdc_host': 'c6401.ambari.apache.org'
   }
   json_data['configurations']['krb5-conf'] = {
     'realm': 'MANAGED_REALM.COM',
-    'kdc_host': 'c6401.ambari.apache.org',
     'admin_principal': "admin/admin",
     'admin_password': "hadoop"
   }
@@ -94,6 +92,7 @@ def get_unmanged_kdc_use_case():
     json_data = json.load(f)
 
   json_data['configurations']['kerberos-env'] = {
+    'kdc_host': 'ad.oscorp_industries.com',
     'kdc_type': 'mit-kdc'
   }
   json_data['configurations']['krb5-conf'] = {
@@ -101,7 +100,6 @@ def get_unmanged_kdc_use_case():
     'conf_file': 'krb5_unmanaged.conf',
     'content': krb5_conf_template,
     'realm': 'OSCORPINDUSTRIES.COM',
-    'kdc_host': 'ad.oscorp_industries.com',
     'admin_principal': "admin/admin",
     'admin_password': "hadoop"
   }
@@ -125,12 +123,14 @@ def get_unmanged_krb5conf_use_case():
   json_data['configurations']['krb5-conf'] = {
     'realm': 'MANAGED_REALM.COM',
     'kdc_type': 'mit-kdc',
-    'kdc_host': 'c6401.ambari.apache.org',
     'admin_principal': "admin/admin",
     'admin_password': "hadoop",
     'manage_krb5_conf': "false"
   }
-  json_data['configurations']['kerberos-env'] = { 'encryption_types' : 'aes256-cts-hmac-sha1-96'}
+  json_data['configurations']['kerberos-env'] = {
+    'kdc_host': 'c6401.ambari.apache.org',
+    'encryption_types' : 'aes256-cts-hmac-sha1-96'
+  }
 
   return json_data
 
@@ -140,6 +140,7 @@ def get_unmanged_ad_use_case():
     json_data = json.load(f)
 
   json_data['configurations']['kerberos-env'] = {
+    'kdc_host': 'ad.oscorp_industries.com',
     'kdc_type': 'active-directory',
   }
   json_data['configurations']['krb5-conf'] = {
@@ -147,7 +148,6 @@ def get_unmanged_ad_use_case():
     'conf_file': 'krb5_ad.conf',
     'content': krb5_conf_template,
     'realm': 'OSCORPINDUSTRIES.COM',
-    'kdc_host': 'ad.oscorp_industries.com',
     'admin_principal': "admin/admin",
     'admin_password': "hadoop"
   }
@@ -173,12 +173,12 @@ def get_cross_realm_use_case():
 
   json_data['clusterHostInfo']['kdc_server_hosts'] = ['c6401.ambari.apache.org']
   json_data['configurations']['kerberos-env'] = {
+    'kdc_host': 'c6401.ambari.apache.org',
     'kdc_type': 'mit-kdc'
   }
   json_data['configurations']['krb5-conf'] = {
     'content': _krb5_conf_template,
     'realm': 'MANAGED_REALM.COM',
-    'kdc_host': 'c6401.ambari.apache.org',
     'admin_principal': "admin/admin",
     'admin_password': "hadoop"
   }

ambari-web/app/assets/data/wizard/stack/hdp/version2.0.1/KERBEROS.json

@@ -13,7 +13,7 @@
         "service_name" : "KERBEROS",
         "stack_name" : "HDP",
         "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
+        "type" : "kerberos-env.xml"
       }
     },
     {
@@ -79,7 +79,7 @@
         "property_description" : "The jinja template for the kdc.conf file",
         "property_name" : "content",
         "property_type" : [ ],
-        "property_value" : "\n      [kdcdefaults]\n        kdc_ports = {{kdcdefaults_kdc_ports}}\n        kdc_tcp_ports = {{kdcdefaults_kdc_tcp_ports}}\n\n      [realms]\n        {{realm}} = {\n          acl_file = {{kadm5_acl_path}}\n          dict_file = /usr/share/dict/words\n          admin_keytab = {{kadm5_acl_dir}}/kadm5.keytab\n          supported_enctypes = {{libdefaults_default_tgs_enctypes}}\n      }\n\n      {# Append additional realm declarations should be placed below #}\n    ",
+        "property_value" : "\n      [kdcdefaults]\n        kdc_ports = {{kdcdefaults_kdc_ports}}\n        kdc_tcp_ports = {{kdcdefaults_kdc_tcp_ports}}\n\n      [realms]\n        {{realm}} = {\n          acl_file = {{kadm5_acl_path}}\n          dict_file = /usr/share/dict/words\n          admin_keytab = {{kadm5_acl_dir}}/kadm5.keytab\n          supported_enctypes = {{encryption_types}}\n      }\n\n      {# Append additional realm declarations should be placed below #}\n    ",
         "service_name" : "KERBEROS",
         "stack_name" : "HDP",
         "stack_version" : "2.2",
@@ -93,7 +93,7 @@
         "property_description" : "The jinja template for the krb5.conf file",
         "property_name" : "content",
         "property_type" : [ ],
-        "property_value" : "\n[libdefaults]\n  renew_lifetime = {{libdefaults_renew_lifetime}}\n  forwardable = {{libdefaults_forwardable}}\n  default_realm = {{realm|upper()}}\n  ticket_lifetime = {{libdefaults_ticket_lifetime}}\n  dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n  dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains %}\n  {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default = {{logging_default}}\n{#\n# The following options are unused unless a managed KDC is installed\n  admin_server = {{logging_admin_server}}\n  kdc = {{logging_admin_kdc}}\n#}\n\n[realms]\n  {{realm}} = {\n    admin_server = {{admin_server_host|default(kdc_host, True)}}\n    kdc = {{kdc_host}}\n  }\n\n{# Append additional realm declarations should be placed below #}\n    ",
+        "property_value" : "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm|upper()}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains %}\n  {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n    admin_server = {{admin_server_host|default(kdc_host, True)}}\n    kdc = {{kdc_host}}\n  }\n\n{# Append additional realm declarations should be placed below #}\n    ",
         "service_name" : "KERBEROS",
         "stack_name" : "HDP",
         "stack_version" : "2.2",
@@ -125,7 +125,7 @@
         "service_name" : "KERBEROS",
         "stack_name" : "HDP",
         "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
+        "type" : "kerberos-env.xml"
       }
     },
     {
@@ -170,146 +170,6 @@
         "type" : "kdc-conf.xml"
       }
     },
-    {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/libdefaults_default_tgs_enctypes",
-      "StackConfigurations" : {
-        "final" : "false",
-        "property_description" : "\n      a space-delimited list of session key encryption types supported by the KDC or Active\n      Directory\n    ",
-        "property_name" : "libdefaults_default_tgs_enctypes",
-        "property_type" : [ ],
-        "property_value" : "\n      aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5\n      camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4\n    ",
-        "service_name" : "KERBEROS",
-        "stack_name" : "HDP",
-        "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
-      }
-    },
-    {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/libdefaults_default_tkt_enctypes",
-      "StackConfigurations" : {
-        "final" : "false",
-        "property_description" : "\n      a space-delimited list of session key encryption types supported by the KDC or Active\n      Directory\n    ",
-        "property_name" : "libdefaults_default_tkt_enctypes",
-        "property_type" : [ ],
-        "property_value" : "\n      aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5\n      camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4\n    ",
-        "service_name" : "KERBEROS",
-        "stack_name" : "HDP",
-        "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
-      }
-    },
-    {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/libdefaults_dns_lookup_kdc",
-      "StackConfigurations" : {
-        "final" : "false",
-        "property_description" : null,
-        "property_name" : "libdefaults_dns_lookup_kdc",
-        "property_type" : [ ],
-        "property_value" : "false",
-        "service_name" : "KERBEROS",
-        "stack_name" : "HDP",
-        "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
-      }
-    },
-    {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/libdefaults_dns_lookup_realm",
-      "StackConfigurations" : {
-        "final" : "false",
-        "property_description" : null,
-        "property_name" : "libdefaults_dns_lookup_realm",
-        "property_type" : [ ],
-        "property_value" : "false",
-        "service_name" : "KERBEROS",
-        "stack_name" : "HDP",
-        "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
-      }
-    },
-    {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/libdefaults_forwardable",
-      "StackConfigurations" : {
-        "final" : "false",
-        "property_description" : null,
-        "property_name" : "libdefaults_forwardable",
-        "property_type" : [ ],
-        "property_value" : "true",
-        "service_name" : "KERBEROS",
-        "stack_name" : "HDP",
-        "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
-      }
-    },
-    {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/libdefaults_renew_lifetime",
-      "StackConfigurations" : {
-        "final" : "false",
-        "property_description" : null,
-        "property_name" : "libdefaults_renew_lifetime",
-        "property_type" : [ ],
-        "property_value" : "7d",
-        "service_name" : "KERBEROS",
-        "stack_name" : "HDP",
-        "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
-      }
-    },
-    {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/libdefaults_ticket_lifetime",
-      "StackConfigurations" : {
-        "final" : "false",
-        "property_description" : null,
-        "property_name" : "libdefaults_ticket_lifetime",
-        "property_type" : [ ],
-        "property_value" : "24h",
-        "service_name" : "KERBEROS",
-        "stack_name" : "HDP",
-        "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
-      }
-    },
-    {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/logging_admin_server",
-      "StackConfigurations" : {
-        "final" : "false",
-        "property_description" : null,
-        "property_name" : "logging_admin_server",
-        "property_type" : [ ],
-        "property_value" : "FILE:/var/log/kadmind.log",
-        "service_name" : "KERBEROS",
-        "stack_name" : "HDP",
-        "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
-      }
-    },
-    {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/logging_default",
-      "StackConfigurations" : {
-        "final" : "false",
-        "property_description" : null,
-        "property_name" : "logging_default",
-        "property_type" : [ ],
-        "property_value" : "FILE:/var/log/krb5libs.log",
-        "service_name" : "KERBEROS",
-        "stack_name" : "HDP",
-        "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
-      }
-    },
-    {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/logging_kdc",
-      "StackConfigurations" : {
-        "final" : "false",
-        "property_description" : null,
-        "property_name" : "logging_kdc",
-        "property_type" : [ ],
-        "property_value" : "FILE:/var/log/krb5kdc.log",
-        "service_name" : "KERBEROS",
-        "stack_name" : "HDP",
-        "stack_version" : "2.2",
-        "type" : "krb5-conf.xml"
-      }
-    },
     {
       "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/realm",
       "StackConfigurations" : {

ambari-web/app/data/HDP2/site_properties.js

@@ -1888,7 +1888,7 @@ var hdp2properties = [
     "isRequiredByAgent": true,
     "displayType": "supportTextConnection",
     "serviceName": "KERBEROS",
-    "filename": "krb5-conf.xml",
+    "filename": "kerberos-env.xml",
     "category": "KDC",
     "index": 1
   },
@@ -1964,7 +1964,7 @@ var hdp2properties = [
     "isVisible": true,
     "isRequiredByAgent": true,
     "serviceName": "KERBEROS",
-    "filename": "krb5-conf.xml",
+    "filename": "kerberos-env.xml",
     "category": "Kadmin",
     "index": 0
   },
@@ -2037,36 +2037,6 @@ var hdp2properties = [
     "category": "Advanced krb5-conf",
     "index": 2
   },
-  {
-    "id": "puppet var",
-    "name": "libdefaults_default_tgs_enctypes",
-    "displayName": "libdefaults_default_tgs_enctypes",
-    "value": "",
-    "defaultValue": "",
-    "description": "",
-    "isOverridable": false,
-    "isVisible": true,
-    "isRequiredByAgent": true,
-    "isRequired": false,
-    "serviceName": "KERBEROS",
-    "filename": "krb5-conf.xml",
-    "category": "Advanced krb5-conf"
-  },
-  {
-    "id": "puppet var",
-    "name": "libdefaults_default_tkt_enctypes",
-    "displayName": "libdefaults_default_tkt_enctypes",
-    "value": "",
-    "defaultValue": "",
-    "description": "",
-    "isOverridable": false,
-    "isVisible": true,
-    "isRequiredByAgent": true,
-    "isRequired": false,
-    "serviceName": "KERBEROS",
-    "filename": "krb5-conf.xml",
-    "category": "Advanced krb5-conf"
-  },
 /********************************************* flume-agent *****************************/
   {
     "id": "site property",