AMBARI-13240. Kerberos: Allow multiple KDC hosts to be set while enabling Kerberos (rlevas)

ambari-server/src/main/java/org/apache/ambari/server/api/rest/KdcServerReachabilityCheck.java

@@ -45,26 +45,39 @@ public class KdcServerReachabilityCheck {
   private static KdcServerConnectionVerification kdcConnectionChecker;
 
 
-
   /**
-   * Handles: GET /kdc_check/{hostname}
-   * Checks the reachability of given KDC server
-   *
-   * @param headers             http headers
-   * @param ui                  uri info
-   * @param kdcServerHostName   HostName of KDC server. May contain port separate by a colon (:)
+   * Handles: GET /kdc_check/{hosts}
+   * Checks the reachability of the given KDC server(s). If a list of hosts is sent, checks will be
+   * performs until the first one succeeds, else a failure will be returned.
    *
+   * @param headers      http headers
+   * @param ui           uri info
+   * @param hosts A comma-delimited list of host names to check for a KDC server.
+   *                     Each entry may contain port separate by a colon (:)
    * @return status whether KDC server is reachable or not
    */
   @GET
-  @Path("{hostname}")
+  @Path("{hosts}")
   @Produces(MediaType.TEXT_PLAIN)
   public String plainTextCheck(@Context HttpHeaders headers, @Context UriInfo ui,
-      @PathParam("hostname") String kdcServerHostName) {
+                               @PathParam("hosts") String hosts) {
     String status = UNREACHABLE;
-    if (kdcConnectionChecker.isKdcReachable(kdcServerHostName)) {
-      status = REACHABLE;
-    }   	
+    if(hosts != null) {
+      String[] kdcHosts = hosts.split(",");
+      for(String kdcHost : kdcHosts) {
+        kdcHost = kdcHost.trim();
+
+        if (!kdcHost.isEmpty()) {
+          if (kdcConnectionChecker.isKdcReachable(kdcHost)) {
+            status = REACHABLE;
+
+            // We found a success, so break since we only care about at least one successful connection
+            break;
+          }
+        }
+      }
+    }
+
     return status;
   }
 

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java

@@ -158,7 +158,7 @@ public class BlueprintConfigurationProcessor {
     { new PasswordPropertyFilter(),
       new SimplePropertyNameExportFilter("tez.tez-ui.history-url.base", "tez-site"),
       new SimplePropertyNameExportFilter("admin_server_host", "kerberos-env"),
-      new SimplePropertyNameExportFilter("kdc_host", "kerberos-env"),
+      new SimplePropertyNameExportFilter("kdc_hosts", "kerberos-env"),
       new SimplePropertyNameExportFilter("realm", "kerberos-env"),
       new SimplePropertyNameExportFilter("kdc_type", "kerberos-env"),
       new SimplePropertyNameExportFilter("ldap-url", "kerberos-env"),

ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java

@@ -101,9 +101,9 @@ public abstract class KerberosOperationHandler {
   public final static String KERBEROS_ENV_ENCRYPTION_TYPES = "encryption_types";
 
   /**
-   * Kerberos-env configuration property name: kdc_host
+   * Kerberos-env configuration property name: kdc_hosts
    */
-  public final static String KERBEROS_ENV_KDC_HOST = "kdc_host";
+  public final static String KERBEROS_ENV_KDC_HOSTS = "kdc_hosts";
 
   /**
    * Kerberos-env configuration property name: admin_server_host

ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java

@@ -185,6 +185,7 @@ public class UpgradeCatalog240 extends AbstractUpgradeCatalog {
     updateAMSConfigs();
     updateClusterEnv();
     updateHostRoleCommandTableDML();
+    updateKerberosConfigs();
   }
 
   private void createSettingTable() throws SQLException {
@@ -1143,4 +1144,52 @@ public class UpgradeCatalog240 extends AbstractUpgradeCatalog {
           true);
     }
   }
+
+  /**
+   * Updates the Kerberos-related configurations for the clusters managed by this Ambari
+   * <p/>
+   * Performs the following updates:
+   * <ul>
+   * <li>Rename <code>kerberos-env/kdc_host</code> to
+   * <code>kerberos-env/kdc_hosts</li>
+   * <li>If krb5-conf/content was not changed from the original stack default, update it to the new
+   * stack default</li>
+   * </ul>
+   *
+   * @throws AmbariException if an error occurs while updating the configurations
+   */
+  protected void updateKerberosConfigs() throws AmbariException {
+    AmbariManagementController ambariManagementController = injector.getInstance(AmbariManagementController.class);
+    Clusters clusters = ambariManagementController.getClusters();
+    Map<String, Cluster> clusterMap = getCheckedClusterMap(clusters);
+
+    for (final Cluster cluster : clusterMap.values()) {
+      Config config;
+
+      config = cluster.getDesiredConfigByType("kerberos-env");
+      if (config != null) {
+        // Rename kdc_host to kdc_hosts
+        String value = config.getProperties().get("kdc_host");
+        Map<String, String> updates = Collections.singletonMap("kdc_hosts", value);
+        Set<String> removes = Collections.singleton("kdc_host");
+
+        updateConfigurationPropertiesForCluster(cluster, "kerberos-env", updates, removes, true, false);
+      }
+
+      config = cluster.getDesiredConfigByType("krb5-conf");
+      if (config != null) {
+        String value = config.getProperties().get("content");
+        String oldDefault = "\n[libdefaults]\n  renew_lifetime \u003d 7d\n  forwardable \u003d true\n  default_realm \u003d {{realm}}\n  ticket_lifetime \u003d 24h\n  dns_lookup_realm \u003d false\n  dns_lookup_kdc \u003d false\n  #default_tgs_enctypes \u003d {{encryption_types}}\n  #default_tkt_enctypes \u003d {{encryption_types}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(\u0027,\u0027) %}\n  {{domain|trim}} \u003d {{realm}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default \u003d FILE:/var/log/krb5kdc.log\n  admin_server \u003d FILE:/var/log/kadmind.log\n  kdc \u003d FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} \u003d {\n    admin_server \u003d {{admin_server_host|default(kdc_host, True)}}\n    kdc \u003d {{kdc_host}}\n  }\n\n{# Append additional realm declarations below #}";
+
+        // if the content is the same as the old stack default, update to the new stack default;
+        // else leave it alone since the user may have changed it for a reason.
+        if(oldDefault.equalsIgnoreCase(value)) {
+          String newDefault ="[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n  {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',')  -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{% for kdc_host in kdc_host_list %}\n    kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n  }\n\n{# Append additional realm declarations below #}";
+          Map<String, String> updates = Collections.singletonMap("content", newDefault);
+          updateConfigurationPropertiesForCluster(cluster, "krb5-conf", updates, null, true, false);
+        }
+      }
+    }
+  }
+
 }

ambari-server/src/main/java/org/apache/ambari/server/utils/StageUtils.java

@@ -152,8 +152,6 @@ public class StageUtils {
     componentToClusterInfoKeyMap.put("DATANODE", "slave_hosts");
     componentToClusterInfoKeyMap.put("TASKTRACKER", "mapred_tt_hosts");
     componentToClusterInfoKeyMap.put("HBASE_REGIONSERVER", "hbase_rs_hosts");
-    componentToClusterInfoKeyMap.put("KERBEROS_SERVER", "kdc_host");
-    componentToClusterInfoKeyMap.put("KERBEROS_ADMIN_CLIENT", "kerberos_adminclient_host");
     componentToClusterInfoKeyMap.put("ACCUMULO_MASTER", "accumulo_master_hosts");
     componentToClusterInfoKeyMap.put("ACCUMULO_MONITOR", "accumulo_monitor_hosts");
     componentToClusterInfoKeyMap.put("ACCUMULO_GC", "accumulo_gc_hosts");

ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml

@@ -133,11 +133,13 @@
   </property>
 
   <property require-input="true">
-    <name>kdc_host</name>
+    <name>kdc_hosts</name>
     <description>
-      The IP address or FQDN for the KDC host. Optionally a port number may be included.
+      A comma-delimited list of IP addresses or FQDNs declaring the KDC hosts.
+      Optionally a port number may be included in each entry by separating each host and port by a
+      colon (:). Example:  kdc1.example.com:88, kdc2.example.com:88
     </description>
-    <display-name>KDC host</display-name>
+    <display-name>KDC hosts</display-name>
     <value/>
     <value-attributes>
       <overridable>false</overridable>

ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/krb5-conf.xml

@@ -71,14 +71,12 @@
   dns_lookup_kdc = false
   #default_tgs_enctypes = {{encryption_types}}
   #default_tkt_enctypes = {{encryption_types}}
-
 {% if domains %}
 [domain_realm]
-{% for domain in domains.split(',') %}
-  {{domain}} = {{realm}}
-{% endfor %}
+{%- for domain in domains.split(',') %}
+  {{domain|trim()}} = {{realm}}
+{%- endfor %}
 {% endif %}
-
 [logging]
   default = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log
@@ -86,8 +84,17 @@
 
 [realms]
   {{realm}} = {
-    admin_server = {{admin_server_host|default(kdc_host, True)}}
-    kdc = {{kdc_host}}
+{%- if kdc_hosts > 0 -%}
+{%- set kdc_host_list = kdc_hosts.split(',')  -%}
+{%- if kdc_host_list and kdc_host_list|length > 0 %}
+    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
+{%- if kdc_host_list -%}
+{% for kdc_host in kdc_host_list %}
+    kdc = {{kdc_host|trim()}}
+{%- endfor -%}
+{% endif %}
+{%- endif %}
+{%- endif %}
   }
 
 {# Append additional realm declarations below #}

ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/params.py

@@ -101,7 +101,7 @@ if config is not None:
     # ##############################################################################################
     realm = 'EXAMPLE.COM'
     domains = ''
-    kdc_host = 'localhost'
+    kdc_hosts = 'localhost'
     admin_server_host = None
     admin_principal = None
     admin_password = None
@@ -122,7 +122,7 @@ if config is not None:
       manage_identities = get_property_value(kerberos_env, "manage_identities", "true", True, "true")
       encryption_types = get_property_value(kerberos_env, "encryption_types", None, True, None)
       realm = get_property_value(kerberos_env, "realm", None, True, None)
-      kdc_host = get_property_value(kerberos_env, 'kdc_host', kdc_host)
+      kdc_hosts = get_property_value(kerberos_env, 'kdc_hosts', kdc_hosts)
       admin_server_host = get_property_value(kerberos_env, 'admin_server_host', admin_server_host)
 
     if krb5_conf_data is not None:

ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/templates/krb5_conf.j2

@@ -18,20 +18,18 @@
 [libdefaults]
   renew_lifetime = 7d
   forwardable = true
-  default_realm = {{realm|upper()}}
+  default_realm = {{realm}}
   ticket_lifetime = 24h
   dns_lookup_realm = false
   dns_lookup_kdc = false
   #default_tgs_enctypes = {{encryption_types}}
   #default_tkt_enctypes = {{encryption_types}}
-
 {% if domains %}
 [domain_realm]
-{% for domain in domains.split(',') %}
-  {{domain}} = {{realm|upper()}}
-{% endfor %}
+{%- for domain in domains.split(',') %}
+  {{domain|trim()}} = {{realm}}
+{%- endfor %}
 {% endif %}
-
 [logging]
   default = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log
@@ -39,8 +37,17 @@
 
 [realms]
   {{realm}} = {
-    admin_server = {{admin_server_host|default(kdc_host, True)}}
-    kdc = {{kdc_host}}
+{%- if kdc_hosts > 0 -%}
+{%- set kdc_host_list = kdc_hosts.split(',')  -%}
+{%- if kdc_host_list and kdc_host_list|length > 0 %}
+    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
+{%- if kdc_host_list -%}
+{% for kdc_host in kdc_host_list %}
+    kdc = {{kdc_host|trim()}}
+{%- endfor -%}
+{% endif %}
+{%- endif %}
+{%- endif %}
   }
 
 {# Append additional realm declarations below #}

ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java

@@ -277,7 +277,7 @@ public class KerberosHelperTest extends EasyMockSupport {
 
     final Map<String, String> kerberosEnvProperties = createMock(Map.class);
     expect(kerberosEnvProperties.get("realm")).andReturn("EXAMPLE.COM").once();
-    expect(kerberosEnvProperties.get("kdc_host")).andReturn("10.0.100.1").once();
+    expect(kerberosEnvProperties.get("kdc_hosts")).andReturn("10.0.100.1").once();
 
     final Map<String, String> krb5ConfProperties = createMock(Map.class);
     expect(krb5ConfProperties.get("kadmin_host")).andReturn("10.0.100.1").once();

ambari-server/src/test/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessorTest.java

@@ -222,7 +222,7 @@ public class BlueprintConfigurationProcessorTest {
 
     Map<String, String> kerberosEnvProps = new HashMap<String, String>();
     kerberosEnvProps.put("admin_server_host", "test");
-    kerberosEnvProps.put("kdc_host", "test");
+    kerberosEnvProps.put("kdc_hosts", "test");
     kerberosEnvProps.put("realm", "test");
     kerberosEnvProps.put("kdc_type", "test");
     kerberosEnvProps.put("ldap-url", "test");
@@ -877,7 +877,7 @@ public class BlueprintConfigurationProcessorTest {
     // simulate the case of a Kerberized cluster, including config
     // added by the Kerberos service
     kerberosEnvProperties.put("admin_server_host", expectedHostName);
-    kerberosEnvProperties.put("kdc_host", expectedHostName);
+    kerberosEnvProperties.put("kdc_hosts", expectedHostName);
     coreSiteProperties.put("hadoop.proxyuser.yarn.hosts", expectedHostName);
 
     Configuration clusterConfig = new Configuration(configProperties,
@@ -904,8 +904,8 @@ public class BlueprintConfigurationProcessorTest {
     // verify that these properties are filtered out of the exported configuration
     assertFalse("admin_server_host should not be present in exported blueprint in kerberos-env",
       kerberosEnvProperties.containsKey("admin_server_host"));
-    assertFalse("kdc_host should not be present in exported blueprint in kerberos-env",
-      kerberosEnvProperties.containsKey("kdc_host"));
+    assertFalse("kdc_hosts should not be present in exported blueprint in kerberos-env",
+      kerberosEnvProperties.containsKey("kdc_hosts"));
     assertEquals("hadoop.proxyuser.yarn.hosts was not exported correctly",
       createExportedHostName("host_group_1"), coreSiteProperties.get("hadoop.proxyuser.yarn.hosts"));
   }

ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandlerTest.java

@@ -50,7 +50,7 @@ public class IPAKerberosOperationHandlerTest extends KerberosOperationHandlerTes
   private static final Map<String, String> KERBEROS_ENV_MAP = new HashMap<String, String>() {
     {
       put(IPAKerberosOperationHandler.KERBEROS_ENV_ENCRYPTION_TYPES, null);
-      put(IPAKerberosOperationHandler.KERBEROS_ENV_KDC_HOST, "localhost");
+      put(IPAKerberosOperationHandler.KERBEROS_ENV_KDC_HOSTS, "localhost");
       put(IPAKerberosOperationHandler.KERBEROS_ENV_ADMIN_SERVER_HOST, "localhost");
       put(IPAKerberosOperationHandler.KERBEROS_ENV_USER_PRINCIPAL_GROUP, "");
     }

ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandlerTest.java

@@ -58,7 +58,7 @@ public class MITKerberosOperationHandlerTest extends KerberosOperationHandlerTes
   private static final Map<String, String> KERBEROS_ENV_MAP = new HashMap<String, String>() {
     {
       put(MITKerberosOperationHandler.KERBEROS_ENV_ENCRYPTION_TYPES, null);
-      put(MITKerberosOperationHandler.KERBEROS_ENV_KDC_HOST, "localhost");
+      put(MITKerberosOperationHandler.KERBEROS_ENV_KDC_HOSTS, "localhost");
       put(MITKerberosOperationHandler.KERBEROS_ENV_ADMIN_SERVER_HOST, "localhost");
       put(MITKerberosOperationHandler.KERBEROS_ENV_AD_CREATE_ATTRIBUTES_TEMPLATE, "AD Create Template");
       put(MITKerberosOperationHandler.KERBEROS_ENV_KDC_CREATE_ATTRIBUTES, "-attr1 -attr2 foo=345");

ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java

@@ -42,6 +42,7 @@ import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -50,6 +51,7 @@ import javax.persistence.EntityManager;
 
 import com.google.common.collect.Maps;
 import com.google.gson.Gson;
+import com.google.inject.AbstractModule;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.actionmanager.ActionManager;
 import org.apache.ambari.server.api.services.AmbariMetaInfo;
@@ -357,6 +359,7 @@ public class UpgradeCatalog240Test {
     Method updateAmsConfigs = UpgradeCatalog240.class.getDeclaredMethod("updateAMSConfigs");
     Method updateClusterEnv = UpgradeCatalog240.class.getDeclaredMethod("updateClusterEnv");
     Method updateHostRoleCommandTableDML = UpgradeCatalog240.class.getDeclaredMethod("updateHostRoleCommandTableDML");
+    Method updateKerberosEnv = UpgradeCatalog240.class.getDeclaredMethod("updateKerberosConfigs");
 
     Capture<String> capturedStatements = newCapture(CaptureType.ALL);
 
@@ -372,6 +375,7 @@ public class UpgradeCatalog240Test {
             .addMockedMethod(updateAmsConfigs)
             .addMockedMethod(updateClusterEnv)
             .addMockedMethod(updateHostRoleCommandTableDML)
+            .addMockedMethod(updateKerberosEnv)
             .createMock();
 
     Field field = AbstractUpgradeCatalog.class.getDeclaredField("dbAccessor");
@@ -385,6 +389,7 @@ public class UpgradeCatalog240Test {
     upgradeCatalog240.updateAMSConfigs();
     upgradeCatalog240.updateClusterEnv();
     upgradeCatalog240.updateHostRoleCommandTableDML();
+    upgradeCatalog240.updateKerberosConfigs();
 
     replay(upgradeCatalog240, dbAccessor);
 
@@ -483,4 +488,284 @@ public class UpgradeCatalog240Test {
     Map<String, String> updatedProperties = propertiesCapture.getValue();
     assertTrue(Maps.difference(newPropertiesAmsHbaseEnv, updatedProperties).areEqual());
   }
+
+  @Test
+  public void testUpdateKerberosConfiguration() throws Exception {
+    final AmbariManagementController controller = createNiceMock(AmbariManagementController.class);
+    final DBAccessor dbAccessor = createNiceMock(DBAccessor.class);
+    final OsFamily osFamily = createNiceMock(OsFamily.class);
+
+    final Map<String, String> propertiesKerberosEnv = new HashMap<String, String>() {
+      {
+        put("realm", "EXAMPLE.COM");
+        put("encryption_types", "aes des3-cbc-sha1 rc4 des-cbc-md5");
+        put("kdc_host", "c6407.ambari.apache.org");
+        put("admin_server_host", "c6407.ambari.apache.org");
+        put("kdc_type", "mit-kdc");
+      }
+    };
+
+    final Map<String, String> propertiesKrb5Conf = new HashMap<String, String>() {
+      {
+        put("content", "\n" +
+            "[libdefaults]\n" +
+            "  renew_lifetime = 7d\n" +
+            "  forwardable = true\n" +
+            "  default_realm = {{realm}}\n" +
+            "  ticket_lifetime = 24h\n" +
+            "  dns_lookup_realm = false\n" +
+            "  dns_lookup_kdc = false\n" +
+            "  #default_tgs_enctypes = {{encryption_types}}\n" +
+            "  #default_tkt_enctypes = {{encryption_types}}\n" +
+            "\n" +
+            "{% if domains %}\n" +
+            "[domain_realm]\n" +
+            "{% for domain in domains.split(',') %}\n" +
+            "  {{domain|trim}} = {{realm}}\n" +
+            "{% endfor %}\n" +
+            "{% endif %}\n" +
+            "\n" +
+            "[logging]\n" +
+            "  default = FILE:/var/log/krb5kdc.log\n" +
+            "  admin_server = FILE:/var/log/kadmind.log\n" +
+            "  kdc = FILE:/var/log/krb5kdc.log\n" +
+            "\n" +
+            "[realms]\n" +
+            "  {{realm}} = {\n" +
+            "    admin_server = {{admin_server_host|default(kdc_host, True)}}\n" +
+            "    kdc = {{kdc_host}}\n" +
+            "  }\n" +
+            "\n" +
+            "{# Append additional realm declarations below #}");
+      }
+    };
+
+    final Config configKerberosEnv = createNiceMock(Config.class);
+    expect(configKerberosEnv.getProperties()).andReturn(propertiesKerberosEnv).anyTimes();
+    expect(configKerberosEnv.getTag()).andReturn("tag1").anyTimes();
+
+    final Config configKrb5Conf = createNiceMock(Config.class);
+    expect(configKrb5Conf.getProperties()).andReturn(propertiesKrb5Conf).anyTimes();
+    expect(configKrb5Conf.getTag()).andReturn("tag1").anyTimes();
+
+    final Cluster cluster = createNiceMock(Cluster.class);
+    expect(cluster.getDesiredConfigByType("kerberos-env")).andReturn(configKerberosEnv).once();
+    expect(cluster.getDesiredConfigByType("krb5-conf")).andReturn(configKrb5Conf).once();
+
+    final Clusters clusters = createNiceMock(Clusters.class);
+    expect(clusters.getClusters()).andReturn(Collections.singletonMap("c1", cluster));
+
+    expect(controller.getClusters()).andReturn(clusters).once();
+
+    expect(cluster.getConfigsByType("kerberos-env"))
+        .andReturn(Collections.singletonMap("tag1", configKerberosEnv))
+        .once();
+    expect(cluster.getConfigsByType("krb5-conf"))
+        .andReturn(Collections.singletonMap("tag1", configKerberosEnv))
+        .once();
+
+    expect(cluster.getDesiredConfigByType("kerberos-env"))
+        .andReturn(configKerberosEnv)
+        .once();
+    expect(cluster.getDesiredConfigByType("krb5-conf"))
+        .andReturn(configKerberosEnv)
+        .once();
+
+    Capture<Cluster> clusterCapture = newCapture(CaptureType.ALL);
+    Capture<String> typeCapture = newCapture(CaptureType.ALL);
+    Capture<Map> propertiesCapture = newCapture(CaptureType.ALL);
+    Capture<String> tagCapture = newCapture(CaptureType.ALL);
+    Capture<Map> attributesCapture = newCapture(CaptureType.ALL);
+
+
+    expect(controller.createConfig(capture(clusterCapture), capture(typeCapture),
+        capture(propertiesCapture), capture(tagCapture), capture(attributesCapture) ))
+        .andReturn(createNiceMock(Config.class))
+        .anyTimes();
+
+    replay(controller, dbAccessor, osFamily, cluster, configKerberosEnv, configKrb5Conf, clusters);
+
+    final Injector injector = Guice.createInjector(new AbstractModule() {
+      @Override
+      protected void configure() {
+        bind(AmbariManagementController.class).toInstance(controller);
+        bind(DBAccessor.class).toInstance(dbAccessor);
+        bind(OsFamily.class).toInstance(osFamily);
+        bind(EntityManager.class).toInstance(entityManager);
+      }
+    });
+
+    injector.getInstance(UpgradeCatalog240.class).updateKerberosConfigs();
+
+    verify(controller, dbAccessor, osFamily, cluster, configKerberosEnv, configKrb5Conf, clusters);
+
+    List<String> typeCaptureValues = typeCapture.getValues();
+    Assert.assertEquals(2, typeCaptureValues.size());
+    Assert.assertEquals("kerberos-env", typeCaptureValues.get(0));
+    Assert.assertEquals("krb5-conf", typeCaptureValues.get(1));
+
+    List<Map> propertiesCaptureValues = propertiesCapture.getValues();
+    Assert.assertEquals(2, propertiesCaptureValues.size());
+
+    Map<String, String> capturedCRProperties;
+
+    capturedCRProperties = propertiesCaptureValues.get(0);
+    Assert.assertNotNull(capturedCRProperties);
+    Assert.assertFalse(capturedCRProperties.containsKey("kdc_host"));
+    Assert.assertTrue(capturedCRProperties.containsKey("kdc_hosts"));
+
+    for (String property : propertiesKerberosEnv.keySet()) {
+      if ("kdc_host".equals(property)) {
+        Assert.assertEquals(property, propertiesKerberosEnv.get(property), capturedCRProperties.get("kdc_hosts"));
+      } else {
+        Assert.assertEquals(property, propertiesKerberosEnv.get(property), capturedCRProperties.get(property));
+      }
+    }
+
+    capturedCRProperties = propertiesCaptureValues.get(1);
+    Assert.assertNotNull(capturedCRProperties);
+    Assert.assertTrue(capturedCRProperties.containsKey("content"));
+
+    for (String property : propertiesKerberosEnv.keySet()) {
+      if ("content".equals(property)) {
+        Assert.assertEquals(property, "[libdefaults]\n" +
+            "  renew_lifetime = 7d\n" +
+            "  forwardable = true\n" +
+            "  default_realm = {{realm}}\n" +
+            "  ticket_lifetime = 24h\n" +
+            "  dns_lookup_realm = false\n" +
+            "  dns_lookup_kdc = false\n" +
+            "  #default_tgs_enctypes = {{encryption_types}}\n" +
+            "  #default_tkt_enctypes = {{encryption_types}}\n" +
+            "{% if domains %}\n" +
+            "[domain_realm]\n" +
+            "{%- for domain in domains.split(',') %}\n" +
+            "  {{domain|trim()}} = {{realm}}\n" +
+            "{%- endfor %}\n" +
+            "{% endif %}\n" +
+            "[logging]\n" +
+            "  default = FILE:/var/log/krb5kdc.log\n" +
+            "  admin_server = FILE:/var/log/kadmind.log\n" +
+            "  kdc = FILE:/var/log/krb5kdc.log\n" +
+            "\n" +
+            "[realms]\n" +
+            "  {{realm}} = {\n" +
+            "{%- if kdc_hosts > 0 -%}\n" +
+            "{%- set kdc_host_list = kdc_hosts.split(',')  -%}\n" +
+            "{%- if kdc_host_list and kdc_host_list|length > 0 %}\n" +
+            "    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n" +
+            "{%- if kdc_host_list -%}\n" +
+            "{% for kdc_host in kdc_host_list %}\n" +
+            "    kdc = {{kdc_host|trim()}}\n" +
+            "{%- endfor -%}\n" +
+            "{% endif %}\n" +
+            "{%- endif %}\n" +
+            "{%- endif %}\n" +
+            "  }\n" +
+            "\n" +
+            "{# Append additional realm declarations below #}", capturedCRProperties.get("content"));
+      } else {
+        Assert.assertEquals(property, propertiesKerberosEnv.get(property), capturedCRProperties.get(property));
+      }
+    }
+  }
+
+  @Test
+  public void testUpdateKerberosConfigurationWithChangedKrb5ConfContent() throws Exception {
+    final AmbariManagementController controller = createNiceMock(AmbariManagementController.class);
+    final DBAccessor dbAccessor = createNiceMock(DBAccessor.class);
+    final OsFamily osFamily = createNiceMock(OsFamily.class);
+
+    final Map<String, String> propertiesKerberosEnv = new HashMap<String, String>() {
+      {
+        put("realm", "EXAMPLE.COM");
+        put("encryption_types", "aes des3-cbc-sha1 rc4 des-cbc-md5");
+        put("kdc_host", "c6407.ambari.apache.org");
+        put("admin_server_host", "c6407.ambari.apache.org");
+        put("kdc_type", "mit-kdc");
+      }
+    };
+
+    final Map<String, String> propertiesKrb5Conf = new HashMap<String, String>() {
+      {
+        put("content", "CHANGED CONTENT");
+      }
+    };
+
+    final Config configKerberosEnv = createNiceMock(Config.class);
+    expect(configKerberosEnv.getProperties()).andReturn(propertiesKerberosEnv).anyTimes();
+    expect(configKerberosEnv.getTag()).andReturn("tag1").anyTimes();
+
+    final Config configKrb5Conf = createNiceMock(Config.class);
+    expect(configKrb5Conf.getProperties()).andReturn(propertiesKrb5Conf).anyTimes();
+    expect(configKrb5Conf.getTag()).andReturn("tag1").anyTimes();
+
+    final Cluster cluster = createNiceMock(Cluster.class);
+    expect(cluster.getDesiredConfigByType("kerberos-env")).andReturn(configKerberosEnv).once();
+    expect(cluster.getDesiredConfigByType("krb5-conf")).andReturn(configKrb5Conf).once();
+
+    final Clusters clusters = createNiceMock(Clusters.class);
+    expect(clusters.getClusters()).andReturn(Collections.singletonMap("c1", cluster));
+
+    expect(controller.getClusters()).andReturn(clusters).once();
+
+    expect(cluster.getConfigsByType("kerberos-env"))
+        .andReturn(Collections.singletonMap("tag1", configKerberosEnv))
+        .once();
+
+    expect(cluster.getDesiredConfigByType("kerberos-env"))
+        .andReturn(configKerberosEnv)
+        .once();
+
+    Capture<Cluster> clusterCapture = newCapture(CaptureType.ALL);
+    Capture<String> typeCapture = newCapture(CaptureType.ALL);
+    Capture<Map> propertiesCapture = newCapture(CaptureType.ALL);
+    Capture<String> tagCapture = newCapture(CaptureType.ALL);
+    Capture<Map> attributesCapture = newCapture(CaptureType.ALL);
+
+
+    expect(controller.createConfig(capture(clusterCapture), capture(typeCapture),
+        capture(propertiesCapture), capture(tagCapture), capture(attributesCapture)))
+        .andReturn(createNiceMock(Config.class))
+        .anyTimes();
+
+    replay(controller, dbAccessor, osFamily, cluster, configKerberosEnv, configKrb5Conf, clusters);
+
+    final Injector injector = Guice.createInjector(new AbstractModule() {
+      @Override
+      protected void configure() {
+        bind(AmbariManagementController.class).toInstance(controller);
+        bind(DBAccessor.class).toInstance(dbAccessor);
+        bind(OsFamily.class).toInstance(osFamily);
+        bind(EntityManager.class).toInstance(entityManager);
+      }
+    });
+
+    injector.getInstance(UpgradeCatalog240.class).updateKerberosConfigs();
+
+    verify(controller, dbAccessor, osFamily, cluster, configKerberosEnv, configKrb5Conf, clusters);
+
+    List<String> typeCaptureValues = typeCapture.getValues();
+    Assert.assertEquals(1, typeCaptureValues.size());
+    Assert.assertEquals("kerberos-env", typeCaptureValues.get(0));
+
+    List<Map> propertiesCaptureValues = propertiesCapture.getValues();
+    Assert.assertEquals(1, propertiesCaptureValues.size());
+
+    Map<String, String> capturedCRProperties;
+
+    capturedCRProperties = propertiesCaptureValues.get(0);
+    Assert.assertNotNull(capturedCRProperties);
+    Assert.assertFalse(capturedCRProperties.containsKey("kdc_host"));
+    Assert.assertTrue(capturedCRProperties.containsKey("kdc_hosts"));
+
+    for (String property : propertiesKerberosEnv.keySet()) {
+      if ("kdc_host".equals(property)) {
+        Assert.assertEquals(property, propertiesKerberosEnv.get(property), capturedCRProperties.get("kdc_hosts"));
+      } else {
+        Assert.assertEquals(property, propertiesKerberosEnv.get(property), capturedCRProperties.get(property));
+      }
+    }
+  }
 }
+

ambari-server/src/test/python/stacks/2.2/KERBEROS/test_kerberos_server.py

@@ -1,266 +0,0 @@
-"""
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-"""
-
-import os
-import use_cases
-
-from stacks.utils.RMFTestCase import *
-
-from only_for_platform import not_for_platform, PLATFORM_WINDOWS
-
-@not_for_platform(PLATFORM_WINDOWS)
-class TestKerberosServer(RMFTestCase):
-  COMMON_SERVICES_PACKAGE_DIR = "KERBEROS/1.10.3-10/package"
-  STACK_VERSION = "2.2"
-
-  def test_configure_managed_kdc(self):
-    json_data = use_cases.get_manged_kdc_use_case()
-
-    self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/kerberos_server.py",
-                       classname="KerberosServer",
-                       command="configure",
-                       config_dict=json_data,
-                       stack_version = self.STACK_VERSION,
-                       target = RMFTestCase.TARGET_COMMON_SERVICES
-    )
-
-    # Validate krb5.conf file
-    self.assertResourceCalled('Directory', use_cases.get_krb5_conf_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0755,
-                              create_parents = True)
-
-    file_path = (use_cases.get_krb5_conf_dir(json_data) +
-                 "/" +
-                 use_cases.get_krb5_conf_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=Template('krb5_conf.j2'),
-                              owner='root',
-                              group='root',
-                              mode=0644)
-
-    # Validate kdc.conf file
-    self.assertResourceCalled('Directory', use_cases.get_kdc_conf_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0700,
-                              create_parents = True)
-
-    file_path = (use_cases.get_kdc_conf_dir(json_data) +
-                 "/" +
-                 use_cases.get_kdc_conf_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=Template('kdc_conf.j2'),
-                              owner='root',
-                              group='root',
-                              mode=0600)
-
-    # Validate kadm5.acl file
-    self.assertResourceCalled('Directory', use_cases.get_kadm5_acl_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0700,
-                              create_parents = True)
-
-    file_path = (use_cases.get_kadm5_acl_dir(json_data) +
-                 "/" +
-                 use_cases.get_kadm5_acl_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=Template('kadm5_acl.j2'),
-                              owner='root',
-                              group='root',
-                              mode=0600)
-
-  def test_configure_unmanaged_kdc(self):
-    json_data = use_cases.get_unmanged_kdc_use_case()
-
-    self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/kerberos_server.py",
-                       classname="KerberosServer",
-                       command="configure",
-                       config_dict=json_data,
-                       stack_version = self.STACK_VERSION,
-                       target = RMFTestCase.TARGET_COMMON_SERVICES
-    )
-
-    # Validate krb5.conf file
-    self.assertResourceCalled('Directory', use_cases.get_krb5_conf_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0755,
-                              create_parents = True)
-
-    file_path = (use_cases.get_krb5_conf_dir(json_data) +
-                 "/" +
-                 use_cases.get_krb5_conf_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=InlineTemplate(use_cases.get_krb5_conf_template(json_data)),
-                              owner='root',
-                              group='root',
-                              mode=0644)
-
-    # Validate kdc.conf file
-    self.assertResourceCalled('Directory', use_cases.get_kdc_conf_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0700,
-                              create_parents = True)
-
-    file_path = (use_cases.get_kdc_conf_dir(json_data) +
-                 "/" +
-                 use_cases.get_kdc_conf_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=InlineTemplate(use_cases.get_kdc_conf_template(json_data)),
-                              owner='root',
-                              group='root',
-                              mode=0600)
-
-    # Validate kadm5.acl file
-    self.assertResourceCalled('Directory', use_cases.get_kadm5_acl_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0700,
-                              create_parents = True)
-
-    file_path = (use_cases.get_kadm5_acl_dir(json_data) +
-                 "/" +
-                 use_cases.get_kadm5_acl_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=InlineTemplate(use_cases.get_kadm5_acl_template(json_data)),
-                              owner='root',
-                              group='root',
-                              mode=0600)
-
-  def test_configure_unmanaged_ad(self):
-    json_data = use_cases.get_unmanged_ad_use_case()
-
-    self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/kerberos_server.py",
-                       classname="KerberosServer",
-                       command="configure",
-                       config_dict=json_data,
-                       stack_version = self.STACK_VERSION,
-                       target = RMFTestCase.TARGET_COMMON_SERVICES
-    )
-
-    # Validate krb5.conf file
-    self.assertResourceCalled('Directory', use_cases.get_krb5_conf_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0755,
-                              create_parents = True)
-
-    file_path = (use_cases.get_krb5_conf_dir(json_data) +
-                 "/" +
-                 use_cases.get_krb5_conf_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=InlineTemplate(use_cases.get_krb5_conf_template(json_data)),
-                              owner='root',
-                              group='root',
-                              mode=0644)
-
-    # Validate kdc.conf file
-    self.assertResourceCalled('Directory', use_cases.get_kdc_conf_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0700,
-                              create_parents = True)
-
-    file_path = (use_cases.get_kdc_conf_dir(json_data) +
-                 "/" +
-                 use_cases.get_kdc_conf_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=InlineTemplate(use_cases.get_kdc_conf_template(json_data)),
-                              owner='root',
-                              group='root',
-                              mode=0600)
-
-    # Validate kadm5.acl file
-    self.assertResourceCalled('Directory', use_cases.get_kadm5_acl_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0700,
-                              create_parents = True)
-
-    file_path = (use_cases.get_kadm5_acl_dir(json_data) +
-                 "/" +
-                 use_cases.get_kadm5_acl_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=InlineTemplate(use_cases.get_kadm5_acl_template(json_data)),
-                              owner='root',
-                              group='root',
-                              mode=0600)
-
-  def test_configure_cross_realm_trust(self):
-    json_data = use_cases.get_cross_realm_use_case()
-
-    self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/kerberos_server.py",
-                       classname="KerberosServer",
-                       command="configure",
-                       config_dict=json_data,
-                       stack_version = self.STACK_VERSION,
-                       target = RMFTestCase.TARGET_COMMON_SERVICES
-    )
-
-    # Validate krb5.conf file
-    self.assertResourceCalled('Directory', use_cases.get_krb5_conf_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0755,
-                              create_parents = True)
-
-    file_path = (use_cases.get_krb5_conf_dir(json_data) +
-                 "/" +
-                 use_cases.get_krb5_conf_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=InlineTemplate(use_cases.get_krb5_conf_template(json_data)),
-                              owner='root',
-                              group='root',
-                              mode=0644)
-
-    # Validate kdc.conf file
-    self.assertResourceCalled('Directory', use_cases.get_kdc_conf_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0700,
-                              create_parents = True)
-
-    file_path = (use_cases.get_kdc_conf_dir(json_data) +
-                 "/" +
-                 use_cases.get_kdc_conf_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=InlineTemplate(use_cases.get_kdc_conf_template(json_data)),
-                              owner='root',
-                              group='root',
-                              mode=0600)
-
-    # Validate kadm5.acl file
-    self.assertResourceCalled('Directory', use_cases.get_kadm5_acl_dir(json_data),
-                              owner='root',
-                              group='root',
-                              mode=0700,
-                              create_parents = True)
-
-    file_path = (use_cases.get_kadm5_acl_dir(json_data) +
-                 "/" +
-                 use_cases.get_kadm5_acl_file(json_data))
-    self.assertResourceCalled('File', file_path,
-                              content=InlineTemplate(use_cases.get_kadm5_acl_template(json_data)),
-                              owner='root',
-                              group='root',
-                              mode=0600)

ambari-server/src/test/python/stacks/2.2/KERBEROS/use_cases.py

@@ -23,18 +23,17 @@ krb5_conf_template = \
   '[libdefaults]\n' \
   '  renew_lifetime = 7d\n' \
   '  forwardable = true\n' \
-  '  realm = {{realm|upper()}}\n' \
+  '  realm = {{realm}}\n' \
   '  ticket_lifetime = 24h\n' \
   '  dns_lookup_realm = false\n' \
   '  dns_lookup_kdc = false\n' \
   '\n' \
   '{% if domains %}\n' \
   '[domain_realm]\n' \
-  '{% for domain in domains %}\n' \
-  '  {{domain}} = {{realm|upper()}}\n' \
-  '{% endfor %}\n' \
+  '{%- for domain in domains.split(\',\') %}\n' \
+  '  {{domain|trim()}} = {{realm}}\n' \
+  '{%- endfor %}\n' \
   '{% endif %}\n' \
-  '\n' \
   '[logging]\n' \
   '  default = FILE:/var/log/krb5kdc.log\n' \
   '  admin_server = FILE:/var/log/kadmind.log\n' \
@@ -42,9 +41,18 @@ krb5_conf_template = \
   '\n' \
   '[realms]\n' \
   '  {{realm}} = {\n' \
-  '    admin_server = {{admin_server_host|default(kdc_host, True)}}\n' \
-  '    kdc = {{kdc_host}}\n' \
-  '}\n' \
+  '{%- if kdc_hosts > 0 -%}\n' \
+  '{%- set kdc_host_list = kdc_hosts.split(\',\')  -%}\n' \
+  '{%- if kdc_host_list and kdc_host_list|length > 0 %}\n' \
+  '    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n' \
+  '{%- if kdc_host_list -%}\n' \
+  '{% for kdc_host in kdc_host_list %}\n' \
+  '    kdc = {{kdc_host|trim()}}\n' \
+  '{%- endfor -%}\n' \
+  '{% endif %}\n' \
+  '{%- endif %}\n' \
+  '{%- endif %}\n' \
+  '  }\n' \
   '\n' \
   '{# Append additional realm declarations should be placed below #}\n'
 
@@ -74,7 +82,7 @@ def get_manged_kdc_use_case():
   json_data['clusterHostInfo']['kdc_server_hosts'] = ['c6401.ambari.apache.org']
   json_data['configurations']['kerberos-env'] = {
     'kdc_type': 'mit-kdc',
-    'kdc_host': 'c6401.ambari.apache.org'
+    'kdc_hosts': 'c6401.ambari.apache.org, c6402.ambari.apache.org'
   }
   json_data['configurations']['krb5-conf'] = {
     'realm': 'MANAGED_REALM.COM',
@@ -92,7 +100,7 @@ def get_unmanged_kdc_use_case():
     json_data = json.load(f)
 
   json_data['configurations']['kerberos-env'] = {
-    'kdc_host': 'ad.oscorp_industries.com',
+    'kdc_hosts': 'c6401.ambari.apache.org, c6402.ambari.apache.org',
     'kdc_type': 'mit-kdc'
   }
   json_data['configurations']['krb5-conf'] = {
@@ -128,7 +136,7 @@ def get_unmanged_krb5conf_use_case():
     'manage_krb5_conf': "false"
   }
   json_data['configurations']['kerberos-env'] = {
-    'kdc_host': 'c6401.ambari.apache.org',
+    'kdc_hosts': 'c6401.ambari.apache.org, c6402.ambari.apache.org',
     'encryption_types' : 'aes256-cts-hmac-sha1-96'
   }
 
@@ -140,7 +148,7 @@ def get_unmanged_ad_use_case():
     json_data = json.load(f)
 
   json_data['configurations']['kerberos-env'] = {
-    'kdc_host': 'ad.oscorp_industries.com',
+    'kdc_hosts': 'c6401.ambari.apache.org, c6402.ambari.apache.org',
     'kdc_type': 'active-directory',
   }
   json_data['configurations']['krb5-conf'] = {
@@ -173,7 +181,7 @@ def get_cross_realm_use_case():
 
   json_data['clusterHostInfo']['kdc_server_hosts'] = ['c6401.ambari.apache.org']
   json_data['configurations']['kerberos-env'] = {
-    'kdc_host': 'c6401.ambari.apache.org',
+    'kdc_hosts': 'c6401.ambari.apache.org, c6402.ambari.apache.org',
     'kdc_type': 'mit-kdc'
   }
   json_data['configurations']['krb5-conf'] = {

ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade-hdfs-secure.json

@@ -169,7 +169,7 @@
         }, 
         "kerberos-env": {
             "kdc_type": "mit-kdc",
-            "kdc_host": "c6406.ambari.apache.org",
+            "kdc_hosts": "c6406.ambari.apache.org",
             "admin_server_host": "c6406.ambari.apache.org",
             "ldap_url": "",
             "ad_create_attributes_template": "\n{\n  \"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"],\n  \"cn\": \"$principal_name\",\n  #if( $is_service )\n  \"servicePrincipalName\": \"$principal_name\",\n  #end\n  \"userPrincipalName\": \"$normalized_principal\",\n  \"unicodePwd\": \"$password\",\n  \"accountExpires\": \"0\",\n  \"userAccountControl\": \"66048\"\n}\n    ",
@@ -1004,7 +1004,7 @@
         "krb5-conf": {
             "realm": "EXAMPLE.COM",
             "conf_dir": "/etc",
-            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm|upper()}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n  {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n    admin_server = {{admin_server_host|default(kdc_host, True)}}\n    kdc = {{kdc_host}}\n  }\n\n{# Append additional realm declarations below #}\n    ",
+            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n  {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',')  -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{% for kdc_host in kdc_host_list %}\n    kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n  }\n\n{# Append additional realm declarations below #}\n    ",
             "domains": ""
         },
         "yarn-log4j": {

ambari-server/src/test/python/stacks/2.2/configs/journalnode-upgrade.json

@@ -169,7 +169,7 @@
         }, 
         "kerberos-env": {
             "kdc_type": "mit-kdc",
-            "kdc_host": "c6406.ambari.apache.org",
+            "kdc_hosts": "c6406.ambari.apache.org",
             "admin_server_host": "c6406.ambari.apache.org",
             "ldap_url": "",
             "ad_create_attributes_template": "\n{\n  \"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"],\n  \"cn\": \"$principal_name\",\n  #if( $is_service )\n  \"servicePrincipalName\": \"$principal_name\",\n  #end\n  \"userPrincipalName\": \"$normalized_principal\",\n  \"unicodePwd\": \"$password\",\n  \"accountExpires\": \"0\",\n  \"userAccountControl\": \"66048\"\n}\n    ",
@@ -1004,7 +1004,7 @@
         "krb5-conf": {
             "realm": "EXAMPLE.COM",
             "conf_dir": "/etc",
-            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm|upper()}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n  {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n    admin_server = {{admin_server_host|default(kdc_host, True)}}\n    kdc = {{kdc_host}}\n  }\n\n{# Append additional realm declarations below #}\n    ",
+            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n  {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',')  -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{% for kdc_host in kdc_host_list %}\n    kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n  }\n\n{# Append additional realm declarations below #}\n    ",
             "domains": ""
         },
         "yarn-log4j": {

ambari-server/src/test/python/stacks/2.2/configs/pig-service-check-secure.json

@@ -146,7 +146,7 @@
             "ldap_url": "", 
             "encryption_types": "aes des3-cbc-sha1 rc4 des-cbc-md5", 
             "kdc_type": "mit-kdc",
-            "kdc_host": "c6401.ambari.apache.org",
+            "kdc_hosts": "c6401.ambari.apache.org",
             "admin_server_host": "c6401.ambari.apache.org"
         },
         "tez-site": {
@@ -285,7 +285,7 @@
         }, 
         "krb5-conf": {
             "conf_dir": "/etc",
-            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm|upper()}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n  {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n    admin_server = {{admin_server_host|default(kdc_host, True)}}\n    kdc = {{kdc_host}}\n  }\n\n{# Append additional realm declarations below #}\n    ",
+            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n  {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',')  -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{% for kdc_host in kdc_host_list %}\n    kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n  }\n\n{# Append additional realm declarations below #}\n    ",
             "domains": "",
             "manage_krb5_conf": "true"
         },

ambari-server/src/test/python/stacks/2.2/configs/ranger-admin-upgrade.json

@@ -161,7 +161,7 @@
         }, 
         "krb5-conf": {
             "conf_dir": "/etc",
-            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm|upper()}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n  {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n    admin_server = {{admin_server_host|default(kdc_host, True)}}\n    kdc = {{kdc_host}}\n  }\n\n{# Append additional realm declarations below #}\n    ",
+            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n  {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',')  -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{% for kdc_host in kdc_host_list %}\n    kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n  }\n\n{# Append additional realm declarations below #}\n    ",
             "domains": "",
             "manage_krb5_conf": "true"
         },
@@ -202,7 +202,7 @@
             "container_dn": "", 
             "ldap_url": "", 
             "encryption_types": "aes des3-cbc-sha1 rc4 des-cbc-md5",
-            "kdc_host": "c6407.ambari.apache.org",
+            "kdc_hosts": "c6407.ambari.apache.org",
             "admin_server_host": "c6407.ambari.apache.org",
             "kdc_type": "mit-kdc"
         }, 

ambari-server/src/test/python/stacks/2.2/configs/ranger-usersync-upgrade.json

@@ -156,7 +156,7 @@
         }, 
         "krb5-conf": {
             "conf_dir": "/etc",
-            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm|upper()}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n  {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n    admin_server = {{admin_server_host|default(kdc_host, True)}}\n    kdc = {{kdc_host}}\n  }\n\n{# Append additional realm declarations below #}\n    ",
+            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n  {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',')  -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{% for kdc_host in kdc_host_list %}\n    kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n  }\n\n{# Append additional realm declarations below #}\n    ",
             "domains": "",
             "manage_krb5_conf": "true"
         },
@@ -192,7 +192,7 @@
         }, 
         "kerberos-env": {
             "ad_create_attributes_template": "\n{\n  \"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"],\n  \"cn\": \"$principal_name\",\n  #if( $is_service )\n  \"servicePrincipalName\": \"$principal_name\",\n  #end\n  \"userPrincipalName\": \"$normalized_principal\",\n  \"unicodePwd\": \"$password\",\n  \"accountExpires\": \"0\",\n  \"userAccountControl\": \"66048\"\n}\n    ",
-            "kdc_host": "c6407.ambari.apache.org",
+            "kdc_hosts": "c6407.ambari.apache.org",
             "admin_server_host": "c6407.ambari.apache.org",
             "realm": "EXAMPLE.COM",
             "container_dn": "", 

ambari-server/src/test/python/stacks/2.3/configs/hbase_secure.json

@@ -138,7 +138,7 @@
             "security.client.protocol.acl": "*"
         }, 
         "kerberos-env": {
-            "kdc_host": "c6405.ambari.apache.org", 
+            "kdc_hosts": "c6405.ambari.apache.org",
             "ad_create_attributes_template": "\n{\n  \"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"],\n  \"cn\": \"$principal_name\",\n  #if( $is_service )\n  \"servicePrincipalName\": \"$principal_name\",\n  #end\n  \"userPrincipalName\": \"$normalized_principal\",\n  \"unicodePwd\": \"$password\",\n  \"accountExpires\": \"0\",\n  \"userAccountControl\": \"66048\"\n}\n    ",
             "realm": "EXAMPLE.COM", 
             "container_dn": "", 
@@ -435,7 +435,7 @@
         "krb5-conf": {
             "domains": "EXAMPLE.COM", 
             "manage_krb5_conf": "true", 
-            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm|upper()}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n  {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n    admin_server = {{admin_server_host|default(kdc_host, True)}}\n    kdc = {{kdc_host}}\n  }\n\n{# Append additional realm declarations below #}\n    ", 
+            "content": "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n  {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',')  -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{% for kdc_host in kdc_host_list %}\n    kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n  }\n\n{# Append additional realm declarations below #}\n    ",
             "conf_dir": "/etc"
         }, 
         "ldap-log4j": {

ambari-web/app/assets/data/stacks/HDP-2.2/configurations.json

@@ -9464,7 +9464,7 @@
             "property_description" : "Customizable krb5.conf template (Jinja template engine)",
             "property_name" : "content",
             "property_type" : [ ],
-            "property_value" : "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm|upper()}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n  {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n    admin_server = {{admin_server_host|default(kdc_host, True)}}\n    kdc = {{kdc_host}}\n  }\n\n{# Append additional realm declarations below #}\n    ",
+            "property_value" : "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n  {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',')  -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{% for kdc_host in kdc_host_list %}\n    kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n  }\n\n{# Append additional realm declarations below #}\n    ",
             "service_name" : "KERBEROS",
             "stack_name" : "HDP",
             "stack_version" : "2.2",
@@ -9514,11 +9514,11 @@
           }
         },
         {
-          "href" : "http://c6401:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/kdc_host",
+          "href" : "http://c6401:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/kdc_hosts",
           "StackConfigurations" : {
             "final" : "false",
-            "property_description" : "\n      The IP address or FQDN for the KDC host. Optionally a port number may be included.\n    ",
-            "property_name" : "kdc_host",
+            "property_description" : "\n            A comma-delimited list of IP addresses or FQDNs declaring the KDC hosts. Optionally a port number may be included in each entry by separating each host and port by a colon (:). Example:  kdc1.example.com:88, kdc2.example.com:88.\n",
+            "property_name" : "kdc_hosts",
             "property_type" : [ ],
             "property_value" : "",
             "service_name" : "KERBEROS",

ambari-web/app/assets/data/wizard/stack/hdp/version2.0.1/KERBEROS.json

@@ -93,7 +93,7 @@
         "property_description" : "The jinja template for the krb5.conf file",
         "property_name" : "content",
         "property_type" : [ ],
-        "property_value" : "\n[libdefaults]\n  renew_lifetime = {{libdefaults_renew_lifetime}}\n  forwardable = {{libdefaults_forwardable}}\n  default_realm = {{realm|upper()}}\n  ticket_lifetime = {{libdefaults_ticket_lifetime}}\n  dns_lookup_realm = {{libdefaults_dns_lookup_realm}}\n  dns_lookup_kdc = {{libdefaults_dns_lookup_kdc}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains %}\n  {{domain}} = {{realm|upper()}}\n{% endfor %}\n{% endif %}\n\n[logging]\n  default = {{logging_default}}\n{#\n# The following options are unused unless a managed KDC is installed\n  admin_server = {{logging_admin_server}}\n  kdc = {{logging_admin_kdc}}\n#}\n\n[realms]\n  {{realm}} = {\n    admin_server = {{admin_server_host|default(kdc_host, True)}}\n    kdc = {{kdc_host}}\n  }\n\n{# Append additional realm declarations should be placed below #}\n    ",
+        "property_value" : "\n[libdefaults]\n  renew_lifetime = 7d\n  forwardable = true\n  default_realm = {{realm}}\n  ticket_lifetime = 24h\n  dns_lookup_realm = false\n  dns_lookup_kdc = false\n  #default_tgs_enctypes = {{encryption_types}}\n  #default_tkt_enctypes = {{encryption_types}}\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n  {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n  default = FILE:/var/log/krb5kdc.log\n  admin_server = FILE:/var/log/kadmind.log\n  kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n  {{realm}} = {\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',')  -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{% for kdc_host in kdc_host_list %}\n    kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n  }\n\n{# Append additional realm declarations below #}\n    ",
         "service_name" : "KERBEROS",
         "stack_name" : "HDP",
         "stack_version" : "2.2",
@@ -115,11 +115,11 @@
       }
     },
     {
-      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/kdc_host",
+      "href" : "http://c6403.ambari.apache.org:8080/api/v1/stacks/HDP/versions/2.2/services/KERBEROS/configurations/kdc_hosts",
       "StackConfigurations" : {
         "final" : "false",
-        "property_description" : "\n      The IP address or FQDN of the KDC or Active Directory server, optionally a port number may be\n      provided\n    ",
-        "property_name" : "kdc_host",
+        "property_description" : "\n            A comma-delimited list of IP addresses or FQDNs declaring the KDC hosts. Optionally a port number may be included in each entry by separating each host and port by a colon (:). Example:  kdc1.example.com:88, kdc2.example.com:88\n    ",
+        "property_name" : "kdc_hosts",
         "property_type" : [ ],
         "property_value" : "",
         "service_name" : "KERBEROS",

ambari-web/app/controllers/main/admin/kerberos/step2_controller.js

@@ -211,7 +211,7 @@ App.KerberosWizardStep2Controller = App.WizardStep7Controller.extend(App.KDCCred
     var content = this.get('stepConfigs')[0].get('configs');
     var configs = content.filterProperty('filename', site + '.xml');
     // properties that should be formated as hosts
-    var hostProperties = ['kdc_host', 'realm'];
+    var hostProperties = ['kdc_hosts', 'realm'];
     configs.forEach(function (_configProperty) {
       // do not pass any globals whose name ends with _host or _hosts
       if (_configProperty.isRequiredByAgent !== false) {

ambari-web/app/controllers/main/admin/kerberos/step5_controller.js

@@ -123,15 +123,15 @@ App.KerberosWizardStep5Controller = App.KerberosProgressPageController.extend({
         filterObject = [
           {
             key: Em.I18n.t('admin.kerberos.wizard.step1.option.kdc'),
-            properties: ['kdc_type', 'kdc_host', 'realm', 'executable_search_paths']
+            properties: ['kdc_type', 'kdc_hosts', 'realm', 'executable_search_paths']
           },
           {
             key: Em.I18n.t('admin.kerberos.wizard.step1.option.ad'),
-            properties: ['kdc_type', 'kdc_host', 'realm', 'ldap_url', 'container_dn', 'executable_search_paths']
+            properties: ['kdc_type', 'kdc_hosts', 'realm', 'ldap_url', 'container_dn', 'executable_search_paths']
           },
           {
             key: Em.I18n.t('admin.kerberos.wizard.step1.option.ipa'),
-            properties: ['kdc_type', 'kdc_host', 'realm', 'executable_search_paths']
+            properties: ['kdc_type', 'kdc_hosts', 'realm', 'executable_search_paths']
           },
           {
             key: Em.I18n.t('admin.kerberos.wizard.step1.option.manual'),

ambari-web/app/controllers/main/service/info/configs.js

@@ -362,7 +362,7 @@ App.MainServiceInfoConfigsController = Em.Controller.extend(App.ConfigsLoader, A
     if (this.get('content.serviceName') === 'KERBEROS') {
       var kdc_type = configs.findProperty('name', 'kdc_type');
       if (kdc_type.get('value') === 'none') {
-        configs.findProperty('name', 'kdc_host').set('isVisible', false);
+        configs.findProperty('name', 'kdc_hosts').set('isVisible', false);
         configs.findProperty('name', 'admin_server_host').set('isVisible', false);
         configs.findProperty('name', 'domains').set('isVisible', false);
       } else if (kdc_type.get('value') === 'active-directory') {

ambari-web/app/data/HDP2/site_properties.js

@@ -1357,7 +1357,7 @@ var hdp2properties = [
     "index": 0
   },
   {
-    "name": "kdc_host",
+    "name": "kdc_hosts",
     "displayType": "supportTextConnection",
     "serviceName": "KERBEROS",
     "filename": "kerberos-env.xml",

ambari-web/app/messages.js

@@ -1165,7 +1165,7 @@ Em.I18n.translations = {
   'admin.kerberos.wizard.step5.moreInfoNonManual.body': 'Using the <b>Download CSV button</b>, you can download a csv file which contains a list of the principals and keytabs that will automatically be created by Ambari.',
   'admin.kerberos.wizard.step5.moreInfoManual.body': 'Important: Use the <b>Download CSV</b> button to obtain a list of the <b>required</b> principals and keytabs that are needed by Ambari to enable Kerberos in the cluster. <b>Do not proceed</b> until you have manually created and distributed the principals and keytabs to the cluster hosts.',
   'admin.kerberos.wizard.step5.kdc_type.label': 'KDC Type',
-  'admin.kerberos.wizard.step5.kdc_host.label': 'KDC Host',
+  'admin.kerberos.wizard.step5.kdc_hosts.label': 'KDC Hosts',
   'admin.kerberos.wizard.step5.realm.label': 'Realm Name',
   'admin.kerberos.wizard.step5.ldap_url.label': 'LDAP URL',
   'admin.kerberos.wizard.step5.container_dn.label': 'Container DN',

ambari-web/app/mixins/common/configs/toggle_isrequired.js

@@ -27,11 +27,11 @@ App.ToggleIsRequiredMixin = Em.Mixin.create({
     var excludeProperties = [
       {
         name: 'KERBEROS',                                                                // affected service
-        exclude: ['kdc_host', 'admin_server_host', 'admin_principal', 'admin_password'] // affected properties
+        exclude: ['kdc_hosts', 'admin_server_host', 'admin_principal', 'admin_password'] // affected properties
       },
       {
         name: 'KERBEROS_GENERAL',                                                                // affected service
-        exclude: ['kdc_host', 'admin_server_host', 'admin_principal', 'admin_password'] // affected properties
+        exclude: ['kdc_hosts', 'admin_server_host', 'admin_principal', 'admin_password'] // affected properties
       }
     ];
     var serviceName = serviceConfigs.get('serviceName'),

ambari-web/app/models/configs/objects/service_config_property.js

@@ -429,7 +429,7 @@ App.ServiceConfigProperty = Em.Object.extend({
           break;
         case 'supportTextConnection':
         case 'host':
-          var connectionProperties = ['kdc_host'];
+          var connectionProperties = ['kdc_hosts'];
           if ((validator.isNotTrimmed(value) && connectionProperties.contains(this.get('name')) || validator.isNotTrimmed(value))) {
             this.set('errorMessage', Em.I18n.t('host.trimspacesValidation'));
             isError = true;

ambari-web/app/views/common/controls_view.js

@@ -1014,7 +1014,7 @@ App.CheckDBConnectionView = Ember.View.extend({
     if (!/wizard/i.test(this.get('controller.name')) && this.get('parentView.service.serviceName') === 'HIVE') {
       return this.get('parentView.service.serviceName').toLowerCase() + '_hostname';
     } else if (this.get('parentView.service.serviceName') === 'KERBEROS') {
-      return 'kdc_host';
+      return 'kdc_hosts';
     } else if (this.get('parentView.service.serviceName') === 'RANGER') {
       return '{0}_{1}_host'.format(this.get('parentView.service.serviceName').toLowerCase(), this.get('databaseName').toLowerCase());
     }
@@ -1027,7 +1027,7 @@ App.CheckDBConnectionView = Ember.View.extend({
     var propertiesMap = {
       OOZIE: ['oozie.db.schema.name', 'oozie.service.JPAService.jdbc.username', 'oozie.service.JPAService.jdbc.password', 'oozie.service.JPAService.jdbc.driver', 'oozie.service.JPAService.jdbc.url'],
       HIVE: ['ambari.hive.db.schema.name', 'javax.jdo.option.ConnectionUserName', 'javax.jdo.option.ConnectionPassword', 'javax.jdo.option.ConnectionDriverName', 'javax.jdo.option.ConnectionURL'],
-      KERBEROS: ['kdc_host'],
+      KERBEROS: ['kdc_hosts'],
       RANGER: App.get('isHadoop23Stack') ? ['db_user', 'db_password', 'db_name', 'ranger.jpa.jdbc.url', 'ranger.jpa.jdbc.driver'] :
           ['db_user', 'db_password', 'db_name', 'ranger_jdbc_connection_url', 'ranger_jdbc_driver']
     };
@@ -1036,7 +1036,7 @@ App.CheckDBConnectionView = Ember.View.extend({
   /** @property {Object} propertiesPattern - check pattern according to type of connection properties **/
   propertiesPattern: function() {
     var patterns = {
-      db_connection_url: /jdbc\.url|connection_url|connectionurl|kdc_host/ig
+      db_connection_url: /jdbc\.url|connection_url|connectionurl|kdc_hosts/ig
     };
     if (this.get('parentView.service.serviceName') != "KERBEROS") {
       patterns.user_name = /(username|dblogin|db_user)$/ig;
@@ -1050,7 +1050,7 @@ App.CheckDBConnectionView = Ember.View.extend({
       'OOZIE': 'oozie_server_hosts',
       'HDFS': 'hadoop_host',
       'HIVE': 'hive_metastore_hosts',
-      'KERBEROS': 'kdc_host',
+      'KERBEROS': 'kdc_hosts',
       'RANGER': 'ranger_server_hosts'
     };
     return this.get('parentView.categoryConfigsAll').findProperty('name', serviceMasterMap[this.get('parentView.service.serviceName')]).get('value');

ambari-web/test/controllers/main/admin/kerberos/step2_controller_test.js

@@ -65,13 +65,13 @@ describe('App.KerberosWizardStep2Controller', function() {
         stepConfigs: [
           ['realm', ' SPACES ', 'host'],
           ['admin_server_host', ' space_left', 'host'],
-          ['kdc_host', ' space_left_and_right ', 'host'],
+          ['kdc_hosts', ' space_left_and_right ', 'host'],
           ['ldap_url', 'space_right ', 'host']
         ],
         e: {
           realm: 'SPACES',
           admin_server_host: 'space_left',
-          kdc_host: 'space_left_and_right',
+          kdc_hosts: 'space_left_and_right',
           ldap_url: 'space_right'
         }
       }

ambari-web/test/mixins/common/configs/toggle_isrequired_test.js

@@ -29,7 +29,7 @@ describe('#_overrideConfigIsRequired', function () {
     instanceObject = mixinObject.create({});
 
     configs = Em.A([
-      App.ServiceConfigProperty.create({ name: 'kdc_host', value: '', category: 'KDC', serviceName: 'KERBEROS', isRequired: true}),
+      App.ServiceConfigProperty.create({ name: 'kdc_hosts', value: '', category: 'KDC', serviceName: 'KERBEROS', isRequired: true}),
       App.ServiceConfigProperty.create({ name: 'admin_server_host', value: '', category: 'KDC', serviceName: 'KERBEROS', isRequired: true}),
       App.ServiceConfigProperty.create({ name: 'admin_principal', value: '', category: 'KDC', serviceName: 'KERBEROS', isRequired: true}),
       App.ServiceConfigProperty.create({ name: 'admin_password', value: '', category: 'KDC', serviceName: 'KERBEROS', isRequired: true})

ambari-web/test/views/common/controls_view_test.js

@@ -625,7 +625,7 @@ describe('App.CheckDBConnectionView', function () {
           value: 'h0'
         }),
         Em.Object.create({
-          name: 'kdc_host',
+          name: 'kdc_hosts',
           value: 'h1'
         }),
         Em.Object.create({