
AMBARI-11085. Kerberos: missing identities for AMS in the CSV (rlevas)

Robert Levas 10 years ago
parent
commit
db748e5554

+ 13 - 5
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java

@@ -2077,11 +2077,20 @@ public class KerberosHelper {
               }
 
               if (principal != null) {
+                KerberosKeytabDescriptor keytabDescriptor = identity.getKeytabDescriptor();
+                String keytabFile = null;
+
+                if (keytabDescriptor != null) {
+                  keytabFile = KerberosDescriptor.replaceVariables(keytabDescriptor.getFile(), configurations);
+                }
+
                 if (replaceHostNames) {
                   principal = principal.replace("_HOST", hostname);
                 }
 
-                if (!hostActiveIdentities.containsKey(principal)) {
+                String uniqueKey = String.format("%s|%s", principal, (keytabFile == null) ? "" : keytabFile);
+
+                if (!hostActiveIdentities.containsKey(uniqueKey)) {
                   KerberosPrincipalDescriptor resolvedPrincipalDescriptor =
                       new KerberosPrincipalDescriptor(principal,
                           principalDescriptor.getType(),
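Review bot: The dedup key built at `String uniqueKey = String.format("%s|%s", principal, ...)` covers only the principal and the resolved keytab path, so two identities that resolve to the same pair but differ in keytab owner, group or access are collapsed and the first one wins without any trace. Those fields decide who can read the keytab on the host, so a debug log when an identity is skipped would help, or at least a comment such as `// keyed by principal and keytab file; identities differing only in owner/group are treated as duplicates`. The body of `if (!hostActiveIdentities.containsKey(uniqueKey))` continues past the end of this hunk, so whether a skipped-identity branch already exists cannot be seen here.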
@@ -2090,13 +2099,12 @@ public class KerberosHelper {
 
                   KerberosKeytabDescriptor resolvedKeytabDescriptor;
 
-                  KerberosKeytabDescriptor keytabDescriptor = identity.getKeytabDescriptor();
-                  if (keytabDescriptor == null) {
+                  if (keytabFile == null) {
                     resolvedKeytabDescriptor = null;
                   } else {
                     resolvedKeytabDescriptor =
                         new KerberosKeytabDescriptor(
-                            KerberosDescriptor.replaceVariables(keytabDescriptor.getFile(), configurations),
+                            keytabFile,
                             KerberosDescriptor.replaceVariables(keytabDescriptor.getOwnerName(), configurations),
                             KerberosDescriptor.replaceVariables(keytabDescriptor.getOwnerAccess(), configurations),
                             KerberosDescriptor.replaceVariables(keytabDescriptor.getGroupName(), configurations),
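Review bot: The guard `if (keytabFile == null)` now stands in for the old `keytabDescriptor == null` check, and the else branch dereferences `keytabDescriptor` only on the strength of that implication. If `replaceVariables` can return null for a descriptor that has no file (not visible here), such an identity now silently loses its keytab descriptor along with its owner and group settings, where previously one was still built. Testing the descriptor itself keeps the old behaviour and makes the null-safety explicit: `if (keytabDescriptor == null) {`.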
@@ -2105,7 +2113,7 @@ public class KerberosHelper {
                             keytabDescriptor.isCachable());
                   }
 
-                  hostActiveIdentities.put(principal, new KerberosIdentityDescriptor(
+                  hostActiveIdentities.put(uniqueKey, new KerberosIdentityDescriptor(
                       identity.getName(),
                       resolvedPrincipalDescriptor,
                       resolvedKeytabDescriptor));
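Review bot: `hostActiveIdentities` is now keyed by `principal|keytabFile` instead of the principal, so any code that reads the map's keys as principal names, or looks entries up by principal, would silently miss. The map's declaration and its consumers are outside this hunk. If only the values are used, a comment at the declaration along the lines of `// key is an opaque dedup key (principal|keytab file), not a principal name` would prevent that mistake later.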

+ 2 - 2
ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json

@@ -80,13 +80,13 @@
             {
               "name": "ams_zookeeper",
               "principal": {
-                "value": "zookeeper/_HOST@${realm}",
+                "value": "amszk/_HOST@${realm}",
                 "type": "service",
                 "configuration": "ams-hbase-security-site/ams.zookeeper.principal",
                 "local_username": "${ams-env/ambari_metrics_user}"
               },
               "keytab": {
-                "file": "${keytab_dir}/zk.service.ams.keytab",
+                "file": "${keytab_dir}/ams-zk.service.keytab",
                 "owner": {
                   "name": "${ams-env/ambari_metrics_user}",
                   "access": "r"
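Review bot: Renaming the `ams_zookeeper` principal to `amszk/_HOST@${realm}` and its keytab to `${keytab_dir}/ams-zk.service.keytab` leaves nothing in this change that deals with clusters already Kerberized under the old values. On such hosts the previous `zk.service.ams.keytab`, holding keys for `zookeeper/_HOST`, would presumably stay on disk and remain readable by the metrics user until someone removes it. An upgrade note or cleanup step for the old keytab and principal is worth adding if that is not handled elsewhere.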

+ 7 - 7
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java

@@ -462,7 +462,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     validateIdentities(hostIdentities, new HashMap<String, Map<String, Object>>() {{
       put("identity1", new HashMap<String, Object>() {
         {
-          put("principal_name", "component1/host1@EXAMPLE.COM");
+          put("principal_name", "service1/host1@EXAMPLE.COM");
           put("principal_type", KerberosPrincipalType.SERVICE);
           put("principal_configuration", "service1-site/component1.kerberos.principal");
           put("principal_local_username", "service1");
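Review bot: None of the hunks in this test file adds a case for the behaviour the commit introduces, namely that two identities sharing a principal but using different keytab files both survive in the host's identity list. This hunk and the ones at lines 526, 564, 611, 712, 766 and 3049 only swap `component1/...` for `service1/...` in existing expectations and mocks. A test with two identities resolving to the same principal and distinct keytab paths, asserting both are returned, would pin the new key. A second test with an identical principal and path, asserting a single entry, would cover the dedup side.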
@@ -526,7 +526,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     validateIdentities(hostIdentities, new HashMap<String, Map<String, Object>>() {{
       put("identity1", new HashMap<String, Object>() {
         {
-          put("principal_name", "component1/host1@EXAMPLE.COM");
+          put("principal_name", "service1/host1@EXAMPLE.COM");
           put("principal_type", KerberosPrincipalType.SERVICE);
           put("principal_configuration", "service1-site/component1.kerberos.principal");
           put("principal_local_username", "service1");
@@ -564,7 +564,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     validateIdentities(hostIdentities, new HashMap<String, Map<String, Object>>() {{
       put("identity1", new HashMap<String, Object>() {
         {
-          put("principal_name", "component1/host2@EXAMPLE.COM");
+          put("principal_name", "service1/host2@EXAMPLE.COM");
           put("principal_type", KerberosPrincipalType.SERVICE);
           put("principal_configuration", "service1-site/component1.kerberos.principal");
           put("principal_local_username", "service1");
@@ -611,7 +611,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     validateIdentities(hostIdentities, new HashMap<String, Map<String, Object>>() {{
       put("identity1", new HashMap<String, Object>() {
         {
-          put("principal_name", "component1/host2@EXAMPLE.COM");
+          put("principal_name", "service1/host2@EXAMPLE.COM");
           put("principal_type", KerberosPrincipalType.SERVICE);
           put("principal_configuration", "service1-site/component1.kerberos.principal");
           put("principal_local_username", "service1");
@@ -712,7 +712,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     validateIdentities(hostIdentities, new HashMap<String, Map<String, Object>>() {{
       put("identity1", new HashMap<String, Object>() {
         {
-          put("principal_name", "component1/host1@EXAMPLE.COM");
+          put("principal_name", "service1/host1@EXAMPLE.COM");
           put("principal_type", KerberosPrincipalType.SERVICE);
           put("principal_configuration", "service1-site/component1.kerberos.principal");
           put("principal_local_username", "service1");
@@ -766,7 +766,7 @@ public class KerberosHelperTest extends EasyMockSupport {
     validateIdentities(hostIdentities, new HashMap<String, Map<String, Object>>() {{
       put("identity1", new HashMap<String, Object>() {
         {
-          put("principal_name", "component1/host2@EXAMPLE.COM");
+          put("principal_name", "service1/host2@EXAMPLE.COM");
           put("principal_type", KerberosPrincipalType.SERVICE);
           put("principal_configuration", "service1-site/component1.kerberos.principal");
           put("principal_local_username", "service1");
@@ -3049,7 +3049,7 @@ public class KerberosHelperTest extends EasyMockSupport {
         .anyTimes();
 
     final KerberosPrincipalDescriptor principalDescriptor1 = createMock(KerberosPrincipalDescriptor.class);
-    expect(principalDescriptor1.getValue()).andReturn("component1/_HOST@${realm}").anyTimes();
+    expect(principalDescriptor1.getValue()).andReturn("service1/_HOST@${realm}").anyTimes();
     expect(principalDescriptor1.getType()).andReturn(KerberosPrincipalType.SERVICE).anyTimes();
     expect(principalDescriptor1.getConfiguration()).andReturn("service1-site/component1.kerberos.principal").anyTimes();
     expect(principalDescriptor1.getLocalUsername()).andReturn("service1").anyTimes();