2021 07 freeipa dep fix #40

Merged: 4 commits from 2021-07-freeipa-dep-fix into cloudera-labs:devel on Jul 15, 2022

Conversation

WillDyson (Contributor):

This PR includes:

  • Changes required for FreeIPA
  • Change to how CA certs are fetched to support FreeIPA
  • Updated TLS error message
  • Fixed error message when templates aren't correctly set
  • Removed invalid Ranger configs
  • Added a check for TEZ gateways when HIVE_ON_TEZ is used

Note: This PR must be merged with the corresponding cloudera-deploy PR of the same name

@@ -23,12 +23,21 @@
ipaclient_servers: "{{ groups['krb5_server'] }}"
when: "krb5_kdc_type == 'Red Hat IPA' and 'krb5_server' in groups"

- name: Set sssd to enumerate users and groups
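Review bot: the `when:` guard on `ipaclient_servers` only checks that a `krb5_server` group is declared, not that it has members, so an inventory with an empty `[krb5_server]` group templates `ipaclient_servers` to `[]` and the IPA client has no server to enrol against. Tighten it to `when: "krb5_kdc_type == 'Red Hat IPA' and groups['krb5_server'] | default([]) | length > 0"`, which also covers the undeclared case. Separately, the `Set sssd to enumerate users and groups` task sits at the edge of this hunk and the PR description does not say whether it was removed or relocated; since the review thread notes that Ranger's unix user-sync depends on enumeration for its first run, please state that in the description.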
Contributor:

What happened to this SSSD bit? Not sure it should have been in freeipa.yml, but does it need to go somewhere else? Or have we just decided we don't want it?

Contributor Author (WillDyson):

It was being used by Ranger to get the users and groups. It's a tricky decision as there are some environments where this will cause a lot of problems (envs with lots of users and groups). The playbook already configures all of the LDAP user-sync properties for Ranger but it won't enable the LDAP resolver automatically as the unix shell resolver is required for the first run. It's a manual task to switch that post-deployment. It is definitely a trade-off that needs to be considered.

Contributor:

Could this be made optional or even configurable so that filters could be specified to optimize it for environments with lots of groups/users?
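The enumeration trade-off discussed in the thread above, written as an opt-in with LDAP filters. This is an added example and not code from the PR or from the cloudera-labs playbooks; the variable names `sssd_enumerate`, `sssd_domain`, `sssd_user_search_filter` and `sssd_group_search_filter`, the inventory group `ranger_usersync_hosts`, and the `example.internal` domain with its `hadoop-users` group are all assumptions made for the example.

```yaml
# Added example (not from the cloudera-labs playbooks). Assumed variables:
#   sssd_enumerate            - opt-in; false leaves enumeration off
#   sssd_domain               - the [domain/<name>] section of sssd.conf
#   sssd_user_search_filter,
#   sssd_group_search_filter  - optional LDAP filters limiting what SSSD enumerates
- name: Make SSSD enumeration opt-in and filterable
  hosts: ranger_usersync_hosts          # assumed inventory group
  become: true
  vars:
    sssd_enumerate: true                # set false once Ranger uses the LDAP user-sync
    sssd_domain: example.internal       # constructed sample value
    # Constructed sample filters: only members of one IPA group are enumerated.
    sssd_user_search_filter: "(memberOf=cn=hadoop-users,cn=groups,cn=accounts,dc=example,dc=internal)"
    sssd_group_search_filter: "(cn=hadoop-*)"
    sssd_section: "domain/{{ sssd_domain }}"
  tasks:
    - name: Set enumerate according to sssd_enumerate
      community.general.ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ sssd_section }}"
        option: enumerate
        value: "{{ 'true' if sssd_enumerate else 'false' }}"
        mode: "0600"
      notify: restart sssd

    # SSSD search bases take the form base?scope?filter; the filter narrows the
    # user and group sets an enumerating lookup pulls from FreeIPA. An empty
    # filter removes the override so SSSD falls back to the domain default.
    - name: Limit enumerated users to the configured filter
      community.general.ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ sssd_section }}"
        option: ldap_user_search_base
        value: "cn=users,cn=accounts,dc=example,dc=internal?subtree?{{ sssd_user_search_filter }}"
        state: "{{ 'present' if sssd_user_search_filter | length > 0 else 'absent' }}"
        mode: "0600"
      notify: restart sssd

    - name: Limit enumerated groups to the configured filter
      community.general.ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ sssd_section }}"
        option: ldap_group_search_base
        value: "cn=groups,cn=accounts,dc=example,dc=internal?subtree?{{ sssd_group_search_filter }}"
        state: "{{ 'present' if sssd_group_search_filter | length > 0 else 'absent' }}"
        mode: "0600"
      notify: restart sssd

  handlers:
    - name: restart sssd
      ansible.builtin.service:
        name: sssd
        state: restarted
```

The play-level `vars` are there so the example runs as written; in a real role they belong in `defaults/` so inventory can override them. Because Ranger's unix user-sync resolves users through NSS, the first run needs `sssd_enumerate: true`; after switching Ranger to the LDAP user-sync, re-run with `sssd_enumerate: false` so large directories are no longer enumerated on every host.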

@@ -31,3 +32,12 @@
fail_msg: >-
Unknown role(s) {{ invalid_roles }} for service '{{ template.service }}'
defined in host template '{{ host_template.name }}'.

- name: Ensure the Tez gateway has been deployed
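Review bot: the Tez gateway assertion is unrelated to the FreeIPA dependency fix and to the `fail_msg` template just above it, so it belongs in its own PR, or at least its own commit, so the FreeIPA change can be reviewed and reverted on its own. While it is here, give its failure message the same shape as `Unknown role(s) {{ invalid_roles }} for service '{{ template.service }}' defined in host template '{{ host_template.name }}'`, naming the host template that carries HIVE_ON_TEZ without a Tez gateway, so the operator knows which template to fix.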
Contributor:

This looks like a separate change? Please split out.
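One shape the Tez gateway check could take, as an added example that is not the PR's own task: the `host_templates` list and its `SERVICE:ROLE` naming are assumptions chosen for the example, and the sample templates are constructed so that the second one fails the check.

```yaml
# Added example (not the PR's own validation). Assumed input shape:
#   host_templates:
#     - name: <template name>
#       roles: ["SERVICE:ROLE", ...]
- name: Ensure a Tez gateway exists wherever HIVE_ON_TEZ is deployed
  hosts: localhost
  gather_facts: false
  vars:
    host_templates:                      # constructed sample input
      - name: Master1
        roles: ["HIVE_ON_TEZ:HIVESERVER2", "TEZ:GATEWAY"]
      - name: Worker                     # deliberately missing TEZ:GATEWAY
        roles: ["HIVE_ON_TEZ:HIVESERVER2"]
  tasks:
    # A template passes if it has no HIVE_ON_TEZ role at all, or if it also
    # carries the Tez gateway; anything else is reported by template name.
    - name: Fail on any host template using HIVE_ON_TEZ without a TEZ gateway
      ansible.builtin.assert:
        that:
          - >-
            item.roles | select('match', '^HIVE_ON_TEZ:') | list | length == 0
            or 'TEZ:GATEWAY' in item.roles
        fail_msg: >-
          Host template '{{ item.name }}' deploys HIVE_ON_TEZ roles but has no
          Tez gateway; add 'TEZ:GATEWAY' to the template.
      loop: "{{ host_templates }}"
      loop_control:
        label: "{{ item.name }}"
```

Running it against the constructed input passes for `Master1` and fails for `Worker` with the message naming that template, which is the behaviour the bundled check should have before it is split out.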

@WillDyson (Contributor Author):

WIP, I need to add a validation step to ensure that TLS is only configured for cluster nodes.

@WillDyson force-pushed the 2021-07-freeipa-dep-fix branch from 73b3ffe to 9879761 on December 8, 2021 10:58
@WillDyson force-pushed the 2021-07-freeipa-dep-fix branch from 89f1f5f to 88f049e on February 10, 2022 18:22
wmudge previously approved these changes on Jul 14, 2022
@wmudge dismissed their stale review on July 14, 2022 17:32:

Need to reconcile with PR in cloudera-deploy

@wmudge added the label "enhancement" (New feature or request) on Jul 14, 2022
@WillDyson force-pushed the 2021-07-freeipa-dep-fix branch from 48848b2 to e096314 on July 15, 2022 09:26
William Dyson added 4 commits July 15, 2022 10:44
Signed-off-by: William Dyson <wdyson@cloudera.com>
Signed-off-by: William Dyson <wdyson@cloudera.com>
Signed-off-by: William Dyson <wdyson@cloudera.com>
Signed-off-by: William Dyson <wdyson@cloudera.com>
@WillDyson force-pushed the 2021-07-freeipa-dep-fix branch from e096314 to 9d69201 on July 15, 2022 09:45

@Chaffelson (Collaborator) left a comment:

Basic tests completed, merging to devel and rolling into PvC update testing

@Chaffelson Chaffelson merged commit 78de09a into cloudera-labs:devel Jul 15, 2022
Labels: enhancement (New feature or request)

5 participants