2021 07 freeipa dep fix #40
@@ -23,12 +23,21 @@ | |||
ipaclient_servers: "{{ groups['krb5_server'] }}" | |||
when: "krb5_kdc_type == 'Red Hat IPA' and 'krb5_server' in groups" | |||
|
|||
- name: Set sssd to enumerate users and groups |
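Review bot: The "Set sssd to enumerate users and groups" task at the end of this hunk should be opt-in rather than unconditional; only its name line is visible here, with no variable or `when:` attached. SSSD enumeration downloads and caches every user and group in the domain, which is costly against a large directory. Suggest a boolean variable that defaults to off, plus the same `krb5_kdc_type == 'Red Hat IPA'` guard as the ipaclient step just above it if the task stays in this file.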
What happened to this SSSD bit? Not sure it should have been in freeipa.yml, but does it need to go somewhere else? Or have we just decided we don't want it?
It was being used by Ranger to get the users and groups. It's a tricky decision as there are some environments where this will cause a lot of problems (envs with lots of users and groups). The playbook already configures all of the LDAP user-sync properties for Ranger but it won't enable the LDAP resolver automatically as the unix shell resolver is required for the first run. It's a manual task to switch that post-deployment. It is definitely a trade-off that needs to be considered.
Could this be made optional or even configurable so that filters could be specified to optimize it for environments with lots of groups/users?
@@ -31,3 +32,12 @@ | |||
fail_msg: >- | |||
Unknown role(s) {{ invalid_roles }} for service '{{ template.service }}' | |||
defined in host template '{{ host_template.name }}'. | |||
|
|||
- name: Ensure the Tez gateway has been deployed |
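Review bot: The "Ensure the Tez gateway has been deployed" check that follows the unknown-role assertion should carry a `fail_msg` as specific as the one above it, which names `{{ template.service }}` and `{{ host_template.name }}`. Only the task name is visible here, so confirm the failure text tells the operator which host template is missing the gateway.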
This looks like a separate change? Please split out.
WIP, I need to add a validation step to ensure that TLS is only configured for cluster nodes.
Need to reconcile with PR in cloudera-deploy
Signed-off-by: William Dyson <wdyson@cloudera.com>
Basic tests completed, merging to devel and rolling into PvC update testing
This PR includes:
Note: This PR must be merged with the corresponding cloudera-deploy PR of the same name