Skip to content

2021 07 freeipa dep fix #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 15, 2022
Merged

2021 07 freeipa dep fix #40

merged 4 commits into from
Jul 15, 2022

Conversation

@WillDyson
Copy link
Contributor

This PR includes:

  • Changes required for FreeIPA
  • Change to how CA certs are fetched to support FreeIPA
  • Updated TLS error message
  • Fixed error message when templates aren't correctly set
  • Removed invalid Ranger configs
  • Added a check for TEZ gateways when HIVE_ON_TEZ is used

Note: This PR must be merged with the corresponding cloudera-deploy PR of the same name

@WillDyson WillDyson force-pushed the 2021-07-freeipa-dep-fix branch from 6bfad54 to 73b3ffe Compare November 23, 2021 16:06
@wmudge wmudge mentioned this pull request Nov 23, 2021
Merged
tmgstevens
tmgstevens reviewed Nov 24, 2021
View reviewed changes
roles/infrastructure/krb5_client/tasks/freeipa.yml
ipaclient_servers: "{{ groups['krb5_server'] }}"
when: "krb5_kdc_type == 'Red Hat IPA' and 'krb5_server' in groups"

- name: Set sssd to enumerate users and groups
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happened to this SSSD bit? Not sure it should have been in freeipa.yml, but does it need to go somewhere else? Or have we just decided we don't want it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was being used by Ranger to get the users and groups. It's a tricky decision as there are some environments where this will cause a lot of problems (envs with lots of users and groups). The playbook already configures all of the LDAP user-sync properties for Ranger but it won't enable the LDAP resolver automatically as the unix shell resolver is required for the first run. It's a manual task to switch that post-deployment. It is definitely a trade-off that needs to be considered.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could this be made optional or even configurable so that filters could be specified to optimize it for environments with lots of groups/users?

roles/verify/parcels_and_roles/tasks/check_template_roles.yml
Unknown role(s) {{ invalid_roles }} for service '{{ template.service }}'
defined in host template '{{ host_template.name }}'.
- name: Ensure the Tez gateway has been deployed
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a separate change? Please split out.

@WillDyson
Copy link
Contributor Author

WIP, I need to add a validation step to ensure that TLS is only configured for cluster nodes.

@WillDyson WillDyson force-pushed the 2021-07-freeipa-dep-fix branch from 73b3ffe to 9879761 Compare December 8, 2021 10:58
@WillDyson WillDyson force-pushed the 2021-07-freeipa-dep-fix branch from 89f1f5f to 88f049e Compare February 10, 2022 18:22
wmudge
wmudge previously approved these changes Jul 14, 2022
View reviewed changes
@wmudge wmudge dismissed their stale review July 14, 2022 17:32

Need to reconcile with PR in cloudera-deploy

@wmudge wmudge added the enhancement MINOR - New feature or enhancement entry in the CHANGELOG label Jul 14, 2022
@WillDyson WillDyson force-pushed the 2021-07-freeipa-dep-fix branch from 48848b2 to e096314 Compare July 15, 2022 09:26
@WillDyson WillDyson force-pushed the 2021-07-freeipa-dep-fix branch from e096314 to 9d69201 Compare July 15, 2022 09:45
Chaffelson
Chaffelson approved these changes Jul 15, 2022
View reviewed changes
Copy link
Contributor

@Chaffelson Chaffelson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Basic tests completed, merging to devel and rolling into PvC update testing

@Chaffelson Chaffelson merged commit 78de09a into cloudera-labs:devel Jul 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asdaraujo asdaraujo Awaiting requested review from asdaraujo

@wmudge wmudge Awaiting requested review from wmudge

2 more reviewers

@tmgstevens tmgstevens tmgstevens left review comments

@Chaffelson Chaffelson Chaffelson approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

enhancement MINOR - New feature or enhancement entry in the CHANGELOG

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@WillDyson @wmudge @asdaraujo @tmgstevens @Chaffelson