AMBARI-26277:Fix kerberos encryption error, Update Supported Encryption Types in Kerberos Configuration #3926
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
|
@JiaLiangC can you review this? |
JiaLiangC
approved these changes
Jan 14, 2025
JiaLiangC
added a commit
that referenced
this pull request
Feb 6, 2025
* AMBARI-26232 There will be failure when executing shell.py and wrong order of imports for WidgetResourceProvider.java (#3872) * There will be failure when executing shell.py * Wrong order of imports for WidgetResourceProvider.java * Fix issue of test failure * AMBARI-26234: ClusterNotFoundException in stage Confirm Hosts during deploying a cluster #3875 * AMBARI-26184: Resolve snakeyaml 1.12 CVE #3869 * AMBARI-26235: Unable to check firewalld status when setup ambari #3878 * AMBARI-26195: Ambari database page not wokring after JQ upgrade #3885 * AMBARI-26239: Fix OozieUtils (#3894) * AMBARI-26239: Fix OozieUtils * AMBARI-26205: Dropdown menu flex layout overflow #3895 * AMBARI-26236: The database password character type requirement is too few (#3883) * The database password character type requirement is too few * Add more special characters, and add UT for this case * Update test case * AMBARI-26240: Fix alter dispatcher (#3896) * AMBARI-26241: _threadlocal has no uid because it is always None #3898 * AMBARI-26243: refactor: convert .format() to f-strings #3899 * AMBARI-26244: convert .format() to f-strings for ambari-server #3901 * AMBARI-26245: refactor(ambari-agent): convert .format() to f-strings (#3902) * AMBARI-26249: Timeline Service v2 failed to start because of unable to create leveldb state store directory #3905 * AMBARI-26247: convert .format() to f-strings for ambari-contrib #3903 * Update the KEYS File * AMBARI-26253: Can't download all client configs (#3906) * AMBARI-26257: Create new Configuration Group now worked #3907 * AMBARI-26248: Timeline Service Reader failed to start if hbase is not installed #3904 * AMBARI-26147: Add Ruff integration to ambari (#3908) * add ruff check files * add formatted code * AMBARI-26251: tooltip display issue #3911 * AMBARI-26207: Metrics sortable not work #3912 * AMBARI-26255: fix can't add capacity-scheduler views (#3913) * AMBARI-26270: Add quicklink of hiveserver2 web ui #3918 * AMBARI-26142: JDK17 support for Ambari Co-authored-by: Mohammad Arshad <[email protected]> (#3851) * AMBARI-26204: Migrate RecommendationResourceProviderTest from EasyMoc… (#3860) * AMBARI-26204: Migrate RecommendationResourceProviderTest from EasyMock to Mockito * AMBARI-26203: Fix annotation processing issue in ConfigurationTest after JDK 17 upgrade (#3859) * AMBARI-26203: Fix testAllPropertiesHaveMarkdownDescriptions failed * AMBARI-26212: Fix checkstyle error (#3862) * Ambari-26211: Fix TaskActionScheduler test failed (#3861) * AMBARI-26211: Fix TaskActionScheduler test failed * AMBARI-26215: Fix BlueprintConfigurationProcessorTest and others (#3863) * AMBARI-26215: Fix BlueprintConfigurationProcessorTest and others * AMBARI-26220: Fix ConfigureClusterTaskTest Unexpected method calls: ClusterConfigurationRequest.getRequiredHostGroups() error (#3864) fix AsyncCallableServiceTest Unexpected method calls: Callable.call() error * AMBARI-26221: Fix StackAdvisorCommandTest error,remove unnecessary code. (#3865) * AMBARI-26222: Fix ClientConfigResourceProviderTest & PreUpgradeCheckResourceProviderTest& ExecutionSchedulerTest& AmbariProxiedUserDetailsServiceTest * AMBARI-26233: Fix ambari-env.sh after jdk upgrade (#3873) * fix ambari agent env after jdk upgrade * AMBARI-26238: Add Ambari Java Home configuration for JDK 17 in Ambari… (#3891) * AMBARI-26238: Add Ambari Java Home configuration for JDK 17 in Ambari server * AMBARI-26268: Remove default value for ambari-java-home in ambari-server.py to fix setup handling #3915 Co-authored-by: tongxiaojun <[email protected]> * AMBARI-26269: Fix regex pattern flag position in ambari_jinja2 filters #3917 * AMBARI-26269: Fix regex pattern flag position in ambari_jinja2 filters --------- Co-authored-by: tongxiaojun <[email protected]> * AMBARI-26249: Addendum, adjusting the location of creating directory code (#3920) * AMBARI-26271: Invalid parameter was provided when using shell.call in HostInfo.py #3919 * AMBARI-26273: Add Oceanbase Support to Ambari MySQL DDL #3921 Co-authored-by: tongxiaojun <[email protected]> * AMBARI-26275: NoClassesFoundToAnalyzeException when compiling ambari with jdk17 #3924 * AMBARI-25848 : Need to update org.codehaus.jackson:jackson-mapper-asl dependency (#3922) Issue: Need to update org.codehaus.jackson:jackson-mapper-asl dependency. Cause: the library has been moved to com.fasterxml.jackson.core » jackson-databind, hence to keep up with the newer versions need to update the library dependency. Changes made: to update the jackson-mapper-asl dependency to jackson-databind and the required library version upgrades Co-authored-by: Vishal Suvagia <[email protected]> * AMBARI-26276: fix hdfs web service check (#3925) * AMBARI-26277:fix kerberos encryption error (#3926) * AMBARI-26279: ambari-agent prints logs that netstat command not found #3928 * AMBARI-26286: refactor(ambari-ruff): convert .format() to f-strings #3927 AMBARI-26286: refactor(ambari-ruff): convert .format() to f-strings * AMBARI-26055: Add alluxio support (#3934) * add alluxio service Co-authored-by: jialiang <[email protected]> * fix license --------- Co-authored-by: jialiang <[email protected]> * AMBARI-26185: Upgrade commons-collections to resolve CVEs (#3936) --------- Co-authored-by: Peng Lu <[email protected]> Co-authored-by: Sandeep Kumar <[email protected]> Co-authored-by: zrain <[email protected]> Co-authored-by: coldless177 <[email protected]> Co-authored-by: jialiang <[email protected]> Co-authored-by: yaruyng <[email protected]> Co-authored-by: tongxiaojun <[email protected]> Co-authored-by: tongxiaojun <[email protected]> Co-authored-by: Vishal Suvagia <[email protected]> Co-authored-by: Vishal Suvagia <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This PR updates the supported encryption types in the Kerberos configuration to enhance security and align with modern encryption standards. The current configuration includes outdated and less secure encryption types, which are replaced with stronger and more widely supported encryption algorithms.
Changes:
kerberos-env.xmlfile in theambari/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/configuration/directory.Reason for Change:
des3-cbc-sha1,rc4, anddes-cbc-md5) are considered weak and vulnerable to attacks.aes256-cts-hmac-sha1-96andaes128-cts-hmac-sha1-96) are more secure and widely supported in modern Kerberos implementations.Impact:
ambari/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/configuration/kerberos-env.xml
ambari/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/properties/krb5_conf.j2
