Kerberos 客户端模板渲染异常处理源码修改
# 一、问题背景
在 Ambari 部署 Kerberos 的过程中,部分版本可能在生成 krb5.conf
时出现模板渲染异常,导致配置文件内容缺失或不完整。
问题根源来自 krb5_conf.j2 模板缩进与 Jinja2 渲染指令不规范。
# 二、异常表现与截图

# 三、问题模板(原始版本)
下方为 Ambari 原始模板 krb5_conf.j2(位于 ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/properties/),可看到大量 {%- 与 -%} 控制符混用、空格不统一,容易造成渲染出错。
注意:本页此处展示的清单中并未出现 {%- 与 -%},其内容与第四节的修正版逐行一致;原始写法请以第五节 diff 中以 - 开头的行为准。
{#
# Licensed to the Apache Software Foundation (ASF)...
#}
{#
  Kerberos client configuration (krb5.conf) template. Jinja2 fills in realm,
  domains, force_tcp, master_kdc, kdc_hosts and admin_server_host.
  NOTE(review): apart from trim(), values are written into the file as given; a
  realm or host value containing a newline or a brace would change the structure
  of the rendered file. Presumably validated before rendering - confirm.
#}
[libdefaults]
#renew_lifetime = 7d
forwardable = true
default_realm = {{ realm }}
ticket_lifetime = 24h
{# Both DNS lookups are off, so the realm mapping and KDC addresses have to come from the sections rendered below. #}
dns_lookup_realm = false
dns_lookup_kdc = false
{# %{uid} is not Jinja2 syntax and reaches the output unchanged; presumably expanded by the Kerberos library at run time. #}
default_ccache_name = /tmp/krb5cc_%{uid}
{# The leading # comments these two lines out only in the rendered file; Jinja2 still evaluates encryption_types here. #}
#default_tgs_enctypes = {{ encryption_types }}
#default_tkt_enctypes = {{ encryption_types }}
{% if force_tcp %}
udp_preference_limit = 1
{% endif %}
{# domains is a comma-separated string; one "domain = realm" line is written per entry, trimmed at output. #}
{% if domains %}
[domain_realm]
{% for domain in domains.split(',') %}
{{ domain|trim() }} = {{ realm }}
{% endfor %}
{% endif %}
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
{{ realm }} = {
{% if master_kdc %}
master_kdc = {{ master_kdc|trim() }}
{% endif %}
{# kdc_hosts falls back to '' when undefined or falsy, then is trimmed; an empty result skips the admin_server and kdc lines entirely. #}
{% set _kdc_hosts = kdc_hosts|default('', true)|trim() %}
{% if _kdc_hosts %}
{# The list keeps the raw pieces of the split; entries are trimmed only where they are printed. #}
{% set kdc_host_list = _kdc_hosts.split(',') %}
{% if kdc_host_list and kdc_host_list|length > 0 %}
{#
  admin_server uses admin_server_host when it is set and non-empty, otherwise the first list entry.
  NOTE(review): the first entry is not checked for emptiness, so a kdc_hosts value that starts with
  a comma would render an empty admin_server.
#}
admin_server = {{ admin_server_host|default(kdc_host_list[0]|trim(), True) }}
{# This test repeats the enclosing condition. #}
{% if kdc_host_list %}
{#
  master_kdc is listed first when it is not already among the hosts.
  NOTE(review): the membership test compares the untrimmed master_kdc with untrimmed entries, so
  surrounding whitespace in kdc_hosts can make master_kdc appear twice as a kdc line.
#}
{% if master_kdc and (master_kdc not in kdc_host_list) %}
kdc = {{ master_kdc|trim() }}
{% endif %}
{# Entries that are empty after trimming are skipped. #}
{% for kdc_host in kdc_host_list %}
{% if kdc_host|trim() %}
kdc = {{ kdc_host|trim() }}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
{% endif %}
}
{# Append additional realm declarations below #}
问题分析
模板中控制语句缺少统一缩进和空格对齐,导致:
- 变量 realm、kdc_host_list 等未正常渲染;
- 部分 for 循环提前结束;
- 生成文件中 [realms] 段缺少 admin_server 与 kdc 字段。
# 四、修正版模板(推荐方案)
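该版本通过调整空格、控制符与循环嵌套层级,彻底修复模板渲染异常。从第五节的 diff 还可以看到,除空白控制符外,修正版把原来的 `{%- if kdc_hosts > 0 -%}`(字符串与整数比较,在 Python 3 环境下通常会抛出类型错误)改为先对 kdc_hosts 取默认值并 trim、再判断是否非空,并在循环中跳过 trim 后为空的 kdc_host 项;排查同类问题时建议一并关注这一条件。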
{#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#}
{#
  Kerberos client configuration (krb5.conf) template. Jinja2 fills in realm,
  domains, force_tcp, master_kdc, kdc_hosts and admin_server_host.
  NOTE(review): apart from trim(), values are written into the file as given; a
  realm or host value containing a newline or a brace would change the structure
  of the rendered file. Presumably validated before rendering - confirm.
#}
[libdefaults]
#renew_lifetime = 7d
forwardable = true
default_realm = {{ realm }}
ticket_lifetime = 24h
{# Both DNS lookups are off, so the realm mapping and KDC addresses have to come from the sections rendered below. #}
dns_lookup_realm = false
dns_lookup_kdc = false
{# %{uid} is not Jinja2 syntax and reaches the output unchanged; presumably expanded by the Kerberos library at run time. #}
default_ccache_name = /tmp/krb5cc_%{uid}
{# The leading # comments these two lines out only in the rendered file; Jinja2 still evaluates encryption_types here. #}
#default_tgs_enctypes = {{ encryption_types }}
#default_tkt_enctypes = {{ encryption_types }}
{% if force_tcp %}
udp_preference_limit = 1
{% endif %}
{# domains is a comma-separated string; one "domain = realm" line is written per entry, trimmed at output. #}
{% if domains %}
[domain_realm]
{% for domain in domains.split(',') %}
{{ domain|trim() }} = {{ realm }}
{% endfor %}
{% endif %}
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
{{ realm }} = {
{% if master_kdc %}
master_kdc = {{ master_kdc|trim() }}
{% endif %}
{# kdc_hosts falls back to '' when undefined or falsy, then is trimmed; an empty result skips the admin_server and kdc lines entirely. #}
{% set _kdc_hosts = kdc_hosts|default('', true)|trim() %}
{% if _kdc_hosts %}
{# The list keeps the raw pieces of the split; entries are trimmed only where they are printed. #}
{% set kdc_host_list = _kdc_hosts.split(',') %}
{% if kdc_host_list and kdc_host_list|length > 0 %}
{#
  admin_server uses admin_server_host when it is set and non-empty, otherwise the first list entry.
  NOTE(review): the first entry is not checked for emptiness, so a kdc_hosts value that starts with
  a comma would render an empty admin_server.
#}
admin_server = {{ admin_server_host|default(kdc_host_list[0]|trim(), True) }}
{# This test repeats the enclosing condition. #}
{% if kdc_host_list %}
{#
  master_kdc is listed first when it is not already among the hosts.
  NOTE(review): the membership test compares the untrimmed master_kdc with untrimmed entries, so
  surrounding whitespace in kdc_hosts can make master_kdc appear twice as a kdc line.
#}
{% if master_kdc and (master_kdc not in kdc_host_list) %}
kdc = {{ master_kdc|trim() }}
{% endif %}
{# Entries that are empty after trimming are skipped. #}
{% for kdc_host in kdc_host_list %}
{% if kdc_host|trim() %}
kdc = {{ kdc_host|trim() }}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
{% endif %}
}
{# Append additional realm declarations below #}
# 五、源码差异(diff 对比)
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/properties/krb5_conf.j2 b/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/properties/krb5_conf.j2
--- a/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/properties/krb5_conf.j2 (revision d993a6d0d350ac64161d3e762e4ddb9d3af0f298)
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/properties/krb5_conf.j2 (revision fbc97535262c3a9e8cf72cd8ffa7c995541649ea)
@@ -18,46 +18,52 @@
[libdefaults]
#renew_lifetime = 7d
forwardable = true
- default_realm = {{realm}}
+ default_realm = {{ realm }}
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
- #default_tgs_enctypes = {{encryption_types}}
- #default_tkt_enctypes = {{encryption_types}}
- {%- if force_tcp %}
+ #default_tgs_enctypes = {{ encryption_types }}
+ #default_tkt_enctypes = {{ encryption_types }}
+ {% if force_tcp %}
udp_preference_limit = 1
- {%- endif -%}
+ {% endif %}
+
{% if domains %}
[domain_realm]
-{%- for domain in domains.split(',') %}
- {{domain|trim()}} = {{realm}}
-{%- endfor %}
+{% for domain in domains.split(',') %}
+ {{ domain|trim() }} = {{ realm }}
+{% endfor %}
{% endif %}
+
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
- {{realm}} = {
-{%- if master_kdc %}
- master_kdc = {{master_kdc|trim()}}
-{%- endif -%}
-{%- if kdc_hosts > 0 -%}
-{%- set kdc_host_list = kdc_hosts.split(',') -%}
-{%- if kdc_host_list and kdc_host_list|length > 0 %}
- admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
-{%- if kdc_host_list -%}
-{%- if master_kdc and (master_kdc not in kdc_host_list) %}
- kdc = {{master_kdc|trim()}}
-{%- endif -%}
+ {{ realm }} = {
+{% if master_kdc %}
+ master_kdc = {{ master_kdc|trim() }}
+{% endif %}
+
+{% set _kdc_hosts = kdc_hosts|default('', true)|trim() %}
+{% if _kdc_hosts %}
+{% set kdc_host_list = _kdc_hosts.split(',') %}
+{% if kdc_host_list and kdc_host_list|length > 0 %}
+ admin_server = {{ admin_server_host|default(kdc_host_list[0]|trim(), True) }}
+{% if kdc_host_list %}
+{% if master_kdc and (master_kdc not in kdc_host_list) %}
+ kdc = {{ master_kdc|trim() }}
+{% endif %}
{% for kdc_host in kdc_host_list %}
- kdc = {{kdc_host|trim()}}
-{%- endfor -%}
+{% if kdc_host|trim() %}
+ kdc = {{ kdc_host|trim() }}
+{% endif %}
+{% endfor %}
{% endif %}
-{%- endif %}
-{%- endif %}
+{% endif %}
+{% endif %}
}
{# Append additional realm declarations below #}
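Review bot: The membership test `master_kdc not in kdc_host_list` on the new side still compares the raw `master_kdc` with the untrimmed pieces of `_kdc_hosts.split(',')`, so a value such as `kdc1, kdc2` with `master_kdc` set to `kdc2` renders `kdc = kdc2` twice; comparing trimmed values would avoid that, for example `{% if master_kdc and (master_kdc|trim() not in _kdc_hosts.replace(' ', '').split(',')) %}`. The `admin_server` fallback has the same gap: `kdc_host_list[0]|trim()` can be empty when the string starts with a comma, although the loop below now skips empty entries. The inner `{% if kdc_host_list %}` repeats the condition on the line above it and could be dropped. Because every `{%-`/`-%}` was removed, each control line now leaves a newline in the output unless the rendering environment trims blocks, so the rendered krb5.conf is worth checking once after the change.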

处理完毕后需要重新编译;部署后建议检查生成的 krb5.conf,确认 [realms] 段中包含 admin_server 与 kdc 字段。