Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Abmari blueprint question

Solved Go to solution

Abmari blueprint question

Super Guru

I'm getting below error while initiating cluster installation via Ambari blueprints.

{ 
"status" : 400, 
"message" : "Blueprint configuration validation failed: Secret references are 
not allowed in blueprints, replace following properties with real passwords:\n 
Config:ranger-admin-site Property:ranger.service.https.attrib.keystore.pass\n 
onfig:knox-env Property:knox_master_secret\n" 
} 

I don't want to use clear text passwords in the configuration.

Is there any workaround for this?

Related Community Jira(s):

https://issues.apache.org/jira/browse/AMBARI-14885 https://issues.apache.org/jira/browse/AMBARI-15338

I see work is already in progress for this at - https://issues.apache.org/jira/browse/AMBARI-15395

Please do let me know if there is any workaround till this issue gets fixed.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Abmari blueprint question

Rising Star

Hi @Kuldeep Kulkarni,

Generally, it is good practice to avoid setting passwords in the Blueprint document.

We generally recommend that any passwords be configured in the Cluster Creation Template document, which is POST-ed to actually create the cluster, based on a given Blueprint.

Since the Cluster Creation Template is not persisted by Ambari, it is usually the best place to configure passwords.

While not a perfect solution, since the document still includes the passwords in clear text, it does have the advantage of keeping the passwords out of the Blueprint, which is persisted by Ambari, and is available via the REST API (although the "secret reference" feature usually guarantees that the passwords are not available to a REST client).

Hope this helps.

5 REPLIES 5

Re: Abmari blueprint question

Super Guru

Re: Abmari blueprint question

@Kuldeep Kulkarni

I am not familiar enough with Blueprints to be able to comment on this. Maybe @rnettleton can comment on hiding passwords in Blueprints.

Re: Abmari blueprint question

Super Guru

Thanks @Robert Levas. I'm waiting for further updates from @rnettleton

Re: Abmari blueprint question

Rising Star

Hi @Kuldeep Kulkarni,

Generally, it is good practice to avoid setting passwords in the Blueprint document.

We generally recommend that any passwords be configured in the Cluster Creation Template document, which is POST-ed to actually create the cluster, based on a given Blueprint.

Since the Cluster Creation Template is not persisted by Ambari, it is usually the best place to configure passwords.

While not a perfect solution, since the document still includes the passwords in clear text, it does have the advantage of keeping the passwords out of the Blueprint, which is persisted by Ambari, and is available via the REST API (although the "secret reference" feature usually guarantees that the passwords are not available to a REST client).

Hope this helps.

Re: Abmari blueprint question

Super Guru

Thank you so much @rnettleton.

So there is no alternative apart from having passwords set in cluster creation template. We can always change those passwords after cluster installation is done (just for security purpose)