accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-4489) Monitor login for trace viewing should fall back to GENERAL_KERBEROS_KEYTAB to match behavior of trace server
Date Mon, 10 Oct 2016 02:42:20 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-4489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15561083#comment-15561083
] 

Josh Elser commented on ACCUMULO-4489:
--------------------------------------

bq. This works as expected on the TraceServer, but the Monitor's servlet for viewing traces
only uses the trace keytab.

Hrmph. That seems very unexpected to me. I don't know why the monitor wouldn't always be using
the Monitor's keytab. I guess we are expecting that the Monitor's identity might not have
authorization otherwise.

Nit: s/{{keytab.length() == 0}}/{{keytab.isEmpty()}}/

LGTM, [~busbey]

> Monitor login for trace viewing should fall back to GENERAL_KERBEROS_KEYTAB to match
behavior of trace server
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-4489
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4489
>             Project: Accumulo
>          Issue Type: Bug
>          Components: monitor, trace
>    Affects Versions: 1.7.1, 1.7.2
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Critical
>             Fix For: 1.7.3, 1.8.1, 2.0.0
>
>         Attachments: ACCUMULO-4489.1.patch, ACCUMULO-4489.2.patch
>
>
> The current kerberos instructions rely on the trace user falling back to the GENERAL_KERBEROS_KEYTAB
when kerberos for client access is enabled. This works as expected on the TraceServer, but
the Monitor's servlet for viewing traces only uses the trace keytab.
> workaround is to use the undocumented {{trace.token.property.keytab}} property to specify
the appropriate keytab.
> Even once the trace user keytab property is documented in ACCUMULO-4488, we should make
the behavior match that in the TraceServer.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message