airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ruslan Dautkhanov (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (AIRFLOW-987) `airflow kerberos` ignores --keytab and --principal arguments
Date Wed, 15 Mar 2017 06:24:41 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15925608#comment-15925608
] 

Ruslan Dautkhanov edited comment on AIRFLOW-987 at 3/15/17 6:24 AM:
--------------------------------------------------------------------

I use kinit very often and familiar with the tool. 

kinit works fine outside of Airflow

{noformat}
$ kinit -kt /home/rdautkha/.keytab rdautkhanov@CORP.SOME.COM; echo $?
0

rdautkha@pc1udatahgw01 airflow  $ klist | grep "03/15/17"
03/15/17 00:19:38  03/15/17 10:19:40  krbtgt/CORP.SOME.COM@CORP.SOME.COM
{noformat}
(I've changed realm)

If you didn't notice `airflow kerberos` used "airflow" as principal and "airflow.keytab" in
the output dump above, no matter which parameters I give.


was (Author: tagar):
I use kinit very often and familiar with the tool. 

kinit works fine outside of Airflow

{noformat}
$ kinit -kt /home/rdautkha/.keytab rdautkhanov@CORP.SOME.COM; echo $?
0

rdautkha@pc1udatahgw01 airflow  $ klist | grep "03/15/17"
03/15/17 00:19:38  03/15/17 10:19:40  krbtgt/CORP.EPSILON.COM@CORP.SOME.COM
{noformat}
(I've changed realm)

If you didn't notice `airflow kerberos` used "airflow" as principal and "airflow.keytab" in
the output dump above, no matter which parameters I give.

> `airflow kerberos` ignores --keytab and --principal arguments
> -------------------------------------------------------------
>
>                 Key: AIRFLOW-987
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-987
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security
>    Affects Versions: Airflow 1.8
>         Environment: 1.8-rc5
>            Reporter: Ruslan Dautkhanov
>            Assignee: Bolke de Bruin
>              Labels: easyfix, kerberos, security
>
> No matter which arguments I pass to `airflow kerberos`, 
> it always executes as `kinit -r 3600m -k -t airflow.keytab -c /tmp/airflow_krb5_ccache
airflow`
> So it failes with expected "kinit: Keytab contains no suitable keys for airflow@CORP.SOME.COM
while getting initial credentials"
> Tried different arguments, -kt and --keytab, here's one of the runs (some lines wrapped
for readability):
> {noformat}
> $ airflow kerberos -kt /home/rdautkha/.keytab rdautkhanov@CORP.SOME.COM
> [2017-03-14 23:50:11,523] {__init__.py:57} INFO - Using executor LocalExecutor
> [2017-03-14 23:50:12,069] {kerberos.py:43} INFO - Reinitting kerberos from keytab: 
> kinit -r 3600m -k -t airflow.keytab -c /tmp/airflow_krb5_ccache airflow
> [2017-03-14 23:50:12,080] {kerberos.py:55} ERROR -
>  Couldn't reinit from keytab! `kinit' exited with 1.
> kinit: Keytab contains no suitable keys for airflow@CORP.SOME.COM 
> while getting initial credentials
> {noformat}
> 1.8-rc5



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message