airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ruslan Dautkhanov (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (AIRFLOW-987) `airflow kerberos` ignores --keytab and --principal arguments
Date Wed, 15 Mar 2017 06:48:41 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15925630#comment-15925630
] 

Ruslan Dautkhanov edited comment on AIRFLOW-987 at 3/15/17 6:47 AM:
--------------------------------------------------------------------

kerberos.py:39 - it always gets principal and keytab from configuration (airflow.cfg):
https://github.com/apache/incubator-airflow/blob/master/airflow/security/kerberos.py#L39 
{code}
            "-t", configuration.get('kerberos', 'keytab'),   # specify keytab
            "-c", configuration.get('kerberos', 'ccache'),   # specify credentials cache
{code}

Notice help for `airflow kerberos`:
{noformat}
$ airflow kerberos -h
[2017-03-15 00:40:12,215] {__init__.py:57} INFO - Using executor LocalExecutor
usage: airflow kerberos [-h] [-kt [KEYTAB]] [--pid [PID]] [-D]
                        [--stdout STDOUT] [--stderr STDERR] [-l LOG_FILE]
                        [principal]
{noformat}

One can think that you can provide principal and keytab as `airflow kerberos` arguments -
that's not true and it's a bug.

Although it's not a critical bug as I was able to make `airflow kerberos` working just by
adding kerberos section in airflow.cfg

`airflow kerberos -h` has to be corrected to reflect that `airflow kerberos` doesn't actually
accept principal and keytab as arguments.

Thank you.


was (Author: tagar):
kerberos.py:39 - it always gets principal and keytab from configuration (airflow.cfg):
https://github.com/apache/incubator-airflow/blob/master/airflow/security/kerberos.py#L39 
{code}
            "-t", configuration.get('kerberos', 'keytab'),   # specify keytab
            "-c", configuration.get('kerberos', 'ccache'),   # specify credentials cache
{code}

Notice help for `airflow kerberos`:
{noformat}
$ airflow kerberos -h
[2017-03-15 00:40:12,215] {__init__.py:57} INFO - Using executor LocalExecutor
usage: airflow kerberos [-h] [-kt [KEYTAB]] [--pid [PID]] [-D]
                        [--stdout STDOUT] [--stderr STDERR] [-l LOG_FILE]
                        [principal]
{noformat}

One can think that you can provide principal and keytab as `airflow kerberos` - that's not
true and it's a bug.

Although it's not a critical bug as I was able to make `airflow kerberos` working just by
adding kerberos section in airflow.cfg

`airflow kerberos -h` has to be corrected to reflect that `airflow kerberos` doesn't actually
accept principal and keytab as arguments.

Thank you.

> `airflow kerberos` ignores --keytab and --principal arguments
> -------------------------------------------------------------
>
>                 Key: AIRFLOW-987
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-987
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security
>    Affects Versions: Airflow 1.8
>         Environment: 1.8-rc5
>            Reporter: Ruslan Dautkhanov
>            Assignee: Bolke de Bruin
>              Labels: easyfix, kerberos, security
>
> No matter which arguments I pass to `airflow kerberos`, 
> it always executes as `kinit -r 3600m -k -t airflow.keytab -c /tmp/airflow_krb5_ccache
airflow`
> So it failes with expected "kinit: Keytab contains no suitable keys for airflow@CORP.SOME.COM
while getting initial credentials"
> Tried different arguments, -kt and --keytab, here's one of the runs (some lines wrapped
for readability):
> {noformat}
> $ airflow kerberos -kt /home/rdautkha/.keytab rdautkhanov@CORP.SOME.COM
> [2017-03-14 23:50:11,523] {__init__.py:57} INFO - Using executor LocalExecutor
> [2017-03-14 23:50:12,069] {kerberos.py:43} INFO - Reinitting kerberos from keytab: 
> kinit -r 3600m -k -t airflow.keytab -c /tmp/airflow_krb5_ccache airflow
> [2017-03-14 23:50:12,080] {kerberos.py:55} ERROR -
>  Couldn't reinit from keytab! `kinit' exited with 1.
> kinit: Keytab contains no suitable keys for airflow@CORP.SOME.COM 
> while getting initial credentials
> {noformat}
> 1.8-rc5



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message