airflow-commits mailing list archives

From "Kris Wilson (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AIRFLOW-3144) Validate kerberos keytab on startup
Date Wed, 03 Oct 2018 01:55:00 GMT

     [ https://issues.apache.org/jira/browse/AIRFLOW-3144?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Kris Wilson updated AIRFLOW-3144:
---------------------------------
    Description: 
At Twitter, we recently ran into an issue where an Airflow user was passing the wrong secrets
file as their Kerberos service principal keytab. Airflow happily accepted this file (which
contained plain old ASCII text) as a keytab and then broke at runtime with the following opaque
log message:

 
{code:java}
[2018-10-01 23:45:14,976] ERROR in kerberos_ldap: Kerberos initialization error for HTTP@$REDACTED:
('Cannot get sequence cursor from keytab', 2){code}
 

This made the problem unclear. Rather than blindly accept any old file as a keytab, it would
be awesome if Airflow could run a validation step against the file to confirm its validity
on startup by shelling out to either `klist` or `kutil` (or using some equivalent lib).

 

  was:
At Twitter, we recently ran into an issue where an Airflow user was passing the wrong secrets
file as their Kerberos service principal keytab. Airflow happily accepted this file (which
contained plain old ASCII text) as a keytab and then broke at runtime with the following opaque
log message:

 
{code:java}
[2018-10-01 23:45:14,976] ERROR in kerberos_ldap: Kerberos initialization error for HTTP@$REDACTED:
('Cannot get sequence cursor from keytab', 2){code}
 

This made the problem unclear. Rather than blindly accept any old file as a keytab, it would
be awesome if Airflow could run a validation step against the file to confirm its validity
on startup by shelling out to either `klist` or `kutil`.

 


> Validate kerberos keytab on startup
> -----------------------------------
>
>                 Key: AIRFLOW-3144
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3144
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: authentication
>            Reporter: Kris Wilson
>            Priority: Minor
>
> At Twitter, we recently ran into an issue where an Airflow user was passing the wrong
> secrets file as their Kerberos service principal keytab. Airflow happily accepted this file
> (which contained plain old ASCII text) as a keytab and then broke at runtime with the following
> opaque log message:
>  
> {code:java}
> [2018-10-01 23:45:14,976] ERROR in kerberos_ldap: Kerberos initialization error for HTTP@$REDACTED:
> ('Cannot get sequence cursor from keytab', 2){code}
>  
> This made the problem unclear. Rather than blindly accept any old file as a keytab,
> it would be awesome if Airflow could run a validation step against the file to confirm its validity
> on startup by shelling out to either `klist` or `kutil` (or using some equivalent lib).
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
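
A startup check of the kind the issue asks for, as an added example that is not part of the original message and not Airflow code. It assumes the MIT version-2 keytab layout (leading bytes 05 02, big-endian records); `validate_keytab`, `KeytabError` and `build_sample_keytab` are hypothetical names, and the check is structural only (it does not prove the keys are accepted by a KDC).

```python
import struct

class KeytabError(ValueError):
    """The file is not a structurally valid version-2 keytab."""

def _counted(buf, pos):
    # Counted field: uint16 big-endian length, then that many bytes.
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if pos + 2 > len(buf) or end > len(buf):
        raise KeytabError("counted field runs past end of record")
    return buf[pos + 2:end], end

def validate_keytab(data):
    """Return [(principal, kvno, enctype), ...] or raise KeytabError."""
    if data[:2] != b"\x05\x02":
        raise KeytabError("not a version-2 keytab: leading bytes are not 05 02")
    entries, pos = [], 2
    while pos < len(data):
        if pos + 4 > len(data):
            raise KeytabError("truncated record size")
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:  # negative size marks a deleted slot; skip it
            pos -= size
            continue
        if size < 4 or pos + size > len(data):  # strict: reject short sizes
            raise KeytabError("bad record size %d" % size)
        rec, pos = data[pos:pos + size], pos + size
        ncomp = struct.unpack_from(">H", rec, 0)[0]
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(rec, p)
            comps.append(comp.decode("utf-8", "replace"))
        if p + 13 > len(rec):  # name type 4, timestamp 4, kvno 1, enctype 2, key len 2
            raise KeytabError("record too short for key block")
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", rec, p)
        _key, p = _counted(rec, p + 11)
        if len(rec) - p >= 4:  # optional 32-bit kvno wins when non-zero
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode("utf-8", "replace"), kvno, enctype))
    if not entries:
        raise KeytabError("keytab contains no entries")
    return entries

def build_sample_keytab():
    """Constructed sample: one entry for HTTP/airflow.example.test@EXAMPLE.TEST."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    rec = (struct.pack(">H", 2) + cs(b"EXAMPLE.TEST") + cs(b"HTTP") + cs(b"airflow.example.test")
           + struct.pack(">IIBH", 1, 1538358314, 3, 18) + cs(b"\x00" * 32) + struct.pack(">I", 3))
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec
```

Called on the bytes of the configured keytab at startup, a plain-text secrets file fails immediately with a message naming the file format rather than at first authentication.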
