ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jaimin D Jetly (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-7780) Storm UI server should have the same default keytab value as of other components for spnego principal
Date Tue, 14 Oct 2014 23:59:35 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-7780?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jaimin D Jetly updated AMBARI-7780:
-----------------------------------
    Description: 
The problem will occur when there are two different keytabs containing same principal on a
host. In this scenario only one principal will be considered to be valid. (The reason is due
to different kvno of the principal in both keytabs while using --randkey option to add principal
to keytab)
For example if Namenode host and Storm UI Server are co-hosted. 
spnego.service.keytab will have principal HTTP/hostname@EXAMPLE.COM which will be used by
NameNode web UI.
Storm UI daemon will also try to authenticate with the same principal but from a different
keytab path and with different kvno.
In this scenario the keytab that was created last with the principal will hold valid principal
and the other daemon will fail to authenticate with kerberos authentication error.

> Storm UI server should have the same default keytab value as of other components for
spnego principal
> -----------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-7780
>                 URL: https://issues.apache.org/jira/browse/AMBARI-7780
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 1.7.0
>            Reporter: Jaimin D Jetly
>            Assignee: Jaimin D Jetly
>            Priority: Critical
>             Fix For: 1.7.0
>
>
> The problem will occur when there are two different keytabs containing same principal
on a host. In this scenario only one principal will be considered to be valid. (The reason
is due to different kvno of the principal in both keytabs while using --randkey option to
add principal to keytab)
> For example if Namenode host and Storm UI Server are co-hosted. 
> spnego.service.keytab will have principal HTTP/hostname@EXAMPLE.COM which will be used
by NameNode web UI.
> Storm UI daemon will also try to authenticate with the same principal but from a different
keytab path and with different kvno.
> In this scenario the keytab that was created last with the principal will hold valid
principal and the other daemon will fail to authenticate with kerberos authentication error.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message