ambari-dev mailing list archives

From "Robert Levas" <rle...@hortonworks.com>
Subject Re: Review Request 31483: Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.
Date Fri, 27 Feb 2015 18:26:44 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31483/
-----------------------------------------------------------

(Updated Feb. 27, 2015, 1:26 p.m.)


Review request for Ambari, Andrew Onischuk, Emil Anca, Jonathan Hurley, and Vitalyi Brodetskyi.


Changes
-------

Addresses reviewer concerns and applies changes due to merging conflicts


Bugs: AMBARI-9785
    https://issues.apache.org/jira/browse/AMBARI-9785


Repository: ambari


Description
-------

After enabling Kerberos, the root user has the spnego user set for it:

```
[root@c6501 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/c6501.ambari.apache.org@EXAMPLE.COM

Valid starting     Expires            Service principal
02/18/15 22:14:51  02/19/15 22:14:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 02/18/15 22:14:51
```

It appears that the issue is related to the agent-side scheduler and/or some job that is scheduled
to run periodically. Apparently some job is kinit-ing with the SPNEGO identity as the running
user (root in this case) without changing the ticket cache. Thus whenever the job runs the
root user's ticket cache gets changed to contain the SPNEGO identity's ticket.

While investigating and solving the issue it was found that other credentials were added to
this cache, overwriting what was there, during background processing, as well.

Most of the issues were related to _alert_ checking on web-based UI endpoints while configuring
the environment for curl to use Kerberos authentication.  Another place (in Oozie) was a failure
to run a command as the `oozie` local user.

Solving this includes using an alternate credential cache when kinit-ing. While at it, the
cache is checked to see if the tickets are expired (or even there) before kinit-ing.


Diffs (updated)
-----

  ambari-agent/src/main/python/ambari_agent/AlertSchedulerHandler.py a53201e
  ambari-agent/src/main/python/ambari_agent/alerts/web_alert.py 5052ca0
  ambari-common/src/main/python/resource_management/libraries/functions/__init__.py 6bcd7cd
  ambari-common/src/main/python/resource_management/libraries/functions/find_path.py PRE-CREATION
  ambari-common/src/main/python/resource_management/libraries/functions/get_kdestroy_path.py f6d7f78
  ambari-common/src/main/python/resource_management/libraries/functions/get_kinit_path.py 98434a2
  ambari-common/src/main/python/resource_management/libraries/functions/get_klist_path.py PRE-CREATION
  ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_webhcat_server.py 9773ec3
  ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/alerts/alert_check_oozie_server.py 23a3482
  ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie_service.py 092149d
  ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/HBASE/package/scripts/params.py f368703
  ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/HDFS/package/scripts/params.py 9fbce1d
  ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/HIVE/package/scripts/params.py 90235e9
  ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/OOZIE/package/files/alert_check_oozie_server.py a5a066b
  ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/OOZIE/package/scripts/params.py f13fbaf
  ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/PIG/package/scripts/params.py b334f3b
  ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/WEBHCAT/package/files/alert_webhcat_server.py 970ddde
  ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/YARN/package/scripts/params.py 187ddc0
  ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/ZOOKEEPER/package/scripts/params.py b668f67
  ambari-server/src/main/resources/stacks/HDP/2.0.6.GlusterFS/services/YARN/package/scripts/params.py 0fdaf18
  ambari-server/src/main/resources/stacks/HDP/2.1.GlusterFS/services/FALCON/package/scripts/params.py 056380b
  ambari-server/src/main/resources/stacks/HDP/2.1.GlusterFS/services/YARN/package/scripts/params.py 0fdaf18
  ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KNOX/package/scripts/params.py b11eddb
  ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/SLIDER/package/scripts/params.py 121bbd4
  ambari-server/src/main/resources/stacks/HDPWIN/2.1/services/YARN/package/scripts/params.py a548f98
  ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/HBASE/package/scripts/params.py 8c4f5e5
  ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/HDFS/package/scripts/params.py ff61dd7
  ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/HIVE/package/scripts/params.py a9a67f7
  ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/NAGIOS/package/scripts/params.py 5a0ffbb
  ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/OOZIE/package/scripts/params.py 7659529
  ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/PIG/package/scripts/params.py 60a9806
  ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/YARN/package/scripts/params.py 6e7f170
  ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/ZOOKEEPER/package/scripts/params.py 9fa99b5
  ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py 321a9c1
  ambari-server/src/test/resources/TestAmbaryServer.samples/dummy_common_services/HIVE/0.11.0.2.0.5.0/package/scripts/params.py 0cf89be
  ambari-server/src/test/resources/TestAmbaryServer.samples/dummy_stack/HIVE/package/scripts/params.py 0cf89be
  ambari-server/src/test/resources/stacks/HDP/2.0.7/services/HIVE/package/scripts/params.py 648913b

Diff: https://reviews.apache.org/r/31483/diff/


Testing
-------

Manually tested all services in test cluster to see which might have this issue. Found only
OOZIE and HIVE issues and tests showed they are fixed and working as they should.

#Jenkins Test Results

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:12 h
[INFO] Finished at: 2015-02-26T06:35:45+00:00
[INFO] Final Memory: 44M/457M
[INFO] ------------------------------------------------------------------------


Thanks,

Robert Levas
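
The fix described in this message (kinit into an alternate credential cache, and only when the existing tickets are missing or expired) can be sketched as follows. This is an added example, not the Ambari code from the review: the function names `ccache_path` and `kerberos_env` and the cache file naming are hypothetical, and it assumes the MIT Kerberos `klist -s` and `kinit -c` options.

```python
import hashlib
import os
import subprocess


def ccache_path(principal, keytab, cache_dir, uid):
    """Cache file unique to (user, principal, keytab); never /tmp/krb5cc_<uid>."""
    digest = hashlib.sha256(f"{principal}|{keytab}".encode()).hexdigest()[:16]
    return os.path.join(cache_dir, f"alert_cc_{uid}_{digest}")


def kerberos_env(principal, keytab, cache_dir, uid=None, run=subprocess.call):
    """Return an environment whose KRB5CCNAME points at a private ticket cache.

    kinit is run only when `klist -s` reports the cache missing or expired.
    `run` is injectable so the logic can be exercised without a KDC.
    """
    uid = os.getuid() if uid is None else uid
    # Assumption: cache_dir is a private directory owned by the calling user.
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    cache = ccache_path(principal, keytab, cache_dir, uid)
    env = dict(os.environ, KRB5CCNAME=f"FILE:{cache}")

    # klist -s prints nothing; it exits 0 only if the cache is readable and unexpired.
    if run(["klist", "-s"], env=env) != 0:
        rc = run(["kinit", "-c", cache, "-k", "-t", keytab, principal], env=env)
        if rc != 0:
            raise RuntimeError(f"kinit failed for {principal} (exit {rc})")
    return env
```

Pass the returned environment only to the child process that needs the ticket (for example the curl call an alert makes), so the running user's default cache keeps whatever it held before.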

