ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-9742) Kerberos: fails when entering admin principal with blank password
Date Sun, 22 Feb 2015 22:53:12 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-9742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Robert Levas updated AMBARI-9742:
---------------------------------
    Description: 
Note: I don't believe the below is specific to add host, but related to the prompting and
how the set admin cred works in case of a blank password. I hit this during testing of add
host though.

- install cluster, kerberize
- add host (be sure to use a new browser so you know it will prompt for kerb admin credentials)
- got to the review part of add host, click deploy
- prompted for admin creds (as expected)
- tried messing around by putting in bad creds and that seemed to work...
- expect when I put in the right admin cred principal name (admin/admin) but a blank password.
I was surprised it allowed me to click save (because the password field was blank)
- so I click save, dialog disappears and I am cannot get it to re-prompt.
- this is what it PUT and the response was blank...
 
{code}
[{"session_attributes":{"kerberos_admin":{"principal":"admin/admin","password":""}}}]:
Response Headersview source
{code}

in ambari-server.log, nothing

{code}
17:58:05,860  INFO [qtp1257282095-603] AmbariManagementControllerImpl:1171 - Received a updateCluster
request, clusterId=2, clusterName=MyCluster, securityType=null, request={ clusterName=MyCluster,
clusterId=2, provisioningState=null, securityType=null, stackVersion=HDP-2.2, desired_scv=null,
hosts=[] }
{code}

- back in wizard doesn't solve it. had to completely exit wizard and ambari web to start again

The overall issue is how the credentials are being validated.  If no password is being set,
the command to test the credentials when using a MIT KDC generates the following command:
{code}
kadmin -p admin/admin -w "" -r EXAMPLE.COM -q 'get_principal admin/admin'
{code}

The empty password ({{-w ""}}) in the command creates an interactive session where the command
is waiting for data on STDIN, thus hanging the process.

An empty password should not cause the same behavior when using Active Directory.

  was:
Note: I don't believe the below is specific to add host, but related to the prompting and
how the set admin cred works in case of a blank password. I hit this during testing of add
host though.

- install cluster, kerberize
- add host (be sure to use a new browser so you know it will prompt for kerb admin credentials)
- got to the review part of add host, click deploy
- prompted for admin creds (as expected)
- tried messing around by putting in bad creds and that seemed to work...
- expect when I put in the right admin cred principal name (admin/admin) but a blank password.
I was surprised it allowed me to click save (because the password field was blank)
- so I click save, dialog disappears and I am cannot get it to re-prompt.
- this is what it PUT and the response was blank...
 
{code}
[{"session_attributes":{"kerberos_admin":{"principal":"admin/admin","password":""}}}]:
Response Headersview source
{code}

in ambari-server.log, nothing

{code}
17:58:05,860  INFO [qtp1257282095-603] AmbariManagementControllerImpl:1171 - Received a updateCluster
request, clusterId=2, clusterName=MyCluster, securityType=null, request={ clusterName=MyCluster,
clusterId=2, provisioningState=null, securityType=null, stackVersion=HDP-2.2, desired_scv=null,
hosts=[] }
{code}

- back in wizard doesn't solve it. had to completely exit wizard and ambari web to start again

The overall issue is how the credentials are being validated.  If no password is being set,
the command to test the credentials when using a MIT KDC generates the following command:
{code}
kadmin -p admin/admin -w "" -r EXAMPLE.COM -q 'get_principal admin/admin'
{code}

The empty password ({{-w ""}}) in the command creates an interactive session where the command
is waiting for data on STDIN, thus hanging the process.

This most likely does not affect an Active Directory scenario.


> Kerberos: fails when entering admin principal with blank password 
> ------------------------------------------------------------------
>
>                 Key: AMBARI-9742
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9742
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: kerberos
>             Fix For: 2.0.0
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> Note: I don't believe the below is specific to add host, but related to the prompting
and how the set admin cred works in case of a blank password. I hit this during testing of
add host though.
> - install cluster, kerberize
> - add host (be sure to use a new browser so you know it will prompt for kerb admin credentials)
> - got to the review part of add host, click deploy
> - prompted for admin creds (as expected)
> - tried messing around by putting in bad creds and that seemed to work...
> - expect when I put in the right admin cred principal name (admin/admin) but a blank
password. I was surprised it allowed me to click save (because the password field was blank)
> - so I click save, dialog disappears and I am cannot get it to re-prompt.
> - this is what it PUT and the response was blank...
>  
> {code}
> [{"session_attributes":{"kerberos_admin":{"principal":"admin/admin","password":""}}}]:
> Response Headersview source
> {code}
> in ambari-server.log, nothing
> {code}
> 17:58:05,860  INFO [qtp1257282095-603] AmbariManagementControllerImpl:1171 - Received
a updateCluster request, clusterId=2, clusterName=MyCluster, securityType=null, request={
clusterName=MyCluster, clusterId=2, provisioningState=null, securityType=null, stackVersion=HDP-2.2,
desired_scv=null, hosts=[] }
> {code}
> - back in wizard doesn't solve it. had to completely exit wizard and ambari web to start
again
> The overall issue is how the credentials are being validated.  If no password is being
set, the command to test the credentials when using a MIT KDC generates the following command:
> {code}
> kadmin -p admin/admin -w "" -r EXAMPLE.COM -q 'get_principal admin/admin'
> {code}
> The empty password ({{-w ""}}) in the command creates an interactive session where the
command is waiting for data on STDIN, thus hanging the process.
> An empty password should not cause the same behavior when using Active Directory.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message