ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMBARI-9785) Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.
Date Wed, 25 Feb 2015 01:18:04 GMT
Robert Levas created AMBARI-9785:
------------------------------------

             Summary: Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled,
root should have no ticket.
                 Key: AMBARI-9785
                 URL: https://issues.apache.org/jira/browse/AMBARI-9785
             Project: Ambari
          Issue Type: Bug
          Components: ambari-agent
    Affects Versions: 2.0.0
            Reporter: Robert Levas
            Assignee: Robert Levas
            Priority: Blocker
             Fix For: 2.0.0


After enabling Kerberos, the root user has the spnego user set for it 

{code}
[root@c6501 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/c6501.ambari.apache.org@EXAMPLE.COM

Valid starting     Expires            Service principal
02/18/15 22:14:51  02/19/15 22:14:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 02/18/15 22:14:51
{code}

It appears that the issue is related to the agent-side scheduler and/or some job that is scheduled
to run periodically. Apparently some job is kinit-ing with the SPNEGO identity as the running
user (root in this case) without changing the ticket cache. Thus whenever the job runs the
root user's ticket cache gets changed to contain the SPNEGO identity's ticket.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message