From: "Robert Levas (JIRA)"
To: dev@ambari.apache.org
Date: Thu, 26 Feb 2015 01:28:06 +0000 (UTC)
Subject: [jira] [Updated] (AMBARI-9785) Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.

     [ https://issues.apache.org/jira/browse/AMBARI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-9785:
---------------------------------
    Attachment: AMBARI-9785_01.patch

* Added get_klist_path to find the klist executable (like get_kinit_path)
* Updated alerts web_alert.py to use an alternate credentials cache file when kinit-ing and to kinit only when needed
* Updated alert_webhcat_server.py to use an alternate credentials cache file when kinit-ing and to kinit only when needed
* Updated alert_check_oozie_server.py to use an alternate credentials cache file when kinit-ing and to kinit only when needed
* Updated oozie_service.py to su to the oozie user when needed

Each update ensures that the root user's default credential cache is untouched during non-interactive Ambari-related processing

Patch File [^AMBARI-9785_01.patch]

> Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.
> ------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-9785
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9785
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-agent
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Blocker
>              Labels: kerberos, keytabs
>             Fix For: 2.0.0
>
>         Attachments: AMBARI-9785_01.patch
>
>
> After enabling Kerberos, the root user has the spnego user set for it
> {code}
> [root@c6501 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/c6501.ambari.apache.org@EXAMPLE.COM
> Valid starting     Expires            Service principal
> 02/18/15 22:14:51  02/19/15 22:14:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         renew until 02/18/15 22:14:51
> {code}
> It appears that the issue is related to the agent-side scheduler and/or some job that is scheduled to run periodically. Apparently some job is kinit-ing with the SPNEGO identity as the running user (root in this case) without changing the ticket cache. Thus whenever the job runs the root user's ticket cache gets changed to contain the SPNEGO identity's ticket.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
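
The pattern the update describes (kinit into an alternate credentials cache, and only when that cache has no valid ticket) can be sketched as below. This is an added example, not the code from AMBARI-9785_01.patch. The function names, the `cache_dir` parameter and the keytab and directory paths are hypothetical, and it assumes MIT Kerberos `klist -s` and `kinit -c` semantics.

```python
import hashlib
import os
import subprocess


def ccache_path(principal, cache_dir, prefix="alert_cc_"):
    """Per-principal cache file inside cache_dir, never the caller's default cache."""
    digest = hashlib.sha256(principal.encode("utf-8")).hexdigest()[:16]
    return os.path.join(cache_dir, prefix + digest)


def ensure_ticket(principal, keytab, cache_dir, run=subprocess.call,
                  kinit="kinit", klist="klist"):
    """Return an environment whose KRB5CCNAME points at the alternate cache,
    running kinit only if that cache holds no valid ticket."""
    ccache = ccache_path(principal, cache_dir)
    env = dict(os.environ, KRB5CCNAME=ccache)
    # `klist -s <cache>` prints nothing; exit status 0 means a readable, unexpired cache.
    if run([klist, "-s", ccache], env=env) != 0:
        # -c writes the ticket to the alternate cache; -k -t authenticates from the keytab.
        if run([kinit, "-c", ccache, "-k", "-t", keytab, principal], env=env) != 0:
            raise RuntimeError("kinit failed for %s" % principal)
    return env


if __name__ == "__main__":
    # Constructed dry run: a stand-in runner prints the commands instead of executing them.
    def dry_run(cmd, env=None):
        print(" ".join(cmd))
        return 1 if cmd[0] == "klist" else 0

    ensure_ticket("HTTP/c6501.ambari.apache.org@EXAMPLE.COM",
                  "/path/to/spnego.keytab", "/path/to/agent/tmp", run=dry_run)
```

Pass the returned environment to whatever command needs the ticket (for example the HTTP check), and keep `cache_dir` in a directory only the agent can write to, so the cache file name cannot be pre-created by another local user.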