ambari-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (AMBARI-11001) Ambari uses users' interactive ticket cache
Date Wed, 07 Dec 2016 02:16:58 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-11001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15727419#comment-15727419 ]

Eric Yang edited comment on AMBARI-11001 at 12/7/16 2:16 AM:
-------------------------------------------------------------

Hi Robert,

Krb5LoginModule will not have a thread to renew an expired ticket if "renewTGT=false".  I concur
that this code change is incorrect.  The file browser or Ambari functions should use doAs impersonation
to interact with Hadoop services.  If the ticket is not renewed, the file browser function would stop
working.  When the end user presents the end user credential via a SPNEGO ticket, Ambari is supposed to have
a list of ACLs to the credential.  However, receiving the end user credential and sending the service
credential to other services are two different things.  We would like to understand the reason to
disable the service from renewing its ticket.  It seems like the wrong thing to do.


was (Author: eyang):
Hi Robert,

Krb5LoginModule will not have a thread to renew an expired ticket if "renewTGT=false".  I concur
that this code change is incorrect.  The file browser or Ambari functions should use doAs impersonation
to interact with Hadoop services.  If the ticket is not renewed, the file browser function would stop
working.  When the end user presents the end user credential via a SPNEGO ticket, Ambari is supposed to have
a list of acl list to the credential.  However, receiving the end user credential and sending
the service credential to other services are two different things.  We would like to understand the
reason to disable the service from renewing its ticket.  It seems like the wrong thing to do.

> Ambari uses users' interactive ticket cache
> -------------------------------------------
>
>                 Key: AMBARI-11001
>                 URL: https://issues.apache.org/jira/browse/AMBARI-11001
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: JAAS
>             Fix For: 2.1.0
>
>         Attachments: AMBARI-11001_01.patch
>
>
> It appears that it is necessary to kinit prior to starting ambari-server, even after ambari-server setup-security (#3). It seems that this should be automatically handled by Ambari.
> Ambari-server should NOT use the same ticket cache as the interactive user. 
> STR:
> 1. kinit
> 2. ambari-server start
> 3. verify that ambari-server can authenticate with ticket specified in #1
> 4. kdestroy
> 5. try to authenticate through Ambari again (it will not work)
> *Solution*
> Ensure JAAS Login works properly such that the Kerberos tickets for the account that executes Ambari are not relevant.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
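
As an added illustration of the behaviour discussed in this thread (not code from the Ambari project or from the attached patch), the following script audits a JAAS configuration for Krb5LoginModule entries whose login depends on a ticket cache instead of a keytab. The entry names, principal and keytab path in the sample are constructed placeholders; the option names are the standard Krb5LoginModule options.

```python
import re

# Constructed sample JAAS file; entry names, principal and keytab path are placeholders.
SAMPLE_JAAS = '''
InteractiveCache {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  renewTGT=false
  doNotPrompt=true;
};
ServiceKeytab {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/path/to/placeholder.keytab"
  principal="service/host@EXAMPLE.COM"
  storeKey=true
  useTicketCache=false
  doNotPrompt=true;
};
'''

ENTRY_RE = re.compile(r'(\w[\w.-]*)\s*\{(.*?)\};', re.S)     # Name { ... };
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')     # key=value or key="value"

def parse_jaas(text):
    """Return {entry_name: [(module_class, {option: value}), ...]}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for stmt in body.split(';'):          # one login module per ';'-terminated statement
            tokens = stmt.split()
            if tokens:
                opts = {k: v.strip('"') for k, v in OPTION_RE.findall(stmt)}
                modules.append((tokens[0], opts))
        entries[name] = modules
    return entries

def audit(entries):
    """Flag Krb5LoginModule entries that rely on a ticket cache."""
    findings = []
    for name, modules in entries.items():
        for cls, opts in modules:
            if not cls.endswith('Krb5LoginModule'):
                continue
            cache = opts.get('useTicketCache', 'false').lower() == 'true'
            keytab = opts.get('useKeyTab', 'false').lower() == 'true'
            if cache and not keytab:
                findings.append((name, 'TICKET_CACHE_ONLY'))     # login fails once the cache is destroyed
            elif cache and keytab:
                findings.append((name, 'CACHE_BEFORE_KEYTAB'))   # cache is consulted before the keytab
    return findings
```

An entry flagged `TICKET_CACHE_ONLY` reproduces the steps in the issue description: the login works only while a kinit-populated cache exists.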
