ambari-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-21146) Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup
Date Thu, 08 Jun 2017 10:28:18 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-21146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16042525#comment-16042525 ]

Hudson commented on AMBARI-21146:
---------------------------------

FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #7589 (See [https://builds.apache.org/job/Ambari-trunk-Commit/7589/])
AMBARI-21146. Knox JAAS configuration file should not allow the Kerberos (adoroszlai: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=e71f49e4ef30ff720ad4f8b7fb3823d68acd48cc])
* (edit) ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/templates/krb5JAASLogin.conf.j2
* (edit) ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/templates/krb5JAASLogin.conf.j2


> Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup
> ----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-21146
>                 URL: https://issues.apache.org/jira/browse/AMBARI-21146
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>             Fix For: 2.5.2
>
>         Attachments: AMBARI-21146_branch2.5.patch, AMBARI-21146.patch
>
>
> The JAAS configuration for Knox allows the interactive user's ticket cache to be used
> to establish the service's identity when starting up. This is problematic and potentially
> confusing. To prevent this, the JAAS config should be set as follows:
> {code}
> com.sun.security.jgss.initiate {
>   com.sun.security.auth.module.Krb5LoginModule required
>   renewTGT=false
>   doNotPrompt=true
>   useKeyTab=true
>   keyTab="/etc/security/keytabs/knox.service.keytab"
>   principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
>   storeKey=true
>   useTicketCache=false;
> };
> {code}
> Note: the keytab file and principal name values need to be set based on the relevant
> Kerberos configuration.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
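
The settings recommended in the issue description above can be checked mechanically on a rendered JAAS file. The following is an added example, not code from the Ambari patch or from the original message: the function name `audit_jaas`, the `WEAK` sample, and the assumption that an omitted Krb5LoginModule boolean option behaves as `false` are not from the page, and the checker expects the rendered configuration rather than the `.j2` template.

```python
import re

# Values the issue description asks for in the Knox JAAS entry.
REQUIRED = {"renewTGT": "false", "doNotPrompt": "true", "useKeyTab": "true",
            "storeKey": "true", "useTicketCache": "false"}
# Assumption: an omitted Krb5LoginModule boolean option defaults to false.
DEFAULTS = dict.fromkeys(REQUIRED, "false")

ENTRY_RE = re.compile(r"([\w.$-]+)\s*\{(.*?)\}\s*;", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;"]+))')


def audit_jaas(text):
    """Return (entry, option, found, wanted) for each deviation from REQUIRED."""
    # Drop /* ... */ blocks and whole-line // comments before parsing.
    text = re.sub(r"/\*.*?\*/|^[ \t]*//[^\n]*", "", text, flags=re.S | re.M)
    findings = []
    for entry, body in ENTRY_RE.findall(text):
        # Each login module statement inside an entry ends with ';'.
        for stmt in filter(str.strip, body.split(";")):
            if "Krb5LoginModule" not in stmt.split()[0]:
                continue  # only Kerberos login modules are audited
            opts = {k: (q or u) for k, q, u in OPTION_RE.findall(stmt)}
            for name, wanted in REQUIRED.items():
                found = opts.get(name, DEFAULTS[name]).lower()
                if found != wanted:
                    findings.append((entry, name, found, wanted))
            for name in ("keyTab", "principal"):
                if not opts.get(name):
                    findings.append((entry, name, "<unset>", "<set>"))
    return findings


# The configuration quoted in the issue description.
HARDENED = """
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false doNotPrompt=true useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
  storeKey=true useTicketCache=false;
};
"""
# Constructed counter-example: same entry with the ticket cache enabled.
WEAK = (HARDENED.replace("useTicketCache=false", "useTicketCache=true")
                .replace("renewTGT=false", "renewTGT=true"))

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_jaas(cfg) or "OK")
```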
