hadoop-common-dev mailing list archives

From "Tianyin Xu (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (HADOOP-12676) Inconsistent assumptions of the default keytab file of Kerberos
Date Thu, 24 Dec 2015 23:13:49 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tianyin Xu resolved HADOOP-12676.
---------------------------------
    Resolution: Invalid

> Inconsistent assumptions of the default keytab file of Kerberos
> ---------------------------------------------------------------
>
>                 Key: HADOOP-12676
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12676
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.1, 2.6.2
>            Reporter: Tianyin Xu
>            Assignee: Tianyin Xu
>            Priority: Minor
>
> In the current implementation of {{SecurityUtil}}, we do not consider the default keytab file of Kerberos (which is {{/etc/krb5.keytab}} in [MIT Kerberos defaults|http://web.mit.edu/kerberos/krb5-1.13/doc/mitK5defaults.html#paths]).
> If the user does not set the keytab file, an {{IOException}} will be thrown. 
> {code:title=SecurityUtil.java|borderStyle=solid}
>   public static void login(final Configuration conf,
>       final String keytabFileKey, final String userNameKey, String hostname)
>       throws IOException {
> ...
>     String keytabFilename = conf.get(keytabFileKey);
>     if (keytabFilename == null || keytabFilename.length() == 0) {
>       throw new IOException("Running in secure mode, but config doesn't have a keytab");
>     }
> {code} 
> However, the default keytab location is assumed by some of the callers. For example, in [{{yarn-default.xml}}|https://hadoop.apache.org/docs/r2.7.1/hadoop-yarn/hadoop-yarn-common/yarn-default.xml],
> ||property||default||
> |yarn.resourcemanager.keytab|/etc/krb5.keytab|
> |yarn.nodemanager.keytab|/etc/krb5.keytab|
> |yarn.timeline-service.keytab|/etc/krb5.keytab|
> On the other hand, these callers directly call the {{SecurityUtil.login}} method; therefore, the docs are incorrect that the defaults are actually {{null}} (as we do not have a default)...
> {code:title=NodeManager.java|borderStyle=solid}
>   protected void doSecureLogin() throws IOException {
>     SecurityUtil.login(getConfig(), YarnConfiguration.NM_KEYTAB,
>         YarnConfiguration.NM_PRINCIPAL);
>   }
> {code}
> I don't know if we should make {{/etc/krb5.keytab}} the default in {{SecurityUtil}}, or ask the callers to correct their assumptions. I post here as a minor issue.
> Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
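
Added example (not part of the original message and not Hadoop code): a small Python audit that resolves the three keytab properties from the table through a site-overrides-default lookup and then applies the same null-or-empty test as the quoted `SecurityUtil.login`. The XML snippets, the `example.service.keytab` key and the simplified lookup are assumptions made for illustration; this is not Hadoop's `Configuration` class.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not copied from a real cluster or release).
DEFAULT_XML = """<configuration>
  <property><name>yarn.resourcemanager.keytab</name><value>/etc/krb5.keytab</value></property>
  <property><name>yarn.nodemanager.keytab</name><value>/etc/krb5.keytab</value></property>
  <property><name>yarn.timeline-service.keytab</name><value>/etc/krb5.keytab</value></property>
</configuration>"""
SITE_XML = """<configuration>
  <property><name>yarn.nodemanager.keytab</name><value>/etc/security/keytabs/nm.service.keytab</value></property>
</configuration>"""

# The three keys from the table plus one hypothetical key present in neither file.
KEYTAB_KEYS = ("yarn.resourcemanager.keytab", "yarn.nodemanager.keytab",
               "yarn.timeline-service.keytab", "example.service.keytab")


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style config file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = prop.findtext("value") or ""
    return props


def audit_keytabs(default_xml, site_xml, keys=KEYTAB_KEYS):
    """Resolve each key (site entry wins over default entry) and apply the login check."""
    defaults, site = load_properties(default_xml), load_properties(site_xml)
    report = {}
    for key in keys:
        if key in site:
            value, source = site[key], "site"
        elif key in defaults:
            value, source = defaults[key], "default"
        else:
            value, source = None, "unset"
        # Same condition as the quoted SecurityUtil.login: null or empty is rejected.
        rejected = value is None or len(value) == 0
        report[key] = {"value": value, "source": source, "login_rejects": rejected}
    return report


if __name__ == "__main__":
    for key, result in audit_keytabs(DEFAULT_XML, SITE_XML).items():
        print(key, result)
```

The `source` field shows whether a service would log in with a keytab an operator chose or with one inherited from the defaults file.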
