Date: Tue, 8 Jul 2014 23:41:04 +0000 (UTC)
From: "Sriharsha Chintalapani (JIRA)"
To: dev@storm.incubator.apache.org
Subject: [jira] [Comment Edited] (STORM-345) (Security) AutoTGT renewal is not working

[
https://issues.apache.org/jira/browse/STORM-345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14055674#comment-14055674 ]

Sriharsha Chintalapani edited comment on STORM-345 at 7/8/14 11:39 PM:
-----------------------------------------------------------------------

[~revans2] I was able to test it by using the following conf in Kerberos
{code}
ccache_type = 4
forwardable = true
proxiable = true
udp_preference_limit = 1
ticket_lifetime = 5m
renew_lifetime = 10m
{code}
and changing AutoTGT main to
{code}
public static void main(String[] args) throws Exception {
    AutoTGT at = new AutoTGT();
    Map conf = new java.util.HashMap();
    // args[0] is the path to the JAAS configuration file (jaas.conf below)
    conf.put("java.security.auth.login.config", args[0]);
    at.prepare(conf);
    Map creds = new java.util.HashMap();
    at.populateCredentials(creds);
    Subject s = new Subject();
    at.populateSubject(s, creds);
    System.out.println("Got a Subject "+s);
    // Sleep 6 minutes: longer than ticket_lifetime (5m), shorter than renew_lifetime (10m)
    Thread.sleep(360000);
    at.renew(creds);
    System.out.println("Got a Subject "+s);
}
{code}
and my jaas.conf
{code}
StormClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/vagrant/keytabs/harsha.keytab"
    useTicketCache=true
    renewTicket=true
    serviceName="nimbus"
    debug=true
    principal="harsha/zookeeper.witzend.com@WITZEND.COM";
};
{code}
I did kinit -k -t /vagrant/keytabs/harsha.keytab harsha/zookeeper.witzend.com@WITZEND.COM before running AutoTGT. I am able to renew the ticket before and after ticket_lifetime.

> (Security) AutoTGT renewal is not working
> -----------------------------------------
>
>                 Key: STORM-345
>                 URL: https://issues.apache.org/jira/browse/STORM-345
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Robert Joseph Evans
>            Assignee: Raghavendra Nandagopal
>              Labels: security
>
> AutoTGT will call tgt.refresh(); to try and renew a token, but every time we try to make this work the java code blows up with some very odd errors.
> Either we need to find some configurations and document them on how to make this work.
> Rip out the renewal code and update the documentation to explain that the renewal is not supported.
> Find another way to renew the TGT (Some other library)
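
The issue text says AutoTGT renews by calling tgt.refresh(), and the test above uses ticket_lifetime = 5m with renew_lifetime = 10m. As an added example (not code from the original message or from Storm), the class below classifies a TGT against those two limits before a refresh is attempted. The names TgtRenewalCheck, State, findTgt, classify and sample are hypothetical, and the sample ticket is constructed with a dummy encoding and key.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

// Added example; class, enum and method names are hypothetical, not part of Storm.
public class TgtRenewalCheck {
    enum State { NO_TGT, DESTROYED, NOT_RENEWABLE, PAST_RENEW_TILL, EXPIRED_IN_RENEW_WINDOW, CURRENT_AND_RENEWABLE }

    // The TGT is the ticket whose server principal is krbtgt/REALM@REALM.
    static KerberosTicket findTgt(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = t.getServer();
            if (server != null && server.getName().startsWith("krbtgt/")) return t;
        }
        return null;
    }

    static State classify(KerberosTicket tgt, Date now) {
        if (tgt == null) return State.NO_TGT;
        if (tgt.isDestroyed()) return State.DESTROYED;
        if (!tgt.isRenewable()) return State.NOT_RENEWABLE;          // RENEWABLE flag not set on the ticket
        if (now.after(tgt.getRenewTill())) return State.PAST_RENEW_TILL;
        if (now.after(tgt.getEndTime())) return State.EXPIRED_IN_RENEW_WINDOW; // end time passed, renew-till not reached
        return State.CURRENT_AND_RENEWABLE;
    }

    // Constructed ticket (dummy encoding and session key) using the lifetimes from the test configuration.
    static KerberosTicket sample(Date issued, boolean renewable) {
        boolean[] flags = new boolean[32];
        flags[8] = renewable;                                          // ticket flag bit 8 is RENEWABLE (RFC 4120)
        Date end = new Date(issued.getTime() + 5 * 60_000L);           // ticket_lifetime = 5m
        Date renewTill = new Date(issued.getTime() + 10 * 60_000L);    // renew_lifetime = 10m
        return new KerberosTicket(new byte[] {0},
                new KerberosPrincipal("harsha/zookeeper.witzend.com@WITZEND.COM"),
                new KerberosPrincipal("krbtgt/WITZEND.COM@WITZEND.COM"), new byte[16], 17,
                flags, issued, issued, end, renewable ? renewTill : null, null);
    }

    public static void main(String[] args) {
        Date t0 = new Date();
        Subject s = new Subject();
        s.getPrivateCredentials().add(sample(t0, true));
        for (long min : new long[] {1, 6, 11}) {                       // 6 minutes matches Thread.sleep(360000)
            Date now = new Date(t0.getTime() + min * 60_000L);
            System.out.println("t+" + min + "m: " + classify(findTgt(s), now));
        }
        System.out.println("non-renewable: " + classify(sample(t0, false), t0));
    }
}
```

Logging this state immediately before the refresh call separates a ticket that was never issued as renewable, or is already past its renew-till time, from a failure returned by the KDC.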