You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by Jaimin Jetly <ja...@hortonworks.com> on 2014/10/15 02:41:55 UTC
Review Request 26719: Storm UI server should have the same default
keytab value as of other components for spnego principal
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26719/
-----------------------------------------------------------
Review request for Ambari, Srimanth Gunturi and Yusaku Sako.
Bugs: AMBARI-7780
https://issues.apache.org/jira/browse/AMBARI-7780
Repository: ambari
Description
-------
The problem will occur when there are two different keytabs containing same principal on a host. In this scenario only one principal will be considered to be valid if a principal is added to keytab in a specif way using --rankey option. (The reason is due to different kvno of the principal in both keytabs while using --randkey option to add principal to keytab)
For example if Namenode host and Storm UI Server are co-hosted.
spnego.service.keytab will have principal HTTP/hostname@EXAMPLE.COM which will be used by NameNode web UI.
Storm UI daemon will also try to authenticate with the same principal but from a different keytab path and with different kvno.
In this scenario the keytab that was created last with the principal will hold valid principal and the other daemon will fail to authenticate with kerberos authentication error.
Diffs
-----
ambari-web/app/data/HDP2/secure_properties.js 10d1a41
Diff: https://reviews.apache.org/r/26719/diff/
Testing
-------
tested e2e by securing a cluster
Thanks,
Jaimin Jetly
Re: Review Request 26719: Storm UI server should have the same default
keytab value as of other components for spnego principal
Posted by Yusaku Sako <yu...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26719/#review56623
-----------------------------------------------------------
Ship it!
Ship It!
- Yusaku Sako
On Oct. 15, 2014, 12:41 a.m., Jaimin Jetly wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/26719/
> -----------------------------------------------------------
>
> (Updated Oct. 15, 2014, 12:41 a.m.)
>
>
> Review request for Ambari, Srimanth Gunturi and Yusaku Sako.
>
>
> Bugs: AMBARI-7780
> https://issues.apache.org/jira/browse/AMBARI-7780
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The problem will occur when there are two different keytabs containing same principal on a host. In this scenario only one principal will be considered to be valid if a principal is added to keytab in a specif way using --rankey option. (The reason is due to different kvno of the principal in both keytabs while using --randkey option to add principal to keytab)
> For example if Namenode host and Storm UI Server are co-hosted.
> spnego.service.keytab will have principal HTTP/hostname@EXAMPLE.COM which will be used by NameNode web UI.
> Storm UI daemon will also try to authenticate with the same principal but from a different keytab path and with different kvno.
> In this scenario the keytab that was created last with the principal will hold valid principal and the other daemon will fail to authenticate with kerberos authentication error.
>
>
> Diffs
> -----
>
> ambari-web/app/data/HDP2/secure_properties.js 10d1a41
>
> Diff: https://reviews.apache.org/r/26719/diff/
>
>
> Testing
> -------
>
> tested e2e by securing a cluster
>
>
> Thanks,
>
> Jaimin Jetly
>
>
Re: Review Request 26719: Storm UI server should have the same default
keytab value as of other components for spnego principal
Posted by Srimanth Gunturi <sr...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26719/#review56626
-----------------------------------------------------------
Ship it!
Ship It!
- Srimanth Gunturi
On Oct. 15, 2014, 12:41 a.m., Jaimin Jetly wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/26719/
> -----------------------------------------------------------
>
> (Updated Oct. 15, 2014, 12:41 a.m.)
>
>
> Review request for Ambari, Srimanth Gunturi and Yusaku Sako.
>
>
> Bugs: AMBARI-7780
> https://issues.apache.org/jira/browse/AMBARI-7780
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The problem will occur when there are two different keytabs containing same principal on a host. In this scenario only one principal will be considered to be valid if a principal is added to keytab in a specif way using --rankey option. (The reason is due to different kvno of the principal in both keytabs while using --randkey option to add principal to keytab)
> For example if Namenode host and Storm UI Server are co-hosted.
> spnego.service.keytab will have principal HTTP/hostname@EXAMPLE.COM which will be used by NameNode web UI.
> Storm UI daemon will also try to authenticate with the same principal but from a different keytab path and with different kvno.
> In this scenario the keytab that was created last with the principal will hold valid principal and the other daemon will fail to authenticate with kerberos authentication error.
>
>
> Diffs
> -----
>
> ambari-web/app/data/HDP2/secure_properties.js 10d1a41
>
> Diff: https://reviews.apache.org/r/26719/diff/
>
>
> Testing
> -------
>
> tested e2e by securing a cluster
>
>
> Thanks,
>
> Jaimin Jetly
>
>