You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by Jaimin Jetly <ja...@hortonworks.com> on 2014/10/15 02:41:55 UTC

Review Request 26719: Storm UI server should have the same default keytab value as of other components for spnego principal

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26719/
-----------------------------------------------------------

Review request for Ambari, Srimanth Gunturi and Yusaku Sako.


Bugs: AMBARI-7780
    https://issues.apache.org/jira/browse/AMBARI-7780


Repository: ambari


Description
-------

The problem will occur when there are two different keytabs containing same principal on a host. In this scenario only one principal will be considered to be valid if a principal is added to keytab in a specif way using --rankey option. (The reason is due to different kvno of the principal in both keytabs while using --randkey option to add principal to keytab)
For example if Namenode host and Storm UI Server are co-hosted. 
spnego.service.keytab will have principal HTTP/hostname@EXAMPLE.COM which will be used by NameNode web UI.
Storm UI daemon will also try to authenticate with the same principal but from a different keytab path and with different kvno.
In this scenario the keytab that was created last with the principal will hold valid principal and the other daemon will fail to authenticate with kerberos authentication error.


Diffs
-----

  ambari-web/app/data/HDP2/secure_properties.js 10d1a41 

Diff: https://reviews.apache.org/r/26719/diff/


Testing
-------

tested e2e by securing a cluster


Thanks,

Jaimin Jetly

Re: Review Request 26719: Storm UI server should have the same default keytab value as of other components for spnego principal

Posted by Yusaku Sako <yu...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26719/#review56623
-----------------------------------------------------------

Ship it!


Ship It!

- Yusaku Sako


On Oct. 15, 2014, 12:41 a.m., Jaimin Jetly wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/26719/
> -----------------------------------------------------------
> 
> (Updated Oct. 15, 2014, 12:41 a.m.)
> 
> 
> Review request for Ambari, Srimanth Gunturi and Yusaku Sako.
> 
> 
> Bugs: AMBARI-7780
>     https://issues.apache.org/jira/browse/AMBARI-7780
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> The problem will occur when there are two different keytabs containing same principal on a host. In this scenario only one principal will be considered to be valid if a principal is added to keytab in a specif way using --rankey option. (The reason is due to different kvno of the principal in both keytabs while using --randkey option to add principal to keytab)
> For example if Namenode host and Storm UI Server are co-hosted. 
> spnego.service.keytab will have principal HTTP/hostname@EXAMPLE.COM which will be used by NameNode web UI.
> Storm UI daemon will also try to authenticate with the same principal but from a different keytab path and with different kvno.
> In this scenario the keytab that was created last with the principal will hold valid principal and the other daemon will fail to authenticate with kerberos authentication error.
> 
> 
> Diffs
> -----
> 
>   ambari-web/app/data/HDP2/secure_properties.js 10d1a41 
> 
> Diff: https://reviews.apache.org/r/26719/diff/
> 
> 
> Testing
> -------
> 
> tested e2e by securing a cluster
> 
> 
> Thanks,
> 
> Jaimin Jetly
> 
>

Re: Review Request 26719: Storm UI server should have the same default keytab value as of other components for spnego principal

Posted by Srimanth Gunturi <sr...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26719/#review56626
-----------------------------------------------------------

Ship it!


Ship It!

- Srimanth Gunturi


On Oct. 15, 2014, 12:41 a.m., Jaimin Jetly wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/26719/
> -----------------------------------------------------------
> 
> (Updated Oct. 15, 2014, 12:41 a.m.)
> 
> 
> Review request for Ambari, Srimanth Gunturi and Yusaku Sako.
> 
> 
> Bugs: AMBARI-7780
>     https://issues.apache.org/jira/browse/AMBARI-7780
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> The problem will occur when there are two different keytabs containing same principal on a host. In this scenario only one principal will be considered to be valid if a principal is added to keytab in a specif way using --rankey option. (The reason is due to different kvno of the principal in both keytabs while using --randkey option to add principal to keytab)
> For example if Namenode host and Storm UI Server are co-hosted. 
> spnego.service.keytab will have principal HTTP/hostname@EXAMPLE.COM which will be used by NameNode web UI.
> Storm UI daemon will also try to authenticate with the same principal but from a different keytab path and with different kvno.
> In this scenario the keytab that was created last with the principal will hold valid principal and the other daemon will fail to authenticate with kerberos authentication error.
> 
> 
> Diffs
> -----
> 
>   ambari-web/app/data/HDP2/secure_properties.js 10d1a41 
> 
> Diff: https://reviews.apache.org/r/26719/diff/
> 
> 
> Testing
> -------
> 
> tested e2e by securing a cluster
> 
> 
> Thanks,
> 
> Jaimin Jetly
> 
>