Posted to dev@ambari.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2015/02/26 07:36:05 UTC

[jira] [Commented] (AMBARI-9785) Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.

    [ https://issues.apache.org/jira/browse/AMBARI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14337985#comment-14337985 ] 

Hadoop QA commented on AMBARI-9785:
-----------------------------------

{color:green}+1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12700930/AMBARI-9785_01.patch
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:green}+1 tests included{color}.  The patch appears to include 1 new or modified test files.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of javac compiler warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number of release audit warnings.

    {color:green}+1 core tests{color}.  The patch passed unit tests in ambari-server.

Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/1821//testReport/
Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/1821//console

This message is automatically generated.

> Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.
> ------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-9785
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9785
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-agent
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Blocker
>              Labels: kerberos, keytabs
>             Fix For: 2.0.0
>
>         Attachments: AMBARI-9785_01.patch
>
>
> After enabling Kerberos, the root user has the spnego user set for it:
> {code}
> [root@c6501 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/c6501.ambari.apache.org@EXAMPLE.COM
> Valid starting     Expires            Service principal
> 02/18/15 22:14:51  02/19/15 22:14:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
> 	renew until 02/18/15 22:14:51
> {code}
> It appears that the issue is related to the agent-side scheduler and/or some job that is scheduled to run periodically. Apparently some job is kinit-ing with the SPNEGO identity as the running user (root in this case) without changing the ticket cache. Thus, whenever the job runs, the root user's ticket cache gets changed to contain the SPNEGO identity's ticket.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
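
The condition described in the issue, as an added example that is not part of the original message or of the AMBARI-9785 patch: a check that flags a user's default ticket cache holding a service identity, and a helper that runs kinit against a private cache so the default one is never overwritten. The function names and the keytab path are hypothetical, and the `FILE:/tmp/krb5cc_<uid>` default cache name is assumed from the klist output quoted above.

```python
import contextlib
import os
import re
import subprocess
import tempfile

# Constructed sample: the klist output quoted in the issue.
SAMPLE_KLIST = (
    "Ticket cache: FILE:/tmp/krb5cc_0\n"
    "Default principal: HTTP/c6501.ambari.apache.org@EXAMPLE.COM\n"
    "Valid starting     Expires            Service principal\n"
    "02/18/15 22:14:51  02/19/15 22:14:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
)

def parse_klist(text):
    """Return (cache, default principal) from klist output; None if absent."""
    cache = re.search(r"^Ticket cache:\s*(\S+)", text, re.M)
    princ = re.search(r"^Default principal:\s*(\S+)", text, re.M)
    return (cache and cache.group(1), princ and princ.group(1))

def default_cache_polluted(klist_text, uid=0):
    """True if the user's default cache holds a service identity's ticket.
    Assumes the FILE:/tmp/krb5cc_<uid> default shown in the issue."""
    cache, princ = parse_klist(klist_text)
    if not cache or not princ:
        return False
    # Service principals look like primary/instance@REALM (HTTP/host@REALM).
    is_service = "/" in princ.rsplit("@", 1)[0]
    return cache == "FILE:/tmp/krb5cc_%d" % uid and is_service

@contextlib.contextmanager
def isolated_ccache(keytab, principal, run=subprocess.run):
    """kinit into a private, throwaway cache; yield the env for job commands."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_job_")  # created with mode 0600
    os.close(fd)
    env = dict(os.environ, KRB5CCNAME="FILE:" + path)
    try:
        run(["kinit", "-c", "FILE:" + path, "-k", "-t", keytab, principal],
            env=env, check=True)
        yield env  # pass env= to every subprocess that needs the ticket
    finally:
        if os.path.exists(path):
            os.unlink(path)  # drop the ticket; the default cache was never used
```

The `run` parameter exists so the kinit call can be replaced with a stub where no KDC is available.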