You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by "Jaimin D Jetly (JIRA)" <ji...@apache.org> on 2014/10/15 01:59:35 UTC

[jira] [Updated] (AMBARI-7780) Storm UI server should have the same default keytab value as of other components for spnego principal

     [ https://issues.apache.org/jira/browse/AMBARI-7780?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jaimin D Jetly updated AMBARI-7780:
-----------------------------------
    Description: 
The problem will occur when there are two different keytabs containing same principal on a host. In this scenario only one principal will be considered to be valid. (The reason is due to different kvno of the principal in both keytabs while using --randkey option to add principal to keytab)
For example if Namenode host and Storm UI Server are co-hosted. 
spnego.service.keytab will have principal HTTP/hostname@EXAMPLE.COM which will be used by NameNode web UI.
Storm UI daemon will also try to authenticate with the same principal but from a different keytab path and with different kvno.
In this scenario the keytab that was created last with the principal will hold valid principal and the other daemon will fail to authenticate with kerberos authentication error.

> Storm UI server should have the same default keytab value as of other components for spnego principal
> -----------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-7780
>                 URL: https://issues.apache.org/jira/browse/AMBARI-7780
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 1.7.0
>            Reporter: Jaimin D Jetly
>            Assignee: Jaimin D Jetly
>            Priority: Critical
>             Fix For: 1.7.0
>
>
> The problem will occur when there are two different keytabs containing same principal on a host. In this scenario only one principal will be considered to be valid. (The reason is due to different kvno of the principal in both keytabs while using --randkey option to add principal to keytab)
> For example if Namenode host and Storm UI Server are co-hosted. 
> spnego.service.keytab will have principal HTTP/hostname@EXAMPLE.COM which will be used by NameNode web UI.
> Storm UI daemon will also try to authenticate with the same principal but from a different keytab path and with different kvno.
> In this scenario the keytab that was created last with the principal will hold valid principal and the other daemon will fail to authenticate with kerberos authentication error.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)