You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kudu.apache.org by to...@apache.org on 2017/02/26 22:41:03 UTC
[1/2] kudu git commit: [security] added info on non-renewable authn
tokens
Repository: kudu
Updated Branches:
refs/heads/master ed2bc18de -> 0c3f82db1
[security] added info on non-renewable authn tokens
It's not possible to renew Kudu authn tokens. That information is
added into the description of the --authn_token_validity_seconds
command-line flag.
I also opened KUDU-1895 JIRA case for adding corresponding information
into end-user documentation.
Change-Id: I44b5aedb05803ffba7a22f8127b2edac60d3752c
Reviewed-on: http://gerrit.cloudera.org:8080/6122
Tested-by: Alexey Serbin <as...@cloudera.com>
Reviewed-by: Todd Lipcon <to...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/085f1e04
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/085f1e04
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/085f1e04
Branch: refs/heads/master
Commit: 085f1e04a8e9daca1bc5aa35666be507c7a800c8
Parents: ed2bc18
Author: Alexey Serbin <as...@cloudera.com>
Authored: Wed Feb 22 19:33:15 2017 -0800
Committer: Todd Lipcon <to...@apache.org>
Committed: Sun Feb 26 21:43:48 2017 +0000
----------------------------------------------------------------------
src/kudu/master/master.cc | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kudu/blob/085f1e04/src/kudu/master/master.cc
----------------------------------------------------------------------
diff --git a/src/kudu/master/master.cc b/src/kudu/master/master.cc
index 984f50a..eda44c7 100644
--- a/src/kudu/master/master.cc
+++ b/src/kudu/master/master.cc
@@ -60,9 +60,10 @@ TAG_FLAG(tsk_rotation_seconds, advanced);
TAG_FLAG(tsk_rotation_seconds, experimental);
DEFINE_int64(authn_token_validity_seconds, 60 * 60 * 24 * 7,
- "Period of time for which an issued authentication token is valid.");
-// TODO(PKI): docs for what actual effect this has, given we don't support
-// token renewal.
+ "Period of time for which an issued authentication token is valid. "
+ "It's not possible to renew a token, hence the token validity "
+ "interval defines the longest possible lifetime of an external "
+ "job which uses a token for authentication.");
TAG_FLAG(authn_token_validity_seconds, experimental);
using std::min;
[2/2] kudu git commit: security-itest: fix assertion for el6
Posted by to...@apache.org.
security-itest: fix assertion for el6
On el6, the error message when no Kerberos credentials are available
is a little bit different. This just fixes the assertion.
Change-Id: I2a118580ed67f3ead60980740b6bdbc8dfcb0f3e
Reviewed-on: http://gerrit.cloudera.org:8080/6157
Reviewed-by: Todd Lipcon <to...@apache.org>
Tested-by: Todd Lipcon <to...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/0c3f82db
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/0c3f82db
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/0c3f82db
Branch: refs/heads/master
Commit: 0c3f82db1f8602f8a9047dbf5493b3d4eb9d9524
Parents: 085f1e0
Author: Todd Lipcon <to...@apache.org>
Authored: Sun Feb 26 13:24:55 2017 -0800
Committer: Todd Lipcon <to...@apache.org>
Committed: Sun Feb 26 22:36:07 2017 +0000
----------------------------------------------------------------------
src/kudu/integration-tests/security-itest.cc | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kudu/blob/0c3f82db/src/kudu/integration-tests/security-itest.cc
----------------------------------------------------------------------
diff --git a/src/kudu/integration-tests/security-itest.cc b/src/kudu/integration-tests/security-itest.cc
index a3268ef..71b0d28 100644
--- a/src/kudu/integration-tests/security-itest.cc
+++ b/src/kudu/integration-tests/security-itest.cc
@@ -146,10 +146,13 @@ TEST_F(SecurityITest, TestNoKerberosCredentials) {
client::sp::shared_ptr<KuduClient> client;
Status s = cluster_->CreateClient(nullptr, &client);
+ // The error message differs on el6 from newer krb5 implementations,
+ // so we'll check for either one.
ASSERT_STR_MATCHES(s.ToString(),
"Not authorized: Could not connect to the cluster: "
"Client connection negotiation failed: client connection "
- "to .*: No Kerberos credentials available");
+ "to .*: (No Kerberos credentials available|"
+ "Credentials cache file.*not found)");
}
// Test cluster access by a user who is not authorized as a client.