Posted to commits@kudu.apache.org by to...@apache.org on 2017/02/26 22:41:03 UTC

[1/2] kudu git commit: [security] added info on non-renewable authn tokens

Repository: kudu
Updated Branches:
  refs/heads/master ed2bc18de -> 0c3f82db1


[security] added info on non-renewable authn tokens

It's not possible to renew Kudu authn tokens.  That information is
added into the description of the --authn_token_validity_seconds
command-line flag.

I also opened KUDU-1895 JIRA case for adding corresponding information
into end-user documentation.

Change-Id: I44b5aedb05803ffba7a22f8127b2edac60d3752c
Reviewed-on: http://gerrit.cloudera.org:8080/6122
Tested-by: Alexey Serbin <as...@cloudera.com>
Reviewed-by: Todd Lipcon <to...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/085f1e04
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/085f1e04
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/085f1e04

Branch: refs/heads/master
Commit: 085f1e04a8e9daca1bc5aa35666be507c7a800c8
Parents: ed2bc18
Author: Alexey Serbin <as...@cloudera.com>
Authored: Wed Feb 22 19:33:15 2017 -0800
Committer: Todd Lipcon <to...@apache.org>
Committed: Sun Feb 26 21:43:48 2017 +0000

----------------------------------------------------------------------
 src/kudu/master/master.cc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/085f1e04/src/kudu/master/master.cc
----------------------------------------------------------------------
diff --git a/src/kudu/master/master.cc b/src/kudu/master/master.cc
index 984f50a..eda44c7 100644
--- a/src/kudu/master/master.cc
+++ b/src/kudu/master/master.cc
@@ -60,9 +60,10 @@ TAG_FLAG(tsk_rotation_seconds, advanced);
 TAG_FLAG(tsk_rotation_seconds, experimental);
 
 DEFINE_int64(authn_token_validity_seconds, 60 * 60 * 24 * 7,
-             "Period of time for which an issued authentication token is valid.");
-// TODO(PKI): docs for what actual effect this has, given we don't support
-// token renewal.
+             "Period of time for which an issued authentication token is valid. "
+             "It's not possible to renew a token, hence the token validity "
+             "interval defines the longest possible lifetime of an external "
+             "job which uses a token for authentication.");
 TAG_FLAG(authn_token_validity_seconds, experimental);
 
 using std::min;
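Review bot: The new help text for authn_token_validity_seconds says the interval bounds the lifetime of "an external job", but it does not define that term or say what happens when the token expires. Since this string replaces the removed TODO(PKI) comment asking for docs on the flag's actual effect, it should state the observable behaviour at expiry (for example, whether the job's requests start failing or the client can obtain a fresh token by authenticating again). It would also help to mention that the default of 60 * 60 * 24 * 7 seconds is 7 days, so operators reading the --help output do not have to do the arithmetic. The flag stays tagged experimental, which is worth repeating in the end-user documentation tracked by KUDU-1895.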


[2/2] kudu git commit: security-itest: fix assertion for el6

Posted by to...@apache.org.
security-itest: fix assertion for el6

On el6, the error message when no Kerberos credentials are available
is a little bit different. This just fixes the assertion.

Change-Id: I2a118580ed67f3ead60980740b6bdbc8dfcb0f3e
Reviewed-on: http://gerrit.cloudera.org:8080/6157
Reviewed-by: Todd Lipcon <to...@apache.org>
Tested-by: Todd Lipcon <to...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/0c3f82db
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/0c3f82db
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/0c3f82db

Branch: refs/heads/master
Commit: 0c3f82db1f8602f8a9047dbf5493b3d4eb9d9524
Parents: 085f1e0
Author: Todd Lipcon <to...@apache.org>
Authored: Sun Feb 26 13:24:55 2017 -0800
Committer: Todd Lipcon <to...@apache.org>
Committed: Sun Feb 26 22:36:07 2017 +0000

----------------------------------------------------------------------
 src/kudu/integration-tests/security-itest.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/0c3f82db/src/kudu/integration-tests/security-itest.cc
----------------------------------------------------------------------
diff --git a/src/kudu/integration-tests/security-itest.cc b/src/kudu/integration-tests/security-itest.cc
index a3268ef..71b0d28 100644
--- a/src/kudu/integration-tests/security-itest.cc
+++ b/src/kudu/integration-tests/security-itest.cc
@@ -146,10 +146,13 @@ TEST_F(SecurityITest, TestNoKerberosCredentials) {
 
   client::sp::shared_ptr<KuduClient> client;
   Status s = cluster_->CreateClient(nullptr, &client);
+  // The error message differs on el6 from newer krb5 implementations,
+  // so we'll check for either one.
   ASSERT_STR_MATCHES(s.ToString(),
                      "Not authorized: Could not connect to the cluster: "
                      "Client connection negotiation failed: client connection "
-                     "to .*: No Kerberos credentials available");
+                     "to .*: (No Kerberos credentials available|"
+                     "Credentials cache file.*not found)");
 }
 
 // Test cluster access by a user who is not authorized as a client.
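Review bot: The added alternative "Credentials cache file.*not found" in the ASSERT_STR_MATCHES pattern is loose: the unanchored ".*" matches any text between "file" and "not found", and the assertion now accepts either message on every platform, so a regression that changes the message on newer krb5 would still pass if it happened to produce the el6 form. Consider quoting the exact el6 message in the new comment and pinning as much of its fixed text as possible in the pattern. The comment should also say which alternative belongs to which krb5 version, so the el6 branch can be dropped when that platform is no longer tested.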