Posted to dev@knox.apache.org by "Jeffrey E Rodriguez (JIRA)" <ji...@apache.org> on 2017/03/30 00:50:41 UTC
[jira] [Comment Edited] (KNOX-916) When REST endpoint enables SPNEGO and there is valid kerberos ticket cache for knox user, REST call through knox will show 401 error
[ https://issues.apache.org/jira/browse/KNOX-916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15948166#comment-15948166 ]
Jeffrey E Rodriguez edited comment on KNOX-916 at 3/30/17 12:50 AM:
---------------------------------------------------------------------
Sarah, one issue about changing useTicketCache to false is that renewTGT would not work.
See:
https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
"renewTGT: Set this to true, if you want to renew the TGT. *If this is set, useTicketCache must also be set to true*; otherwise a configuration error will be returned."
Current setup for Knox is:
{code:title=Bar.java|borderStyle=solid}
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=true
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/knox/conf/knox.service.keytab"
    principal="knox@EXAMPLE.COM"
    isInitiator=true
    storeKey=true
    useTicketCache=true
    client=true;
};
{code}
was (Author: jeffreyr97):
Sarah, one issue about changing useTicketCache to false is that renewTGT would not work.
See:
https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
"renewTGT: Set this to true, if you want to renew the TGT. *If this is set, useTicketCache must also be set to true*; otherwise a configuration error will be returned."
> When REST endpoint enables SPNEGO and there is valid kerberos ticket cache for knox user, REST call through knox will show 401 error
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KNOX-916
> URL: https://issues.apache.org/jira/browse/KNOX-916
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 0.11.0
> Reporter: Shi Wang
> Assignee: Shi Wang
>
> For example, if webhdfs uses SPNEGO authentication, and you curl through knox, su knoxuser and klist: if there is a valid kerberos ticket cached for knoxuser, then it will show a 401 unauthorized error. But if the cached ticket has expired or there is no cached ticket, you get the correct 200 result.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
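
Added example (not part of the original message and not Knox code): a small Python check for the Krb5LoginModule rule quoted in the comment, which parses JAAS login entries and reports any that set renewTGT=true without useTicketCache=true. The entry name `proposed`, the function names and the sample text are constructed for illustration, and the parser assumes a file without comments.

```python
import re

# Constructed sample: a trimmed copy of the Knox entry from the comment, plus a
# hypothetical "proposed" entry with useTicketCache switched to false.
SAMPLE = '''
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=true
    useKeyTab=true
    keyTab="/etc/knox/conf/knox.service.keytab"
    useTicketCache=true;
};
proposed {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=true
    useKeyTab=true
    keyTab="/etc/knox/conf/knox.service.keytab"
    useTicketCache=false;
};
'''

ENTRY = re.compile(r'([\w.$-]+)\s*\{(.*?)\}\s*;', re.S)
MODULE = re.compile(
    r'([\w.$]+)\s+(required|requisite|sufficient|optional)\b(.*?);', re.S)
OPTION = re.compile(r'([\w.]+)\s*=\s*("[^"]*"|\S+)')

def parse_jaas(text):
    """Return {entry_name: [(module_class, control_flag, {option: value})]}."""
    config = {}
    for name, body in ENTRY.findall(text):
        config[name] = [
            (cls, flag, {k: v.strip('"') for k, v in OPTION.findall(opts)})
            for cls, flag, opts in MODULE.findall(body)
        ]
    return config

def check_renew_tgt(config):
    """Names of entries where renewTGT=true lacks useTicketCache=true."""
    def is_true(opts, key):
        # Both options default to false when absent.
        return opts.get(key, 'false').lower() == 'true'
    return [
        name for name, modules in config.items()
        for cls, _flag, opts in modules
        if cls.endswith('Krb5LoginModule')
        and is_true(opts, 'renewTGT') and not is_true(opts, 'useTicketCache')
    ]

if __name__ == '__main__':
    print(check_renew_tgt(parse_jaas(SAMPLE)))
```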