Posted to reviews@ambari.apache.org by Attila Magyar <am...@hortonworks.com> on 2017/05/30 15:21:37 UTC

Review Request 59637: Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59637/
-----------------------------------------------------------

Review request for Ambari, Balázs Bence Sári, Robert Levas, and Sebastian Toader.


Bugs: AMBARI-21146
    https://issues.apache.org/jira/browse/AMBARI-21146


Repository: ambari


Description
-------

The JAAS configuration for Knox allows the interactive user's ticket cache to be used to establish the service's identity when starting up. This is problematic and potentially confusing. To prevent this, the JAAS config should be set as follows:


com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
  storeKey=true
  useTicketCache=false;
};

Note: the keytab file and principal name values need to be set based on the relevant Kerberos configuration.


Diffs
-----

  ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/templates/krb5JAASLogin.conf.j2 fa3237b 
  ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/templates/krb5JAASLogin.conf.j2 fa3237b 


Diff: https://reviews.apache.org/r/59637/diff/1/


Testing
-------

manually:
  - Added Knox to a kerberized cluster
  - checked the content of the generated krb5JAASLogin.conf file (/etc/knox/2.6.1.0-125/0/krb5JAASLogin.conf)

Existing tests: 
----------------------------------------------------------------------
Ran 273 tests in 6.832s
OK
----------------------------------------------------------------------
Total run:1171
Total errors:0
Total failures:0
Ran 467 tests in 18.265s
OK

Results :
Tests run: 4981, Failures: 0, Errors: 0, Skipped: 39


Thanks,

Attila Magyar
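
The manual check of the generated krb5JAASLogin.conf described under Testing can be automated. The following Python checker is an added example, not part of the original review request or of Ambari; the names `parse_jaas` and `audit`, the choice to require the options explicitly, and the ticket-cache counter-example are assumptions made for illustration.

```python
import re

# Values the review request's configuration sets; this checker wants them explicit.
REQUIRED = {"useKeyTab": "true", "doNotPrompt": "true", "useTicketCache": "false"}
KRB5 = "com.sun.security.auth.module.Krb5LoginModule"

def parse_jaas(text):  # -> {entry: [(module, flag, {option: value}), ...]}
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)      # whole-line comments
    entries = {}
    for name, body in re.findall(r"([\w.\-]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        entries[name] = []
        for stanza in body.split(";"):                     # one login module each
            tok = re.findall(r'[^\s=]+=(?:"[^"]*"|\S+)|\S+',
                             re.sub(r"\s*=\s*", "=", stanza))
            if len(tok) >= 2:
                opts = dict(t.split("=", 1) for t in tok[2:] if "=" in t)
                opts = {k: v.strip('"') for k, v in opts.items()}
                entries[name].append((tok[0], tok[1], opts))
    return entries

def audit(text):
    """Findings for each Krb5LoginModule stanza; an empty list means compliant."""
    findings = []
    for name, modules in parse_jaas(text).items():
        for opts in (o for module, _flag, o in modules if module == KRB5):
            for key, want in REQUIRED.items():
                got = opts.get(key, "<unset>")
                if got.lower() != want:
                    findings.append(f"{name}: {key}={got}, expected {want}")
            for key in ("keyTab", "principal"):
                if not opts.get(key):
                    findings.append(f"{name}: {key} is not set")
    return findings

# The stanza from the review request, condensed onto fewer lines (renewTGT omitted).
FIXED = """com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true useKeyTab=true storeKey=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
  useTicketCache=false;
};"""
# Constructed counter-example: the same stanza with the ticket cache enabled.
CACHE_ON = FIXED.replace("useTicketCache=false", "useTicketCache=true")

if __name__ == "__main__":
    for label, conf in (("fixed", FIXED), ("ticket cache on", CACHE_ON)):
        print(label, "->", audit(conf) or "OK")
```

The parser splits stanzas on `;` and does not handle a semicolon or closing brace inside a quoted value, which the templates in this review do not use.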


Re: Review Request 59637: Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup

Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59637/#review176311
-----------------------------------------------------------


Ship it!

- Sebastian Toader


On May 30, 2017, 5:21 p.m., Attila Magyar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59637/
> -----------------------------------------------------------
> 
> (Updated May 30, 2017, 5:21 p.m.)
> 
> 
> Review request for Ambari, Balázs Bence Sári, Robert Levas, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-21146
>     https://issues.apache.org/jira/browse/AMBARI-21146
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> The JAAS configuration for Knox allows the interactive user's ticket cache to be used to establish the service's identity when starting up. This is problematic and potentially confusing. To prevent this, the JAAS config should be set as follows:
> 
> 
> com.sun.security.jgss.initiate {
>   com.sun.security.auth.module.Krb5LoginModule required
>   renewTGT=false
>   doNotPrompt=true
>   useKeyTab=true
>   keyTab="/etc/security/keytabs/knox.service.keytab"
>   principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
>   storeKey=true
>   useTicketCache=false;
> };
> 
> Note: the keytab file and principal name values need to be set based on the relevant Kerberos configuration.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/templates/krb5JAASLogin.conf.j2 fa3237b 
>   ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/templates/krb5JAASLogin.conf.j2 fa3237b 
> 
> 
> Diff: https://reviews.apache.org/r/59637/diff/1/
> 
> 
> Testing
> -------
> 
> manually:
>   - Added Knox to a kerberized cluster
>   - checked the content of the generated krb5JAASLogin.conf file (/etc/knox/2.6.1.0-125/0/krb5JAASLogin.conf)
> 
> Existing tests: 
> ----------------------------------------------------------------------
> Ran 273 tests in 6.832s
> OK
> ----------------------------------------------------------------------
> Total run:1171
> Total errors:0
> Total failures:0
> Ran 467 tests in 18.265s
> OK
> 
> Results :
> Tests run: 4981, Failures: 0, Errors: 0, Skipped: 39
> 
> 
> Thanks,
> 
> Attila Magyar
> 
>


Re: Review Request 59637: Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup

Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59637/#review176310
-----------------------------------------------------------


Ship it!

- Robert Levas


On May 30, 2017, 11:21 a.m., Attila Magyar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59637/
> -----------------------------------------------------------
> 
> (Updated May 30, 2017, 11:21 a.m.)
> 
> 
> Review request for Ambari, Balázs Bence Sári, Robert Levas, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-21146
>     https://issues.apache.org/jira/browse/AMBARI-21146
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> The JAAS configuration for Knox allows the interactive user's ticket cache to be used to establish the service's identity when starting up. This is problematic and potentially confusing. To prevent this, the JAAS config should be set as follows:
> 
> 
> com.sun.security.jgss.initiate {
>   com.sun.security.auth.module.Krb5LoginModule required
>   renewTGT=false
>   doNotPrompt=true
>   useKeyTab=true
>   keyTab="/etc/security/keytabs/knox.service.keytab"
>   principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
>   storeKey=true
>   useTicketCache=false;
> };
> 
> Note: the keytab file and principal name values need to be set based on the relevant Kerberos configuration.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/templates/krb5JAASLogin.conf.j2 fa3237b 
>   ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/templates/krb5JAASLogin.conf.j2 fa3237b 
> 
> 
> Diff: https://reviews.apache.org/r/59637/diff/1/
> 
> 
> Testing
> -------
> 
> manually:
>   - Added Knox to a kerberized cluster
>   - checked the content of the generated krb5JAASLogin.conf file (/etc/knox/2.6.1.0-125/0/krb5JAASLogin.conf)
> 
> Existing tests: 
> ----------------------------------------------------------------------
> Ran 273 tests in 6.832s
> OK
> ----------------------------------------------------------------------
> Total run:1171
> Total errors:0
> Total failures:0
> Ran 467 tests in 18.265s
> OK
> 
> Results :
> Tests run: 4981, Failures: 0, Errors: 0, Skipped: 39
> 
> 
> Thanks,
> 
> Attila Magyar
> 
>