Posted to reviews@ambari.apache.org by Attila Magyar <am...@hortonworks.com> on 2017/05/30 15:21:37 UTC
Review Request 59637: Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59637/
-----------------------------------------------------------
Review request for Ambari, Balázs Bence Sári, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-21146
https://issues.apache.org/jira/browse/AMBARI-21146
Repository: ambari
Description
-------
The JAAS configuration for Knox allows the interactive user's ticket cache to be used to establish the service's identity when starting up. This is problematic and potentially confusing. To prevent this, the JAAS config should be set as follows:
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/knox.service.keytab"
    principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
    storeKey=true
    useTicketCache=false;
};
Note: the keytab file and principal name values need to be set based on the relevant Kerberos configuration.
Diffs
-----
ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/templates/krb5JAASLogin.conf.j2 fa3237b
ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/templates/krb5JAASLogin.conf.j2 fa3237b
Diff: https://reviews.apache.org/r/59637/diff/1/
Testing
-------
manually:
- Added Knox to a kerberized cluster
- checked the content of the generated krb5JAASLogin.conf file (/etc/knox/2.6.1.0-125/0/krb5JAASLogin.conf)
Existing tests:
----------------------------------------------------------------------
Ran 273 tests in 6.832s
OK
----------------------------------------------------------------------
Total run:1171
Total errors:0
Total failures:0
Ran 467 tests in 18.265s
OK
Results :
Tests run: 4981, Failures: 0, Errors: 0, Skipped: 39
Thanks,
Attila Magyar
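The manual check described in the request (reading the generated krb5JAASLogin.conf) can be automated. The following is an added example, not part of the original e-mail or of Ambari: a small Python audit that parses a JAAS file and reports every Krb5LoginModule setting that deviates from the values proposed above. The names parse_jaas, audit and POLICY, and the WEAK sample, are constructed for illustration.

```python
import re

# Policy taken from the JAAS settings proposed in the e-mail above.
POLICY = {"useTicketCache": "false", "useKeyTab": "true",
          "doNotPrompt": "true", "renewTGT": "false", "storeKey": "true"}
ENTRY_RE = re.compile(r"([\w.$-]+)\s*\{(.*?)\}\s*;", re.S)
STANZA_RE = re.compile(r'(?:"[^"]*"|[^";])+')   # text up to a ';' outside quotes
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')

def parse_jaas(text):
    """Return {entry name: [(module class, flag, {option: value}), ...]}."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"(?m)^\s*//.*$", "", text)           # whole-line comments
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        for stanza in STANZA_RE.findall(body):
            parts = stanza.split(None, 2)
            if len(parts) < 2:
                continue
            opts = {k: v.strip('"') for k, v in
                    OPTION_RE.findall(parts[2] if len(parts) > 2 else "")}
            entries.setdefault(name, []).append((parts[0], parts[1], opts))
    return entries

def audit(text):
    """List (entry, option, effective value) for each Krb5 setting off policy."""
    findings = []
    for entry, modules in parse_jaas(text).items():
        for module, _flag, opts in modules:
            if not module.endswith("Krb5LoginModule"):
                continue
            for key, want in POLICY.items():
                # Unset boolean options default to false in Krb5LoginModule.
                got = opts.get(key, "false").lower()
                if got != want:
                    findings.append((entry, key, got))
            findings += [(entry, k, "<unset>") for k in ("keyTab", "principal")
                         if not opts.get(k)]
    return findings

# The configuration from the e-mail, and a constructed weak variant of it.
HARDENED = '''com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false doNotPrompt=true useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
  storeKey=true useTicketCache=false;
};'''
WEAK = HARDENED.replace("useTicketCache=false", "useTicketCache=true")
print(audit(HARDENED), audit(WEAK))
```

An empty list means the entry matches the proposed settings; any tuple names the entry, the option and the value that would let the service log in from something other than its keytab.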
Re: Review Request 59637: Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59637/#review176311
-----------------------------------------------------------
Ship it!
Ship It!
- Sebastian Toader
On May 30, 2017, 5:21 p.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59637/
> -----------------------------------------------------------
>
> (Updated May 30, 2017, 5:21 p.m.)
>
>
> Review request for Ambari, Balázs Bence Sári, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-21146
> https://issues.apache.org/jira/browse/AMBARI-21146
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The JAAS configuration for Knox allows the interactive user's ticket cache to be used to establish the service's identity when starting up. This is problematic and potentially confusing. To prevent this, the JAAS config should be set as follows:
>
>
> com.sun.security.jgss.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     renewTGT=false
>     doNotPrompt=true
>     useKeyTab=true
>     keyTab="/etc/security/keytabs/knox.service.keytab"
>     principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
>     storeKey=true
>     useTicketCache=false;
> };
>
> Note: the keytab file and principal name values need to be set based on the relevant Kerberos configuration.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/templates/krb5JAASLogin.conf.j2 fa3237b
> ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/templates/krb5JAASLogin.conf.j2 fa3237b
>
>
> Diff: https://reviews.apache.org/r/59637/diff/1/
>
>
> Testing
> -------
>
> manually:
> - Added Knox to a kerberized cluster
> - checked the content of the generated krb5JAASLogin.conf file (/etc/knox/2.6.1.0-125/0/krb5JAASLogin.conf)
>
> Existing tests:
> ----------------------------------------------------------------------
> Ran 273 tests in 6.832s
> OK
> ----------------------------------------------------------------------
> Total run:1171
> Total errors:0
> Total failures:0
> Ran 467 tests in 18.265s
> OK
>
> Results :
> Tests run: 4981, Failures: 0, Errors: 0, Skipped: 39
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 59637: Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59637/#review176310
-----------------------------------------------------------
Ship it!
Ship It!
- Robert Levas
On May 30, 2017, 11:21 a.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59637/
> -----------------------------------------------------------
>
> (Updated May 30, 2017, 11:21 a.m.)
>
>
> Review request for Ambari, Balázs Bence Sári, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-21146
> https://issues.apache.org/jira/browse/AMBARI-21146
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The JAAS configuration for Knox allows the interactive user's ticket cache to be used to establish the service's identity when starting up. This is problematic and potentially confusing. To prevent this, the JAAS config should be set as follows:
>
>
> com.sun.security.jgss.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     renewTGT=false
>     doNotPrompt=true
>     useKeyTab=true
>     keyTab="/etc/security/keytabs/knox.service.keytab"
>     principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
>     storeKey=true
>     useTicketCache=false;
> };
>
> Note: the keytab file and principal name values need to be set based on the relevant Kerberos configuration.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/templates/krb5JAASLogin.conf.j2 fa3237b
> ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/templates/krb5JAASLogin.conf.j2 fa3237b
>
>
> Diff: https://reviews.apache.org/r/59637/diff/1/
>
>
> Testing
> -------
>
> manually:
> - Added Knox to a kerberized cluster
> - checked the content of the generated krb5JAASLogin.conf file (/etc/knox/2.6.1.0-125/0/krb5JAASLogin.conf)
>
> Existing tests:
> ----------------------------------------------------------------------
> Ran 273 tests in 6.832s
> OK
> ----------------------------------------------------------------------
> Total run:1171
> Total errors:0
> Total failures:0
> Ran 467 tests in 18.265s
> OK
>
> Results :
> Tests run: 4981, Failures: 0, Errors: 0, Skipped: 39
>
>
> Thanks,
>
> Attila Magyar
>
>