You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/05/07 20:48:42 UTC
Review Request 33952: Ambari uses users' interactive ticket cache
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/33952/
-----------------------------------------------------------
Review request for Ambari, Erik Bergenholtz, Sid Wagle, and Tom Beerbower.
Bugs: AMBARI-11001
https://issues.apache.org/jira/browse/AMBARI-11001
Repository: ambari
Description
-------
It appears that it is necessary to kinit prior to starting ambari-server, even after ambari-server setup-security (#3). It seems that this should be automatically handled by Ambari.
Ambari-server should NOT use the same ticket cache as the interactive user.
STR:
1. kinit
2. ambari-server start
3. verify that ambari-server can authenticate with ticket specified in #1
4. kdestroy
5. try to authenticate through Ambari again (it will not work)
#Solution#
Ensure JAAS Login works properly such that the Kerberos tickets for the account that executes Ambari is not relevant.
Diffs
-----
ambari-server/conf/unix/krb5JAASLogin.conf b667081
ambari-server/conf/windows/krb5JAASLogin.conf 2db9959
Diff: https://reviews.apache.org/r/33952/diff/
Testing
-------
Manually tested using the Ambari File View to ensure Kerberos authentication was perfromed via JAAS internal to Ambari and not relying on interactive user ticket cache
Thanks,
Robert Levas
Re: Review Request 33952: Ambari uses users' interactive ticket cache
Posted by Tom Beerbower <tb...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/33952/#review82909
-----------------------------------------------------------
Ship it!
Ship It!
- Tom Beerbower
On May 7, 2015, 6:48 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/33952/
> -----------------------------------------------------------
>
> (Updated May 7, 2015, 6:48 p.m.)
>
>
> Review request for Ambari, Erik Bergenholtz, Sid Wagle, and Tom Beerbower.
>
>
> Bugs: AMBARI-11001
> https://issues.apache.org/jira/browse/AMBARI-11001
>
>
> Repository: ambari
>
>
> Description
> -------
>
> It appears that it is necessary to kinit prior to starting ambari-server, even after ambari-server setup-security (#3). It seems that this should be automatically handled by Ambari.
>
> Ambari-server should NOT use the same ticket cache as the interactive user.
>
> STR:
> 1. kinit
> 2. ambari-server start
> 3. verify that ambari-server can authenticate with ticket specified in #1
> 4. kdestroy
> 5. try to authenticate through Ambari again (it will not work)
>
> #Solution#
> Ensure JAAS Login works properly such that the Kerberos tickets for the account that executes Ambari is not relevant.
>
>
> Diffs
> -----
>
> ambari-server/conf/unix/krb5JAASLogin.conf b667081
> ambari-server/conf/windows/krb5JAASLogin.conf 2db9959
>
> Diff: https://reviews.apache.org/r/33952/diff/
>
>
> Testing
> -------
>
> Manually tested using the Ambari File View to ensure Kerberos authentication was perfromed via JAAS internal to Ambari and not relying on interactive user ticket cache
>
>
> Thanks,
>
> Robert Levas
>
>