You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/05/07 20:48:42 UTC

Review Request 33952: Ambari uses users' interactive ticket cache

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/33952/
-----------------------------------------------------------

Review request for Ambari, Erik Bergenholtz, Sid Wagle, and Tom Beerbower.


Bugs: AMBARI-11001
    https://issues.apache.org/jira/browse/AMBARI-11001


Repository: ambari


Description
-------

It appears that it is necessary to kinit prior to starting ambari-server, even after ambari-server setup-security (#3). It seems that this should be automatically handled by Ambari. 

Ambari-server should NOT use the same ticket cache as the interactive user. 

STR:
1. kinit
2. ambari-server start
3. verify that ambari-server can authenticate with ticket specified in #1
4. kdestroy
5. try to authenticate through Ambari again (it will not work)

#Solution#
Ensure JAAS Login works properly such that the Kerberos tickets for the account that executes Ambari is not relevant.


Diffs
-----

  ambari-server/conf/unix/krb5JAASLogin.conf b667081 
  ambari-server/conf/windows/krb5JAASLogin.conf 2db9959 

Diff: https://reviews.apache.org/r/33952/diff/


Testing
-------

Manually tested using the Ambari File View to ensure Kerberos authentication was perfromed via JAAS internal to Ambari and not relying on interactive user ticket cache


Thanks,

Robert Levas

Re: Review Request 33952: Ambari uses users' interactive ticket cache

Posted by Tom Beerbower <tb...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/33952/#review82909
-----------------------------------------------------------

Ship it!


Ship It!

- Tom Beerbower


On May 7, 2015, 6:48 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/33952/
> -----------------------------------------------------------
> 
> (Updated May 7, 2015, 6:48 p.m.)
> 
> 
> Review request for Ambari, Erik Bergenholtz, Sid Wagle, and Tom Beerbower.
> 
> 
> Bugs: AMBARI-11001
>     https://issues.apache.org/jira/browse/AMBARI-11001
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> It appears that it is necessary to kinit prior to starting ambari-server, even after ambari-server setup-security (#3). It seems that this should be automatically handled by Ambari. 
> 
> Ambari-server should NOT use the same ticket cache as the interactive user. 
> 
> STR:
> 1. kinit
> 2. ambari-server start
> 3. verify that ambari-server can authenticate with ticket specified in #1
> 4. kdestroy
> 5. try to authenticate through Ambari again (it will not work)
> 
> #Solution#
> Ensure JAAS Login works properly such that the Kerberos tickets for the account that executes Ambari is not relevant.
> 
> 
> Diffs
> -----
> 
>   ambari-server/conf/unix/krb5JAASLogin.conf b667081 
>   ambari-server/conf/windows/krb5JAASLogin.conf 2db9959 
> 
> Diff: https://reviews.apache.org/r/33952/diff/
> 
> 
> Testing
> -------
> 
> Manually tested using the Ambari File View to ensure Kerberos authentication was perfromed via JAAS internal to Ambari and not relying on interactive user ticket cache
> 
> 
> Thanks,
> 
> Robert Levas
> 
>