You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@bigtop.apache.org by "Patrick Taylor Ramsey (Created) (JIRA)" <ji...@apache.org> on 2012/04/14 00:19:16 UTC
[jira] [Created] (BIGTOP-530) [puppet] We currently xst the HTTP
principal multiple times, each time invalidating the previous one
[puppet] We currently xst the HTTP principal multiple times, each time invalidating the previous one
----------------------------------------------------------------------------------------------------
Key: BIGTOP-530
URL: https://issues.apache.org/jira/browse/BIGTOP-530
Project: Bigtop
Issue Type: Bug
Reporter: Patrick Taylor Ramsey
Priority: Minor
The HTTP principal is required for SPNEGO, so we now generate it and then include it in all of the service keytabs. Unfortunately, we add it to these keytabs using kadmin's xst command, which generates a new set of credentials for the HTTP principal and invalidates the old ones. A more correct approach would be to export the credential once and then inject it into the service keytabs using ktutil (though that doesn't change the fact that the way we get the service keytabs onto the hadoop nodes is insecure). Attaching a patch that implements this approach.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (BIGTOP-530) [puppet] We currently xst the HTTP
principal multiple times, each time invalidating the previous one
Posted by "Roman Shaposhnik (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/BIGTOP-530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Roman Shaposhnik updated BIGTOP-530:
------------------------------------
Fix Version/s: 0.4.0
> [puppet] We currently xst the HTTP principal multiple times, each time invalidating the previous one
> ----------------------------------------------------------------------------------------------------
>
> Key: BIGTOP-530
> URL: https://issues.apache.org/jira/browse/BIGTOP-530
> Project: Bigtop
> Issue Type: Bug
> Components: Deployment
> Affects Versions: 0.4.0
> Reporter: Patrick Taylor Ramsey
> Assignee: Patrick Taylor Ramsey
> Priority: Minor
> Fix For: 0.4.0
>
> Attachments: patch.txt
>
>
> The HTTP principal is required for SPNEGO, so we now generate it and then include it in all of the service keytabs. Unfortunately, we add it to these keytabs using kadmin's xst command, which generates a new set of credentials for the HTTP principal and invalidates the old ones. A more correct approach would be to export the credential once and then inject it into the service keytabs using ktutil (though that doesn't change the fact that the way we get the service keytabs onto the hadoop nodes is insecure). Attaching a patch that implements this approach.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (BIGTOP-530) [puppet] We currently xst the HTTP
principal multiple times, each time invalidating the previous one
Posted by "Patrick Taylor Ramsey (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/BIGTOP-530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Patrick Taylor Ramsey updated BIGTOP-530:
-----------------------------------------
Attachment: patch.txt
> [puppet] We currently xst the HTTP principal multiple times, each time invalidating the previous one
> ----------------------------------------------------------------------------------------------------
>
> Key: BIGTOP-530
> URL: https://issues.apache.org/jira/browse/BIGTOP-530
> Project: Bigtop
> Issue Type: Bug
> Components: Deployment
> Affects Versions: 0.4.0
> Reporter: Patrick Taylor Ramsey
> Priority: Minor
> Attachments: patch.txt
>
>
> The HTTP principal is required for SPNEGO, so we now generate it and then include it in all of the service keytabs. Unfortunately, we add it to these keytabs using kadmin's xst command, which generates a new set of credentials for the HTTP principal and invalidates the old ones. A more correct approach would be to export the credential once and then inject it into the service keytabs using ktutil (though that doesn't change the fact that the way we get the service keytabs onto the hadoop nodes is insecure). Attaching a patch that implements this approach.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (BIGTOP-530) [puppet] We currently xst the HTTP
principal multiple times, each time invalidating the previous one
Posted by "Peter Linnell (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/BIGTOP-530?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13253830#comment-13253830 ]
Peter Linnell commented on BIGTOP-530:
--------------------------------------
+1 LGTM
> [puppet] We currently xst the HTTP principal multiple times, each time invalidating the previous one
> ----------------------------------------------------------------------------------------------------
>
> Key: BIGTOP-530
> URL: https://issues.apache.org/jira/browse/BIGTOP-530
> Project: Bigtop
> Issue Type: Bug
> Components: Deployment
> Affects Versions: 0.4.0
> Reporter: Patrick Taylor Ramsey
> Assignee: Patrick Taylor Ramsey
> Priority: Minor
> Attachments: patch.txt
>
>
> The HTTP principal is required for SPNEGO, so we now generate it and then include it in all of the service keytabs. Unfortunately, we add it to these keytabs using kadmin's xst command, which generates a new set of credentials for the HTTP principal and invalidates the old ones. A more correct approach would be to export the credential once and then inject it into the service keytabs using ktutil (though that doesn't change the fact that the way we get the service keytabs onto the hadoop nodes is insecure). Attaching a patch that implements this approach.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (BIGTOP-530) [puppet] We currently xst the HTTP
principal multiple times, each time invalidating the previous one
Posted by "Patrick Taylor Ramsey (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/BIGTOP-530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Patrick Taylor Ramsey updated BIGTOP-530:
-----------------------------------------
Component/s: Deployment
Affects Version/s: 0.4.0
Assignee: Patrick Taylor Ramsey
> [puppet] We currently xst the HTTP principal multiple times, each time invalidating the previous one
> ----------------------------------------------------------------------------------------------------
>
> Key: BIGTOP-530
> URL: https://issues.apache.org/jira/browse/BIGTOP-530
> Project: Bigtop
> Issue Type: Bug
> Components: Deployment
> Affects Versions: 0.4.0
> Reporter: Patrick Taylor Ramsey
> Assignee: Patrick Taylor Ramsey
> Priority: Minor
> Attachments: patch.txt
>
>
> The HTTP principal is required for SPNEGO, so we now generate it and then include it in all of the service keytabs. Unfortunately, we add it to these keytabs using kadmin's xst command, which generates a new set of credentials for the HTTP principal and invalidates the old ones. A more correct approach would be to export the credential once and then inject it into the service keytabs using ktutil (though that doesn't change the fact that the way we get the service keytabs onto the hadoop nodes is insecure). Attaching a patch that implements this approach.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira