You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2015/02/22 23:53:12 UTC

[jira] [Updated] (AMBARI-9742) Kerberos: fails when entering admin principal with blank password

     [ https://issues.apache.org/jira/browse/AMBARI-9742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-9742:
---------------------------------
    Description: 
Note: I don't believe the below is specific to add host, but related to the prompting and how the set admin cred works in case of a blank password. I hit this during testing of add host though.

- install cluster, kerberize
- add host (be sure to use a new browser so you know it will prompt for kerb admin credentials)
- got to the review part of add host, click deploy
- prompted for admin creds (as expected)
- tried messing around by putting in bad creds and that seemed to work...
- expect when I put in the right admin cred principal name (admin/admin) but a blank password. I was surprised it allowed me to click save (because the password field was blank)
- so I click save, dialog disappears and I am cannot get it to re-prompt.
- this is what it PUT and the response was blank...
 
{code}
[{"session_attributes":{"kerberos_admin":{"principal":"admin/admin","password":""}}}]:
Response Headersview source
{code}

in ambari-server.log, nothing

{code}
17:58:05,860  INFO [qtp1257282095-603] AmbariManagementControllerImpl:1171 - Received a updateCluster request, clusterId=2, clusterName=MyCluster, securityType=null, request={ clusterName=MyCluster, clusterId=2, provisioningState=null, securityType=null, stackVersion=HDP-2.2, desired_scv=null, hosts=[] }
{code}

- back in wizard doesn't solve it. had to completely exit wizard and ambari web to start again

The overall issue is how the credentials are being validated.  If no password is being set, the command to test the credentials when using a MIT KDC generates the following command:
{code}
kadmin -p admin/admin -w "" -r EXAMPLE.COM -q 'get_principal admin/admin'
{code}

The empty password ({{-w ""}}) in the command creates an interactive session where the command is waiting for data on STDIN, thus hanging the process.

An empty password should not cause the same behavior when using Active Directory.

  was:
Note: I don't believe the below is specific to add host, but related to the prompting and how the set admin cred works in case of a blank password. I hit this during testing of add host though.

- install cluster, kerberize
- add host (be sure to use a new browser so you know it will prompt for kerb admin credentials)
- got to the review part of add host, click deploy
- prompted for admin creds (as expected)
- tried messing around by putting in bad creds and that seemed to work...
- expect when I put in the right admin cred principal name (admin/admin) but a blank password. I was surprised it allowed me to click save (because the password field was blank)
- so I click save, dialog disappears and I am cannot get it to re-prompt.
- this is what it PUT and the response was blank...
 
{code}
[{"session_attributes":{"kerberos_admin":{"principal":"admin/admin","password":""}}}]:
Response Headersview source
{code}

in ambari-server.log, nothing

{code}
17:58:05,860  INFO [qtp1257282095-603] AmbariManagementControllerImpl:1171 - Received a updateCluster request, clusterId=2, clusterName=MyCluster, securityType=null, request={ clusterName=MyCluster, clusterId=2, provisioningState=null, securityType=null, stackVersion=HDP-2.2, desired_scv=null, hosts=[] }
{code}

- back in wizard doesn't solve it. had to completely exit wizard and ambari web to start again

The overall issue is how the credentials are being validated.  If no password is being set, the command to test the credentials when using a MIT KDC generates the following command:
{code}
kadmin -p admin/admin -w "" -r EXAMPLE.COM -q 'get_principal admin/admin'
{code}

The empty password ({{-w ""}}) in the command creates an interactive session where the command is waiting for data on STDIN, thus hanging the process.

This most likely does not affect an Active Directory scenario.


> Kerberos: fails when entering admin principal with blank password 
> ------------------------------------------------------------------
>
>                 Key: AMBARI-9742
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9742
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: kerberos
>             Fix For: 2.0.0
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> Note: I don't believe the below is specific to add host, but related to the prompting and how the set admin cred works in case of a blank password. I hit this during testing of add host though.
> - install cluster, kerberize
> - add host (be sure to use a new browser so you know it will prompt for kerb admin credentials)
> - got to the review part of add host, click deploy
> - prompted for admin creds (as expected)
> - tried messing around by putting in bad creds and that seemed to work...
> - expect when I put in the right admin cred principal name (admin/admin) but a blank password. I was surprised it allowed me to click save (because the password field was blank)
> - so I click save, dialog disappears and I am cannot get it to re-prompt.
> - this is what it PUT and the response was blank...
>  
> {code}
> [{"session_attributes":{"kerberos_admin":{"principal":"admin/admin","password":""}}}]:
> Response Headersview source
> {code}
> in ambari-server.log, nothing
> {code}
> 17:58:05,860  INFO [qtp1257282095-603] AmbariManagementControllerImpl:1171 - Received a updateCluster request, clusterId=2, clusterName=MyCluster, securityType=null, request={ clusterName=MyCluster, clusterId=2, provisioningState=null, securityType=null, stackVersion=HDP-2.2, desired_scv=null, hosts=[] }
> {code}
> - back in wizard doesn't solve it. had to completely exit wizard and ambari web to start again
> The overall issue is how the credentials are being validated.  If no password is being set, the command to test the credentials when using a MIT KDC generates the following command:
> {code}
> kadmin -p admin/admin -w "" -r EXAMPLE.COM -q 'get_principal admin/admin'
> {code}
> The empty password ({{-w ""}}) in the command creates an interactive session where the command is waiting for data on STDIN, thus hanging the process.
> An empty password should not cause the same behavior when using Active Directory.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)