Posted to commits@sentry.apache.org by "Dapeng Sun (JIRA)" <ji...@apache.org> on 2015/09/25 09:16:04 UTC
[jira] [Comment Edited] (SENTRY-900) User could access sentry metric info by curl without authorization
[ https://issues.apache.org/jira/browse/SENTRY-900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14907733#comment-14907733 ]
Dapeng Sun edited comment on SENTRY-900 at 9/25/15 7:15 AM:
------------------------------------------------------------
Committed to master. Thank Haodong and Colin.
was (Author: dapengsun):
Committed to master. Thank Colin.
> User could access sentry metric info by curl without authorization
> ------------------------------------------------------------------
>
> Key: SENTRY-900
> URL: https://issues.apache.org/jira/browse/SENTRY-900
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 1.6.0
> Environment: centos 6.5
> Reporter: Shishaodong
> Assignee: Dapeng Sun
> Priority: Critical
> Fix For: 1.7.0
>
> Attachments: SENTRY-900.001.patch
>
>
> 1. Configure /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = NOVALOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = true
> udp_preference_limit = 1000000
> allow_weak_crypto = true
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> [realms]
> NOVALOCAL = {
> kdc = server-XXXXX.novalocal
> admin_server = server-XXXXX.novalocal
> }
> [domain_realm]
> .novalocal = NOVALOCAL
> novalocal = NOVALOCAL
> Copy /etc/krb5.conf on KDC to all other cluster nodes
> 2. Configure /var/kerberos/krb5kdc/kdc.conf
> [kdcdefaults]
> kdc_ports = 88
> kdc_tcp_ports = 88
> [realms]
> NOVALOCAL = {
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> master_key_type = des3-hmac-sha1
> supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
> }
> 3. Specify the KDC encryption type
> des-cbc-md5
> 4. Generate sentry.service.web.authentication.kerberos.keytab
> kadmin -w 123456 -p kadmin/admin -q 'xst -k /opt/HTTP.keytab HTTP/server-2406.novalocal@NOVALOCAL'
> 5. Sentry Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml
> <property>
> <name>sentry.service.web.enable</name>
> <value>true</value>
> </property>
> <property>
> <name>sentry.service.web.port</name>
> <value>51000</value>
> </property>
> <property>
> <name>sentry.service.web.authentication.type</name>
> <value>KERBEROS</value>
> </property>
> <property>
> <name>sentry.service.web.authentication.kerberos.principal</name>
> <value>HTTP/server-2406.novalocal@NOVALOCAL</value>
> </property>
> <property>
> <name>sentry.service.web.authentication.kerberos.keytab</name>
> <value>/opt/HTTP.keytab</value>
> </property>
> <property>
> <name>sentry.service.web.authentication.allow.connect.users</name>
> <value>dong</value>
> </property>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
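The report above shows a metrics endpoint reachable without credentials even though sentry-site.xml requested Kerberos authentication, so the first thing a defender wants to rule out is a configuration explanation. The following Python check is an added example, not code from the ticket or from the Sentry project: it audits the web-authentication properties quoted in step 5 and flags the weak enctypes in the quoted krb5.conf; both sample inputs are constructed from the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the sentry-site.xml snippet from the report, wrapped in the
# <configuration> root element that Hadoop-style site files use.
SENTRY_SITE = """<configuration>
<property><name>sentry.service.web.enable</name><value>true</value></property>
<property><name>sentry.service.web.port</name><value>51000</value></property>
<property><name>sentry.service.web.authentication.type</name><value>KERBEROS</value></property>
<property><name>sentry.service.web.authentication.kerberos.principal</name>
<value>HTTP/server-2406.novalocal@NOVALOCAL</value></property>
<property><name>sentry.service.web.authentication.kerberos.keytab</name><value>/opt/HTTP.keytab</value></property>
<property><name>sentry.service.web.authentication.allow.connect.users</name><value>dong</value></property>
</configuration>"""

# Constructed sample: the enctype lines from the report's krb5.conf [libdefaults].
KRB5_LIBDEFAULTS = """allow_weak_crypto = true
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1"""

def parse_site_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style site file."""
    root = ET.fromstring(text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def audit_web_auth(props):
    """Return findings that would explain unauthenticated web access by configuration alone."""
    findings = []
    if props.get("sentry.service.web.enable", "false").lower() != "true":
        return findings                       # web server disabled: nothing exposed
    if props.get("sentry.service.web.authentication.type", "NONE").upper() != "KERBEROS":
        findings.append("web endpoint enabled without Kerberos authentication")
        return findings
    principal = props.get("sentry.service.web.authentication.kerberos.principal", "")
    if not principal.startswith("HTTP/"):     # SPNEGO requires an HTTP/ service principal
        findings.append("kerberos.principal is not an HTTP/ service principal")
    if not props.get("sentry.service.web.authentication.kerberos.keytab"):
        findings.append("kerberos.keytab is not set")
    if not props.get("sentry.service.web.authentication.allow.connect.users"):
        findings.append("allow.connect.users is empty")
    return findings

# Single-DES only works with allow_weak_crypto = true; 3DES and RC4 are deprecated in MIT Kerberos.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

def weak_enctypes(krb5_text):
    """Return the weak or deprecated enctypes named on any *_enctypes line."""
    found = set()
    for m in re.finditer(r"^\s*\w+_enctypes\s*=\s*(.+)$", krb5_text, re.M):
        found.update(t for t in m.group(1).split() if t in WEAK_ENCTYPES)
    return found
```

An empty result from `audit_web_auth` on the quoted configuration means the unauthenticated access cannot be blamed on the settings, which is what makes the report a server-side bug rather than a deployment mistake.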