You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2015/02/25 02:18:04 UTC
[jira] [Created] (AMBARI-9785) Root user has spnego (HTTP) kerberos
ticket set after Kerberos is enabled, root should have no ticket.
Robert Levas created AMBARI-9785:
------------------------------------
Summary: Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.
Key: AMBARI-9785
URL: https://issues.apache.org/jira/browse/AMBARI-9785
Project: Ambari
Issue Type: Bug
Components: ambari-agent
Affects Versions: 2.0.0
Reporter: Robert Levas
Assignee: Robert Levas
Priority: Blocker
Fix For: 2.0.0
After enabling Kerberos, the root user has the spnego user set for it
{code}
[root@c6501 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/c6501.ambari.apache.org@EXAMPLE.COM
Valid starting Expires Service principal
02/18/15 22:14:51 02/19/15 22:14:51 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 02/18/15 22:14:51
{code}
It appears that the issue is related to the agent-side scheduler and/or some job that is scheduled to run periodically. Apparently some job is kinit-ing with the SPNEGO identity as the running user (root in this case) without changing the ticket cache. Thus whenever the job runs the root user's ticket cache gets changed to contain the SPNEGO identity's ticket.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)