Posted to common-dev@hadoop.apache.org by Raghavendra Nandagopal <as...@gmail.com> on 2014/06/19 02:17:07 UTC

Renewable Ticket using Keytab through JAAS API

Hi,
   Checking if you had come across the same problem while implementing
security in Hadoop, specifically auto ticket renewal.

   I am using a keytab file with the below JAAS configuration.

com.sun.security.auth.module.Krb5LoginModule required
useKeyTab = true
useTicketCache = true
keyTab="xyz.keytab"
storeKey=true
principal="user/xyz.com"

The configuration works only if kinit is called beforehand and the
ticket is present in the cache.  I am checking a condition for a renewable
ticket using the JAAS API and it works.

Now if I modify the JAAS configuration not to use the ticket cache, i.e., by
setting useTicketCache = false, then without calling kinit and just
using the keytab it is failing to set the renewable flag, although I am able to
get the ticket authenticated from Kerberos using the JAAS API.  Below is
the JAAS configuration.

com.sun.security.auth.module.Krb5LoginModule required
useKeyTab = true
useTicketCache = false
keyTab="xyz.keytab"
storeKey=true
principal="user/xyz.com"

Please let me know how we can use a keytab in the JAAS API, bypassing the kinit
command, so that the renewable ticket flag is set.

Thanks,
Raghav
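
An added example, not part of the original message: a way to inspect the flags on the ticket obtained by the keytab-only configuration above through the JAAS API. The class name `KeytabTicketFlags` and the entry name `KeytabLogin` are assumptions made for this example; the principal and keytab values are the ones quoted in the post, and running it needs a reachable KDC and that keytab.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class KeytabTicketFlags {
    // Builds the keytab-only entry from the post in code instead of a JAAS file.
    static Configuration keytabOnly(String principal, String keyTab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("useTicketCache", "false");
        opts.put("keyTab", keyTab);
        opts.put("storeKey", "true");
        opts.put("principal", principal);
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Principal and keytab path are the values quoted in the post.
        Configuration conf = keytabOnly("user/xyz.com", "xyz.keytab");
        // "KeytabLogin" is an arbitrary entry name chosen for this example.
        LoginContext lc = new LoginContext("KeytabLogin", null, null, conf);
        lc.login();
        Subject subject = lc.getSubject();
        // The login module stores the TGT as a private credential of the Subject.
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("server     : " + t.getServer());
            System.out.println("renewable  : " + t.isRenewable());
            System.out.println("renewTill  : " + t.getRenewTill()); // null if not renewable
            System.out.println("endTime    : " + t.getEndTime());
            System.out.println("forwardable: " + t.isForwardable());
        }
        lc.logout();
    }
}
```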