[
https://issues.apache.org/jira/browse/AIRFLOW-987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15925630#comment-15925630
]
Ruslan Dautkhanov edited comment on AIRFLOW-987 at 3/15/17 6:47 AM:
--------------------------------------------------------------------
kerberos.py:39 - it always gets principal and keytab from configuration
(airflow.cfg):
https://github.com/apache/incubator-airflow/blob/master/airflow/security/kerberos.py#L39
{code}
"-t", configuration.get('kerberos', 'keytab'), # specify keytab
"-c", configuration.get('kerberos', 'ccache'), # specify credentials cache
{code}
Notice help for `airflow kerberos`:
{noformat}
$ airflow kerberos -h
[2017-03-15 00:40:12,215] {__init__.py:57} INFO - Using executor LocalExecutor
usage: airflow kerberos [-h] [-kt [KEYTAB]] [--pid [PID]] [-D]
[--stdout STDOUT] [--stderr STDERR] [-l LOG_FILE]
[principal]
{noformat}
One can think that you can provide principal and keytab as `airflow kerberos`
arguments - that's not true and it's a bug.
It's not a critical bug, though, as I was able to get `airflow kerberos`
working just by adding a kerberos section to airflow.cfg.
`airflow kerberos -h` has to be corrected to reflect that `airflow kerberos`
doesn't actually accept principal and keytab as arguments.
Thank you.
was (Author: tagar):
kerberos.py:39 - it always gets principal and keytab from configuration
(airflow.cfg):
https://github.com/apache/incubator-airflow/blob/master/airflow/security/kerberos.py#L39
{code}
"-t", configuration.get('kerberos', 'keytab'), # specify keytab
"-c", configuration.get('kerberos', 'ccache'), # specify credentials cache
{code}
Notice help for `airflow kerberos`:
{noformat}
$ airflow kerberos -h
[2017-03-15 00:40:12,215] {__init__.py:57} INFO - Using executor LocalExecutor
usage: airflow kerberos [-h] [-kt [KEYTAB]] [--pid [PID]] [-D]
[--stdout STDOUT] [--stderr STDERR] [-l LOG_FILE]
[principal]
{noformat}
One can think that you can provide principal and keytab as `airflow kerberos` -
that's not true and it's a bug.
It's not a critical bug, though, as I was able to get `airflow kerberos`
working just by adding a kerberos section to airflow.cfg.
`airflow kerberos -h` has to be corrected to reflect that `airflow kerberos`
doesn't actually accept principal and keytab as arguments.
Thank you.
> `airflow kerberos` ignores --keytab and --principal arguments
> -------------------------------------------------------------
>
> Key: AIRFLOW-987
> URL: https://issues.apache.org/jira/browse/AIRFLOW-987
> Project: Apache Airflow
> Issue Type: Bug
> Components: security
> Affects Versions: Airflow 1.8
> Environment: 1.8-rc5
> Reporter: Ruslan Dautkhanov
> Assignee: Bolke de Bruin
> Labels: easyfix, kerberos, security
>
> No matter which arguments I pass to `airflow kerberos`,
> it always executes as `kinit -r 3600m -k -t airflow.keytab -c
> /tmp/airflow_krb5_ccache airflow`
> So it fails with expected "kinit: Keytab contains no suitable keys for
> [email protected] while getting initial credentials"
> Tried different arguments, -kt and --keytab, here's one of the runs (some
> lines wrapped for readability):
> {noformat}
> $ airflow kerberos -kt /home/rdautkha/.keytab [email protected]
> [2017-03-14 23:50:11,523] {__init__.py:57} INFO - Using executor LocalExecutor
> [2017-03-14 23:50:12,069] {kerberos.py:43} INFO - Reinitting kerberos from
> keytab:
> kinit -r 3600m -k -t airflow.keytab -c /tmp/airflow_krb5_ccache airflow
> [2017-03-14 23:50:12,080] {kerberos.py:55} ERROR -
> Couldn't reinit from keytab! `kinit' exited with 1.
> kinit: Keytab contains no suitable keys for [email protected]
> while getting initial credentials
> {noformat}
> 1.8-rc5
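The behaviour the help text implies, as an added example (not code from Airflow or from this thread): the kinit command line is built so that a principal and keytab given on the command line override the [kerberos] section, and the config is used only as a fallback. The config keys `principal` and `reinit_frequency`, the function names, and the sample keytab path and principal are assumptions made for the illustration.

```python
import argparse
import configparser

# Constructed stand-in for the [kerberos] section of airflow.cfg; the values
# mirror the kinit command line shown in the issue's log output.
# `principal` and `reinit_frequency` are assumed key names.
SAMPLE_CFG = """
[kerberos]
keytab = airflow.keytab
ccache = /tmp/airflow_krb5_ccache
principal = airflow
reinit_frequency = 3600
"""

def load_config(text=SAMPLE_CFG):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg

def build_parser():
    # The two options from the `airflow kerberos -h` usage line that the
    # issue is about; daemon and logging options are left out.
    parser = argparse.ArgumentParser(prog="airflow kerberos")
    parser.add_argument("principal", nargs="?", default=None)
    parser.add_argument("-kt", "--keytab", nargs="?", default=None)
    return parser

def kinit_argv(cfg, principal=None, keytab=None):
    """Build the kinit argv; explicit arguments win over the config file."""
    return [
        "kinit",
        "-r", cfg.get("kerberos", "reinit_frequency") + "m",
        "-k",
        "-t", keytab or cfg.get("kerberos", "keytab"),
        "-c", cfg.get("kerberos", "ccache"),
        principal or cfg.get("kerberos", "principal"),
    ]

def argv_from_cli(cli_args, cfg=None):
    ns = build_parser().parse_args(cli_args)
    cfg = cfg if cfg is not None else load_config()
    return kinit_argv(cfg, ns.principal, ns.keytab)

if __name__ == "__main__":
    # No arguments: falls back to the config, as in the issue's log.
    print(" ".join(argv_from_cli([])))
    # Placeholder keytab path and principal, constructed for the example.
    print(" ".join(argv_from_cli(["-kt", "/path/to/user.keytab", "user@EXAMPLE.COM"])))
```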