[ 
https://issues.apache.org/jira/browse/AIRFLOW-3144?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kris Wilson updated AIRFLOW-3144:
---------------------------------
    Description: 
At Twitter, we recently ran into an issue where an Airflow user was passing the 
wrong secrets file as their Kerberos service principal keytab. Airflow happily 
accepted this file (which contained plain old ASCII text) as a keytab and then 
broke at runtime with the following opaque log message:

 
{code:java}
[2018-10-01 23:45:14,976] ERROR in kerberos_ldap: Kerberos initialization error 
for HTTP@$REDACTED: ('Cannot get sequence cursor from keytab', 2){code}
 

This made the problem unclear. Rather than blindly accept any old file as a 
keytab, it would be awesome if Airflow could run a validation step against the 
keytab to confirm its validity on startup by shelling out to either `klist` or 
`kutil`.

 

  was:
At Twitter, we recently ran into an issue where an Airflow user was passing the 
wrong secrets file as their Kerberos keytab. Airflow happily accepted this file 
(which contained plain old ASCII text) as a keytab and then broke at runtime 
with the following opaque log message:

 
{code:java}
[2018-10-01 23:45:14,976] ERROR in kerberos_ldap: Kerberos initialization error 
for HTTP@$REDACTED: ('Cannot get sequence cursor from keytab', 2){code}
 

This made the problem unclear. Rather than blindly accept any old file as a 
keytab, it would be awesome if Airflow could run a validation step against the 
keytab to confirm its validity on startup by shelling out to either `klist` or 
`kutil`.

 


> Validate kerberos keytab on startup
> -----------------------------------
>
>                 Key: AIRFLOW-3144
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3144
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: authentication
>            Reporter: Kris Wilson
>            Priority: Minor
>
> At Twitter, we recently ran into an issue where an Airflow user was passing 
> the wrong secrets file as their Kerberos service principal keytab. Airflow 
> happily accepted this file (which contained plain old ASCII text) as a keytab 
> and then broke at runtime with the following opaque log message:
>  
> {code:java}
> [2018-10-01 23:45:14,976] ERROR in kerberos_ldap: Kerberos initialization 
> error for HTTP@$REDACTED: ('Cannot get sequence cursor from keytab', 2){code}
>  
> This made the problem unclear. Rather than blindly accept any old file as a 
> keytab, it would be awesome if Airflow could run a validation step against 
> the keytab to confirm its validity on startup by shelling out to either 
> `klist` or `kutil`.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
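
The startup check this issue asks for, sketched as an added example (not Airflow's code and not part of the original message): rather than shelling out, it parses the MIT keytab file format (version 0x0502) directly, so a plain-text secrets file fails fast with a clear error. The function names, the principal `HTTP/airflow.example.test@EXAMPLE.TEST` and the all-zero key in the sample are constructed for illustration.

```python
import struct

class KeytabError(ValueError): pass

def _counted(buf, pos):
    # Counted string: big-endian uint16 length, then that many bytes.
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise KeytabError("counted string runs past end of entry")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def list_keytab_entries(data):
    """Return [(principal, kvno, enctype)]; raise KeytabError if invalid."""
    if data[:2] != b"\x05\x02":
        raise KeytabError("not a version 0x0502 keytab: starts with %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # non-positive length: hole from a deleted entry
            pos -= size
            continue
        rec = data[pos:pos + size]
        pos += size
        if len(rec) != size:
            raise KeytabError("truncated entry")
        try:
            (ncomp,) = struct.unpack_from(">H", rec, 0)
            parts, off = [], 2
            for _ in range(ncomp + 1):   # realm first, then the name components
                part, off = _counted(rec, off)
                parts.append(part)
            # name type, timestamp, 8-bit kvno, enctype; the key follows
            _nt, _ts, kvno, enctype = struct.unpack_from(">IIBH", rec, off)
            _key, off = _counted(rec, off + 11)
            if len(rec) - off >= 4:      # optional 32-bit kvno; nonzero wins
                kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        except struct.error as exc:
            raise KeytabError("malformed entry: %s" % exc)
        name = b"/".join(parts[1:]) + b"@" + parts[0]
        entries.append((name.decode("utf-8", "replace"), kvno, enctype))
    if not entries:
        raise KeytabError("keytab contains no entries")
    return entries

def sample_keytab():  # constructed: one AES256 (enctype 18) entry, all-zero key
    cs = lambda b: struct.pack(">H", len(b)) + b
    rec = struct.pack(">H", 2) + cs(b"EXAMPLE.TEST") + cs(b"HTTP")
    rec += cs(b"airflow.example.test") + struct.pack(">IIBH", 1, 0, 3, 18)
    rec += cs(bytes(32)) + struct.pack(">I", 3)
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec
```

Called on the configured keytab's bytes at startup, a `KeytabError` names the problem before any Kerberos initialization is attempted; it checks file structure only, not whether the KDC accepts the key.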
