[
https://issues.apache.org/jira/browse/AIRFLOW-3144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16636630#comment-16636630
]
Ash Berlin-Taylor commented on AIRFLOW-3144:
--------------------------------------------
Sounds useful - is there a function in the kerberos library we are using that
we could use instead of shelling out?
> Validate kerberos keytab on startup
> -----------------------------------
>
> Key: AIRFLOW-3144
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3144
> Project: Apache Airflow
> Issue Type: Improvement
> Components: authentication
> Reporter: Kris Wilson
> Priority: Minor
>
> At Twitter, we recently ran into an issue where an Airflow user was passing
> the wrong secrets file as their kerberos service principal keytab. Airflow
> happily accepted this file (which contained plain old ASCII text) as a keytab
> and then broke at runtime with the following opaque log message:
>
> {code:java}
> [2018-10-01 23:45:14,976] ERROR in kerberos_ldap: Kerberos initialization
> error for HTTP@$REDACTED: ('Cannot get sequence cursor from keytab', 2){code}
>
> This made the problem unclear. Rather than blindly accept any old file as a
> keytab, it would be awesome if Airflow could run a validation step against
> the file to confirm its validity on startup by shelling out to either
> `klist` or `kutil` (or using some equivalent lib).
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
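
An added example, not Airflow's code and not part of this thread: a pure-Python structural check of a keytab at startup, as one alternative to shelling out to `klist`. It assumes the MIT keytab file format version 0x0502 only; `parse_keytab`, `KeytabError` and `SAMPLE_KEYTAB` are hypothetical names, and the sample bytes are constructed.

```python
import struct

class KeytabError(ValueError):
    """Raised when data is not a structurally valid version 0x0502 keytab."""

def _take(buf, pos, n):  # bounds-checked slice, so bogus lengths fail cleanly
    if pos + n > len(buf):
        raise KeytabError(f"truncated at offset {pos}")
    return buf[pos:pos + n], pos + n

def _unpack(fmt, buf, pos):
    raw, pos = _take(buf, pos, struct.calcsize(fmt))
    return struct.unpack(fmt, raw), pos

def _counted(buf, pos):  # uint16 big-endian length, then that many bytes
    (n,), pos = _unpack(">H", buf, pos)
    return _take(buf, pos, n)

def _parse_entry(rec):
    (ncomp,), p = _unpack(">H", rec, 0)
    strs = []
    for _ in range(ncomp + 1):  # realm first, then the name components
        s, p = _counted(rec, p)
        strs.append(s.decode("utf-8", "replace"))
    (_ntype, _ts, kvno, enctype), p = _unpack(">IIBH", rec, p)
    _key, p = _counted(rec, p)
    if len(rec) - p >= 4:  # optional trailing 32-bit kvno
        kvno = _unpack(">I", rec, p)[0][0] or kvno
    return "/".join(strs[1:]) + "@" + strs[0], kvno, enctype

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] or raise KeytabError."""
    if data[:2] != b"\x05\x02":
        raise KeytabError(f"bad header {data[:2]!r}: not a 0x0502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,), pos = _unpack(">i", data, pos)
        if size == 0:  # end marker
            break
        rec, pos = _take(data, pos, abs(size))
        if size > 0:  # a negative size is a hole left by a deleted entry
            entries.append(_parse_entry(rec))
    if not entries:
        raise KeytabError("no key entries found")
    return entries

_F = [b"EXAMPLE.COM", b"HTTP", b"web.example.com"]  # constructed sample principal
_REC = (b"\x00\x02" + b"".join(struct.pack(">H", len(f)) + f for f in _F)
        + struct.pack(">IIBHH", 1, 0, 3, 18, 32) + bytes(32))  # all-zero dummy key
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_REC)) + _REC
```

A plain-text secrets file like the one in the report fails at the two-byte header check with a readable message. The check covers file structure only, not whether the KDC accepts the keys.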