-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26719/
-----------------------------------------------------------
Review request for Ambari, Srimanth Gunturi and Yusaku Sako.
Bugs: AMBARI-7780
https://issues.apache.org/jira/browse/AMBARI-7780
Repository: ambari
Description
-------
The problem will occur when there are two different keytabs containing same
principal on a host. In this scenario only one principal will be considered to
be valid if a principal is added to keytab in a specif way using --rankey
option. (The reason is due to different kvno of the principal in both keytabs
while using --randkey option to add principal to keytab)
For example if Namenode host and Storm UI Server are co-hosted.
spnego.service.keytab will have principal HTTP/[email protected] which will
be used by NameNode web UI.
Storm UI daemon will also try to authenticate with the same principal but from
a different keytab path and with different kvno.
In this scenario the keytab that was created last with the principal will hold
valid principal and the other daemon will fail to authenticate with kerberos
authentication error.
Diffs
-----
ambari-web/app/data/HDP2/secure_properties.js 10d1a41
Diff: https://reviews.apache.org/r/26719/diff/
Testing
-------
tested e2e by securing a cluster
Thanks,
Jaimin Jetly
