----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/26719/#review56626 -----------------------------------------------------------
Ship it! Ship It! - Srimanth Gunturi On Oct. 15, 2014, 12:41 a.m., Jaimin Jetly wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/26719/ > ----------------------------------------------------------- > > (Updated Oct. 15, 2014, 12:41 a.m.) > > > Review request for Ambari, Srimanth Gunturi and Yusaku Sako. > > > Bugs: AMBARI-7780 > https://issues.apache.org/jira/browse/AMBARI-7780 > > > Repository: ambari > > > Description > ------- > > The problem will occur when there are two different keytabs containing same > principal on a host. In this scenario only one principal will be considered > to be valid if a principal is added to keytab in a specif way using --rankey > option. (The reason is due to different kvno of the principal in both keytabs > while using --randkey option to add principal to keytab) > For example if Namenode host and Storm UI Server are co-hosted. > spnego.service.keytab will have principal HTTP/[email protected] which > will be used by NameNode web UI. > Storm UI daemon will also try to authenticate with the same principal but > from a different keytab path and with different kvno. > In this scenario the keytab that was created last with the principal will > hold valid principal and the other daemon will fail to authenticate with > kerberos authentication error. > > > Diffs > ----- > > ambari-web/app/data/HDP2/secure_properties.js 10d1a41 > > Diff: https://reviews.apache.org/r/26719/diff/ > > > Testing > ------- > > tested e2e by securing a cluster > > > Thanks, > > Jaimin Jetly > >
