[ https://issues.apache.org/jira/browse/AMBARI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-9785:
---------------------------------
    Attachment: AMBARI-9785_01.patch

* Added get_klist_path to find the klist executable (like get_kinit_path)
* Updated alerts web_alert.py to use an alternate credentials cache file when 
kinit-ing and to kinit only when needed
* Updated alert_webhcat_server.py to use an alternate credentials cache file 
when kinit-ing and to kinit only when needed
* Updated alert_check_oozie_server.py to use an alternate credentials cache 
file when kinit-ing and to kinit only when needed
* Updated oozie_service.py to su to the oozie user when needed

Each update ensures that the root user's default credential cache is untouched 
during non-interactive Ambari-related processing.

Patch File [^AMBARI-9785_01.patch]


> Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, 
> root should have no ticket.
> ------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-9785
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9785
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-agent
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Blocker
>              Labels: kerberos, keytabs
>             Fix For: 2.0.0
>
>         Attachments: AMBARI-9785_01.patch
>
>
> After enabling Kerberos, the root user has the spnego user set for it 
> {code}
> [root@c6501 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/[email protected]
> Valid starting     Expires            Service principal
> 02/18/15 22:14:51  02/19/15 22:14:51  krbtgt/[email protected]
>       renew until 02/18/15 22:14:51
> {code}
> It appears that the issue is related to the agent-side scheduler and/or some 
> job that is scheduled to run periodically. Apparently some job is kinit-ing 
> with the SPNEGO identity as the running user (root in this case) without 
> changing the ticket cache. Thus whenever the job runs the root user's ticket 
> cache gets changed to contain the SPNEGO identity's ticket.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
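
An added illustration of the approach the comment describes (kinit into an alternate credentials cache, and only when `klist` finds no valid ticket there); this is not the code from AMBARI-9785_01.patch. The function names, the cache directory and file naming, and the sample principal and keytab path are assumptions made for this example.

```python
import hashlib
import os
import subprocess

# Hypothetical helpers for illustration; names and cache layout are not Ambari's.


def ccache_path(cache_dir, principal):
    """Per-principal cache file, kept apart from the default FILE:/tmp/krb5cc_<uid>."""
    digest = hashlib.sha256(principal.encode("utf-8")).hexdigest()[:16]
    return os.path.join(cache_dir, "alert_cc_" + digest)


def ensure_ticket(principal, keytab, cache_dir, run=subprocess.call):
    """Return (ccache, did_kinit); kinit runs only if the alternate cache has no valid ticket."""
    # Private directory: a predictable cache name in a world-writable /tmp invites tampering.
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    os.chmod(cache_dir, 0o700)  # makedirs' mode is masked by umask and ignored for existing dirs
    ccache = ccache_path(cache_dir, principal)
    # KRB5CCNAME points klist, kinit and any child HTTP client at the alternate cache,
    # so the invoking user's default cache is never read or overwritten.
    env = dict(os.environ, KRB5CCNAME="FILE:" + ccache)
    # `klist -s` prints nothing and exits 0 only when the cache holds unexpired credentials.
    if run(["klist", "-s"], env=env) == 0:
        return ccache, False
    rc = run(["kinit", "-c", "FILE:" + ccache, "-kt", keytab, principal], env=env)
    if rc != 0:
        raise RuntimeError("kinit failed for %s (exit %d)" % (principal, rc))
    return ccache, True


if __name__ == "__main__":
    # Constructed demo: a stub runner stands in for klist/kinit so this runs without a KDC.
    import tempfile
    state = {"valid": False}

    def stub(cmd, env):
        if cmd[0] == "klist":
            return 0 if state["valid"] else 1
        state["valid"] = True  # pretend kinit succeeded
        return 0

    d = tempfile.mkdtemp()
    args = ("HTTP/host.example.com@EXAMPLE.COM", "/path/to/spnego.keytab", d)  # constructed values
    print(ensure_ticket(*args, run=stub))  # first call: kinit into the alternate cache
    print(ensure_ticket(*args, run=stub))  # second call: ticket still valid, no kinit
```

Running `klist` as root with no `KRB5CCNAME` set after such a job has run is the check that the default cache stayed empty.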
