[jira] [Commented] (AMBARI-9785) Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.

Hudson (JIRA) Fri, 27 Feb 2015 19:11:19 -0800

    [ 
https://issues.apache.org/jira/browse/AMBARI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14341276#comment-14341276
 ]


Hudson commented on AMBARI-9785:
--------------------------------

FAILURE: Integrated in Ambari-trunk-Commit #1898 (See 
[https://builds.apache.org/job/Ambari-trunk-Commit/1898/])
AMBARI-9785. Root user has spnego (HTTP) kerberos ticket set after Kerberos is 
enabled, root should have no ticket. (rlevas) (rlevas: 
http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=4c222ce6fbc51ed4e42e9f2ad0946c84ff17ea48)
* 
ambari-server/src/test/resources/stacks/HDP/2.0.7/services/HIVE/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/YARN/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/HDFS/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/HBASE/package/scripts/params.py
* ambari-agent/src/main/python/ambari_agent/AlertSchedulerHandler.py
* 
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/NAGIOS/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KNOX/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/OOZIE/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/HDP/2.0.6.GlusterFS/services/YARN/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/SLIDER/package/scripts/params.py
* 
ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie_service.py
* 
ambari-server/src/test/resources/TestAmbaryServer.samples/dummy_stack/HIVE/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/HIVE/package/scripts/params.py
* 
ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_webhcat_server.py
* 
ambari-server/src/main/resources/stacks/HDP/2.1.GlusterFS/services/FALCON/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/OOZIE/package/files/alert_check_oozie_server.py
* 
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/HBASE/package/scripts/params.py
* 
ambari-server/src/test/resources/TestAmbaryServer.samples/dummy_common_services/HIVE/0.11.0.2.0.5.0/package/scripts/params.py
* 
ambari-common/src/main/python/resource_management/libraries/functions/__init__.py
* 
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/YARN/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/HDPWIN/2.1/services/YARN/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/HDFS/package/scripts/params.py
* 
ambari-common/src/main/python/resource_management/libraries/functions/get_kdestroy_path.py
* 
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/PIG/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/OOZIE/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/HDP/2.1.GlusterFS/services/YARN/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/HIVE/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/ZOOKEEPER/package/scripts/params.py
* ambari-agent/src/main/python/ambari_agent/alerts/web_alert.py
* 
ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/alerts/alert_check_oozie_server.py
* ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py
* 
ambari-common/src/main/python/resource_management/libraries/functions/get_kinit_path.py
* 
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/PIG/package/scripts/params.py
* 
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/WEBHCAT/package/files/alert_webhcat_server.py
* 
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/ZOOKEEPER/package/scripts/params.py


> Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, 
> root should have no ticket.
> ------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-9785
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9785
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-agent
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Blocker
>              Labels: kerberos, keytabs
>             Fix For: 2.0.0
>
>         Attachments: AMBARI-9785_01.patch, AMBARI-9785_02.patch, 
> AMBARI-9785_03.patch
>
>
> After enabling Kerberos, the root user has the spnego user set for it 
> {code}
> [root@c6501 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/[email protected]
> Valid starting     Expires            Service principal
> 02/18/15 22:14:51  02/19/15 22:14:51  krbtgt/[email protected]
>       renew until 02/18/15 22:14:51
> {code}
> It appears that the issue is related to the agent-side scheduler and/or some 
> job that is scheduled to run periodically. Apparently some job is kinit-ing 
> with the SPNEGO identity as the running user (root in this case) without 
> changing the ticket cache. Thus whenever the job runs the root user's ticket 
> cache gets changed to contain the SPNEGO identity's ticket.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (AMBARI-9785) Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.

Reply via email to