[jira] [Commented] (KNOX-916) When REST endpoint enables SPNEGO and there is valid kerberos ticket cache for knox user, REST call through knox will show 401 error

Jeffrey E Rodriguez (JIRA) Wed, 29 Mar 2017 17:47:30 -0700

    [ 
https://issues.apache.org/jira/browse/KNOX-916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15948166#comment-15948166
 ]


Jeffrey E  Rodriguez commented on KNOX-916:
-------------------------------------------

Sarah, one issue about changing useTicketCache to false is that renewTGT would 
not work.
See:
https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
"
renewTGT:
    Set this to true, if you want to renew the TGT. *If this is set, 
useTicketCache must also be set to true*; otherwise a configuration error will 
be returned."

> When REST endpoint enables SPNEGO and there is valid kerberos ticket cache 
> for knox user, REST call through knox will show 401 error
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-916
>                 URL: https://issues.apache.org/jira/browse/KNOX-916
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 0.11.0
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>
> For example, if webhdfs uses SPNEGO authentication, and curl through knox, su 
> knoxuser and klist, if there is valid kerberos ticket cached for knoxuser, 
> then it will show 401 unauthorized error. But if the cached ticket expired or 
> do not have any cached ticket, could get 200 correct result.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Commented] (KNOX-916) When REST endpoint enables SPNEGO and there is valid kerberos ticket cache for knox user, REST call through knox will show 401 error

Reply via email to