[ 
https://issues.apache.org/jira/browse/KNOX-916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15948166#comment-15948166
 ] 

Jeffrey E Rodriguez edited comment on KNOX-916 at 3/30/17 12:50 AM:
---------------------------------------------------------------------

Sarah, one issue about changing useTicketCache to false is that renewTGT would 
not work.
See:
https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
"
renewTGT:
    Set this to true, if you want to renew the TGT. *If this is set, 
useTicketCache must also be set to true*; otherwise a configuration error will 
be returned."

Current setup for Knox is:
{code:title=Bar.java|borderStyle=solid}
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=true
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/knox/conf/knox.service.keytab"
    principal="[email protected]"
    isInitiator=true
    storeKey=true
    useTicketCache=true
    client=true;
};

{code}



> When REST endpoint enables SPNEGO and there is valid kerberos ticket cache 
> for knox user, REST call through knox will show 401 error
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-916
>                 URL: https://issues.apache.org/jira/browse/KNOX-916
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 0.11.0
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>
> For example, if webhdfs uses SPNEGO authentication, and curl through Knox, su 
> knoxuser and klist, if there is a valid Kerberos ticket cached for knoxuser, 
> then it will show a 401 unauthorized error. But if the cached ticket has expired 
> or there is no cached ticket, it gets the correct 200 result.
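
A check for the renewTGT/useTicketCache dependency quoted in the comment above, as an added example (not part of the original comment or of Knox): it parses a JAAS login configuration and flags any Krb5LoginModule stanza that sets renewTGT=true without useTicketCache=true. The sample input is constructed from the Knox entry with useTicketCache flipped to false, the principal is a placeholder, and the function names are hypothetical.

```python
import re

KRB5 = "com.sun.security.auth.module.Krb5LoginModule"
# Simplified grammar: assumes no '}' inside quoted values and only whole-line // comments.
ENTRY_RE = re.compile(r'([\w.$-]+)\s*\{(.*?)\}\s*;', re.S)
STANZA_RE = re.compile(
    r'([\w.$]+)\s+(required|requisite|sufficient|optional)\b'
    r'((?:\s+[\w.]+\s*=\s*(?:"[^"]*"|[^\s;]+))*)\s*;')
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*("[^"]*"|[^\s;]+)')

# Constructed sample: the Knox entry from the comment with useTicketCache flipped
# to false; the principal is a placeholder, not a value from the page.
SAMPLE = '''
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=true
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/knox/conf/knox.service.keytab"
    principal="knox/host.example.com@EXAMPLE.COM"
    isInitiator=true
    storeKey=true
    useTicketCache=false
    client=true;
};
'''

def parse_jaas(text):
    """Return [(entry, module_class, control_flag, {option: value}), ...]."""
    text = re.sub(r'(?m)^[ \t]*//.*$', '', text)  # drop whole-line comments
    modules = []
    for entry, body in ENTRY_RE.findall(text):
        for cls, flag, raw in STANZA_RE.findall(body):
            opts = {k: v.strip('"') for k, v in OPTION_RE.findall(raw)}
            modules.append((entry, cls, flag, opts))
    return modules

def is_true(opts, key):
    # An absent option is treated as false.
    return opts.get(key, "false").lower() == "true"

def check_renew_tgt(text):
    """Flag Krb5LoginModule stanzas that set renewTGT without useTicketCache."""
    return [f"{entry}: renewTGT=true requires useTicketCache=true"
            for entry, cls, _flag, opts in parse_jaas(text)
            if cls == KRB5 and is_true(opts, "renewTGT")
            and not is_true(opts, "useTicketCache")]

if __name__ == "__main__":
    for finding in check_renew_tgt(SAMPLE):
        print(finding)
```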


