[ 
https://issues.apache.org/jira/browse/KNOX-916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15949788#comment-15949788
 ] 

Jeffrey E  Rodriguez commented on KNOX-916:
-------------------------------------------

Thanks again, Larry. Maybe we could have had this conversation on the Knox user 
mailing list instead of in the body of a Jira; I say that because not many Knox 
users read the Jiras, but they do monitor the mailing lists.
The only difference I see between using the cached TGT and renewing the TGT vs. not 
caching the TGT is during the short-life refresh of the TGT (a TGT has two 
lifetimes, a short one and a max). Having Knox renew using the cache is a local 
access to the cache, whereas in the non-cache case we obtain a new TGT by sending 
a network request to the KDC. (Knox will always do this operation, but at the end of 
the max life of the TGT.)
So in the non-cache case we access the KDC at the end of the short life of the TGT, 
which is once a day.
In the cache case we access the cached TGT and renew it (like kinit -R).
With all that said, I think that if a user for "whatever reason" wants 
to kinit as the knox user, then they need to restart Knox for this to work (need to 
test that scenario).
For Knox to change its TGT cache behavior, I would think we need to see a valid 
reason or advantage.



> When REST endpoint enables SPNEGO and there is valid kerberos ticket cache 
> for knox user, REST call through knox will show 401 error
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-916
>                 URL: https://issues.apache.org/jira/browse/KNOX-916
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 0.11.0
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>
> For example, if webhdfs uses SPNEGO authentication and you curl through Knox, 
> then su to knoxuser and klist: if there is a valid Kerberos ticket cached for 
> knoxuser, it will show a 401 Unauthorized error. But if the cached ticket has 
> expired or there is no cached ticket, you get a 200 correct result.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
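As an added example that is not part of this Jira thread and is not Knox's own shipped configuration: the two JAAS login entries below show the cache-vs-keytab behaviour the thread is discussing, using the JDK's `com.sun.security.auth.module.Krb5LoginModule`. With `useTicketCache=true` the module consults the process owner's default credential cache (the knox user's, in the scenario from the ticket) before it touches the keytab, so whatever valid TGT sits in that cache is what Knox presents for SPNEGO; `renewTGT=true` additionally lets it renew an expired-but-renewable cached TGT, the `kinit -R` case from the comment. With `useTicketCache=false` and `useKeyTab=true` the module always obtains a fresh TGT from the keytab, so a stray `kinit` by the knox user cannot change what Knox sends. The keytab path, principal, realm and entry names are assumed placeholders; a real file has a single entry under whatever name the application's JAAS lookup uses.

```jaas
/* Added example, not Knox's own config. Paths, principal and entry
   names are assumed placeholders. */

/* Entry A: cache-first. The default credential cache of the process
   owner is tried first; the keytab is only used when the cache holds
   no usable TGT. This is the setup in which a valid ticket cached for
   the knox user is what gets presented to the backend. */
knox_cache_first {
  com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTGT=true
    useKeyTab=true
    keyTab="/etc/knox/conf/knox.service.keytab"        /* assumed path */
    principal="knox/gateway.example.com@EXAMPLE.COM"   /* assumed principal */
    storeKey=true
    doNotPrompt=true
    isInitiator=true;
};

/* Entry B: keytab-only. The credential cache is never consulted, so the
   TGT Knox uses is always obtained from the keytab for the configured
   principal, and the short/max lifetimes of anything the knox user
   kinit'ed into the cache are irrelevant to the gateway. */
knox_keytab_only {
  com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false
    useKeyTab=true
    keyTab="/etc/knox/conf/knox.service.keytab"        /* assumed path */
    principal="knox/gateway.example.com@EXAMPLE.COM"   /* assumed principal */
    storeKey=true
    doNotPrompt=true
    isInitiator=true;
};
```

A quick check that reproduces the symptom in the ticket is the one the reporter describes: `su` to the knox user and run `klist`; if a valid TGT is listed, entry A will present it. Running `kdestroy` as that user, or switching to entry B, removes the cache from the picture. Adding `debug=true` to the module options makes `Krb5LoginModule` log which credential source (cache or keytab) it actually used, which is the fastest way to confirm which path Knox took on a given login.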