[ https://issues.apache.org/jira/browse/KNOX-916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15950784#comment-15950784 ]

Jeffrey E  Rodriguez commented on KNOX-916:
-------------------------------------------

Sarah, I was finally able to set up a Kerberos cluster and my own KDC.

I tried your scenario and I am not able to reproduce.

You said:
 "can reproduce the error on a rh linux 6.8 machine by kinit knox principal 
(knox/_HOSTNAME) in my case. And then
curl -ik -u guest:guest-password -X GET https://knox_gateway:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"

I am trying the same scenarios with RH 7.3 (not RH 6.8), and also I am using an 
existing user (guest is not a user that has a Kerberos principal by default if 
you are using Ambari so I presume you may have created it -- if you didn't you 
will always get a 403 Forbidden since there is no Kerberos principal for 
guest). In my case I added ambari-qa to the LDAP demo users LDIF.

I am able to:

 kinit .. and then run
curl -v -k -u ambari-qa:ambari-qa-password https://knox_gateway:8443/gateway/default/webhdfs/v1/tmp?op=LISTSTATUS
at will many times and don't get a 401

I've tried to shorten the lifetimes for the TGT but haven't been able to repro.

I think in your test case maybe there are other causes for the issue than the JAAS 
settings.




> When REST endpoint enables SPNEGO and there is valid kerberos ticket cache 
> for knox user, REST call through knox will show 401 error
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-916
>                 URL: https://issues.apache.org/jira/browse/KNOX-916
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 0.11.0
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>
> For example, if webhdfs uses SPNEGO authentication, and curl through knox, su 
> knoxuser and klist, if there is valid kerberos ticket cached for knoxuser, 
> then it will show a 401 unauthorized error. But if the cached ticket has expired or 
> there is no cached ticket, the call can get the correct 200 result.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
