[https://issues.apache.org/jira/browse/AMBARI-11001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15727419#comment-15727419]
Eric Yang commented on AMBARI-11001:
------------------------------------
Hi Robert,
Krb5LoginModule will not have a thread to renew an expired ticket if
"renewTGT=false". I concur that this code change is incorrect. The file browser or
Ambari functions should use doAs impersonation to interact with Hadoop
services. If the ticket is not renewed, the file browser function would stop working.
When an end user presents end-user credentials via a SPNEGO ticket, Ambari is supposed
to have an ACL list for the credential. However, receiving end-user
credentials and sending service credentials to other services are two different
things. We would like to understand the reason to disable the service from renewing its
ticket. It seems like the wrong thing to do.
> Ambari uses users' interactive ticket cache
> -------------------------------------------
>
> Key: AMBARI-11001
> URL: https://issues.apache.org/jira/browse/AMBARI-11001
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.1.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Critical
> Labels: JAAS
> Fix For: 2.1.0
>
> Attachments: AMBARI-11001_01.patch
>
>
> It appears that it is necessary to kinit prior to starting ambari-server,
> even after ambari-server setup-security (#3). It seems that this should be
> automatically handled by Ambari.
> Ambari-server should NOT use the same ticket cache as the interactive user.
> STR:
> 1. kinit
> 2. ambari-server start
> 3. verify that ambari-server can authenticate with ticket specified in #1
> 4. kdestroy
> 5. try to authenticate through Ambari again (it will not work)
> *Solution*
> Ensure JAAS Login works properly such that the Kerberos tickets for the
> account that executes Ambari are not relevant.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
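The issue above is about a service login stanza that silently depends on whatever ticket cache the user who ran `ambari-server start` happened to have, and the comment notes that with `renewTGT=false` Krb5LoginModule will not bring an expired cached TGT back. The following is an added example, not Ambari code or the patch under discussion: a small audit of JAAS configuration text that parses each Krb5LoginModule stanza and flags the options that make a service login depend on an interactive ticket cache, shown against a keytab-backed stanza that does not. The embedded JAAS text is constructed; the stanza names, keytab path and principal are placeholders, and the checks only reflect the documented meaning of the Krb5LoginModule options they name.

```python
"""Audit JAAS login stanzas for dependence on an interactive ticket cache.

Added example (not Ambari's code). The configuration text and all
names in it are constructed placeholders.
"""
import re
from typing import Dict, List

# Constructed sample with two stanzas. The first mirrors the weak pattern
# described in AMBARI-11001: the service authenticates from the ticket cache
# of whoever started the process and never renews it. The second is the
# hardened form: a keytab-backed login pinned to a fixed service principal.
SAMPLE_JAAS = '''
AmbariServerWeak {
  com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTGT=false
    doNotPrompt=true;
};

AmbariServerKeytab {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/ambari-server.keytab"
    principal="ambari-server@EXAMPLE.COM"
    storeKey=true
    useTicketCache=false
    doNotPrompt=true;
};
'''

# Stanza: Name { ... };   Option: key=value or key="quoted value"
STANZA_RE = re.compile(r'(\w+)\s*\{(.*?)\};', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza name: {option: value}} for every Krb5LoginModule stanza."""
    stanzas: Dict[str, Dict[str, str]] = {}
    for name, body in STANZA_RE.findall(text):
        if 'Krb5LoginModule' not in body:
            continue  # other login modules are out of scope here
        stanzas[name] = {k: v.strip('"') for k, v in OPTION_RE.findall(body)}
    return stanzas


def is_true(opts: Dict[str, str], key: str) -> bool:
    return opts.get(key, 'false').lower() == 'true'


def audit_stanza(opts: Dict[str, str]) -> List[str]:
    """Findings for one stanza; an empty list means nothing to flag."""
    findings: List[str] = []
    keytab = is_true(opts, 'useKeyTab')
    cache = is_true(opts, 'useTicketCache')
    if not keytab and cache:
        findings.append('login depends on a ticket cache the service does not own')
        if 'ticketCache' not in opts:
            findings.append('no ticketCache set: the default cache of the launching user is used')
        if not is_true(opts, 'renewTGT'):
            findings.append('renewTGT is not true: an expired cached TGT is not renewed at login')
    if not keytab and not cache:
        findings.append('neither keytab nor ticket cache: login would prompt for a password '
                        '(or fail outright if doNotPrompt=true)')
    if keytab:
        if 'keyTab' not in opts:
            findings.append('useKeyTab=true but no keyTab path given')
        if 'principal' not in opts:
            findings.append('no principal pinned: the login is not bound to a fixed service identity')
        if not is_true(opts, 'storeKey'):
            findings.append('storeKey is not true: the long-term key is not kept in the Subject, '
                            'so it cannot act as a Kerberos acceptor (e.g. for SPNEGO)')
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Audit every Krb5LoginModule stanza in a JAAS configuration text."""
    return {name: audit_stanza(opts) for name, opts in parse_stanzas(text).items()}


if __name__ == '__main__':
    for name, findings in audit(SAMPLE_JAAS).items():
        print(f'{name}: {"OK" if not findings else ""}')
        for f in findings:
            print(f'  - {f}')
```

Run against the sample, the weak stanza produces three findings (cache dependence, default cache of the launching user, no renewal) while the keytab stanza produces none. The same `audit` function can be pointed at a real `jaas.conf` to confirm that the service login no longer depends on the `kinit`/`kdestroy` sequence in the issue's reproduction steps.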