[ 
https://issues.apache.org/jira/browse/AMBARI-11001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15728362#comment-15728362
 ] 

Robert Levas commented on AMBARI-11001:
---------------------------------------

[~eyang],

From https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html:

{quote}
renewTGT:
Set this to true, if you want to renew the TGT. If this is set, useTicketCache 
must also be set to true; otherwise a configuration error will be returned.
{quote}

{quote}
useTicketCache:
Set this to true, if you want the TGT to be obtained from the ticket cache. Set 
this option to false if you do not want this module to use the ticket cache. 
(Default is False). This module will search for the ticket cache in the 
following locations: On Solaris and Linux it will look for the ticket cache in 
/tmp/krb5cc_uid where the uid is numeric user identifier. If the ticket cache 
is not available in the above location, or if we are on a Windows platform, it 
will look for the cache as {user.home}{file.separator}krb5cc_{user.name}. You 
can override the ticket cache location by using ticketCache. For Windows, if a 
ticket cannot be retrieved from the file ticket cache, it will use Local 
Security Authority (LSA) API to get the TGT.
{quote}

Therefore setting {{renewTGT}} to {{true}} is invalid for this case. 


> Ambari uses users' interactive ticket cache
> -------------------------------------------
>
>                 Key: AMBARI-11001
>                 URL: https://issues.apache.org/jira/browse/AMBARI-11001
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: JAAS
>             Fix For: 2.1.0
>
>         Attachments: AMBARI-11001_01.patch
>
>
> It appears that it is necessary to kinit prior to starting ambari-server, 
> even after ambari-server setup-security (#3). It seems that this should be 
> automatically handled by Ambari. 
> Ambari-server should NOT use the same ticket cache as the interactive user. 
> STR:
> 1. kinit
> 2. ambari-server start
> 3. verify that ambari-server can authenticate with ticket specified in #1
> 4. kdestroy
> 5. try to authenticate through Ambari again (it will not work)
> *Solution*
> Ensure JAAS Login works properly such that the Kerberos tickets for the 
> account that executes Ambari are not relevant.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
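
The option dependency quoted in the comment above can be checked mechanically. The following Python linter is an added example, not code from the thread or from Ambari: it flags `Krb5LoginModule` entries where `renewTGT` is set without `useTicketCache`, and entries whose login reads a ticket cache at all. The entry names, keytab path and principal in the sample are constructed, and the parser assumes a simple JAAS file without comments or semicolons inside quoted values.

```python
import re

# Constructed sample JAAS file; entry names, keytab path and principal are made up.
SAMPLE = """
InteractiveCache {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true renewTGT=true;
};
Invalid {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true keyTab="/path/to/example.keytab"
  principal="svc/host.example.com@EXAMPLE.COM"
  useTicketCache=false renewTGT=true;
};
KeytabOnly {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true keyTab="/path/to/example.keytab"
  principal="svc/host.example.com@EXAMPLE.COM"
  storeKey=true useTicketCache=false doNotPrompt=true;
};
"""

ENTRY = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)
OPTION = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')

def parse_jaas(text):
    """Return {entry name: [(module class, options), ...]}; comments unsupported."""
    entries = {}
    for name, body in ENTRY.findall(text):
        stmts = [s for s in body.split(";") if len(s.split()) >= 2]
        entries[name] = [(s.split()[0], {k: v.strip('"') for k, v in OPTION.findall(s)})
                         for s in stmts]
    return entries

def lint(text):
    """Flag Krb5LoginModule entries that are invalid or depend on a ticket cache."""
    findings = []
    for name, modules in parse_jaas(text).items():
        for cls, opts in modules:
            if not cls.endswith("Krb5LoginModule"):
                continue
            on = lambda key: opts.get(key, "false").lower() == "true"  # default is false
            if on("renewTGT") and not on("useTicketCache"):
                findings.append((name, "renewTGT requires useTicketCache=true"))
            if on("useTicketCache"):
                findings.append((name, "login reads a ticket cache"))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```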
