Attila Magyar created AMBARI-21146:
--------------------------------------
Summary: Knox JAAS configuration file should not allow the
Kerberos ticket cache to be used when establishing its identity on startup
Key: AMBARI-21146
URL: https://issues.apache.org/jira/browse/AMBARI-21146
Project: Ambari
Issue Type: Bug
Affects Versions: 1.7.0
Reporter: Attila Magyar
Assignee: Attila Magyar
Fix For: 2.5.2
The JAAS configuration for Knox allows the interactive user's ticket cache to
be used to establish the service's identity when starting up. This is
problematic and potentially confusing. To prevent this, the JAAS config should
be set as follows:
{code}
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/knox.service.keytab"
    principal="knox/[email protected]"
    storeKey=true
    useTicketCache=false;
};
{code}
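One way to check a JAAS file for the condition this issue describes, added here as an example and not taken from the issue or from Ambari's code. The function names, the entry name weak.example and the host.example.com principal are constructed for illustration; options left out of an entry are evaluated at Krb5LoginModule's default of false.

```python
import re

KRB5 = "com.sun.security.auth.module.Krb5LoginModule"
# Option values the issue asks for in the Knox entry.
REQUIRED = {"renewTGT": "false", "doNotPrompt": "true", "useKeyTab": "true",
            "storeKey": "true", "useTicketCache": "false"}

def krb5_modules(text):
    """Yield (entry_name, options) for every Krb5LoginModule line in a JAAS file."""
    text = re.sub(r"/\*.*?\*/|^\s*//[^\n]*", "", text, flags=re.S | re.M)
    for name, body in re.findall(r"([\w.$-]+)\s*\{(.*?)\}\s*;", text, re.S):
        # Module statements end at ';' (a ';' inside quotes does not count).
        for stmt in re.findall(r'(?:"[^"]*"|[^;"])+', body):
            parts = (stmt.split(None, 2) + ["", ""])[:3]  # class, flag, options
            if parts[0] == KRB5:
                pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))', parts[2])
                yield name, {k: q or u for k, q, u in pairs}

def audit(text):
    """List (entry, option, effective value) wherever a required value is not met."""
    findings = []
    for entry, opts in krb5_modules(text):
        for opt, want in REQUIRED.items():
            # Krb5LoginModule treats each of these booleans as false when omitted.
            have = opts.get(opt, "false").lower()
            if have != want:
                findings.append((entry, opt, have))
    return findings

# Constructed sample: an entry that may use the ticket cache, then a hardened one.
SAMPLE = '''
weak.example {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=true doNotPrompt=true useKeyTab=true storeKey=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/host.example.com@EXAMPLE.COM"
  useTicketCache=true;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false doNotPrompt=true useKeyTab=true storeKey=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/host.example.com@EXAMPLE.COM"
  useTicketCache=false;
};
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```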