[jira] [Updated] (AMBARI-21146) Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup

Attila Magyar (JIRA) Tue, 30 May 2017 06:52:03 -0700

     [ 
https://issues.apache.org/jira/browse/AMBARI-21146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Attila Magyar updated AMBARI-21146:
-----------------------------------
    Description: 
The JAAS configuration for Knox allows the interactive user's ticket cache to 
be used to establish the service's identity when starting up. This is 
problematic and potentially confusing. To prevent this, the JAAS config should 
be set as follows:

{code}
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/[email protected]"
  storeKey=true
  useTicketCache=false;
};
{code}

Note: the keytab file and principal name values need to be set based on the 
relevant Kerberos configuration.

  was:
The JAAS configuration for Knox allows the interactive user's ticket cache to 
be used to establish the service's identity when starting up. This is 
problematic and potentially confusing. To prevent this, the JAAS config should 
be set as follows:

{code}
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/[email protected]"
  storeKey=true
  useTicketCache=false;
};
{code}


> Knox JAAS configuration file should not allow the Kerberos ticket cache to be 
> used when establishing its identity on startup
> ----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-21146
>                 URL: https://issues.apache.org/jira/browse/AMBARI-21146
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>             Fix For: 2.5.2
>
>
> The JAAS configuration for Knox allows the interactive user's ticket cache to 
> be used to establish the service's identity when starting up. This is 
> problematic and potentially confusing. To prevent this, the JAAS config 
> should be set as follows:
> {code}
> com.sun.security.jgss.initiate {
>   com.sun.security.auth.module.Krb5LoginModule required
>   renewTGT=false
>   doNotPrompt=true
>   useKeyTab=true
>   keyTab="/etc/security/keytabs/knox.service.keytab"
>   principal="knox/[email protected]"
>   storeKey=true
>   useTicketCache=false;
> };
> {code}
> Note: the keytab file and principal name values need to be set based on the 
> relevant Kerberos configuration.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Updated] (AMBARI-21146) Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup

Reply via email to