[ https://issues.apache.org/jira/browse/AMBARI-21146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Attila Magyar updated AMBARI-21146:
-----------------------------------
Attachment: AMBARI-21146.patch
AMBARI-21146_branch2.5.patch
> Knox JAAS configuration file should not allow the Kerberos ticket cache to be
> used when establishing its identity on startup
> ----------------------------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-21146
> URL: https://issues.apache.org/jira/browse/AMBARI-21146
> Project: Ambari
> Issue Type: Bug
> Affects Versions: 1.7.0
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Fix For: 2.5.2
>
> Attachments: AMBARI-21146_branch2.5.patch, AMBARI-21146.patch
>
>
> The JAAS configuration for Knox allows the interactive user's ticket cache to
> be used to establish the service's identity when starting up. This is
> problematic and potentially confusing. To prevent this, the JAAS config
> should be set as follows:
> {code}
> com.sun.security.jgss.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     renewTGT=false
>     doNotPrompt=true
>     useKeyTab=true
>     keyTab="/etc/security/keytabs/knox.service.keytab"
>     principal="knox/[email protected]"
>     storeKey=true
>     useTicketCache=false;
> };
> {code}
> Note: the keytab file and principal name values need to be set based on the
> relevant Kerberos configuration.
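A check for the setting described above, as an added example that is not part of the original issue or of the attached patches: a Python script that parses JAAS stanzas and reports Krb5LoginModule options that differ from the values the issue recommends. The sample input, the `weak.entry` name and the principal are constructed placeholders; omitted boolean options are evaluated as false, which is Krb5LoginModule's documented default.

```python
import re

# Constructed sample input: a weak stanza beside the form the issue recommends.
# The entry name "weak.entry" and the principal are placeholders (assumptions).
SAMPLE = '''
weak.entry {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/host.example.com@EXAMPLE.COM"
  useTicketCache=true
  renewTGT=true;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false doNotPrompt=true useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/host.example.com@EXAMPLE.COM"
  storeKey=true useTicketCache=false;
};
'''

ENTRY = re.compile(r'([\w.$-]+)\s*\{(.*?)\}\s*;', re.S)
OPTION = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')
# Values the issue recommends for the service's login entry.
EXPECTED = {"useTicketCache": "false", "useKeyTab": "true",
            "doNotPrompt": "true", "renewTGT": "false", "storeKey": "true"}

def audit_jaas(text):
    """Return {entry name: [findings]} for each stanza using Krb5LoginModule."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)   # block comments
    text = re.sub(r'(?m)^\s*//.*$', '', text)            # whole-line comments
    report = {}
    for name, body in ENTRY.findall(text):
        for module in body.split(';'):
            if 'Krb5LoginModule' not in module:
                continue
            opts = {k: v.strip('"') for k, v in OPTION.findall(module)}
            findings = report.setdefault(name, [])
            for key, want in EXPECTED.items():
                # Krb5LoginModule treats an omitted boolean option as false.
                got = opts.get(key, "false").lower()
                if got != want:
                    findings.append(f"{key}={got} (expected {want})")
            if not opts.get("keyTab"):
                findings.append("keyTab is not set")
    return report

if __name__ == "__main__":
    for entry, findings in audit_jaas(SAMPLE).items():
        print(entry, "OK" if not findings else findings)
```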