[
https://issues.apache.org/jira/browse/AMBARI-21146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16042525#comment-16042525
]
Hudson commented on AMBARI-21146:
---------------------------------
FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #7589 (See
[https://builds.apache.org/job/Ambari-trunk-Commit/7589/])
AMBARI-21146. Knox JAAS configuration file should not allow the Kerberos
(adoroszlai:
[http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=e71f49e4ef30ff720ad4f8b7fb3823d68acd48cc])
* (edit)
ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/templates/krb5JAASLogin.conf.j2
* (edit)
ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/templates/krb5JAASLogin.conf.j2
> Knox JAAS configuration file should not allow the Kerberos ticket cache to be
> used when establishing its identity on startup
> ----------------------------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-21146
> URL: https://issues.apache.org/jira/browse/AMBARI-21146
> Project: Ambari
> Issue Type: Bug
> Affects Versions: 1.7.0
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Fix For: 2.5.2
>
> Attachments: AMBARI-21146_branch2.5.patch, AMBARI-21146.patch
>
>
> The JAAS configuration for Knox allows the interactive user's ticket cache to
> be used to establish the service's identity when starting up. This is
> problematic and potentially confusing. To prevent this, the JAAS config
> should be set as follows:
> {code}
> com.sun.security.jgss.initiate {
> com.sun.security.auth.module.Krb5LoginModule required
> renewTGT=false
> doNotPrompt=true
> useKeyTab=true
> keyTab="/etc/security/keytabs/knox.service.keytab"
> principal="knox/[email protected]"
> storeKey=true
> useTicketCache=false;
> };
> {code}
> Note: the keytab file and principal name values need to be set based on the
> relevant Kerberos configuration.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
