[jira] [Updated] (AMBARI-23431) After enabling Kerberos, the Ambari JAAS file is not updated

Thu, 12 Apr 2018 02:15:54 -0700 

     [ 
https://issues.apache.org/jira/browse/AMBARI-23431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sandor Molnar updated AMBARI-23431:
-----------------------------------
    Resolution: Fixed
        Status: Resolved  (was: Patch Available)

> After enabling Kerberos, the Ambari JAAS file is not updated
> ------------------------------------------------------------
>
>                 Key: AMBARI-23431
>                 URL: https://issues.apache.org/jira/browse/AMBARI-23431
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>              Labels: kerberos, pull-request-available, security
>             Fix For: 2.7.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> After enabling Kerberos, the Ambari JAAS file is not updated. This leads to 
> various errors like collecting JXM data from services:
> {noformat}
> 28 Mar 2018 15:40:29,041  WARN [ambari-metrics-retrieval-service-thread-4] 
> RequestTargetAuthentication:88 - NEGOTIATE authentication error: No valid 
> credentials provided (Mechanism level: No valid credentials provided 
> (Mechanism level: Attempt to obtain new INITIATE credentials fai
> led! (null)))
> 28 Mar 2018 15:40:29,042 ERROR [ambari-metrics-retrieval-service-thread-4] 
> AppCookieManager:122 - SPNego authentication failed, can not get hadoop.auth 
> cookie for URL: http://c7401.ambari.apache.org:50070/jmx
> 28 Mar 2018 15:40:29,042 ERROR [ambari-metrics-retrieval-service-thread-5] 
> AppCookieManager:122 - SPNego authentication failed, can not get hadoop.auth 
> cookie for URL: 
> http://c7401.ambari.apache.org:50070/jmx?get=Hadoop:service=NameNode,name=FSNamesystem::tag.HAState
> 2
> {noformat}
> The JAAS file as {{/etc/ambari-server/conf/krb5JAASLogin.conf}} is expected 
> to be updated to match the created Kerberos identity for the Ambari server, 
> but is not:
> The default values of
> {noformat}
>     ...
>     keyTab="/etc/security/keytabs/ambari.keytab"
>     principal="amb...@example.com"
>     ...
> {noformat}
> Should have been changed to
> {noformat}
>     ...
>     keyTab="/etc/security/keytabs/ambari.server.keytab"
>     principal="ambari-server...@example.com"
>     ...
> {noformat}
> After manually fixing this and restarting Ambari, the JMX requests 
> authenticated properly.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to