mmiklavc commented on issue #1382: METRON-2074: Script to handle TGT renewal with Storm and Kerberos enabled
URL: https://github.com/apache/metron/pull/1382#issuecomment-482765401
 
 
   # Test Instructions
   
   1. Run up full dev
   1. Set up Kerberos per the instructions in https://github.com/apache/metron/blob/master/metron-deployment/Kerberos-ambari-setup.md
   1. Modify the maxlife and maxrenewlife for your TGT. Here we're setting it to 3 and 4 minutes, respectively, but you can set the values even shorter for testing purposes.
       ```
       kadmin.local -q "modprinc -maxlife 3minutes krbtgt/[email protected]"
       kadmin.local -q "modprinc -maxrenewlife 4minutes krbtgt/[email protected]"
       ```
   1. Restart the bro parser topology. We'll focus on one topology for this exercise.
   1. Allow your max renew time to pass. If you look at your Storm bolt logs, you should see at least one renewal prior to expiration, e.g.
       ```
       2018-09-17 06:52:54.506 o.a.s.s.o.a.z.Login Thread-1 [INFO] Initiating logout for [email protected]
       2018-09-17 06:52:54.507 o.a.s.s.o.a.z.Login Thread-1 [INFO] Initiating re-login for [email protected]
       2018-09-17 06:52:54.521 o.a.s.s.o.a.z.Login Thread-1 [INFO] TGT valid starting at:        Mon Sep 17 06:53:17 UTC 2018
       2018-09-17 06:52:54.527 o.a.s.s.o.a.z.Login Thread-1 [INFO] TGT expires:                  Mon Sep 17 07:03:17 UTC 2018
       2018-09-17 06:52:54.527 o.a.s.s.o.a.z.Login Thread-1 [INFO] TGT refresh sleeping until: Mon Sep 17 07:01:29 UTC 2018
       ```
   1. You should also start to see error messages like the following in the Nimbus logs:
       ```
       2018-09-17 07:12:52.064 o.a.s.s.a.k.AutoTGT timer [INFO] Renewing TGT for [email protected]
       2018-09-17 07:12:52.064 o.a.s.s.a.k.AutoTGT timer [WARN] Failed to refresh TGT javax.security.auth.RefreshFailedException: This ticket is past its last renewal time.
       ```
   1. Run the tgt_renew.py script per the Kerberos README instructions in this PR and verify that you again start to see TGT login/renewal for [email protected]
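
Added example, not part of the original comment or the PR: a Python check for steps 5-7 that reads Storm worker and Nimbus log lines in the format quoted above and reports whether TGT renewal failed and whether a fresh login followed the last failure. The sample lines and the principal `user@EXAMPLE.REALM` are constructed, and the names `parse` and `verdict` are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: worker (Login) and Nimbus (AutoTGT) lines merged into one
# text, in the format quoted in the comment. The principal is a placeholder.
SAMPLE = """\
2018-09-17 06:52:54.507 o.a.s.s.o.a.z.Login Thread-1 [INFO] Initiating re-login for user@EXAMPLE.REALM
2018-09-17 06:52:54.527 o.a.s.s.o.a.z.Login Thread-1 [INFO] TGT expires:                  Mon Sep 17 07:03:17 UTC 2018
2018-09-17 07:12:52.064 o.a.s.s.a.k.AutoTGT timer [INFO] Renewing TGT for user@EXAMPLE.REALM
2018-09-17 07:12:52.064 o.a.s.s.a.k.AutoTGT timer [WARN] Failed to refresh TGT javax.security.auth.RefreshFailedException: This ticket is past its last renewal time.
2018-09-17 07:20:10.101 o.a.s.s.o.a.z.Login Thread-1 [INFO] Initiating re-login for user@EXAMPLE.REALM
2018-09-17 07:20:10.120 o.a.s.s.o.a.z.Login Thread-1 [INFO] TGT expires:                  Mon Sep 17 07:23:10 UTC 2018
"""

# timestamp, abbreviated logger, thread name, [LEVEL], message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (\S+) .*? \[(\w+)\] (.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
TGT_FMT = "%a %b %d %H:%M:%S UTC %Y"  # e.g. "Mon Sep 17 07:03:17 UTC 2018"

def parse(text):
    """Return (log_time, kind, tgt_expiry) tuples sorted by log time."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        ts = datetime.strptime(m.group(1), TS_FMT)
        logger, msg = m.group(2), m.group(4)
        if logger.endswith(".Login") and msg.startswith("TGT expires:"):
            expiry = datetime.strptime(msg.split(":", 1)[1].strip(), TGT_FMT)
            events.append((ts, "login_ok", expiry))
        elif logger.endswith(".AutoTGT") and msg.startswith("Failed to refresh TGT"):
            events.append((ts, "renew_failed", None))
    return sorted(events, key=lambda e: e[0])

def verdict(events):
    """Classify a run: 'renewing', 'expired', 'recovered' or 'no-data'."""
    failures = [e for e in events if e[1] == "renew_failed"]
    logins = [e for e in events if e[1] == "login_ok"]
    if not failures:
        return "renewing" if logins else "no-data"
    last_failure = failures[-1][0]
    # Step 7 passes only if a fresh TGT was logged after the last failure.
    recovered = any(ts > last_failure for ts, _, _ in logins)
    return "recovered" if recovered else "expired"

if __name__ == "__main__":
    print(verdict(parse(SAMPLE)))
```
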
