-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59637/
-----------------------------------------------------------
Review request for Ambari, Balázs Bence Sári, Robert Levas, and Sebastian
Toader.
Bugs: AMBARI-21146
https://issues.apache.org/jira/browse/AMBARI-21146
Repository: ambari
Description
-------
The JAAS configuration for Knox allows the interactive user's ticket cache to
be used to establish the service's identity when starting up. This is
problematic and potentially confusing. To prevent this, the JAAS config should
be set as follows:
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/knox.service.keytab"
    principal="knox/[email protected]"
    storeKey=true
    useTicketCache=false;
};
Note: the keytab file and principal name values need to be set based on the
relevant Kerberos configuration.
Diffs
-----
ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/templates/krb5JAASLogin.conf.j2
fa3237b
ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/templates/krb5JAASLogin.conf.j2
fa3237b
Diff: https://reviews.apache.org/r/59637/diff/1/
Testing
-------
manually:
- Added Knox to a kerberized cluster
- checked the content of the generated krb5JAASLogin.conf file
(/etc/knox/2.6.1.0-125/0/krb5JAASLogin.conf)
Existing tests:
----------------------------------------------------------------------
Ran 273 tests in 6.832s
OK
----------------------------------------------------------------------
Total run:1171
Total errors:0
Total failures:0
Ran 467 tests in 18.265s
OK
Results :
Tests run: 4981, Failures: 0, Errors: 0, Skipped: 39
Thanks,
Attila Magyar
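
A check that could be run against a generated krb5JAASLogin.conf to confirm the settings listed in the description. This is an added example, not part of the review request or of Ambari's code. The parser is simplified, the function names are hypothetical, and the sample principal and the WEAK entry are constructed.

```python
import re

# Values from the review description; unset options are reported too.
REQUIRED = {"useTicketCache": "false", "useKeyTab": "true", "doNotPrompt": "true",
            "renewTGT": "false", "storeKey": "true"}
ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)
MODULE_RE = re.compile(r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b(.*?);", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')

def parse_jaas(text):
    """Simplified parse (no ';' or '}' inside quoted values): {entry: [(class, flag, opts)]}."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)   # whole-line comments
    return {name: [(mod, flag, {k: q or u for k, q, u in OPTION_RE.findall(opts)})
                   for mod, flag, opts in MODULE_RE.findall(body)]
            for name, body in ENTRY_RE.findall(text)}

def audit(text, entry="com.sun.security.jgss.initiate"):
    """Findings for the Krb5LoginModule lines of `entry`; [] means it matches the review."""
    mods = [m for m in parse_jaas(text).get(entry, []) if m[0].endswith("Krb5LoginModule")]
    if not mods:
        return [f"{entry}: no Krb5LoginModule line found"]
    findings = []
    for _mod, _flag, opts in mods:
        for key, want in REQUIRED.items():
            got = opts.get(key, "<unset>")
            if got.lower() != want:
                findings.append(f"{key}={got} (expected {want})")
        findings += [f"{key} is not set" for key in ("keyTab", "principal") if not opts.get(key)]
    return findings

# Constructed samples: the principal is a placeholder, and WEAK is an illustrative
# entry that re-enables the ticket cache, not the earlier Ambari template.
HARDENED = """
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/knox.service.keytab"
    principal="knox/host.example.com@EXAMPLE.COM"
    storeKey=true
    useTicketCache=false;
};
"""
WEAK = HARDENED.replace("useTicketCache=false", "useTicketCache=true")

if __name__ == "__main__":
    print("hardened:", audit(HARDENED), "weak:", audit(WEAK))
```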