Re: Review Request 59637: Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup

Tue, 30 May 2017 08:59:38 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59637/#review176311
-----------------------------------------------------------


Ship it!




Ship It!

- Sebastian Toader


On May 30, 2017, 5:21 p.m., Attila Magyar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59637/
> -----------------------------------------------------------
> 
> (Updated May 30, 2017, 5:21 p.m.)
> 
> 
> Review request for Ambari, Balázs Bence Sári, Robert Levas, and Sebastian 
> Toader.
> 
> 
> Bugs: AMBARI-21146
>     https://issues.apache.org/jira/browse/AMBARI-21146
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> The JAAS configuration for Knox allows the interactive user's ticket cache to 
> be used to establish the service's identity when starting up. This is 
> problematic and potentially confusing. To prevent this, the JAAS config 
> should be set as follows:
> 
> 
> com.sun.security.jgss.initiate {
>   com.sun.security.auth.module.Krb5LoginModule required
>   renewTGT=false
>   doNotPrompt=true
>   useKeyTab=true
>   keyTab="/etc/security/keytabs/knox.service.keytab"
>   principal="knox/[email protected]"
>   storeKey=true
>   useTicketCache=false;
> };
> 
> Note: the keytab file and principal name values need to be set based on the 
> relevant Kerberos configuration.
> 
> 
> Diffs
> -----
> 
>   
> ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/templates/krb5JAASLogin.conf.j2
>  fa3237b 
>   
> ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/templates/krb5JAASLogin.conf.j2
>  fa3237b 
> 
> 
> Diff: https://reviews.apache.org/r/59637/diff/1/
> 
> 
> Testing
> -------
> 
> manually:
>   - Added Knox to a kerberized cluster
>   - checked the content of the generted krb5JAASLogin.conf file 
> (/etc/knox/2.6.1.0-125/0/krb5JAASLogin.conf)
> 
> Existing tests: 
> ----------------------------------------------------------------------
> Ran 273 tests in 6.832s
> OK
> ----------------------------------------------------------------------
> Total run:1171
> Total errors:0
> Total failures:0
> Ran 467 tests in 18.265s
> OK
> 
> Results :
> Tests run: 4981, Failures: 0, Errors: 0, Skipped: 39
> 
> 
> Thanks,
> 
> Attila Magyar
> 
>

Reply via email to