Details
-
Bug
-
Status: Resolved
-
Blocker
-
Resolution: Fixed
-
2.4.0
Description
Kerberos identity definitions in Kerberos descriptors should explicitly declare a reference rather than rely on the identity's name attribute.
Currently, the set of Kerberos identities declared at a service-level or a component-level can contain identities with unique names. For example using:
"identities": [ { "name": "identity", "principal": { "value": "service/_HOST@${realm}", "configuration": "service-site/property1.principal", ... }, "keytab": { "file": "${keytab_dir}/service.service.keytab", "configuration": "service-site/property1.keytab", ... } }, { "name": "identity", "principal": { "value": "service/_HOST@${realm}", "configuration": "service-site/property2.principal", ... }, "keytab": { "file": "${keytab_dir}/service.service.keytab", "configuration": "service-site/property2.keytab", ... } } ]
Only the first "identity" principal is realized and the additional one is ignored, leaving the configurations service-site/property2.principal and service-site/property2.keytab untouched when Kerberos is enabled for the service.
To help this, the 2nd instance can be converted to a reference, overriding only the attributes the need to be changed - like the configurations.
"identities": [ { "name": "identity", "principal": { "value": "service/_HOST@${realm}", "configuration": "service-site/property1.principal", ... }, "keytab": { "file": "${keytab_dir}/service.service.keytab", "configuration": "service-site/property1.keytab", ... } }, { "name": "/SERVICE/identity", "principal": { "configuration": "service-site/property2.principal" }, "keytab": { "configuration": "service-site/property2.keytab" } } ]
This allows for both identity declarations to be realized, however this is limited to only the 2 instances. If a 3rd instance is needed (to set an additional configuration), it must look be:
{
"name": "/SERVICE/identity",
"principal": {
"configuration": "service-site/property3.principal"
},
"keytab": {
"configuration": "service-site/property3.keytab"
}
}
However since it's name is the same as the 2nd instance, it will be ignored.
If explicit references are specified, then multiple uniquely-named identity blocks will be allowed to reference the same base identity, effectively enabling the ability to declare unlimited configurations for the same identity definition:
"identities": [ { "name": "identity", "principal": { "value": "service/_HOST@${realm}", "configuration": "service-site/property1.principal", ... }, "keytab": { "file": "${keytab_dir}/service.service.keytab", "configuration": "service-site/property1.keytab", ... } }, { "name": "identitiy_reference1", "reference": "/SERVICE/identity", "principal": { "configuration": "service-site/property2.principal" }, "keytab": { "configuration": "service-site/property2.keytab" } }, { "name": "identitiy_reference2", "reference": "/SERVICE/identity", "principal": { "configuration": "service-site/property3.principal" }, "keytab": { "configuration": "service-site/property3.keytab" } } ]
NOTE: Backwards compatibility must be maintained when implementing this as to not break existing Kerberos descriptors. So identity block names the look like paths are to continue to be treated as references.
Attachments
Attachments
Issue Links
- links to
