[AMBARI-21146] Knox JAAS configuration file should not allow the Kerberos ticket cache to be used when establishing its identity on startup - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.7.0
Fix Version/s: 2.5.2
Component/s: None
Labels:
None

Description

The JAAS configuration for Knox allows the interactive user's ticket cache to be used to establish the service's identity when starting up. This is problematic and potentially confusing. To prevent this, the JAAS config should be set as follows:

com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  principal="knox/c6403.ambari.apache.org@EXAMPLE.COM"
  storeKey=true
  useTicketCache=false;
};

Note: the keytab file and principal name values need to be set based on the relevant Kerberos configuration.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

AMBARI-21146_branch2.5.patch
08/Jun/17 08:13
0.8 kB
Attila Magyar
AMBARI-21146.patch
08/Jun/17 08:13
2 kB
Attila Magyar

Issue Links

links to

review board

Activity

People

Assignee:: Attila Magyar

Reporter:: Attila Magyar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 30/May/17 13:49

Updated:: 08/Jun/17 10:27

Resolved:: 08/Jun/17 09:34