[AMBARI-9785] Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.0.0
Fix Version/s: 2.0.0
Component/s: ambari-agent
Labels:
- kerberos
- keytabs

Epic Link:
Ambari Automated Kerberization

Description

After enabling Kerberos, the root user has the spnego user set for it

[root@c6501 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/c6501.ambari.apache.org@EXAMPLE.COM

Valid starting     Expires            Service principal
02/18/15 22:14:51  02/19/15 22:14:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 02/18/15 22:14:51

It appears that the issue is related to the agent-side scheduler and/or some job that is scheduled to run periodically. Apparently some job is kinit-ing with the SPNEGO identity as the running user (root in this case) without changing the ticket cache. Thus whenever the job runs the root user's ticket cache gets changed to contain the SPNEGO identity's ticket.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

AMBARI-9785_03.patch
27/Feb/15 22:55
57 kB
Robert Levas
AMBARI-9785_02.patch
27/Feb/15 18:25
57 kB
Robert Levas
AMBARI-9785_01.patch
26/Feb/15 01:28
20 kB
Robert Levas

Issue Links

links to

ReviewBoard

Activity

People

Assignee:: Robert Levas

Reporter:: Robert Levas

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 25/Feb/15 01:17

Updated:: 28/Feb/15 03:10

Resolved:: 28/Feb/15 02:32