Bigtop
  1. Bigtop
  2. BIGTOP-530

[puppet] We currently xst the HTTP principal multiple times, each time invalidating the previous one

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 0.4.0
    • Fix Version/s: 0.4.0
    • Component/s: deployment
    • Labels:
      None

      Description

      The HTTP principal is required for SPNEGO, so we now generate it and then include it in all of the service keytabs. Unfortunately, we add it to these keytabs using kadmin's xst command, which generates a new set of credentials for the HTTP principal and invalidates the old ones. A more correct approach would be to export the credential once and then inject it into the service keytabs using ktutil (though that doesn't change the fact that the way we get the service keytabs onto the hadoop nodes is insecure). Attaching a patch that implements this approach.

      1. patch.txt
        5 kB
        Patrick Taylor Ramsey

        Activity

        Hide
        Peter Linnell added a comment -

        +1 LGTM

        Show
        Peter Linnell added a comment - +1 LGTM
        Hide
        Patrick Taylor Ramsey added a comment -

        Committed

        Show
        Patrick Taylor Ramsey added a comment - Committed

          People

          • Assignee:
            Patrick Taylor Ramsey
            Reporter:
            Patrick Taylor Ramsey
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development