Sentry (Retired) / SENTRY-900

User could access sentry metric info by curl without authorization


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.6.0
    • Fix Version/s: 1.7.0
    • Component/s: Sentry
    • Labels: None
    • Environment: centos 6.5

    Description

      1. Configure /etc/krb5.conf

      [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log
      [libdefaults]
      default_realm = NOVALOCAL
      dns_lookup_realm = false
      dns_lookup_kdc = false
      ticket_lifetime = 24h
      forwardable = true
      udp_preference_limit = 1000000
      allow_weak_crypto = true
      default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
      default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
      permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
      [realms]
      NOVALOCAL = {
      kdc = server-XXXXX.novalocal
      admin_server = server-XXXXX.novalocal
      }
      [domain_realm]
      .novalocal = NOVALOCAL
      novalocal = NOVALOCAL

      Copy /etc/krb5.conf from the KDC to all other cluster nodes

      2. Configure /var/kerberos/krb5kdc/kdc.conf

      [kdcdefaults]
      kdc_ports = 88
      kdc_tcp_ports = 88
      [realms]
      NOVALOCAL = {
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      master_key_type = des3-hmac-sha1
      supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
      }

      3. Specify the KDC encryption type: des-cbc-md5

      4. Generate the keytab for sentry.service.web.authentication.kerberos.keytab

      kadmin -w 123456 -p kadmin/admin -q 'xst -k /opt/HTTP.keytab HTTP/server-2406.novalocal@NOVALOCAL'

      5. Sentry Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml
      <property>
      <name>sentry.service.web.enable</name>
      <value>true</value>
      </property>
      <property>
      <name>sentry.service.web.port</name>
      <value>51000</value>
      </property>
      <property>
      <name>sentry.service.web.authentication.type</name>
      <value>KERBEROS</value>
      </property>
      <property>
      <name>sentry.service.web.authentication.kerberos.principal</name>
      <value>HTTP/server-2406.novalocal@NOVALOCAL</value>
      </property>
      <property>
      <name>sentry.service.web.authentication.kerberos.keytab</name>
      <value>/opt/HTTP.keytab</value>
      </property>
      <property>
      <name>sentry.service.web.authentication.allow.connect.users</name>
      <value>dong</value>
      </property>
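The check a practitioner would run against the setup above, added here as an example that is not part of the original report or of the Sentry code base: a POSIX shell script that requests the Sentry web service once anonymously and once with a Kerberos ticket, and classifies the anonymous response. The host, port and the allow-listed user come from the configuration in the report; the /metrics path, and the expectation that a SPNEGO-protected endpoint answers an anonymous request with 401 plus a WWW-Authenticate: Negotiate challenge, are assumptions. A 200 on the anonymous request is the behaviour this issue reports.

```shell
#!/bin/sh
# Added example (not from the SENTRY-900 report or the Sentry project).
# Probes the Sentry web service configured in the report, first anonymously
# and then with a Kerberos ticket, and reports whether the anonymous request
# is rejected. SENTRY_HOST, SENTRY_PORT and ALLOWED_USER come from the report;
# METRICS_PATH and the expected 401/Negotiate challenge are assumptions.

SENTRY_HOST="${SENTRY_HOST:-server-2406.novalocal}"
SENTRY_PORT="${SENTRY_PORT:-51000}"
METRICS_PATH="${METRICS_PATH:-/metrics}"   # assumed endpoint path
ALLOWED_USER="${ALLOWED_USER:-dong}"       # sentry.service.web.authentication.allow.connect.users

# http_status RAW_RESPONSE_HEADERS -> prints the status code from the first line
http_status() {
  printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p'
}

# classify_anonymous STATUS HEADERS -> verdict on stdout.
# Exit status: 0 = protected, 1 = exposed (the SENTRY-900 behaviour), 2 = inconclusive.
classify_anonymous() {
  status="$1"; headers="$2"
  case "$status" in
    401)
      if printf '%s\n' "$headers" | grep -qi '^WWW-Authenticate: *Negotiate'; then
        echo "protected: 401 with a Negotiate (SPNEGO) challenge"
      else
        echo "protected: 401 without a Negotiate challenge (check sentry.service.web.authentication.type)"
      fi
      return 0 ;;
    403)
      echo "protected: 403 (rejected; a non-allow-listed but authenticated user sees this too)"
      return 0 ;;
    200)
      echo "EXPOSED: anonymous request returned 200 (SENTRY-900 behaviour)"
      return 1 ;;
    *)
      echo "inconclusive: HTTP status '$status'"
      return 2 ;;
  esac
}

# probe -> runs both requests against the live service. '-D -' dumps the
# response headers to stdout; the body is discarded with '-o /dev/null'.
probe() {
  url="http://$SENTRY_HOST:$SENTRY_PORT$METRICS_PATH"

  echo "anonymous GET $url"
  anon=$(curl -s -o /dev/null -D - "$url") || { echo "connection failed"; return 2; }
  classify_anonymous "$(http_status "$anon")" "$anon"
  rc=$?

  # Authorized path: the caller must hold a TGT (kinit "$ALLOWED_USER") and the
  # principal must be in allow.connect.users. '-u :' makes curl use the ticket cache.
  echo "SPNEGO GET as $ALLOWED_USER (requires an existing kinit)"
  auth=$(curl -s -o /dev/null -D - --negotiate -u : "$url") || { echo "connection failed"; return 2; }
  echo "authenticated request: HTTP $(http_status "$auth")"
  return $rc
}

# Only touch the network when asked, so the functions can be sourced and
# exercised without contacting the cluster.
if [ "${RUN_PROBE:-0}" = "1" ]; then
  probe
fi
```

Run it as `RUN_PROBE=1 sh sentry-web-check.sh` after `kinit dong`; the `--negotiate` request needs a curl built with GSS-API support. On a 1.6.0 service the anonymous request is expected to return 200 and the script exits 1; on a service with the fix from this issue it should exit 0 and the only 200 should be the SPNEGO request.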

      Attachments

        1. SENTRY-900.001.patch (1 kB, Dapeng Sun)

        People

          Assignee: Dapeng Sun (dapengsun)
          Reporter: Shishaodong (shaodong)