Shishaodong created SENTRY-900:
----------------------------------

             Summary: Whitelist does not work well. All Kerberos users can 
access the Sentry web server without authentication.
                 Key: SENTRY-900
                 URL: https://issues.apache.org/jira/browse/SENTRY-900
             Project: Sentry
          Issue Type: Bug
          Components: Sentry
    Affects Versions: 1.6.0
         Environment: centos 6.5
            Reporter: Shishaodong
            Priority: Critical
             Fix For: 1.6.0


1. Configure /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = NOVALOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 1000000
allow_weak_crypto = true
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
NOVALOCAL = {
  kdc = server-XXXXX.novalocal
  admin_server = server-XXXXX.novalocal
}
[domain_realm]
.novalocal = NOVALOCAL
novalocal = NOVALOCAL

Copy /etc/krb5.conf on KDC to all other cluster nodes


2. Configure /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
NOVALOCAL = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  master_key_type = des3-hmac-sha1
  supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
}


3. Specify the KDC encryption type: des-cbc-md5


4. Generate the keytab for sentry.service.web.authentication.kerberos.keytab

kadmin -w 123456 -p kadmin/admin -q 'xst -k /opt/HTTP.keytab HTTP/server-2406.novalocal@NOVALOCAL'


5. Sentry Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml
<property>
     <name>sentry.service.web.enable</name>
     <value>true</value>
</property>
<property>
     <name>sentry.service.web.port</name>
     <value>51000</value>
</property>
<property>
     <name>sentry.service.web.authentication.type</name>
     <value>KERBEROS</value>
</property>
<property>
     <name>sentry.service.web.authentication.kerberos.principal</name>
     <value>HTTP/server-2406.novalocal@NOVALOCAL</value>
</property>
<property>
     <name>sentry.service.web.authentication.kerberos.keytab</name>
     <value>/opt/HTTP.keytab</value>
</property>
<property>
     <name>sentry.service.web.authentication.allow.connect.users</name>
     <value>dong</value>
</property>
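The behaviour the report expects from sentry.service.web.authentication.allow.connect.users, written out as a stand-alone check (an added example, not Sentry's own code): Kerberos authenticates the caller, and the allow list then decides whether that authenticated principal may use the web UI. It parses the sentry-site.xml properties above (wrapped in the usual <configuration> root) and maps a principal to its short name; the treatment of service principals and of an empty list are assumptions, stated in the comments.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the relevant properties from the report's sentry-site.xml.
SENTRY_SITE = """<configuration>
<property><name>sentry.service.web.enable</name><value>true</value></property>
<property><name>sentry.service.web.authentication.type</name><value>KERBEROS</value></property>
<property><name>sentry.service.web.authentication.allow.connect.users</name><value>dong</value></property>
</configuration>"""

AUTH_TYPE_KEY = "sentry.service.web.authentication.type"
ALLOW_KEY = "sentry.service.web.authentication.allow.connect.users"


def parse_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML config."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf


def short_name(principal):
    """Map user@REALM to user. Principals with an instance component
    (e.g. HTTP/host@REALM) are service principals and get no short name
    here; that mirrors Hadoop's DEFAULT auth_to_local rule (assumption)."""
    user = principal.split("@", 1)[0]
    if not user or "/" in user:
        return None
    return user


def allowed_users(conf):
    """Comma-separated allow list, as a set of short user names."""
    return {u.strip() for u in conf.get(ALLOW_KEY, "").split(",") if u.strip()}


def is_allowed(conf, principal):
    """Decide web access for an already Kerberos-authenticated principal.
    Authentication alone is not enough: the caller must also be listed."""
    if conf.get(AUTH_TYPE_KEY, "").upper() != "KERBEROS":
        return False  # only the Kerberos mode from the report is modelled
    allowed = allowed_users(conf)
    if not allowed:
        return False  # assumption: an empty allow list denies everyone
    name = short_name(principal)
    return name is not None and name in allowed
```

With the report's configuration, dong@NOVALOCAL is admitted and any other realm user is refused, which is the outcome the reporter observed to be missing.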



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)