[jira] [Updated] (AMBARI-7780) Storm UI server should have the same default keytab value as of other components for spnego principal

Tue, 14 Oct 2014 17:00:01 -0700 

     [ 
https://issues.apache.org/jira/browse/AMBARI-7780?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jaimin D Jetly updated AMBARI-7780:
-----------------------------------
    Description: 
The problem will occur when there are two different keytabs containing same 
principal on a host. In this scenario only one principal will be considered to 
be valid. (The reason is due to different kvno of the principal in both keytabs 
while using --randkey option to add principal to keytab)
For example if Namenode host and Storm UI Server are co-hosted. 
spnego.service.keytab will have principal HTTP/[email protected] which will 
be used by NameNode web UI.
Storm UI daemon will also try to authenticate with the same principal but from 
a different keytab path and with different kvno.
In this scenario the keytab that was created last with the principal will hold 
valid principal and the other daemon will fail to authenticate with kerberos 
authentication error.

> Storm UI server should have the same default keytab value as of other 
> components for spnego principal
> -----------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-7780
>                 URL: https://issues.apache.org/jira/browse/AMBARI-7780
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 1.7.0
>            Reporter: Jaimin D Jetly
>            Assignee: Jaimin D Jetly
>            Priority: Critical
>             Fix For: 1.7.0
>
>
> The problem will occur when there are two different keytabs containing same 
> principal on a host. In this scenario only one principal will be considered 
> to be valid. (The reason is due to different kvno of the principal in both 
> keytabs while using --randkey option to add principal to keytab)
> For example if Namenode host and Storm UI Server are co-hosted. 
> spnego.service.keytab will have principal HTTP/[email protected] which 
> will be used by NameNode web UI.
> Storm UI daemon will also try to authenticate with the same principal but 
> from a different keytab path and with different kvno.
> In this scenario the keytab that was created last with the principal will 
> hold valid principal and the other daemon will fail to authenticate with 
> kerberos authentication error.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to