[
https://issues.apache.org/jira/browse/AMBARI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Levas updated AMBARI-9785:
---------------------------------
Attachment: AMBARI-9785_02.patch
Updates to address reviewer concerns and merge issues.
> Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled,
> root should have no ticket.
> ------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-9785
> URL: https://issues.apache.org/jira/browse/AMBARI-9785
> Project: Ambari
> Issue Type: Bug
> Components: ambari-agent
> Affects Versions: 2.0.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Blocker
> Labels: kerberos, keytabs
> Fix For: 2.0.0
>
> Attachments: AMBARI-9785_01.patch, AMBARI-9785_02.patch
>
>
> After enabling Kerberos, the root user has the spnego user set for it
> {code}
> [root@c6501 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/[email protected]
> Valid starting Expires Service principal
> 02/18/15 22:14:51 02/19/15 22:14:51 krbtgt/[email protected]
> renew until 02/18/15 22:14:51
> {code}
> It appears that the issue is related to the agent-side scheduler and/or some
> job that is scheduled to run periodically. Apparently some job is kinit-ing
> with the SPNEGO identity as the running user (root in this case) without
> changing the ticket cache. Thus whenever the job runs the root user's ticket
> cache gets changed to contain the SPNEGO identity's ticket.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
