Re: Review Request 31483: Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.

Robert Levas Fri, 27 Feb 2015 10:27:57 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31483/
-----------------------------------------------------------


(Updated Feb. 27, 2015, 1:26 p.m.)


Review request for Ambari, Andrew Onischuk, Emil Anca, Jonathan Hurley, and 
Vitalyi Brodetskyi.


Changes
-------

Addresses reviewer concerns and applied changes due to merging conflicts


Bugs: AMBARI-9785
    https://issues.apache.org/jira/browse/AMBARI-9785


Repository: ambari


Description
-------

After enabling Kerberos, the root user has the spnego user set for it 

```
[root@c6501 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]

Valid starting     Expires            Service principal
02/18/15 22:14:51  02/19/15 22:14:51  krbtgt/[email protected]
        renew until 02/18/15 22:14:51
```

It appears that the issue is related to the agent-side scheduler and/or some 
job that is scheduled to run periodically. Apparently some job is kinit-ing 
with the SPNEGO identity as the running user (root in this case) without 
changing the ticket cache. Thus whenever the job runs the root user's ticket 
cache gets changed to contain the SPNEGO identity's ticket.

While investigating and solving the issue it was found that other credentials 
were added to this cache, overwriting what was there, during backround 
processing, as well.

Most of the issues were releated to _alert_ checking on web-based UI endpoints 
while configuring the environment for curl to use Kerberos authentication.  
Another place (in Oozie) was a failure to run a command as the `oozie` local 
user.

Solving this includes using an alternate credential cache when kinit-ing. While 
at it, the cached is checked to see if the tickets are expired (or even there) 
before kinit-ing.


Diffs (updated)
-----

  ambari-agent/src/main/python/ambari_agent/AlertSchedulerHandler.py a53201e 
  ambari-agent/src/main/python/ambari_agent/alerts/web_alert.py 5052ca0 
  
ambari-common/src/main/python/resource_management/libraries/functions/__init__.py
 6bcd7cd 
  
ambari-common/src/main/python/resource_management/libraries/functions/find_path.py
 PRE-CREATION 
  
ambari-common/src/main/python/resource_management/libraries/functions/get_kdestroy_path.py
 f6d7f78 
  
ambari-common/src/main/python/resource_management/libraries/functions/get_kinit_path.py
 98434a2 
  
ambari-common/src/main/python/resource_management/libraries/functions/get_klist_path.py
 PRE-CREATION 
  
ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_webhcat_server.py
 9773ec3 
  
ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/alerts/alert_check_oozie_server.py
 23a3482 
  
ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/oozie_service.py
 092149d 
  
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/HBASE/package/scripts/params.py
 f368703 
  
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/HDFS/package/scripts/params.py
 9fbce1d 
  
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/HIVE/package/scripts/params.py
 90235e9 
  
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/OOZIE/package/files/alert_check_oozie_server.py
 a5a066b 
  
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/OOZIE/package/scripts/params.py
 f13fbaf 
  
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/PIG/package/scripts/params.py
 b334f3b 
  
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/WEBHCAT/package/files/alert_webhcat_server.py
 970ddde 
  
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/YARN/package/scripts/params.py
 187ddc0 
  
ambari-server/src/main/resources/stacks/BIGTOP/0.8/services/ZOOKEEPER/package/scripts/params.py
 b668f67 
  
ambari-server/src/main/resources/stacks/HDP/2.0.6.GlusterFS/services/YARN/package/scripts/params.py
 0fdaf18 
  
ambari-server/src/main/resources/stacks/HDP/2.1.GlusterFS/services/FALCON/package/scripts/params.py
 056380b 
  
ambari-server/src/main/resources/stacks/HDP/2.1.GlusterFS/services/YARN/package/scripts/params.py
 0fdaf18 
  
ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/KNOX/package/scripts/params.py
 b11eddb 
  
ambari-server/src/main/resources/stacks/HDP/2.2.GlusterFS/services/SLIDER/package/scripts/params.py
 121bbd4 
  
ambari-server/src/main/resources/stacks/HDPWIN/2.1/services/YARN/package/scripts/params.py
 a548f98 
  
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/HBASE/package/scripts/params.py
 8c4f5e5 
  
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/HDFS/package/scripts/params.py
 ff61dd7 
  
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/HIVE/package/scripts/params.py
 a9a67f7 
  
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/NAGIOS/package/scripts/params.py
 5a0ffbb 
  
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/OOZIE/package/scripts/params.py
 7659529 
  
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/PIG/package/scripts/params.py
 60a9806 
  
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/YARN/package/scripts/params.py
 6e7f170 
  
ambari-server/src/main/resources/stacks/PHD/3.0.0.0/services/ZOOKEEPER/package/scripts/params.py
 9fa99b5 
  ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py 321a9c1 
  
ambari-server/src/test/resources/TestAmbaryServer.samples/dummy_common_services/HIVE/0.11.0.2.0.5.0/package/scripts/params.py
 0cf89be 
  
ambari-server/src/test/resources/TestAmbaryServer.samples/dummy_stack/HIVE/package/scripts/params.py
 0cf89be 
  
ambari-server/src/test/resources/stacks/HDP/2.0.7/services/HIVE/package/scripts/params.py
 648913b 

Diff: https://reviews.apache.org/r/31483/diff/


Testing
-------

Manually tested all services in test cluster to see which might have this 
issue. Found only OOZIE and HIVE issues and tests showed they are fixed and 
working as they should.

#Jenkins Test Results

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:12 h
[INFO] Finished at: 2015-02-26T06:35:45+00:00
[INFO] Final Memory: 44M/457M
[INFO] ------------------------------------------------------------------------


Thanks,

Robert Levas

Re: Review Request 31483: Root user has spnego (HTTP) kerberos ticket set after Kerberos is enabled, root should have no ticket.

Reply via email to