Posted to dev@oozie.apache.org by "Harsh J (JIRA)" <ji...@apache.org> on 2016/07/13 10:35:20 UTC

[jira] [Commented] (OOZIE-2413) Kerberos credentials can expire if the KDC is slow to respond

    [ https://issues.apache.org/jira/browse/OOZIE-2413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374807#comment-15374807 ] 

Harsh J commented on OOZIE-2413:
--------------------------------

Note that this issue can happen even in cases of a responsive KDC. The basic flaw is the second point of the description, in that except for the MR1, HDFS, YARN and HBase clients, the rest (such as the Hive HMS client or the HS2 JDBC client) do not have mechanisms to ensure a valid TGT before making connection calls. With this change, the presence of a valid TGT in memory is ensured (with a new login where necessary) regardless of what form of client the credential system builds up.

> Kerberos credentials can expire if the KDC is slow to respond
> -------------------------------------------------------------
>
>                 Key: OOZIE-2413
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2413
>             Project: Oozie
>          Issue Type: Bug
>          Components: security
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>             Fix For: trunk
>
>         Attachments: OOZIE-2413.001.patch, OOZIE-2413.002.patch, OOZIE-2413.003.patch
>
>
> We've seen some very rare cases where Oozie gets a Kerberos error when trying to get delegation tokens via the {{Credentials}} mechanism (e.g. getting HS2 delegation tokens).
> We finally narrowed it down to slow KDC responses, so Oozie's Kerberos credentials have expired when it tries to get the delegation token.  The reason we don't see this with Hadoop clients (DFSClient for HDFS, JobClient for MR, etc) is because they call {{UserGroupInformation#checkTGTAndReloginFromKeytab()}} before trying to connect.  
> We should do a similar fix by calling {{UserGroupInformation#checkTGTAndReloginFromKeytab()}} before using a Credentials implementation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
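
The fix proposed in the description, sketched as an added example (not the OOZIE-2413 patch and not Oozie code): check the TGT through UserGroupInformation before any client connection is opened to fetch a delegation token. The class TgtGuard and the interface TokenFetcher are hypothetical names standing in for a Credentials implementation; the example assumes hadoop-common on the classpath and a keytab login.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.security.UserGroupInformation;

/** Added illustration; TgtGuard is a hypothetical helper, not part of Oozie or Hadoop. */
public final class TgtGuard {

    /**
     * Hypothetical stand-in for a credentials implementation that opens a
     * Kerberos-authenticated connection (for example to HS2 or the Hive
     * metastore) and returns a delegation token.
     */
    public interface TokenFetcher<T> {
        T fetch() throws Exception;
    }

    private TgtGuard() {
    }

    /**
     * Ensures the login user's TGT is usable, then runs the fetcher as that user.
     * Clients such as the HS2 JDBC client do not perform this check themselves,
     * so it has to happen before the fetcher connects.
     */
    public static <T> T fetchWithValidTgt(TokenFetcher<T> fetcher)
            throws IOException, InterruptedException {
        UserGroupInformation login = UserGroupInformation.getLoginUser();

        // Re-logs in from the keytab if the TGT is expired or close to expiry.
        // Returns without doing anything when security is disabled or the
        // login did not come from a keytab.
        login.checkTGTAndReloginFromKeytab();

        // Run the connection attempt with the (possibly refreshed) credentials.
        // The cast selects the PrivilegedExceptionAction overload of doAs.
        return login.doAs((PrivilegedExceptionAction<T>) fetcher::fetch);
    }
}
```

A caller would wrap each token request, for example `TgtGuard.fetchWithValidTgt(() -> client.getDelegationToken(...))`, where `client` is whatever connection object the credentials implementation builds.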