You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@oozie.apache.org by William Kang <wk...@linkedin.com.INVALID> on 2015/04/06 18:53:43 UTC

Oozie kerberos ticket renewal

Hi all,

When Oozie is set up to talk to secure hadoop cluster via Kerberos, does Oozie automatically renew its Kerberos ticket? I cannot find anywhere in the Oozie code about this mechanism, also look like no documentation on it. If no automatic Kerberos ticket renewal, does it mean I have to periodically restart Oozie to keep the ticket valid?

Thanks,
William

Re: Oozie kerberos ticket renewal

Posted by Mohammad Islam <mi...@yahoo.com.INVALID>.

William,Can you please send the whole stack trace?
Regards,Mohammad 


     On Monday, April 6, 2015 1:04 PM, William Kang <wk...@linkedin.com.INVALID> wrote:
   

 Thanks Robert for the reply. In our setup, the following error will happen
every day around same time (and have to restart Oozie to fix it). Looks to
us Oozie is not doing the automatic Kerberos ticket renewal. Any idea what
might cause this? Thanks for the input.

Error: E0501 : E0501: Could not perform authorization operation, Failed on
local exception: java.io.IOException: Couldn't setup connection for
oozie/[domain]@[DOMAIN] to [name node box]/[name node box ip]:9000; Host
Details : local host is: "[oozie box]/[oozie box ip]"; destination host
is: "[name node box]":9000;


William



On 4/6/15, 10:46 AM, "Robert Kanter" <rk...@cloudera.com> wrote:

>Hi William,
>
>Oozie automatically renews the Kerberos ticket.  IIRC, it happens at 80%
>of
>lifetime.  You won't see this in the Oozie code because it's handled by
>hadoop-auth, which is the package Oozie uses for most security/kerberos
>stuff.
>
>- Robert
>
>On Mon, Apr 6, 2015 at 9:53 AM, William Kang <wk...@linkedin.com.invalid>
>wrote:
>
>> Hi all,
>>
>> When Oozie is set up to talk to secure hadoop cluster via Kerberos, does
>> Oozie automatically renew its Kerberos ticket? I cannot find anywhere in
>> the Oozie code about this mechanism, also look like no documentation on
>>it.
>> If no automatic Kerberos ticket renewal, does it mean I have to
>> periodically restart Oozie to keep the ticket valid?
>>
>> Thanks,
>> William
>>
>>

Re: Oozie kerberos ticket renewal

Posted by William Kang <wk...@linkedin.com.INVALID>.

Thanks Robert for the reply. In our setup, the following error will happen
every day around same time (and have to restart Oozie to fix it). Looks to
us Oozie is not doing the automatic Kerberos ticket renewal. Any idea what
might cause this? Thanks for the input.

Error: E0501 : E0501: Could not perform authorization operation, Failed on
local exception: java.io.IOException: Couldn't setup connection for
oozie/[domain]@[DOMAIN] to [name node box]/[name node box ip]:9000; Host
Details : local host is: "[oozie box]/[oozie box ip]"; destination host
is: "[name node box]":9000;


William



On 4/6/15, 10:46 AM, "Robert Kanter" <rk...@cloudera.com> wrote:

>Hi William,
>
>Oozie automatically renews the Kerberos ticket.  IIRC, it happens at 80%
>of
>lifetime.  You won't see this in the Oozie code because it's handled by
>hadoop-auth, which is the package Oozie uses for most security/kerberos
>stuff.
>
>- Robert
>
>On Mon, Apr 6, 2015 at 9:53 AM, William Kang <wk...@linkedin.com.invalid>
>wrote:
>
>> Hi all,
>>
>> When Oozie is set up to talk to secure hadoop cluster via Kerberos, does
>> Oozie automatically renew its Kerberos ticket? I cannot find anywhere in
>> the Oozie code about this mechanism, also look like no documentation on
>>it.
>> If no automatic Kerberos ticket renewal, does it mean I have to
>> periodically restart Oozie to keep the ticket valid?
>>
>> Thanks,
>> William
>>
>>

Re: Oozie kerberos ticket renewal

Posted by Robert Kanter <rk...@cloudera.com>.

Hi William,

Oozie automatically renews the Kerberos ticket.  IIRC, it happens at 80% of
lifetime.  You won't see this in the Oozie code because it's handled by
hadoop-auth, which is the package Oozie uses for most security/kerberos
stuff.

- Robert

On Mon, Apr 6, 2015 at 9:53 AM, William Kang <wk...@linkedin.com.invalid>
wrote:

> Hi all,
>
> When Oozie is set up to talk to secure hadoop cluster via Kerberos, does
> Oozie automatically renew its Kerberos ticket? I cannot find anywhere in
> the Oozie code about this mechanism, also look like no documentation on it.
> If no automatic Kerberos ticket renewal, does it mean I have to
> periodically restart Oozie to keep the ticket valid?
>
> Thanks,
> William
>
>