Posted to dev@hbase.apache.org by "Sandeep Guggilam (Jira)" <ji...@apache.org> on 2020/07/24 02:14:00 UTC

[jira] [Created] (HBASE-24768) Clear service kerberos ticket in case of SASL failures from server side

Sandeep Guggilam created HBASE-24768:
----------------------------------------

             Summary: Clear service kerberos ticket in case of SASL failures from server side
                 Key: HBASE-24768
                 URL: https://issues.apache.org/jira/browse/HBASE-24768
             Project: HBase
          Issue Type: Bug
            Reporter: Sandeep Guggilam
            Assignee: Sandeep Guggilam


We set up a SASL connection using different mechanisms like Digest, Kerberos from master to RS for various activities like region assignment etc. In case of SASL connect failures, we try to dispose of the SaslRpcClient and try to relogin from the keytab on the client side. However, the relogin from keytab method doesn't clear off the service ticket cached in memory unless the TGT is about to expire within a timeframe.

This actually causes an issue where there is a keytab refresh that happens because of expiry on the RS server and throws a SASL connect error when Master reaches out to the RS server with the cached service ticket that no longer works with the new refreshed keytab. We might need to clear off the service ticket cached as there could be a credential refresh on the RS server side when handling connect failures.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
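
The behaviour the report asks for, as an added example that is not HBase's code or the eventual patch: on a SASL connect failure, drop the cached service ticket for the failing server from the JAAS Subject while keeping the TGT, so the next connect requests a fresh ticket from the KDC. The class, the method names, the principals and the tickets are all constructed for illustration.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class ServiceTicketEviction {

    /** Removes cached tickets issued for servicePrincipal; TGTs (krbtgt/...) are never touched. */
    static int evictServiceTickets(Subject subject, String servicePrincipal) {
        int removed = 0;
        // getPrivateCredentials(Class) returns a copy, so removing from the live set here is safe.
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            String server = ticket.getServer().getName();
            if (!server.startsWith("krbtgt/") && server.equals(servicePrincipal)) {
                subject.getPrivateCredentials().remove(ticket);
                removed++;
            }
        }
        return removed;
    }

    /** Constructed stand-in ticket: dummy encoding and session key, valid for one hour. */
    static KerberosTicket sampleTicket(String client, String server) {
        Date now = new Date();
        Date end = new Date(now.getTime() + 3_600_000L);
        return new KerberosTicket(new byte[] {0x61}, new KerberosPrincipal(client),
                new KerberosPrincipal(server), new byte[32], 18, null, now, now, end, null, null);
    }

    public static void main(String[] args) {
        // Constructed principals: the master's identity, its TGT, and a ticket for one RS.
        String master = "hbase/master.example.com@EXAMPLE.COM";
        String regionServer = "hbase/rs1.example.com@EXAMPLE.COM";
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(sampleTicket(master, "krbtgt/EXAMPLE.COM@EXAMPLE.COM"));
        subject.getPrivateCredentials().add(sampleTicket(master, regionServer));

        // Simulated handling of a SASL connect failure against the RS.
        int removed = evictServiceTickets(subject, regionServer);
        System.out.println("evicted service tickets: " + removed);
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("still cached: " + t.getServer().getName());
        }
    }
}
```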