You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Geoffrey Jacoby (Jira)" <ji...@apache.org> on 2022/08/02 23:49:00 UTC
[jira] [Assigned] (HBASE-24768) Clear cached service kerberos ticket in case of SASL failures thrown from server side
[ https://issues.apache.org/jira/browse/HBASE-24768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Geoffrey Jacoby reassigned HBASE-24768:
---------------------------------------
Assignee: Sandeep Guggilam
> Clear cached service kerberos ticket in case of SASL failures thrown from server side
> -------------------------------------------------------------------------------------
>
> Key: HBASE-24768
> URL: https://issues.apache.org/jira/browse/HBASE-24768
> Project: HBase
> Issue Type: Bug
> Reporter: Sandeep Guggilam
> Assignee: Sandeep Guggilam
> Priority: Major
> Fix For: 1.7.0
>
>
> We setup a SASL connection using different mechanisms like Digest, Kerberos from master to RS for various activities like region assignment etc. In case of SASL connect failures, we try to dispose of the SaslRpcClient and try to relogin from the keytab on the client side. However the relogin from keytab method doesn't clear off the service ticket cached in memory unless TGT is about to expire within a timeframe.
> This actually causes an issue where there is a keytab refresh that happens because of expiry on the RS server and throws a SASL connect error when Master reaches out to the RS server with the cached service ticket that no longer works with the new refreshed keytab. We might need to clear off the service ticket cached as there could be a credential refresh on the RS server side when handling connect failures
--
This message was sent by Atlassian Jira
(v8.20.10#820010)