You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@kudu.apache.org by "Todd Lipcon (JIRA)" <ji...@apache.org> on 2018/01/18 02:16:00 UTC

[jira] [Created] (KUDU-2264) Java client should re-login from ticket cache when ticket is expiring

Todd Lipcon created KUDU-2264:
---------------------------------

             Summary: Java client should re-login from ticket cache when ticket is expiring
                 Key: KUDU-2264
                 URL: https://issues.apache.org/jira/browse/KUDU-2264
             Project: Kudu
          Issue Type: Improvement
          Components: client, java, security
    Affects Versions: 1.6.0, 1.5.0, 1.4.0, 1.3.1
            Reporter: Todd Lipcon
            Assignee: Todd Lipcon


Currently, if the Kudu client is used from a thread that has no JAAS Subject with Kerberos credentials, it will log in from the user's ticket cache (in a configurable location).

However, if that original ticket expires, then the client will never re-read the ticket cache. Instead, it will start to get authentication failures, even if the underlying ticket cache on disk has been updated with new credentials.

This causes big issues in Impala -- Impala starts a thread which reacquires tickets from its keytab and writes them into its ticket cache, but with existing versions of Kudu, the client won't pick up these new tickets. Impala also currently caches Kudu clients "forever". So, after 30 days (or whatever the ticket lifetime is), Impala will become unable to query Kudu.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)