Posted to issues@ambari.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2016/03/08 23:51:41 UTC

[jira] [Commented] (AMBARI-15324) Kerberos Tickets Expire Too Frequently For Alerts

    [ https://issues.apache.org/jira/browse/AMBARI-15324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15186016#comment-15186016 ] 

Hudson commented on AMBARI-15324:
---------------------------------

SUCCESS: Integrated in Ambari-branch-2.2 #484 (See [https://builds.apache.org/job/Ambari-branch-2.2/484/])
AMBARI-15324 - Kerberos Tickets Expire Too Frequently For Alerts (jhurley: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=91da52f0fe92b33059e5997a2a0523df09e7ce10])
* ambari-agent/src/main/python/ambari_agent/alerts/port_alert.py
* ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/alerts/alert_metrics_deviation.py
* ambari-agent/src/main/python/ambari_agent/alerts/script_alert.py
* ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/alerts/alert_nodemanager_health.py
* ambari-agent/conf/windows/ambari-agent.ini
* ambari-agent/src/main/python/ambari_agent/alerts/web_alert.py
* ambari-agent/src/test/python/ambari_agent/TestScriptAlert.py
* ambari-agent/src/main/python/ambari_agent/alerts/metric_alert.py
* ambari-agent/src/test/python/ambari_agent/TestBaseAlert.py
* ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/alerts/alert_checkpoint_time.py
* ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py
* ambari-agent/src/main/python/ambari_agent/alerts/recovery_alert.py
* ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/alerts/alert_upgrade_finalized.py
* ambari-agent/src/main/python/ambari_agent/Controller.py
* ambari-agent/src/main/python/ambari_agent/AlertSchedulerHandler.py
* ambari-agent/src/test/python/ambari_agent/TestAlerts.py
* ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/alerts/alert_nodemanagers_summary.py
* ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/alerts/alert_ha_namenode_health.py
* ambari-agent/src/test/python/ambari_agent/TestPortAlert.py
* ambari-agent/src/main/python/ambari_agent/alerts/base_alert.py
* ambari-agent/src/test/python/ambari_agent/TestAlertSchedulerHandler.py
* ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_webhcat_server.py
* ambari-agent/src/test/python/ambari_agent/TestMetricAlert.py
* ambari-agent/conf/unix/ambari-agent.ini


> Kerberos Tickets Expire Too Frequently For Alerts
> -------------------------------------------------
>
>                 Key: AMBARI-15324
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15324
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-agent
>    Affects Versions: 2.1.0
>            Reporter: Jonathan Hurley
>            Assignee: Jonathan Hurley
>            Priority: Critical
>             Fix For: 2.2.2
>
>         Attachments: AMBARI-15324.patch
>
>
> When a cluster has been Kerberized, alerts use the {{curl_krb_request}} module in order to make requests using SPNEGO negotiation.
> Normally this would involve calling {{kinit}} and then invoking the {{curl}} command to use the acquired ticket. However, because alerts run often on fixed intervals, this would mean that the KDC would be flooded with requests every minute.
> To alleviate this problem, {{curl_krb_request}} uses {{klist}} to inspect the {{KRB5CCNAME}} cache. Only if an invalid ticket is found is {{kinit}} invoked. Additionally, {{kinit}} is invoked with a fixed ticket lifetime of 5 minutes. Since many alerts run on 5-minute intervals, this causes boundary issues.
> To work around these problems while continuing to leverage the cache, {{curl_krb_request}} should be changed to:
> - Use the default ticket expiry configured for Kerberos in {{krb5.conf}}
> - Employ in-memory tracking of the last time {{kinit}} was called so that it can be invoked before hitting the boundary of the ticket's expiration time



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
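
The in-memory tracking proposed in the issue description, sketched as an added example (this is not code from the Ambari patch). `KinitTracker`, `simulate`, the cache path and all timings are hypothetical; `kinit` is replaced by a stand-in and the lock assumes alerts may run on several threads.

```python
import threading
import time


class KinitTracker:
    """In-memory record of the last kinit per credential cache (hypothetical helper)."""

    def __init__(self, ticket_lifetime_s, margin_s, run_kinit, clock=time.monotonic):
        if not 0 <= margin_s < ticket_lifetime_s:
            raise ValueError("margin must be >= 0 and shorter than the ticket lifetime")
        self._renew_after_s = ticket_lifetime_s - margin_s
        self._run_kinit = run_kinit    # callable(ccache); a real caller would wrap kinit
        self._clock = clock
        self._last_kinit = {}          # ccache path -> clock reading at last kinit
        self._lock = threading.Lock()  # assumption: alerts may run on several threads

    def ensure_ticket(self, ccache):
        """Return True if kinit was invoked, False if the cached ticket is reused."""
        with self._lock:
            now = self._clock()
            last = self._last_kinit.get(ccache)
            if last is not None and now - last < self._renew_after_s:
                return False
            self._run_kinit(ccache)    # if this raises, no timestamp is recorded
            self._last_kinit[ccache] = now
            return True


def simulate(interval_s, lifetime_s, margin_s, request_s, duration_s):
    """Return (kinit calls, requests that outlived their ticket) for one alert."""
    state = {"now": 0, "issued": 0}

    def fake_kinit(ccache):            # constructed stand-in; no KDC is contacted
        state["issued"] = state["now"]

    tracker = KinitTracker(lifetime_s, margin_s, fake_kinit, clock=lambda: state["now"])
    kinits = expired = 0
    for t in range(0, duration_s, interval_s):
        state["now"] = t
        kinits += tracker.ensure_ticket("/tmp/example_ccache")  # constructed path
        # The curl request finishes request_s later; the ticket must still be valid.
        if t + request_s - state["issued"] >= lifetime_s:
            expired += 1
    return kinits, expired


if __name__ == "__main__":
    # Constructed timings: 5-minute ticket renewed only once expired, alert every 299 s.
    print(simulate(299, 300, 0, 5, 3600))
    # One-hour ticket renewed 10 minutes before it expires.
    print(simulate(300, 3600, 600, 5, 14400))
```

With a zero margin the ticket is renewed only after it has expired, so a request that starts just inside the lifetime can outlive its ticket; a margin longer than the request duration removes that window while still keeping `kinit` calls far below one per alert run.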