falcon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pallavi Rao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FALCON-2325) Kerberos Service Key refresh does not happen
Date Wed, 21 Feb 2018 07:23:00 GMT

    [ https://issues.apache.org/jira/browse/FALCON-2325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16371045#comment-16371045
] 

Pallavi Rao commented on FALCON-2325:
-------------------------------------

The only advantage of the method, checkTGTAndReloginFromKeytab() as opposed to 

loginUserFromKeytab()

is that the method doesn't attempt actual login till the token is close to expiry (80% of
ticket life has elapsed).

Upon, investigation found that 

UserGroupInformation.checkTGTAndReloginFromKeytab() has the following check:
{quote}if (isSecurityEnabled() && this.user.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS
&& this.isKeytab)
{quote}
this.isKeytab consistently returns false, although initial login uses keytab. As a result,
this method call becomes a no-op.

 

The workaround to overcome this is to do a regular login, loginUserFromKeytab() instead of  checkTGTAndReloginFromKeytab(),
till the issue is addressed in hadoop-auth.

 

> Kerberos Service Key refresh does not happen
> --------------------------------------------
>
>                 Key: FALCON-2325
>                 URL: https://issues.apache.org/jira/browse/FALCON-2325
>             Project: Falcon
>          Issue Type: Bug
>            Reporter: Pallavi Rao
>            Assignee: Pallavi Rao
>            Priority: Major
>
> For both Prism and Falcon Servers, Kerberos ticket does not get refreshed although, 
> AuthenticationInitializationService, does a 
> checkTGTAndReloginFromKeytab() periodically.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message