storm-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bobby Evans <bo...@apache.org>
Subject Re: Storm Kerberos starting topology fails with "The TGT found is not renewable"
Date Fri, 12 Jan 2018 15:15:12 GMT
If you don't need kerberos authentication in your worker you can just
remove AutoTGT from the topology.auto-credentials list.  It is the one that
is blowing up with issues.

If you do need TGT creds there is no way to configure that check off.  This
is because without the renewal it is likely that you will need to push a
new TGT to your topology every few hours instead of once a day, but all fo
that depends on how you have configured your krb5.conf both locally on your
box and also on the kdc.

How to fix the issue is hard to tell, because the kerberos configuration is
not always simple.  One issue that we have run into similar to this was
that we had been using 'yes' in our krb5.conf in some places instead of
'true'.  Apparently the mit command line tools and libraries accept both,
but java parses yes as a boolean and turns it into a false.  You might want
to check there.

Beyond that I really don't know what it could be.

Thanks,

Bobby

On Thu, Jan 11, 2018 at 4:47 PM prakash r <rprakashdoss@gmail.com> wrote:

> Thanks Ethan
>
> Yes i have verified the ticket used one is correct.
>
> If you can recollect the fix, please share us.
>
> Regards,
> Prakash R
>
> On Fri, Jan 12, 2018 at 9:42 AM, Ethan Li <ethanopensource@gmail.com>
> wrote:
>
>> Hi Prakash,
>>
>> It might sound silly but did you check if the ticket you think you are
>> using is the one that’s actually being used. I fixed the “The TGT found is
>> not renewable” problem in my use case before but sorry I couldn’t remember
>> the details.
>>
>> Best,
>> Ethan
>>
>> On Jan 11, 2018, at 3:10 PM, prakash r <rprakashdoss@gmail.com> wrote:
>>
>> Hello All,
>>
>> Any suggestion on this ?
>>
>> *Is there anyway we can avoid this TGT Renewal check or how to resolve.*
>>
>> Regards,
>> Prakash R
>>
>> On Tue, Jan 9, 2018 at 3:31 PM, prakash r <rprakashdoss@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> We are facing issue with starting a topology when Storm is kerberosed.
>>>
>>> 1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds
>>> [org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2]
>>>
>>> 1189 [main] INFO  o.a.s.StormSubmitter - Running org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2
>>> Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException:
The TGT found is not renewable
>>> 	at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103)
>>> 	at org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94)
>>> 	at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
>>> 	at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
>>> 	at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
>>> 	at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
>>> Caused by: java.lang.RuntimeException: The TGT found is not renewable
>>> 	at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:94)
>>>
>>>  ... 5 more
>>>
>>> When we check the Keberos Principal which as R Flag as well.
>>>
>>> We tried even regenerating the keytabs, this problem is not resolved.
>>>
>>> When we submit from new keytab principal, this is working fine.
>>>
>>> *Can you please suggest, is there anyway we can avoid this TGT Renewal
>>> check or how to resolve.*
>>>
>>> *OS version :*
>>> Red Hat Enterprise Linux Server release 7.4 (Maipo)
>>>
>>>
>>> *Problematic principal details :*
>>> [storm@cbro-test-stm1 ~]$ klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_1021
>>> Default principal: storm-xxxx_master@XXXXXX.COM
>>>
>>> Valid starting       Expires              Service principal
>>> 01/06/2018 22:30:40  01/07/2018 08:30:40  krbtgt/XXXXXX.COM@XXXXXX.COM
>>>         renew until 01/12/2018 13:54:47, Flags: FRIAT
>>>
>>>
>>>
>>> *Working principal details :*
>>> [metron@cbro-test-edg4 ~]$ klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_1024
>>> Default principal: metron@XXXXXX.COM
>>>
>>> Valid starting       Expires              Service principal
>>> 01/09/2018 15:28:47  01/10/2018 01:28:47  krbtgt/XXXXXX.COM@XXXXXX.COM
>>>         renew until 01/16/2018 15:28:47, Flags: FRIA
>>>
>>>
>>> Regards,
>>> Prakash R
>>>
>>
>>
>>
>

Mime
View raw message