storm-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From prakash r <rprakashd...@gmail.com>
Subject Re: Storm Kerberos starting topology fails with "The TGT found is not renewable"
Date Fri, 12 Jan 2018 23:59:39 GMT
Thanks Bobby for your time.
We cannot disable kerberos authentication,  will have re-look the krb5.conf
of both KDC & client machines, to check if anything suspicious.

Will get back if any queries, thanks

Regards,
Prakash R

On Sat, Jan 13, 2018 at 2:15 AM, Bobby Evans <bobby@apache.org> wrote:

> If you don't need kerberos authentication in your worker you can just
> remove AutoTGT from the topology.auto-credentials list.  It is the one that
> is blowing up with issues.
>
> If you do need TGT creds there is no way to configure that check off.
> This is because without the renewal it is likely that you will need to push
> a new TGT to your topology every few hours instead of once a day, but all
> fo that depends on how you have configured your krb5.conf both locally on
> your box and also on the kdc.
>
> How to fix the issue is hard to tell, because the kerberos configuration
> is not always simple.  One issue that we have run into similar to this was
> that we had been using 'yes' in our krb5.conf in some places instead of
> 'true'.  Apparently the mit command line tools and libraries accept both,
> but java parses yes as a boolean and turns it into a false.  You might want
> to check there.
>
> Beyond that I really don't know what it could be.
>
> Thanks,
>
> Bobby
>
>
> On Thu, Jan 11, 2018 at 4:47 PM prakash r <rprakashdoss@gmail.com> wrote:
>
>> Thanks Ethan
>>
>> Yes i have verified the ticket used one is correct.
>>
>> If you can recollect the fix, please share us.
>>
>> Regards,
>> Prakash R
>>
>> On Fri, Jan 12, 2018 at 9:42 AM, Ethan Li <ethanopensource@gmail.com>
>> wrote:
>>
>>> Hi Prakash,
>>>
>>> It might sound silly but did you check if the ticket you think you are
>>> using is the one that’s actually being used. I fixed the “The TGT found is
>>> not renewable” problem in my use case before but sorry I couldn’t remember
>>> the details.
>>>
>>> Best,
>>> Ethan
>>>
>>> On Jan 11, 2018, at 3:10 PM, prakash r <rprakashdoss@gmail.com> wrote:
>>>
>>> Hello All,
>>>
>>> Any suggestion on this ?
>>>
>>> *Is there anyway we can avoid this TGT Renewal check or how to resolve.*
>>>
>>> Regards,
>>> Prakash R
>>>
>>> On Tue, Jan 9, 2018 at 3:31 PM, prakash r <rprakashdoss@gmail.com>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> We are facing issue with starting a topology when Storm is kerberosed.
>>>>
>>>> 1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds
>>>> [org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2]
>>>>
>>>> 1189 [main] INFO  o.a.s.StormSubmitter - Running org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2
>>>> Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException:
The TGT found is not renewable
>>>> 	at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103)
>>>> 	at org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94)
>>>> 	at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
>>>> 	at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
>>>> 	at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
>>>> 	at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
>>>> Caused by: java.lang.RuntimeException: The TGT found is not renewable
>>>> 	at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:94)
>>>>
>>>>  ... 5 more
>>>>
>>>> When we check the Keberos Principal which as R Flag as well.
>>>>
>>>> We tried even regenerating the keytabs, this problem is not resolved.
>>>>
>>>> When we submit from new keytab principal, this is working fine.
>>>>
>>>> *Can you please suggest, is there anyway we can avoid this TGT Renewal
>>>> check or how to resolve.*
>>>>
>>>> *OS version :*
>>>> Red Hat Enterprise Linux Server release 7.4 (Maipo)
>>>>
>>>>
>>>> *Problematic principal details :*
>>>> [storm@cbro-test-stm1 ~]$ klist -f
>>>> Ticket cache: FILE:/tmp/krb5cc_1021
>>>> Default principal: storm-xxxx_master@XXXXXX.COM
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 01/06/2018 22:30:40  01/07/2018 08:30:40  krbtgt/XXXXXX.COM@XXXXXX.COM
>>>>         renew until 01/12/2018 13:54:47, Flags: FRIAT
>>>>
>>>>
>>>>
>>>> *Working principal details :*
>>>> [metron@cbro-test-edg4 ~]$ klist -f
>>>> Ticket cache: FILE:/tmp/krb5cc_1024
>>>> Default principal: metron@XXXXXX.COM
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 01/09/2018 15:28:47  01/10/2018 01:28:47  krbtgt/XXXXXX.COM@XXXXXX.COM
>>>>         renew until 01/16/2018 15:28:47, Flags: FRIA
>>>>
>>>>
>>>> Regards,
>>>> Prakash R
>>>>
>>>
>>>
>>>
>>

Mime
View raw message