[ https://issues.apache.org/jira/browse/HADOOP-12559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15059045#comment-15059045 ]
Xiaoyu Yao commented on HADOOP-12559:
-------------------------------------

Thanks [~zhz] for working on this. The stacks I've seen so far are similar to what [~qwertymaniac] attached earlier.

{code}
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
    at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
    at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
{code}

When the JDK does not do the authentication implicitly, KerberosAuthenticator#doSpnegoSequence is called. doSpnegoSequence() has an assumption that the current default principal in the Kerberos cache (normally set via kinit). Does the added currentUGI#checkTGTAndReloginFromKeytab() solve the problem by satisfying this assumption? If not, we might just get lucky that the JDK does the authentication. I would also suggest that we add a unit test to ensure doSpnegoSequence() works correctly with the fix.

There are also some pending discussions around this in HADOOP-10850, HADOOP-10453, etc., which help to fully understand the problem. Correct me if I'm wrong, but I thought the problem was that the following login inside doSpnegoSequence() did not have the correct keytab for hdfs(nn) in this case.

{code}
AccessControlContext context = AccessController.getContext();
Subject subject = Subject.getSubject(context);
if (subject == null
    || (subject.getPrivateCredentials(KerberosKey.class).isEmpty()
        && subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) {
  LOG.debug("No subject in context, logging in");
  subject = new Subject();
  LoginContext login = new LoginContext("", subject, null, new KerberosConfiguration());
  login.login();
}
{code}

> KMS connection failures should trigger TGT renewal
> --------------------------------------------------
>
> Key: HADOOP-12559
> URL: https://issues.apache.org/jira/browse/HADOOP-12559
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.1
> Reporter: Zhe Zhang
> Assignee: Zhe Zhang
> Attachments: HADOOP-12559.00.patch, HADOOP-12559.01.patch, HADOOP-12559.02.patch

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
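
The condition in the snippet quoted in the comment tests only whether the Subject's Kerberos credential sets are empty. The following added diagnostic (not part of the comment or of Hadoop's code) also separates an expired TGT from a missing one; the names TgtCheck and TgtState, the EXAMPLE.COM principals and the dummy ticket bytes are assumptions made for illustration.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

// Added example; TgtCheck, TgtState and the EXAMPLE.COM principals are hypothetical.
public class TgtCheck {
    enum TgtState { NO_SUBJECT, NO_TGT, EXPIRED, VALID }

    // A TGT is a ticket whose server principal is krbtgt/<REALM>@<REALM>.
    static TgtState classify(Subject subject) {
        if (subject == null) {
            return TgtState.NO_SUBJECT;
        }
        TgtState state = TgtState.NO_TGT;
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.isDestroyed() || !t.getServer().getName().startsWith("krbtgt/")) {
                continue; // destroyed ticket or a service ticket, not a TGT
            }
            if (t.isCurrent()) {
                return TgtState.VALID;
            }
            state = TgtState.EXPIRED; // present but past its end time
        }
        return state;
    }

    // Constructed ticket: dummy encoding and session key, only the end time matters here.
    static KerberosTicket ticket(String server, long endMillis) {
        return new KerberosTicket(new byte[] {0}, new KerberosPrincipal("hdfs/nn@EXAMPLE.COM"),
                new KerberosPrincipal(server), new byte[] {0}, 17, null,
                null, null, new Date(endMillis), null, null);
    }

    static Subject subjectWith(KerberosTicket t) {
        Subject s = new Subject();
        s.getPrivateCredentials().add(t);
        return s;
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        String tgs = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
        System.out.println(classify(null));
        System.out.println(classify(new Subject()));
        System.out.println(classify(subjectWith(ticket(tgs, now - 60_000))));
        System.out.println(classify(subjectWith(ticket(tgs, now + 3_600_000))));
    }
}
```

Logging this state at the point where the SPNEGO sequence starts shows whether a failure comes from an absent credential or from one that was never renewed.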