[ https://issues.apache.org/jira/browse/HADOOP-12559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15059045#comment-15059045 ]

Xiaoyu Yao commented on HADOOP-12559:
-------------------------------------

Thanks [~zhz] for working on this. The stack I've seen so far is similar to 
the one [~qwertymaniac] attached earlier.
{code}
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
{code}

When the JDK does not do the authentication implicitly, 
KerberosAuthenticator#doSpnegoSequence is called. doSpnegoSequence() has an 
assumption that the current default principal in the Kerberos cache (normally 
set via kinit).  Does the added currentUGI#checkTGTAndReloginFromKeytab() solve 
the problem by satisfying this assumption? If not, we might just get lucky that 
the JDK does the authentication. I would also suggest that we add a unit test to 
ensure doSpnegoSequence() works correctly with the fix. There are also some 
pending discussions around this in HADOOP-10850, HADOOP-10453, etc., which help 
to fully understand the problem.

Correct me if I'm wrong, but I thought the problem was that the following login 
inside doSpnegoSequence() did not have the correct keytab for hdfs(nn) in this case.

{code}
      AccessControlContext context = AccessController.getContext();
      Subject subject = Subject.getSubject(context);
      if (subject == null
          || (subject.getPrivateCredentials(KerberosKey.class).isEmpty()
              && subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) {
        LOG.debug("No subject in context, logging in");
        subject = new Subject();
        LoginContext login = new LoginContext("", subject,
            null, new KerberosConfiguration());
        login.login();
      }
{code}



> KMS connection failures should trigger TGT renewal
> --------------------------------------------------
>
>                 Key: HADOOP-12559
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12559
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.1
>            Reporter: Zhe Zhang
>            Assignee: Zhe Zhang
>         Attachments: HADOOP-12559.00.patch, HADOOP-12559.01.patch, 
> HADOOP-12559.02.patch
>
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
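
Added example, not part of the original comment and not Hadoop code: the condition quoted above tests only whether Kerberos credentials are present in the Subject, so a Subject that still holds an expired ticket does not reach the fallback login. The class and method names, the principals and the dummy ticket bytes are constructed for illustration.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class SpnegoSubjectCheck {
  // Same presence test as the quoted snippet: true means the fallback
  // login branch would run instead of using this Subject.
  static boolean wouldFallBackToLogin(Subject subject) {
    return subject == null
        || (subject.getPrivateCredentials(KerberosKey.class).isEmpty()
            && subject.getPrivateCredentials(KerberosTicket.class).isEmpty());
  }

  // Stricter test (hypothetical helper): at least one ticket is still valid.
  static boolean hasCurrentTicket(Subject subject) {
    if (subject == null) return false;
    for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
      if (t.isCurrent()) return true;
    }
    return false;
  }

  // Constructed ticket with dummy bytes; only its lifetime matters here.
  static Subject subjectWithTicket(long endMillis) {
    KerberosPrincipal client = new KerberosPrincipal("alice@EXAMPLE.COM");
    KerberosPrincipal tgs = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
    Date start = new Date(endMillis - 3_600_000L);
    KerberosTicket ticket = new KerberosTicket(new byte[] {0}, client, tgs,
        new byte[16], 17, null, start, start, new Date(endMillis), null, null);
    Subject s = new Subject();
    s.getPrivateCredentials().add(ticket);
    return s;
  }

  public static void main(String[] args) {
    long now = System.currentTimeMillis();
    Subject[] cases = { null, new Subject(),
        subjectWithTicket(now - 60_000L), subjectWithTicket(now + 3_600_000L) };
    String[] names = { "no subject", "empty subject", "expired TGT", "valid TGT" };
    for (int i = 0; i < cases.length; i++) {
      System.out.printf("%-14s fallbackLogin=%b currentTicket=%b%n", names[i],
          wouldFallBackToLogin(cases[i]), hasCurrentTicket(cases[i]));
    }
  }
}
```

The "expired TGT" row reports fallbackLogin=false and currentTicket=false, which is the case a unit test for doSpnegoSequence() would need to cover.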
