[ https://issues.apache.org/jira/browse/HADOOP-12559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zhe Zhang updated HADOOP-12559:
-------------------------------
    Attachment: HADOOP-12559.03.patch

Thanks [~xyao] for the suggestion. I'm attaching a new patch with a unit test 
to emulate an expired TGT. Without calling {{checkTGTAndReloginFromKeytab}}, 
the {{getKeys}} call will fail, complaining that the TGT has expired. I tried other 
KP calls with the same conclusion. 

The test uses 6 mins {{MAX_TICKET_LIFETIME}}. With a smaller value, KDC 
initialization fails with error "start time is later than end time". 

bq. doSpnegoSequence() has an assumption that the current default principal in 
the Kerberos cache (normally set via kinit). Does the added 
currentUGI#checkTGTAndReloginFromKeytab() solve the problem by satisfying this 
assumption?

This patch actually addresses an orthogonal issue: the current default 
principal is in the Kerberos cache, but the TGT has expired. Have you seen a 
case where the TGT has not expired, but {{doSpnegoSequence}} still fails? If so 
we should address that issue separately.

> KMS connection failures should trigger TGT renewal
> --------------------------------------------------
>
>                 Key: HADOOP-12559
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12559
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.1
>            Reporter: Zhe Zhang
>            Assignee: Zhe Zhang
>         Attachments: HADOOP-12559.00.patch, HADOOP-12559.01.patch, 
> HADOOP-12559.02.patch, HADOOP-12559.03.patch
>
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)