[ https://issues.apache.org/jira/browse/HADOOP-12559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15067770#comment-15067770 ]

Xiaoyu Yao commented on HADOOP-12559:
-------------------------------------

Thanks [~zhz] for updating the patch with additional. I agree with your 
analysis that this patch can handle the case where the current user is 
authenticated by KERBEROS with its Kerberos principal available in keytab but 
not in TGT cache (not logged in or expired). However, I think the currentUgi below 
should be actualUgi to handle the proxy user case. 

{code}
currentUgi.checkTGTAndReloginFromKeytab();
{code}

The original comment I made is on a different use case where the currentUser is 
authenticated by TOKEN, e.g., a user token passed from distcp mappers on HDFS 
datanode when using webhdfs + KMS. When DN talks to KMS with the user token, it 
won't be able to do SPNEGO based authentication. The additional 
UGI#checkTGTAndReloginFromKeytab in KMSClientProvider will be a no-op in this 
case as the token based user won't have its Kerberos principal in local keytab 
or TGT cache, which failed later in doSpnego with a similar stack. I will open 
a separate JIRA for that.

Regarding simulating kerberos ticket timeout, I can do that with 'kinit -l' on 
a MIT KDC as shown below. The issue seems like a limitation of 
org.apache.directory.server.kerberos.kdc.KdcServer used by miniKDC. If there is 
no obvious solution for that, I'm fine without unit test as long as we comment on 
this JIRA about the validation that has been done before commit.

{code}
[ambari-qa@c6402 vagrant]$ kinit -l 1m -kt 
/etc/security/keytabs/smokeuser.headless.keytab ambari-qa-hd...@example.com
[ambari-qa@c6402 vagrant]$ klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: ambari-qa-hd...@example.com

Valid starting     Expires            Service principal
12/22/15 08:41:04  12/22/15 08:42:04  krbtgt/example....@example.com
        renew until 12/22/15 08:41:04
{code}
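As an added illustration of the proxy-user and token-user points above (not code from the HADOOP-12559 patch or from Hadoop's KMSClientProvider), this hypothetical helper resolves the real user behind a proxy UGI before attempting the keytab relogin, and makes explicit that a TOKEN-authenticated caller has no keytab credentials to relogin with. It assumes Hadoop's UserGroupInformation API (getRealUser, getAuthenticationMethod, isFromKeytab, checkTGTAndReloginFromKeytab).

```java
import java.io.IOException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

// Hypothetical helper; not part of HADOOP-12559 or KMSClientProvider.
public final class KmsReloginHelper {

    /** Returns the UGI whose keytab credentials a relogin would refresh. */
    static UserGroupInformation actualUser(UserGroupInformation currentUgi) {
        // For a proxy user the Kerberos credentials belong to the real
        // (superuser) UGI, not to the proxied user, so relogin on that one.
        UserGroupInformation real = currentUgi.getRealUser();
        return real != null ? real : currentUgi;
    }

    /**
     * Attempts a keytab relogin on the right UGI. Returns true when a relogin
     * was actually attempted, false when the effective credentials are not
     * Kerberos-from-keytab (e.g. TOKEN) and the call would be a no-op.
     */
    static boolean reloginIfPossible(UserGroupInformation currentUgi)
            throws IOException {
        UserGroupInformation actualUgi = actualUser(currentUgi);
        AuthenticationMethod method = actualUgi.getAuthenticationMethod();
        if (method != AuthenticationMethod.KERBEROS || !actualUgi.isFromKeytab()) {
            // A token-authenticated caller (e.g. a DN acting on a distcp user
            // token) has no principal in a local keytab or TGT cache, so a
            // keytab relogin cannot make a later SPNEGO attempt succeed.
            return false;
        }
        actualUgi.checkTGTAndReloginFromKeytab();
        return true;
    }
}
```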

> KMS connection failures should trigger TGT renewal
> --------------------------------------------------
>
>                 Key: HADOOP-12559
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12559
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.1
>            Reporter: Zhe Zhang
>            Assignee: Zhe Zhang
>         Attachments: HADOOP-12559.00.patch, HADOOP-12559.01.patch, 
> HADOOP-12559.02.patch, HADOOP-12559.03.patch, HADOOP-12559.04.patch
>
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)