Sandeep Guggilam created HBASE-24768:
----------------------------------------
Summary: Clear service kerberos ticket in case of SASL failures
from server side
Key: HBASE-24768
URL: https://issues.apache.org/jira/browse/HBASE-24768
Project: HBase
Issue Type: Bug
Reporter: Sandeep Guggilam
Assignee: Sandeep Guggilam
We setup a SASL connection using different mechanisms like Digest, Kerberos
from master to RS for various activities like region assignment etc. In case of
SASL connect failures, we try to dispose of the SaslRpcClient and try to
relogin from the keytab on the client side. However the relogin from keytab
method doesn't clear off the service ticket cached in memory unless TGT is
about to expire within a timeframe.
This actually causes an issue where there is a keytab refresh that happens
because of expiry on the RS server and throws a SASL connect error when Master
reaches out to the RS server with the cached service ticket that no longer
works with the new refreshed keytab. We might need to clear off the service
ticket cached as there could be a credential refresh on the RS server side when
handling connect failures
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
