[ https://issues.apache.org/jira/browse/OOZIE-2413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Kanter updated OOZIE-2413:
---------------------------------
    Attachment: OOZIE-2413.002.patch

It shouldn't be a problem to call the method more frequently than needed 
because it does some checks to see if it makes sense to actually relogin at 
this point or if it should do a no-op.  However, it's probably cleaner to 
abstract it out like you said and just call it once per action.

The 002 patch does that.

> Kerberos credentials can expire if the KDC is slow to respond
> -------------------------------------------------------------
>
>                 Key: OOZIE-2413
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2413
>             Project: Oozie
>          Issue Type: Bug
>          Components: security
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>             Fix For: trunk
>
>         Attachments: OOZIE-2413.001.patch, OOZIE-2413.002.patch
>
>
> We've seen some very rare cases where Oozie gets a Kerberos error when trying 
> to get delegation tokens via the {{Credentials}} mechanism (e.g. getting HS2 
> delegation tokens).
> We finally narrowed it down to slow KDC responses, so Oozie's Kerberos 
> credentials have expired when it tries to get the delegation token.  The 
> reason we don't see this with Hadoop clients (DFSClient for HDFS, JobClient 
> for MR, etc) is because they call 
> {{UserGroupInformation#checkTGTAndReloginFromKeytab()}} before trying to 
> connect.  
> We should do a similar fix by calling 
> {{UserGroupInformation#checkTGTAndReloginFromKeytab()}} before using a 
> Credentials implementation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
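
The pattern discussed in this message (one TGT check per action, before any credentials implementation runs), as an added example that is not taken from the OOZIE-2413 patch or from Oozie's code. The class name, the TokenFetcher interface and the constructed fetchers are hypothetical; the UserGroupInformation calls are Hadoop's own, so it needs hadoop-common on the classpath.

```java
import java.io.IOException;
import java.util.List;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper: refresh the keytab login once per action, then fetch tokens. */
public final class ReloginBeforeCredentials {

    /** Hypothetical stand-in for a credentials implementation (e.g. one asking HS2 for a token). */
    public interface TokenFetcher {
        void fetch() throws Exception;
    }

    /** Runs the TGT check when it applies; returns false when there is nothing to refresh. */
    static boolean ensureFreshTgt() throws IOException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return false; // simple auth: no TGT exists
        }
        if (!UserGroupInformation.isLoginKeytabBased()) {
            return false; // ticket-cache login: cannot re-login from a keytab
        }
        // Hadoop decides internally whether a relogin is due or the call is a no-op,
        // so calling this ahead of the token requests is safe.
        UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
        return true;
    }

    /** One TGT check per action, then every fetcher runs under the refreshed login. */
    public static int fetchAll(List<TokenFetcher> fetchers) throws Exception {
        ensureFreshTgt();
        int done = 0;
        for (TokenFetcher fetcher : fetchers) {
            fetcher.fetch();
            done++;
        }
        return done;
    }

    public static void main(String[] args) throws Exception {
        // Constructed fetchers; a real one would open a Kerberos-authenticated connection.
        List<TokenFetcher> fetchers = List.of(
            () -> System.out.println("fetch HS2 delegation token (placeholder)"),
            () -> System.out.println("fetch second token (placeholder)"));
        System.out.println("fetched " + fetchAll(fetchers) + " token(s)");
    }
}
```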
