Review Request 63738: TagSync should reuse kerberos ticket in REST calls to Ranger Admin

Abhay Kulkarni Fri, 10 Nov 2017 10:49:22 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63738/
-----------------------------------------------------------


Review request for ranger, Madhan Neethiraj and Ramesh Mani.


Bugs: RANGER-1883
    https://issues.apache.org/jira/browse/RANGER-1883


Repository: ranger


Description
-------

TagSync sends tags to Ranger Admin via REST API. In a kerberized environment, 
tagsync obtains a kerberos ticket for each REST API call. This can cause 
excessive (and unnecessary) calls to KDC. This can be avoided by reusing the 
ticket obtained and renewing the ticket when necessary.


Diffs
-----

  
tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
 b1225c2 


Diff: https://reviews.apache.org/r/63738/diff/1/


Testing
-------

Tested in local, secure VM. With this patch, there are a lot fewer requests to 
get TGTs, indicated by the following log in /var/log/krb5kdc.log file.

localhost.localdomain krb5kdc1637: AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: 
ISSUE: authtime 1510254596, etypes {rep=18 tkt=18 ses=18}, 
rangertagsync/[email protected] for 
krbtgt/[email protected]


Thanks,

Abhay Kulkarni

Review Request 63738: TagSync should reuse kerberos ticket in REST calls to Ranger Admin

Reply via email to