[ https://issues.apache.org/jira/browse/IMPALA-6726?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sailesh Mukil resolved IMPALA-6726.
-----------------------------------
       Resolution: Fixed
    Fix Version/s: Impala 2.12.0

> Catalog server's kerberos ticket gets deleted after 'ticket_lifetime' on 
> SLES11
> -------------------------------------------------------------------------------
>
>                 Key: IMPALA-6726
>                 URL: https://issues.apache.org/jira/browse/IMPALA-6726
>             Project: IMPALA
>          Issue Type: Sub-task
>          Components: Security
>    Affects Versions: Impala 2.11.0, Impala 2.12.0
>            Reporter: Sailesh Mukil
>            Assignee: Michael Ho
>            Priority: Blocker
>              Labels: kerberos, security
>             Fix For: Impala 2.12.0
>
>
> On SLES11, it was noticed that after 'ticket_lifetime', the kerberos ticket 
> gets deleted by the Java krb5 library. [~mikesbrown] noticed this from 2.11, 
> and we confirmed that it shows up in 2.12 as well.
> I turned on the Java kerberos debug logging and found this in the log 
> messages:
> {noformat}
> W0322 07:51:43.617998 12118 UserGroupInformation.java:1403] Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1521730246019
> >>>DEBUG <CCacheInputStream>  client principal is impala/mikeb-sles11-1.vpc.cloudera....@vpc.cloudera.com
> >>>DEBUG <CCacheInputStream> server principal is krbtgt/vpc.cloudera....@vpc.cloudera.com
> >>>DEBUG <CCacheInputStream> key type: 16
> >>>DEBUG <CCacheInputStream> auth time: Thu Mar 22 07:21:58 PDT 2018
> >>>DEBUG <CCacheInputStream> start time: Thu Mar 22 07:51:46 PDT 2018
> >>>DEBUG <CCacheInputStream> end time: Thu Mar 22 07:51:58 PDT 2018
> >>>DEBUG <CCacheInputStream> renew_till time: Thu Mar 22 07:51:58 PDT 2018
> >>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL;
> Found ticket for impala/mikeb-sles11-1.vpc.cloudera....@vpc.cloudera.com to go to krbtgt/vpc.cloudera....@vpc.cloudera.com expiring on Thu Mar 22 07:51:58 PDT 2018
> Removed and destroyed the expired Ticket
> Destroyed KerberosTicket
> W0322 07:52:04.195199 12201 UserGroupInformation.java:1920] PriviledgedActionException as:impala/mikeb-sles11-1.vpc.cloudera....@vpc.cloudera.com (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
> W0322 07:52:04.200016 12201 UserGroupInformation.java:1403] Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1521730306038
> {noformat}
> The backend ticket acquisition thread however keeps running and claiming to 
> have re-acquired a ticket every 'ticket_lifetime' period.
> I tried turning off the 'use_kudu_kinit' flag and this bug didn't show up in 
> that mode.
> Still investigating the bug.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
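
A log check for the sequence in the excerpt above, as an added example that is not part of the original issue or of Impala's code: it flags a Java-side TGT destruction that is followed by GSS failures and throttled re-login attempts. The sample log is constructed from the quoted messages with placeholder principals, and the function names are hypothetical.

```python
import re

# Constructed sample modeled on the quoted excerpt; principals are placeholders.
SAMPLE_LOG = """\
W0322 07:51:43.617998 12118 UserGroupInformation.java:1403] Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1521730246019
>>>DEBUG <CCacheInputStream> end time: Thu Mar 22 07:51:58 PDT 2018
Found ticket for impala/host.example.com@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Thu Mar 22 07:51:58 PDT 2018
Removed and destroyed the expired Ticket
Destroyed KerberosTicket
W0322 07:52:04.195199 12201 UserGroupInformation.java:1920] PriviledgedActionException as:impala/host.example.com@EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
W0322 07:52:04.200016 12201 UserGroupInformation.java:1403] Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1521730306038
"""

FOUND = re.compile(r"Found ticket for (\S+) to go to (\S+) expiring on (.+)$")
GLOG_TS = re.compile(r"^[IWEF](\d{4} \d{2}:\d{2}:\d{2}\.\d+)")


def scan_ticket_loss(text):
    """Return one incident per 'expired Ticket' destruction seen in the log."""
    incidents, pending, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = FOUND.search(line)
        if m:
            pending = m.groups()  # (client, server, expiry) of the cached TGT
        elif "Removed and destroyed the expired Ticket" in line:
            principal, _, expires = pending or (None, None, None)
            current = {"principal": principal, "expires": expires,
                       "failures": [], "throttled": 0}
            incidents.append(current)
            pending = None
        elif current is not None and "Failed to find any Kerberos tgt" in line:
            ts = GLOG_TS.match(line)  # glog-style MMDD HH:MM:SS.micros prefix
            current["failures"].append(ts.group(1) if ts else None)
        elif (current is not None and current["failures"]
              and "Not attempting to re-login" in line):
            current["throttled"] += 1  # re-login suppressed after the failure
    return incidents


def unrecovered(incidents):
    """Incidents where authentication failed after the ticket was destroyed."""
    return [i for i in incidents if i["failures"]]


if __name__ == "__main__":
    for inc in unrecovered(scan_ticket_loss(SAMPLE_LOG)):
        print(inc)
```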
