[jira] [Updated] (IMPALA-8844) Decouple tgt renewal thread from Keberos configuration.

Wed, 07 Aug 2019 10:45:26 -0700 


     [ 
https://issues.apache.org/jira/browse/IMPALA-8844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

bharath v updated IMPALA-8844:
------------------------------
    Summary: Decouple tgt renewal thread from Keberos configuration.  (was: 
Decouple kinit renewal thread from Keberos configuration.)

> Decouple tgt renewal thread from Keberos configuration.
> -------------------------------------------------------
>
>                 Key: IMPALA-8844
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8844
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend
>    Affects Versions: Impala 3.2.0
>            Reporter: bharath v
>            Priority: Major
>
> Currently, Impala starts a kinit renewal thread only when kerberos is 
> enabled, 
> {noformat}
> Status SecureAuthProvider::Start() {
>       // True for kerberos internal use
>       if (needs_kinit_) {
>         DCHECK(is_internal_);
>         DCHECK(!principal_.empty());
>         // IMPALA-8154: Disable any Kerberos auth_to_local mappings.
>         FLAGS_use_system_auth_to_local = false;
>         // Starts a thread that periodically does a 'kinit'. The thread lives 
> as long as the
>         // process does.
>         
> KUDU_RETURN_IF_ERROR(kudu::security::InitKerberosForServer(principal_, 
> keytab_file_,
>         FLAGS_krb5_ccname, false), "Could not init kerberos"); <==== starts 
> the thread
>         LOG(INFO) << "Kerberos ticket granted to " << principal_;
>       }
> {noformat}
> There can be cases where Impala's internal connections are *not* kerberized 
> but communication with external components like HMS/Ranger/Atlas could be 
> kerberized. In such setups, Impala process doesn't have a tgt initialized 
> resulting in failing connections to these components.
> We could start with decoupling the kinit thread from the kerberos 
> configuration and have it run in cases where any communication is kerberized 
> (use a flag?). 



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org

Reply via email to