[ https://issues.apache.org/jira/browse/IMPALA-8844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
bharath v updated IMPALA-8844: ------------------------------ Summary: Decouple tgt renewal thread from Keberos configuration. (was: Decouple kinit renewal thread from Keberos configuration.) > Decouple tgt renewal thread from Keberos configuration. > ------------------------------------------------------- > > Key: IMPALA-8844 > URL: https://issues.apache.org/jira/browse/IMPALA-8844 > Project: IMPALA > Issue Type: Improvement > Components: Backend > Affects Versions: Impala 3.2.0 > Reporter: bharath v > Priority: Major > > Currently, Impala starts a kinit renewal thread only when kerberos is > enabled, > {noformat} > Status SecureAuthProvider::Start() { > // True for kerberos internal use > if (needs_kinit_) { > DCHECK(is_internal_); > DCHECK(!principal_.empty()); > // IMPALA-8154: Disable any Kerberos auth_to_local mappings. > FLAGS_use_system_auth_to_local = false; > // Starts a thread that periodically does a 'kinit'. The thread lives > as long as the > // process does. > > KUDU_RETURN_IF_ERROR(kudu::security::InitKerberosForServer(principal_, > keytab_file_, > FLAGS_krb5_ccname, false), "Could not init kerberos"); <==== starts > the thread > LOG(INFO) << "Kerberos ticket granted to " << principal_; > } > {noformat} > There can be cases where Impala's internal connections are *not* kerberized > but communication with external components like HMS/Ranger/Atlas could be > kerberized. In such setups, Impala process doesn't have a tgt initialized > resulting in failing connections to these components. > We could start with decoupling the kinit thread from the kerberos > configuration and have it run in cases where any communication is kerberized > (use a flag?). -- This message was sent by Atlassian JIRA (v7.6.14#76016) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org