Update, cherrypicking the fix from NIFI-5134 into 1.6.0 looks good to resolve hive connectionpool tgt renew/fetch issue we're seeing. Thanks again to Shawn and Bryan for the pointers, and to Jeff for the original PR.
patw

On Wed, Dec 19, 2018 at 5:22 PM Shawn Weeks <swe...@weeksconsulting.us> wrote:

> It’s nifi-5134 that fixes this issue. Prior to that the hive connection
> pool did not renew its Kerberos ticket correctly.
>
> Sent from my iPhone
>
> On Dec 19, 2018, at 5:15 PM, Pat White <patwh...@oath.com> wrote:
>
> Thanks much Bryan and Shawn, we're currently on 1.6.0 with some
> cherrypicks from 1.8.0 jiras.
> Will check the archives as mentioned, thanks again.
>
> patw
>
> On Wed, Dec 19, 2018 at 4:45 PM Shawn Weeks <swe...@weeksconsulting.us>
> wrote:
>
>> There is a bug for this but I’m not sure which release fixed it.
>> Something after 1.5 I think. The patch is in the hortonworks hdf 3.1.2
>> release.
>>
>> If you go search for me in the archives I mentioned it a few months back.
>>
>> Thanks
>> Shawn
>>
>> Sent from my iPhone
>>
>> > On Dec 19, 2018, at 3:59 PM, Pat White <patwh...@oath.com> wrote:
>> >
>> > Hi Folks,
>> >
>> > Using kerberos auth in Nifi clusters communicating with hdfs and for
>> > hive access, the ticket life is 24 hours. Hdfs works fine, however we're
>> > seeing issues with hive where the tgt doesn't seem to renew, or fetch a new
>> > ticket, as the 24hr limit approaches. Hence, hive access works fine until
>> > the 24hrs expires and then fails to authenticate. For example, a
>> > SelectHiveQL processor using the Hive Database Connection Pooling Service
>> > will work for 24 hours after a cluster restart but then fail with:
>> >
>> > org.ietf.jgss.GSSException: No valid credentials provided
>> > (Mechanism level: Failed to find any Kerberos tgt)
>> >
>> > Enabled krb debugging, which shows the ticket is found but no renew, or
>> > new fetch attempt, seems to have been made. Krb docs discuss setting
>> > javax.security.auth.useSubjectCredsOnly=false in order to allow the
>> > underlying mechanism to obtain credentials, however the bootstrap.conf
>> > explicitly sets this to 'true', to inhibit JAAS from using any fallback
>> > methods to authenticate.
>> >
>> > Trying an experiment with useSubjectCredsOnly=false but would
>> > appreciate if anyone has some guidance on this, how to get hive's
>> > connection pools to renew tgt or fetch a new ticket? Thank you.
>> >
>> > patw