Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-9359

Recover gracefully from corrupt kerberos credential cache

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Impala 3.3.0
    • Fix Version/s: Impala 3.4.0
    • Component/s: Security
    • Labels:
    • Epic Color:
      ghx-label-8

      Description

      1. Start up a kerberized Impala cluster
      2. Corrupt the kerberos ticket cache used by impala /tmp/krb5cc_impala_internal
      3. Observe queries fail. The details depend a lot on timing, etc. I have seen communication failures between impalads and with other systems, e.g. HDFS.
      4. The system will stay wedge in this state indefinitely

      We have seen this happen once in production from /tmp filling up.

      I prototyped a fix that amounts to re-running Kinit() to blow away the broken credential cache. It needs more work to be production-ready

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                tarmstrong Tim Armstrong
                Reporter:
                tarmstrong Tim Armstrong
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: