Uploaded image for project: 'Kudu'
  1. Kudu
  2. KUDU-2264

Java client should re-login from ticket cache when ticket is expiring

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.3.1, 1.4.0, 1.5.0, 1.6.0
    • Fix Version/s: 1.7.0
    • Component/s: client, java, security
    • Labels:
      None

      Description

      Currently, if the Kudu client is used from a thread that has no JAAS Subject with Kerberos credentials, it will log in from the user's ticket cache (in a configurable location).

      However, if that original ticket expires, then the client will never re-read the ticket cache. Instead, it will start to get authentication failures, even if the underlying ticket cache on disk has been updated with new credentials.

      This causes big issues in Impala – Impala starts a thread which reacquires tickets from its keytab and writes them into its ticket cache, but with existing versions of Kudu, the client won't pick up these new tickets. Impala also currently caches Kudu clients "forever". So, after 30 days (or whatever the ticket lifetime is), Impala will become unable to query Kudu.

        Attachments

          Activity

            People

            • Assignee:
              tlipcon Todd Lipcon
              Reporter:
              tlipcon Todd Lipcon
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: