Kudu / KUDU-3050

Recover gracefully from corrupt kerberos credential cache


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.11.1
    • Fix Version/s: 1.12.0
    • Component/s: security
    • Labels: None

      Description

      This was originally filed as IMPALA-9359, but the code is copied from Kudu.

      The proposed change is to ensure that the kerberos renewal thread (running the RenewThread() function) can recover if the kerberos credential cache is corrupted. We saw this scenario once where /tmp filled up, the cache file was somehow corrupted, and the daemon got wedged, unable to establish connections once its tickets expired.

      I prototyped a fix where it reruns Kinit() to reinitialize the cache when it encounters an error opening the cache.

      We may also want to adjust the backoff algorithm (since it backs off exponentially with no real upper bound) and improve logging so that there is more visibility into how the renewal thread is backing off.
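
The recovery path and the bounded backoff described above, as an added example that is not part of the issue or of Kudu's code. The Kerberos calls are replaced by injectable callbacks so it runs offline; `KrbHooks`, `RenewOnce`, `CappedBackoff`, `RunPasses` and the 1 s / 8 s values are assumptions made for illustration.

```cpp
#include <algorithm>
#include <chrono>
#include <functional>
#include <iostream>
#include <vector>
using std::chrono::seconds;
// Hypothetical hooks standing in for the real Kerberos calls so the control
// flow runs offline. All names here are illustrative, not Kudu's.
struct KrbHooks {
  std::function<bool()> open_ccache;   // false: cache missing or corrupt
  std::function<bool()> renew_ticket;  // renew the TGT held in the cache
  std::function<bool()> kinit;         // rebuild the cache from the keytab
};
enum class Outcome { kRenewed, kReinitialized, kFailed };

// One renewal pass: an unreadable cache triggers a fresh kinit, not a wedge.
Outcome RenewOnce(const KrbHooks& h) {
  if (!h.open_ccache())
    return h.kinit() ? Outcome::kReinitialized : Outcome::kFailed;
  return h.renew_ticket() ? Outcome::kRenewed : Outcome::kFailed;
}

// Exponential backoff with an explicit ceiling (base and cap are assumed).
struct CappedBackoff {
  seconds base, cap, cur;
  CappedBackoff(seconds b, seconds c) : base(b), cap(c), cur(b) {}
  seconds Next() { seconds d = cur; cur = std::min(cap, cur * 2); return d; }
  void Reset() { cur = base; }
};

// Runs `passes` iterations and returns the retry delay chosen after each one
// (0 on success), logging every decision. Sleeping is left to the caller.
std::vector<seconds> RunPasses(const KrbHooks& h, CappedBackoff& b, int passes) {
  std::vector<seconds> delays;
  for (int i = 0; i < passes; ++i) {
    Outcome o = RenewOnce(h);
    if (o == Outcome::kReinitialized) std::clog << "ccache unreadable; rebuilt via kinit\n";
    if (o != Outcome::kFailed) b.Reset();
    delays.push_back(o == Outcome::kFailed ? b.Next() : seconds(0));
    std::clog << "pass " << i << ": next retry in " << delays.back().count() << "s\n";
  }
  return delays;
}

int main() {  // Constructed scenario: cache corrupt, keytab unreachable.
  KrbHooks broken{[] { return false; }, [] { return true; }, [] { return false; }};
  CappedBackoff b(seconds(1), seconds(8));
  RunPasses(broken, b, 6);  // logs delays 1, 2, 4, 8, 8, 8
}
```
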


            People

            • Assignee: Tim Armstrong (tarmstrong)
            • Reporter: Tim Armstrong (tarmstrong)
