OOZIE-2413

Kerberos credentials can expire if the KDC is slow to respond

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: trunk
    • Fix Version/s: 4.3.0
    • Component/s: security
    • Labels:
      None

      Description

      We've seen some very rare cases where Oozie gets a Kerberos error when trying to get delegation tokens via the Credentials mechanism (e.g. getting HS2 delegation tokens).

      We finally narrowed it down to slow KDC responses, so Oozie's Kerberos credentials have expired when it tries to get the delegation token. The reason we don't see this with Hadoop clients (DFSClient for HDFS, JobClient for MR, etc.) is because they call UserGroupInformation#checkTGTAndReloginFromKeytab() before trying to connect.

      We should do a similar fix by calling UserGroupInformation#checkTGTAndReloginFromKeytab() before using a Credentials implementation.
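
      The pattern the description proposes, as an added example (not the code from the attached patches): refresh the keytab login immediately before the call that needs a valid TGT. The class name, the helper `withFreshTgt` and the placeholder action are assumptions made for illustration; only the `UserGroupInformation` calls are Hadoop's API.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper: names here are illustrative, not Oozie's. */
public final class ReloginBeforeTokenFetch {

    private ReloginBeforeTokenFetch() {
    }

    /**
     * Runs a Kerberos-authenticated action as the login user, after first
     * making sure the keytab-based TGT is still usable.
     */
    public static <T> T withFreshTgt(PrivilegedExceptionAction<T> action)
            throws IOException, InterruptedException {
        UserGroupInformation login = UserGroupInformation.getLoginUser();

        // Re-login from the keytab if the TGT is missing or close to expiry.
        // This is a no-op when security is disabled or the login did not
        // come from a keytab, so it is safe to call unconditionally.
        // Call it right before each use, not once at startup: the failure
        // described above happens in the gap between login and use.
        login.checkTGTAndReloginFromKeytab();

        // A KDC failure surfaces above as an IOException, before the
        // action starts a connection with a stale ticket.
        return login.doAs(action);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder action (assumption): in a real caller this would be
        // the delegation-token request, e.g. to HS2.
        String result = withFreshTgt(() -> "delegation-token-request-goes-here");
        System.out.println(result);
    }
}
```

      Compiling this requires hadoop-common on the classpath.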

        Attachments

        1. OOZIE-2413.001.patch
          1.0 kB
          Robert Kanter
        2. OOZIE-2413.002.patch
          2 kB
          Robert Kanter
        3. OOZIE-2413.003.patch
          2 kB
          Robert Kanter

            People

            • Assignee: Robert Kanter (rkanter)
            • Reporter: Robert Kanter (rkanter)
            • Votes: 0
            • Watchers: 7
