Uploaded image for project: 'Oozie'
  1. Oozie
  2. OOZIE-2413

Kerberos credentials can expire if the KDC is slow to respond

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • trunk
    • 4.3.0
    • security
    • None

    Description

      We've seen some very rare cases where Oozie gets a Kerberos error when trying to get delegation tokens via the Credentials mechanism (e.g. getting HS2 delegation tokens).

      We finally narrowed it down to slow KDC responses, so Oozie's Kerberos credentials have expired when it tries to get the delegation token. The reason we don't see this with Hadoop clients (DFSClient for HDFS, JobClient for MR, etc) is because they call UserGroupInformation#checkTGTAndReloginFromKeytab() before trying to connect.

      We should do a similar fix by calling UserGroupInformation#checkTGTAndReloginFromKeytab() before using a Credentials implementation.

      Attachments

        1. OOZIE-2413.001.patch
          1.0 kB
          Robert Kanter
        2. OOZIE-2413.002.patch
          2 kB
          Robert Kanter
        3. OOZIE-2413.003.patch
          2 kB
          Robert Kanter

        Activity

          People

            rkanter Robert Kanter
            rkanter Robert Kanter
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: