Uploaded image for project: 'Oozie'
  1. Oozie
  2. OOZIE-2485

Oozie client keeps trying to use expired auth token

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • trunk
    • 4.3.0
    • client, security
    • None

    Description

      When using Hadoop 2.4.0 or later, the Oozie client doesn't update the auth token when it expires. The client doesn't typically give you an error because it will still fallback and authenticate via Kerberos or Pseudo. However, this is inefficient.

      This appears to be due to HADOOP-10301, which made an incompatible change with how the AuthHandler tells the Authenticator when a token has expired. It used to give a 401 when the token expired, but now it will do SPNEGO (if you have Kerberos credentials) and return a new token, all in the same call. Oozie client's code doesn't handle that case.

      With Pseudo Auth, it behaves a little differently and you now get a 403 on that first call, but it doesn't give you a new token.

      Attachments

        1. OOZIE-2485.001.patch
          11 kB
          Robert Kanter

        Issue Links

          is broken by

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-10301 AuthenticationFilter should return Forbidden for failed authentication

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              rkanter Robert Kanter
              rkanter Robert Kanter
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: