Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
2.0.0, 1.2.3, 2.1.0
-
None
Description
When hadoop security is enabled,
https://github.com/apache/storm/blob/master/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java#L199-L209
AutoTGT will invoke "loginUserFromSubject", and it will spawn a TGT renewal thread ("TGT Renewer for <username>").
https://github.com/apache/hadoop/blob/branch-2.8.5/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L928-L957
which will eventually invoke system command "kinit -R", and then fail with the exception
org.apache.hadoop.util.Shell$ExitCodeException: kinit: Credentials cache file '/tmp/krb5cc_xxx' not found while renewing credentials at org.apache.hadoop.util.Shell.runCommand(Shell.java:1004) ~[stormjar.jar:?] at org.apache.hadoop.util.Shell.run(Shell.java:898) ~[stormjar.jar:?] at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:1213) ~[stormjar.jar:?] at org.apache.hadoop.util.Shell.execCommand(Shell.java:1307) ~[stormjar.jar:?] at org.apache.hadoop.util.Shell.execCommand(Shell.java:1289) ~[stormjar.jar:?] at org.apache.hadoop.security.UserGroupInformation$1.run(UserGroupInformation.java:1011) [stormjar.jar:?] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
"kinit" will never work from worker process since Storm don't keep TGT in local cache. Instead, TGT is saved in zookeeper and in memory of Worker process.
This exception is confusing but not harmful to topologies. And the TGT renewal thread will eventually abort.
It's better to find a real solution for it. But for now we can document what might happen in AutoTGT code.
To be clear, we still need loginUserFromSubject or some sort but we don't want to spawn TGT renewal thread. This is found with hadoop-2.8.5. Other versions are similar. But it can also change in the future release.
Attachments
Issue Links
- is related to
-
STORM-3656 Change handling of Hadoop TGT renewal exception
-
- Resolved
-
- links to
