Repository: oozie Updated Branches: refs/heads/master 2fb0f0e9a -> 92b388280
OOZIE-2413 Kerberos credentials can expire if the KDC is slow to respond (rkanter) Project: http://git-wip-us.apache.org/repos/asf/oozie/repo Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/92b38828 Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/92b38828 Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/92b38828 Branch: refs/heads/master Commit: 92b3882805166604b9fd7287b1a90c77939064bd Parents: 2fb0f0e Author: Robert Kanter <[email protected]> Authored: Mon Dec 7 10:51:55 2015 -0800 Committer: Robert Kanter <[email protected]> Committed: Mon Dec 7 10:52:13 2015 -0800 ---------------------------------------------------------------------- .../oozie/action/hadoop/CredentialsProvider.java | 15 +++++++++++++++ .../oozie/action/hadoop/JavaActionExecutor.java | 2 ++ 2 files changed, 17 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/oozie/blob/92b38828/core/src/main/java/org/apache/oozie/action/hadoop/CredentialsProvider.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/oozie/action/hadoop/CredentialsProvider.java b/core/src/main/java/org/apache/oozie/action/hadoop/CredentialsProvider.java index ddf7fd4..6fe22fb 100644 --- a/core/src/main/java/org/apache/oozie/action/hadoop/CredentialsProvider.java +++ b/core/src/main/java/org/apache/oozie/action/hadoop/CredentialsProvider.java @@ -19,11 +19,14 @@ package org.apache.oozie.action.hadoop; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.ReflectionUtils; import org.apache.oozie.service.ConfigurationService; import org.apache.oozie.service.Services; import org.apache.oozie.util.XLog; +import java.io.IOException; + public class CredentialsProvider { Credentials cred; String type; @@ -73,6 +76,18 @@ public class CredentialsProvider { } /** + * Relogs into Kerberos using the Keytab for the Oozie server user. This should be called before attempting to get delegation + * tokens via {@link Credentials} implementations to ensure that the Kerberos credentials are current and won't expire too soon. + * + * @throws IOException + */ + public static void ensureKerberosLogin() throws IOException { + LOG.debug("About to relogin from keytab"); + UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab(); + LOG.debug("Relogin from keytab successful"); + } + + /** * To trim string * * @param str http://git-wip-us.apache.org/repos/asf/oozie/blob/92b38828/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java b/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java index f92d18c..c7cbdae 100644 --- a/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java +++ b/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java @@ -1221,6 +1221,8 @@ public class JavaActionExecutor extends ActionExecutor { HashMap<String, CredentialsProperties> credPropertiesMap) throws Exception { if (context != null && action != null && credPropertiesMap != null) { + // Make sure we're logged into Kerberos; if not, or near expiration, it will relogin + CredentialsProvider.ensureKerberosLogin(); for (Entry<String, CredentialsProperties> entry : credPropertiesMap.entrySet()) { String credName = entry.getKey(); CredentialsProperties credProps = entry.getValue();
