[
https://issues.apache.org/jira/browse/HADOOP-12559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Zhe Zhang updated HADOOP-12559:
-------------------------------
Attachment: HADOOP-12559.05.patch
Thanks for the helpful discussion Xiaoyu. I don't think it's easy to bypass the
KDC limitation and efficiently emulate a short TGT lifetime. Following the
suggestion I have removed the unit test in v05 patch. It's a good catch that we
should use {{actualUgi}} when renewing TGT.
I've verified with the following test code (in the context of {{TestKMS}}):
{code}
@Test
public void testTGTRenewal() throws Exception {
tearDownMiniKdc();
Properties kdcConf = MiniKdc.createConf();
kdcConf.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "360000");
setUpMiniKdc(kdcConf);
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir();
conf = createBaseKMSConf(testDir);
conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab",
keytab.getAbsolutePath());
conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
final String keyA = "key_a";
final String keyD = "key_d";
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyA + ".ALL", "*");
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyD + ".ALL", "*");
writeConf(testDir, conf);
runServer(null, null, testDir, new KMSCallable<Void>() {
@Override
public Void call() throws Exception {
final Configuration conf = new Configuration();
conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
final URI uri = createKMSUri(getKMSUrl());
UserGroupInformation.
loginUserFromKeytab("client", keytab.getAbsolutePath());
try {
KeyProvider kp = createProvider(uri, conf);
Thread.sleep(360000);
kp.getKeys();
} catch (Exception ex) {
String errMsg = ex.getMessage();
System.out.println(errMsg);
if (errMsg.contains("Failed to find any Kerberos tgt")) {
Assert.fail("TGT expired");
}
}
return null;
}
});
}
{code}
The test passes with the patch, but fails without it, with the same complain
that Harsh commented above:
{code}
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
{code}
> KMS connection failures should trigger TGT renewal
> --------------------------------------------------
>
> Key: HADOOP-12559
> URL: https://issues.apache.org/jira/browse/HADOOP-12559
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.1
> Reporter: Zhe Zhang
> Assignee: Zhe Zhang
> Attachments: HADOOP-12559.00.patch, HADOOP-12559.01.patch,
> HADOOP-12559.02.patch, HADOOP-12559.03.patch, HADOOP-12559.04.patch,
> HADOOP-12559.05.patch
>
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
