[ https://issues.apache.org/jira/browse/HADOOP-12559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zhe Zhang updated HADOOP-12559:
-------------------------------
    Attachment: HADOOP-12559.05.patch

Thanks for the helpful discussion Xiaoyu. I don't think it's easy to bypass the KDC limitation and efficiently emulate a short TGT lifetime. Following the suggestion I have removed the unit test in the v05 patch.

It's a good catch that we should use {{actualUgi}} when renewing the TGT. I've verified with the following test code (in the context of {{TestKMS}}):

{code}
@Test
public void testTGTRenewal() throws Exception {
  // Restart the MiniKdc with a short maximum ticket lifetime so the TGT expires during the test.
  tearDownMiniKdc();
  Properties kdcConf = MiniKdc.createConf();
  kdcConf.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "360000");
  setUpMiniKdc(kdcConf);

  Configuration conf = new Configuration();
  conf.set("hadoop.security.authentication", "kerberos");
  UserGroupInformation.setConfiguration(conf);
  final File testDir = getTestDir();
  conf = createBaseKMSConf(testDir);
  conf.set("hadoop.kms.authentication.type", "kerberos");
  conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
  conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
  conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
  final String keyA = "key_a";
  final String keyD = "key_d";
  conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyA + ".ALL", "*");
  conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyD + ".ALL", "*");
  writeConf(testDir, conf);

  runServer(null, null, testDir, new KMSCallable<Void>() {
    @Override
    public Void call() throws Exception {
      final Configuration conf = new Configuration();
      conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
      final URI uri = createKMSUri(getKMSUrl());
      UserGroupInformation.loginUserFromKeytab("client", keytab.getAbsolutePath());
      try {
        KeyProvider kp = createProvider(uri, conf);
        // Wait for the TGT to expire, then issue a request that needs fresh credentials.
        Thread.sleep(360000);
        kp.getKeys();
      } catch (Exception ex) {
        String errMsg = ex.getMessage();
        System.out.println(errMsg);
        if (errMsg.contains("Failed to find any Kerberos tgt")) {
          Assert.fail("TGT expired");
        }
      }
      return null;
    }
  });
}
{code}

The test passes with the patch, but fails without it, with the same complaint that Harsh commented above:

{code}
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
{code}

> KMS connection failures should trigger TGT renewal
> --------------------------------------------------
>
>                 Key: HADOOP-12559
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12559
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.1
>            Reporter: Zhe Zhang
>            Assignee: Zhe Zhang
>         Attachments: HADOOP-12559.00.patch, HADOOP-12559.01.patch, HADOOP-12559.02.patch, HADOOP-12559.03.patch, HADOOP-12559.04.patch, HADOOP-12559.05.patch
>
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
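The following is an added illustration of the {{actualUgi}} point made in the comment above; it is example code, not the HADOOP-12559 patch or any part of TestKMS. It wraps a KMS request so that, when the request fails with the "Failed to find any Kerberos tgt" error shown above, the TGT of the real keytab-backed user (not a proxy-user UGI, which holds no TGT of its own) is refreshed before a single retry. The {{TgtRenewingCaller}} class, its method names and the use of a plain {{Callable}} for the request are assumptions of this example.

```java
import java.util.concurrent.Callable;

import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.authentication.client.AuthenticationException;

/** Added example (not project code): retry a KMS request once after refreshing the real user's TGT. */
public final class TgtRenewingCaller {

  /**
   * Resolve the UGI that actually holds the Kerberos login. A proxy-user UGI
   * carries no TGT of its own, so relogin must be done on its real user.
   */
  static UserGroupInformation actualUgi(UserGroupInformation current) {
    if (current.getAuthenticationMethod() == AuthenticationMethod.PROXY
        && current.getRealUser() != null) {
      return current.getRealUser();
    }
    return current;
  }

  /** True when the failure chain contains the "no Kerberos TGT" authentication error. */
  static boolean isExpiredTgtFailure(Exception ex) {
    Throwable t = ex;
    while (t != null) {
      if (t instanceof AuthenticationException && t.getMessage() != null
          && t.getMessage().contains("Failed to find any Kerberos tgt")) {
        return true;
      }
      t = t.getCause();
    }
    return false;
  }

  /** Run the request; on an expired-TGT failure, relogin the real user from its keytab and retry once. */
  public static <T> T callWithTgtRenewal(Callable<T> request) throws Exception {
    try {
      return request.call();
    } catch (Exception first) {
      if (!isExpiredTgtFailure(first)) {
        throw first;  // Not a credential problem; do not mask it with a retry.
      }
      UserGroupInformation real = actualUgi(UserGroupInformation.getCurrentUser());
      // No-op unless this UGI was logged in from a keytab and its TGT is near or past expiry.
      real.checkTGTAndReloginFromKeytab();
      return request.call();
    }
  }
}
```

Any other exception is rethrown unchanged, so only the specific expired-TGT failure triggers a relogin, and the retry happens at most once per call.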