[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13583223#comment-13583223 ]
Daryn Sharp commented on HADOOP-9317:
-------------------------------------
As background for the motivation: In some production environments we have
hundreds of job launches every few mins. The launches may perform dozens of
hadoop commands before actually submitting the job. We are seeing a huge
failure rate, necessitating unnecessary retry loops, because of this kinit
issue, whether it be explicitly by the user or implicitly by hadoop's background
renewal. As the job load is increased, we are seeing more and more failures
that are "breaking through" the retry loop.
@Aaron:
I have not tested with IBM's java. If you have convenient access, would you be
able to test it for me? On the bright side, even if it's broken, it won't be a
problem unless the user sets the KRB5KEYTAB env to activate the new code. If
it is broken, could I file another jira to make it work for IBM's java?
@Allen:
Yes, kinit will, regardless of -R, unlink the file, open/write the principal,
open/write the TGT. So your suggestion won't work because concurrent launches
issuing the kinit will still result in the race condition where one process may
be issuing the kinit while another is trying to run hadoop commands. Obtaining
a new TGT for every launch would place tremendously more pressure on the KDC,
which is why this change tries the ticket cache, falls back to the keytab, and
updates the ticket cache if it had to fall back.
> User cannot specify a kerberos keytab for commands
> --------------------------------------------------
>
> Key: HADOOP-9317
> URL: https://issues.apache.org/jira/browse/HADOOP-9317
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Critical
> Attachments: HADOOP-9317.branch-23.patch,
> HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch,
> HADOOP-9317.patch
>
>
> {{UserGroupInformation}} only allows kerberos users to be logged in via the
> ticket cache when running hadoop commands. {{UGI}} allows a keytab to be
> used, but it's only exposed programmatically. This forces keytab-based users
> running hadoop commands to periodically issue a kinit from the keytab. A
> race condition exists during the kinit when the ticket cache is deleted and
> re-created. Hadoop commands will fail when the ticket cache does not
> momentarily exist.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
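The ticket-cache-first, keytab-fallback order that the comment above describes can be sketched with the public {{UGI}} API. The following is an added illustration, not code from the HADOOP-9317 patch or from Hadoop itself; the patch's actual implementation (activated by the KRB5KEYTAB environment variable mentioned in the comment) lives in the attachments. The principal, keytab path, ticket-cache path and the HDFS path are hypothetical, and the {{getUGIFromTicketCache}} / {{loginUserFromKeytabAndReturnUGI}} calls are assumed to be the Hadoop 2.x signatures. Note one gap relative to the patch: this example does not write a fresh TGT back into the ticket cache after a keytab fallback, so the next process still pays the KDC round trip.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Added example: log in from the Kerberos ticket cache when it is usable,
 * otherwise fall back to the keytab. This is not the HADOOP-9317 patch; it is
 * a sketch of the same ordering using the public UGI API.
 */
public class KeytabFallbackLogin {

    // Hypothetical values; replace with the real principal, keytab and cache.
    static final String PRINCIPAL = "jobuser@EXAMPLE.COM";
    static final String KEYTAB = "/home/jobuser/jobuser.keytab";
    static final String TICKET_CACHE = "/tmp/krb5cc_1000";

    /**
     * Returns a logged-in UGI, preferring the ticket cache and only touching
     * the KDC (via the keytab) when the cache cannot be used.
     */
    static UserGroupInformation login(Configuration conf) throws IOException {
        // Must be set before any login so UGI knows Kerberos is in effect.
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        try {
            // First choice: reuse the TGT already in the ticket cache.
            // Costs the KDC nothing.
            return UserGroupInformation.getUGIFromTicketCache(TICKET_CACHE, PRINCIPAL);
        } catch (IOException cacheUnusable) {
            // The cache is missing (for example a concurrent kinit has just
            // unlinked it, the race the JIRA describes) or holds no usable
            // TGT. Fall back to the keytab: this DOES contact the KDC, which
            // is why it is the fallback rather than the default path.
            return UserGroupInformation.loginUserFromKeytabAndReturnUGI(PRINCIPAL, KEYTAB);
        }
    }

    public static void main(String[] args) throws Exception {
        final Configuration conf = new Configuration();
        UserGroupInformation ugi = login(conf);

        // Run the "hadoop command" under the obtained credentials. The path is
        // hypothetical; any FileSystem call would do.
        boolean exists = ugi.doAs(new PrivilegedExceptionAction<Boolean>() {
            @Override
            public Boolean run() throws IOException {
                FileSystem fs = FileSystem.get(conf);
                return fs.exists(new Path("/user/jobuser"));
            }
        });
        System.out.println("logged in as " + ugi.getUserName()
                + " via " + ugi.getAuthenticationMethod()
                + ", /user/jobuser exists: " + exists);
    }
}
```

A practitioner using this pattern should still expect transient failures from the ticket-cache branch while a concurrent kinit rewrites the file; the catch only converts those failures into KDC traffic, it does not remove the race itself.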