[
https://issues.apache.org/jira/browse/HADOOP-9850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13732863#comment-13732863
]
Daryn Sharp commented on HADOOP-9850:
-------------------------------------
It works. Manually tested by instrumenting UGI.getLoginUser to destroy the TGT
after keytab login. Connecting to a service generated the expected no TGT
exception, then the client did a relogin from the keytab, and successfully
connected.
> RPC kerberos errors don't trigger relogin
> -----------------------------------------
>
> Key: HADOOP-9850
> URL: https://issues.apache.org/jira/browse/HADOOP-9850
> Project: Hadoop Common
> Issue Type: Bug
> Components: ipc
> Affects Versions: 3.0.0, 2.1.0-beta
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-9850.patch
>
>
> Hadoop auto-renews a ticket cache TGT. However, a TGT acquired via keytab is
> just allowed to expire. To compensate, any exception during a kerberos RPC
> connection triggers a relogin.
> Prior to HADOOP-9698, the RPC client "knew" the SASL client was attempting
> authMethod kerberos. Now the SASL client negotiates and returns the
> authMethod to the RPC Client. When an exception occurs, such as TGT expired,
> the Client doesn't know what the SASL client was attempting so no relogin is
> attempted. After 24 hours, keytab based services that act as clients (ex. RM
> for token renewal) go dead.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
