[
https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Allen Wittenauer updated HADOOP-9317:
-------------------------------------
Status: Open (was: Patch Available)
bq. So your suggestion won't work because concurrent launches issuing the
kinit will still result in the race condition where one process may be issuing
the kinit while another is trying to run hadoop commands.
If you look at the sample script I wrote, we should be using a different
credential cache per invocation, thus removing the race condition.
In any case, cancelling the patch since it no longer applies.
> User cannot specify a kerberos keytab for commands
> --------------------------------------------------
>
> Key: HADOOP-9317
> URL: https://issues.apache.org/jira/browse/HADOOP-9317
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.0.0-alpha, 0.23.0, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Critical
> Attachments: HADOOP-9317.branch-23.patch,
> HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch,
> HADOOP-9317.patch, HADOOP-9317.patch
>
>
> {{UserGroupInformation}} only allows kerberos users to be logged in via the
> ticket cache when running hadoop commands. {{UGI}} allows a keytab to be
> used, but it's only exposed programatically. This forces keytab-based users
> running hadoop commands to periodically issue a kinit from the keytab. A
> race condition exists during the kinit when the ticket cache is deleted and
> re-created. Hadoop commands will fail when the ticket cache does not
> momentarily exist.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
