Robert Kanter created OOZIE-2413:
------------------------------------
Summary: Kerberos credentials can expire if the KDC is slow to
respond
Key: OOZIE-2413
URL: https://issues.apache.org/jira/browse/OOZIE-2413
Project: Oozie
Issue Type: Bug
Components: security
Affects Versions: trunk
Reporter: Robert Kanter
Assignee: Robert Kanter
Fix For: trunk
We've seen some very rare cases where Oozie gets a Kerberos error when trying
to get delegation tokens via the {{Credentials}} mechanism (e.g. getting HS2
delegation tokens).
We finally narrowed it down to slow KDC responses, so Oozie's Kerberos
credentials have expired when it tries to get the delegation token. The reason
we don't see this with Hadoop clients (DFSClient for HDFS, JobClient for MR,
etc) is because they call
{{UserGroupInformation#checkTGTAndReloginFromKeytab()}} before trying to
connect.
We should do a similar fix by calling
{{UserGroupInformation#checkTGTAndReloginFromKeytab()}} before using a
Credentials implementation.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
