[
https://issues.apache.org/jira/browse/OOZIE-2485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15188075#comment-15188075
]
Robert Kanter commented on OOZIE-2485:
--------------------------------------
I spent a ton of time looking into this. Unfortunately, it's very tricky
because different versions of hadoop-auth do slightly different things. I have
a fix that I believe works for everything. I'm currently trying to get MiniKDC
working so I can have unit tests that use Kerberos for this. I'll try to post
a patch by the end of the week; if I can't get MiniKDC working by then, I'll
give up on it.
> Oozie client keeps trying to use expired auth token
> ---------------------------------------------------
>
> Key: OOZIE-2485
> URL: https://issues.apache.org/jira/browse/OOZIE-2485
> Project: Oozie
> Issue Type: Bug
> Components: client, security
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Blocker
> Fix For: trunk
>
>
> When using Hadoop 2.4.0 or later, the Oozie client doesn't update the auth
> token when it expires. The client doesn't typically give you an error
> because it will still fallback and authenticate via Kerberos or Pseudo.
> However, this is inefficient.
> This appears to be due to HADOOP-10301, which made an incompatible change
> with how the AuthHandler tells the Authenticator when a token has expired.
> It used to give a 401 when the token expired, but now it will do SPNEGO (if
> you have Kerberos credentials) and return a new token, all in the same call.
> Oozie client's code doesn't handle that case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
