[
https://issues.apache.org/jira/browse/OOZIE-2485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Kanter updated OOZIE-2485:
---------------------------------
Description:
When using Hadoop 2.4.0 or later, the Oozie client doesn't update the auth
token when it expires. The client doesn't typically give you an error because
it will still fallback and authenticate via Kerberos or Pseudo. However, this
is inefficient.
This appears to be due to HADOOP-10301, which made an incompatible change with
how the AuthHandler tells the Authenticator when a token has expired. It used
to give a 401 when the token expired, but now it will do SPNEGO (if you have
Kerberos credentials) and return a new token, all in the same call. Oozie
client's code doesn't handle that case.
With Pseudo Auth, it behaves a little differently and you now get a 403 on that
first call, but it doesn't give you a new token.
was:
When using Hadoop 2.4.0 or later, the Oozie client doesn't update the auth
token when it expires. The client doesn't typically give you an error because
it will still fallback and authenticate via Kerberos or Pseudo. However, this
is inefficient.
This appears to be due to HADOOP-10301, which made an incompatible change with
how the AuthHandler tells the Authenticator when a token has expired. It used
to give a 401 when the token expired, but now it will do SPNEGO (if you have
Kerberos credentials) and return a new token, all in the same call. Oozie
client's code doesn't handle that case.
> Oozie client keeps trying to use expired auth token
> ---------------------------------------------------
>
> Key: OOZIE-2485
> URL: https://issues.apache.org/jira/browse/OOZIE-2485
> Project: Oozie
> Issue Type: Bug
> Components: client, security
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Blocker
> Fix For: trunk
>
>
> When using Hadoop 2.4.0 or later, the Oozie client doesn't update the auth
> token when it expires. The client doesn't typically give you an error
> because it will still fallback and authenticate via Kerberos or Pseudo.
> However, this is inefficient.
> This appears to be due to HADOOP-10301, which made an incompatible change
> with how the AuthHandler tells the Authenticator when a token has expired.
> It used to give a 401 when the token expired, but now it will do SPNEGO (if
> you have Kerberos credentials) and return a new token, all in the same call.
> Oozie client's code doesn't handle that case.
> With Pseudo Auth, it behaves a little differently and you now get a 403 on
> that first call, but it doesn't give you a new token.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
