[ https://issues.apache.org/jira/browse/OOZIE-2413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374807#comment-15374807 ]
Harsh J commented on OOZIE-2413:
--------------------------------
Note that this issue can happen even in cases of a responsive KDC. The basic
flaw is the second point of the description, in that, except for the MR1, HDFS,
YARN and HBase clients, the rest (such as the Hive HMS client or HS2 JDBC
client) do not have mechanisms to ensure a valid TGT before making connection
calls. With this change, the presence of a valid TGT in memory is ensured (with
a new login where necessary) regardless of what form of client the credential
system builds up.
> Kerberos credentials can expire if the KDC is slow to respond
> -------------------------------------------------------------
>
> Key: OOZIE-2413
> URL: https://issues.apache.org/jira/browse/OOZIE-2413
> Project: Oozie
> Issue Type: Bug
> Components: security
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Fix For: trunk
>
> Attachments: OOZIE-2413.001.patch, OOZIE-2413.002.patch,
> OOZIE-2413.003.patch
>
>
> We've seen some very rare cases where Oozie gets a Kerberos error when trying
> to get delegation tokens via the {{Credentials}} mechanism (e.g. getting HS2
> delegation tokens).
> We finally narrowed it down to slow KDC responses, so Oozie's Kerberos
> credentials have expired when it tries to get the delegation token. The
> reason we don't see this with Hadoop clients (DFSClient for HDFS, JobClient
> for MR, etc) is because they call
> {{UserGroupInformation#checkTGTAndReloginFromKeytab()}} before trying to
> connect.
> We should do a similar fix by calling
> {{UserGroupInformation#checkTGTAndReloginFromKeytab()}} before using a
> Credentials implementation.
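The pattern discussed in this issue, as an added Java example that is not Oozie's patch or code from the project: check the keytab login's TGT before a client call that has no relogin logic of its own. `TgtGuard` and `withValidTgt` are hypothetical names, the token-fetching lambda is a constructed stand-in, and rejecting non-keytab logins is a choice made for this sketch; it needs hadoop-common on the classpath.

```java
import java.io.IOException;
import java.util.concurrent.Callable;
import org.apache.hadoop.security.UserGroupInformation;

// Added illustration, not Oozie's code. TgtGuard and withValidTgt are
// hypothetical names; only the UserGroupInformation calls are Hadoop's API.
public final class TgtGuard {
    private TgtGuard() {}

    /**
     * Runs a client call that has no relogin logic of its own (the issue names
     * the Hive HMS client and the HS2 JDBC client) after making sure the
     * process-wide keytab login still holds a usable TGT.
     */
    public static <T> T withValidTgt(Callable<T> clientCall) throws Exception {
        if (UserGroupInformation.isSecurityEnabled()) {
            if (!UserGroupInformation.isLoginKeytabBased()) {
                // checkTGTAndReloginFromKeytab() returns without doing anything
                // for ticket-cache logins, so the guard would be silently void.
                // Failing here is this sketch's choice, not Hadoop behaviour.
                throw new IOException("login is not keytab-based; TGT cannot be renewed here");
            }
            // Logs in again from the keytab only when the TGT is expired or
            // close to expiry; otherwise it returns immediately.
            UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
        }
        return clientCall.call();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a delegation-token request.
        String token = withValidTgt(() -> "constructed-token");
        System.out.println(token);
    }
}
```

With Hadoop security disabled (the default configuration) the guard is skipped and `main` simply prints the constructed value; on a Kerberized service the relogin check runs before every wrapped call.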