[ 
https://issues.apache.org/jira/browse/HDFS-17740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Calvin Kirs updated HDFS-17740:
-------------------------------
    Description: 
When using the hadoop.security.kerberos.ticket.cache.path configuration for 
Kerberos authentication, the Hadoop client is able to authenticate successfully 
when a valid ticket is available at the specified cache path. However, after 
the ticket expires, the client fails to automatically reload a new ticket from 
the cache path, even though the ticket has been renewed by an external process 
(e.g., a cron job that periodically runs kinit). This results in authentication 
errors when performing operations on Hadoop, such as querying HDFS.

 
 
{code:java}
// getConf(ticketPath) is the reporter's own helper (not shown)
Configuration conf = getConf(ticketPath);
UserGroupInformation.setConfiguration(conf);
// The UGI is created once from the ticket cache, before the loop
UserGroupInformation ugi = UserGroupInformation.getUGIFromTicketCache(ticketPath, null);
while (true) {
    Thread.sleep(60000);
    ugi.doAs((PrivilegedAction<Object>) () -> {
        FileSystem fs = null;
        try {
            fs = FileSystem.get(conf);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        FileStatus[] ss = null;
        try {
            ss = fs.listStatus(new Path("hdfs://hdfs-cluster/"));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return ss; // PrivilegedAction.run() must return a value
    });
}
{code}
 
*Expected Behavior:*

The Hadoop client should automatically detect the expiration of the Kerberos 
ticket and reload a new ticket from the specified ticket.cache.path, ensuring 
seamless authentication after the ticket expires, without requiring manual 
intervention.

> The Kerberos authentication using ticket.cache.path does not automatically 
> reload a new ticket after the existing ticket expires.
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-17740
>                 URL: https://issues.apache.org/jira/browse/HDFS-17740
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: hdfs-client
>            Reporter: Calvin Kirs
>            Priority: Major

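One way a client can work around the behaviour described in this report, as an added example that is not part of the original issue or of Hadoop's own code: build a new UGI whenever the ticket cache file is rewritten. The class TicketCacheUgi and its method names are hypothetical, and the example assumes the external kinit rewrites the file at ticketPath so that its modification time changes.

```java
import java.io.File;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper: rebuilds the UGI when the ticket cache file changes. */
public class TicketCacheUgi {
    private final String ticketPath;
    private UserGroupInformation ugi;
    private long loadedMtime = -1;

    public TicketCacheUgi(Configuration conf, String ticketPath) {
        UserGroupInformation.setConfiguration(conf);
        this.ticketPath = ticketPath;
    }

    /** Returns a UGI built from the current contents of the cache file. */
    public synchronized UserGroupInformation current() throws IOException {
        long mtime = new File(ticketPath).lastModified(); // 0 if the file is missing
        if (mtime == 0) {
            throw new IOException("ticket cache not found: " + ticketPath);
        }
        if (ugi == null || mtime != loadedMtime) {
            // Assumption: a changed mtime means kinit wrote a renewed ticket.
            UserGroupInformation fresh =
                UserGroupInformation.getUGIFromTicketCache(ticketPath, null);
            if (ugi != null) {
                // FileSystem instances are cached per UGI; release the old ones.
                // Callers still using a FileSystem from the old UGI will see it closed.
                FileSystem.closeAllForUGI(ugi);
            }
            ugi = fresh;
            loadedMtime = mtime;
        }
        return ugi;
    }

    /** Same listing as in the report, run under whichever UGI is current. */
    public static FileStatus[] listRoot(TicketCacheUgi holder, Configuration conf)
            throws IOException, InterruptedException {
        return holder.current().doAs((PrivilegedExceptionAction<FileStatus[]>) () ->
            FileSystem.get(conf).listStatus(new Path("hdfs://hdfs-cluster/")));
    }
}
```

If the renewing process does not replace the cache file atomically, a read during the rewrite can fail, so callers should be prepared to retry the call once.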

