[ https://issues.apache.org/jira/browse/HDFS-17740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17930099#comment-17930099 ]
Calvin Kirs commented on HDFS-17740:
------------------------------------

I found that HDFS authentication fails with an automatic retry mechanism:
{code:java}
if (Connection.this.shouldAuthenticateOverKrb()) {
    if (currRetries < maxRetries) {
        Client.LOG.debug("Exception encountered while connecting to the server {}", Connection.this.remoteId, ex);
        if (UserGroupInformation.isLoginKeytabBased()) {
            UserGroupInformation.getLoginUser().reloginFromKeytab();
        } else if (UserGroupInformation.isLoginTicketBased()) {
            UserGroupInformation.getLoginUser().reloginFromTicketCache();
        }
        Thread.sleep((long)(rand.nextInt(5000) + 1));
        return null;
    } else {
        String msg = "Couldn't setup connection for " + UserGroupInformation.getLoginUser().getUserName() + " to " + Connection.this.remoteId;
        Client.LOG.warn(msg, ex);
        throw NetUtils.wrapException(Connection.this.remoteId.getAddress().getHostName(), Connection.this.remoteId.getAddress().getPort(), NetUtils.getHostname(), 0, ex);
    }
{code}
so when I set the UGI with the ticket authentication to {{logUser}},
{code:java}
UserGroupInformation ugi = UserGroupInformation.getBestUGI(ticketPath, null);
UserGroupInformation.setLoginUser(ugi);
{code}
it works fine.

However, I have another program using {{libhdfs}}, and I'm wondering what I should do in this case, since it doesn't seem to have a {{setLoginUser}} method.

> The Kerberos authentication using ticket.cache.path does not automatically
> reload a new ticket after the existing ticket expires.
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-17740
>                 URL: https://issues.apache.org/jira/browse/HDFS-17740
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: hdfs-client
>            Reporter: Calvin Kirs
>            Priority: Major
>
> When using the hadoop.security.kerberos.ticket.cache.path configuration for
> Kerberos authentication, the Hadoop client is able to authenticate
> successfully when a valid ticket is available at the specified cache path.
> However, after the ticket expires, the client fails to automatically reload a
> new ticket from the cache path, even though the ticket has been renewed by an
> external process (e.g., a cron job that periodically runs kinit). This
> results in authentication errors when performing operations on Hadoop, such
> as querying HDFS.
>
> {code:java}
> Configuration conf = getConf(ticketPath);
> UserGroupInformation.setConfiguration(conf);
> // The UGI is built once from the ticket cache and reused for every iteration.
> UserGroupInformation ugi = UserGroupInformation.getUGIFromTicketCache(ticketPath, null);
> while (true) {
>     Thread.sleep(60000);
>     ugi.doAs((PrivilegedAction<Object>) () -> {
>         FileSystem fs = null;
>         try {
>             fs = FileSystem.get(conf);
>         } catch (IOException e) {
>             throw new RuntimeException(e);
>         }
>         FileStatus[] ss = null;
>         try {
>             ss = fs.listStatus(new Path("hdfs://hdfs-cluster/"));
>         } catch (IOException e) {
>             throw new RuntimeException(e);
>         }
>         // PrivilegedAction.run() must return a value.
>         return ss;
>     });
> }
> {code}
>
> *Expected Behavior:*
> The Hadoop client should automatically detect the expiration of the Kerberos
> ticket and reload a new ticket from the specified ticket.cache.path, ensuring
> seamless authentication after the ticket expires, without requiring manual
> intervention.