[
https://issues.apache.org/jira/browse/HDFS-4548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13620029#comment-13620029
]
Alejandro Abdelnur commented on HDFS-4548:
------------------------------------------
Looking a bit more ....
I think WebHdfsFileSystem should not trigger a relogin from keytab.
The UGI should, in using keytab, set renewTGT=true. This will make the JDK to
renew automatically the ticket. as a reference, hadoop-auth is doing this for
the KerberosAuthenticationHandler.
AFAIK, the logic in UGI to force a relogin is there for kinit-ed sessions,
which are be relogin automatically by the JDK.
So, it seems to me, the fix should be:
* remove all checkTGTAndReloginFromKeytab() calls from WebHddfsFileSystem
* make the UGI.checkTGTAndReloginFromKeytab() a NOP (for backwards compat)
* make UGI to set renewTGT=true for keytab sessions
> Webhdfs doesn't renegotiate SPNEGO token
> ----------------------------------------
>
> Key: HDFS-4548
> URL: https://issues.apache.org/jira/browse/HDFS-4548
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Affects Versions: 2.0.0-alpha, 3.0.0, 0.23.7
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch,
> HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch,
> HDFS-4548.branch-23.patch, HDFS-4548.patch, HDFS-4548.patch, HDFS-4548.patch,
> HDFS-4548.patch, HDFS-4548.patch
>
>
> When the webhdfs SPNEGO token expires, the fs doesn't attempt to renegotiate
> a new SPNEGO token. This renders webhdfs unusable for daemons that are
> logged in via a keytab which would allow a new SPNEGO token to be generated.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
