[ 
https://issues.apache.org/jira/browse/HDFS-4548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13620161#comment-13620161
 ] 

Daryn Sharp commented on HDFS-4548:
-----------------------------------

That's not how it works, so I believe hadoop-auth may be working only because 
something else is quietly doing the relogin...

The renewTGT option is only applicable when using a ticket cache.  It will fail 
if the ticket cache option is not enabled.  The option causes a TGT obtained 
from the ticket cache during login to be renewed before it's stuffed into the 
Subject.  Afterwards, there is no automatic background renewal triggered by 
this option.  You have to relogin via a LoginContext to allow the Kerberos 
login module to do the renewal.

The UGI has relogin logic for both ticket cache and keytab.  Relogin from the 
ticket cache triggers the renewTGT upon re-login.  Relogin from the keytab gets 
a new TGT.  The latter is critical for daemons.  RPC automatically issues a 
relogin for connection errors, so webhdfs, just like hftp, must do the relogin 
themselves.

I haven't changed the behavior of webhdfs, but rather moved relogin to a common 
place.  The goal here is minimal change to make webhdfs usable beyond 10h.  The 
proposed changes appear predicated on a misunderstanding, so are you ok with 
this patch?

(Aside: I already plan to streamline all the relogin methods into a single 
relogin as part of my stalled, but soon to be resumed, SASL work)
                
> Webhdfs doesn't renegotiate SPNEGO token
> ----------------------------------------
>
>                 Key: HDFS-4548
>                 URL: https://issues.apache.org/jira/browse/HDFS-4548
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>    Affects Versions: 2.0.0-alpha, 3.0.0, 0.23.7
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch, 
> HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch, 
> HDFS-4548.branch-23.patch, HDFS-4548.patch, HDFS-4548.patch, HDFS-4548.patch, 
> HDFS-4548.patch, HDFS-4548.patch
>
>
> When the webhdfs SPNEGO token expires, the fs doesn't attempt to renegotiate 
> a new SPNEGO token.  This renders webhdfs unusable for daemons that are 
> logged in via a keytab which would allow a new SPNEGO token to be generated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
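
The relogin step described in the comment, sketched as an added example that is not part of the HDFS-4548 patch or the original message: before a Kerberos-authenticated HTTP call, the caller refreshes the login user's TGT from whichever source it came from. The class name, the `call` helper and the `main` arguments are hypothetical; it assumes a Hadoop configuration with Kerberos security enabled is on the classpath.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper (not from the HDFS-4548 patch). */
public final class ReloginBeforeRequest {

  /** Refresh the TGT from the source the login originally used. */
  static void relogin(UserGroupInformation ugi) throws IOException {
    if (ugi.isFromKeytab()) {
      // Keytab login (daemons): a fresh TGT is obtained from the keytab
      // once the current one is close to expiry; otherwise this is a no-op.
      ugi.checkTGTAndReloginFromKeytab();
    } else {
      // Ticket-cache login: re-running the login lets the Kerberos login
      // module apply renewTGT. Nothing renews the TGT in the background.
      ugi.reloginFromTicketCache();
    }
  }

  /** Relogin, then run the request as the login user so SPNEGO sees a valid TGT. */
  static <T> T call(PrivilegedExceptionAction<T> request)
      throws IOException, InterruptedException {
    UserGroupInformation ugi = UserGroupInformation.getLoginUser();
    relogin(ugi);
    return ugi.doAs(request);
  }

  public static void main(String[] args) throws Exception {
    // args[0] = principal, args[1] = keytab path (both supplied by the operator).
    UserGroupInformation.loginUserFromKeytab(args[0], args[1]);
    // Stand-in for the real HTTP request: report who the call runs as.
    String who = call(() -> UserGroupInformation.getCurrentUser().getUserName());
    System.out.println("request executed as " + who);
  }
}
```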