[jira] [Commented] (HDFS-4548) Webhdfs doesn't renegotiate SPNEGO token

Tue, 02 Apr 2013 15:53:17 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-4548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13620383#comment-13620383
 ] 

Daryn Sharp commented on HDFS-4548:
-----------------------------------

bq. then the JDK does the renewal for you. that is how hadoop-auth works on the 
server side.
Hmm, your experience with hadoop-auth and the JDK automatically renewing TGTs 
made me doubt myself.  I looked at the source for {{Krb5LoginModule}} and the 
{{renewTGT}} option is only used inside a conditional for the ticket cache.  If 
enabled, and a TGT is in the ticket cache, it will issue a _one time_ renewal.  
If it's from a keytab, no renewal is performed.  Do you know where it's 
scheduling future renewals?

bq. Back to UGI, UGI has a thread that triggers the relogin, why do we need to 
call it explicitly?

The UGI renewal thread is only spawned for ticket cache logins, not keytab 
logins.  That's why hftp, webhdfs, and RPC have to check if a keytab user needs 
to be re-logged in.  It's less than ideal, and I'd like to make it better, but 
it's a tangent to this blocker...
                
> Webhdfs doesn't renegotiate SPNEGO token
> ----------------------------------------
>
>                 Key: HDFS-4548
>                 URL: https://issues.apache.org/jira/browse/HDFS-4548
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>    Affects Versions: 2.0.0-alpha, 3.0.0, 0.23.7
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch, 
> HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch, 
> HDFS-4548.branch-23.patch, HDFS-4548.patch, HDFS-4548.patch, HDFS-4548.patch, 
> HDFS-4548.patch, HDFS-4548.patch
>
>
> When the webhdfs SPNEGO token expires, the fs doesn't attempt to renegotiate 
> a new SPNEGO token.  This renders webhdfs unusable for daemons that are 
> logged in via a keytab which would allow a new SPNEGO token to be generated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to