[
https://issues.apache.org/jira/browse/AMBARI-15324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonathan Hurley updated AMBARI-15324:
-------------------------------------
Status: Patch Available (was: Open)
> Kerberos Tickets Expire Too Frequently For Alerts
> -------------------------------------------------
>
> Key: AMBARI-15324
> URL: https://issues.apache.org/jira/browse/AMBARI-15324
> Project: Ambari
> Issue Type: Bug
> Components: ambari-agent
> Affects Versions: 2.1.0
> Reporter: Jonathan Hurley
> Assignee: Jonathan Hurley
> Priority: Critical
> Fix For: 2.2.2
>
> Attachments: AMBARI-15324.patch
>
>
> When a cluster has been Kerberized, alerts use the {{curl_krb_request}}
> module in order to make requests using SPNEGO negotiation.
> Normally this would involve calling {{kinit}} and then invoking the {{curl}}
> command to use the acquired ticket. However, because alerts run often on
> fixed intervals, this would mean that the KDC would be flooded with requests
> every minute.
> To alleviate this problem, {{curl_krb_request}} uses {{klist}} to inspect the
> {{KRB5CCNAME}} cache. Only if an invalid ticket is found is {{kinit}}
> invoked. Additionally, {{kinit}} is invoked with a fixed ticket lifetime of 5
> minutes. Since many alerts run on 5-minute intervals, this causes boundary
> issues.
> To workaround these problems while continuing to leverage the cache,
> {{curl_krb_request}} should be changed to:
> - Use the default ticket expiry configured for Kerberos in {{krb5.conf}}
> - Employ in-memory tracking of the last time {{kinit}} was called so that it
> can be invoked before hitting the boundary of the ticket's expiration time
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
