Sailesh Mukil created IMPALA-6726:
-------------------------------------

             Summary: Catalog server's kerberos ticket gets deleted after 'ticket_lifetime' on SLES11
                 Key: IMPALA-6726
                 URL: https://issues.apache.org/jira/browse/IMPALA-6726
             Project: IMPALA
          Issue Type: Bug
          Components: Security
    Affects Versions: Impala 2.11.0
            Reporter: Sailesh Mukil


On SLES11, it was noticed that after 'ticket_lifetime', the Kerberos ticket 
gets deleted by the Java krb5 library. [~mikesbrown] noticed this from 5.14, 
and we confirmed that it shows up in 5.15 as well.

I turned on the Java Kerberos debug logging and found this in the log messages:
{noformat}
W0322 07:51:43.617998 12118 UserGroupInformation.java:1403] Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1521730246019
>>>DEBUG <CCacheInputStream>  client principal is impala/[email protected]
>>>DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Thu Mar 22 07:21:58 PDT 2018
>>>DEBUG <CCacheInputStream> start time: Thu Mar 22 07:51:46 PDT 2018
>>>DEBUG <CCacheInputStream> end time: Thu Mar 22 07:51:58 PDT 2018
>>>DEBUG <CCacheInputStream> renew_till time: Thu Mar 22 07:51:58 PDT 2018
>>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL;
Found ticket for impala/[email protected] to go to krbtgt/[email protected] expiring on Thu Mar 22 07:51:58 PDT 2018
Removed and destroyed the expired Ticket
Destroyed KerberosTicket
W0322 07:52:04.195199 12201 UserGroupInformation.java:1920] PriviledgedActionException as:impala/[email protected] (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
W0322 07:52:04.200016 12201 UserGroupInformation.java:1403] Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1521730306038
{noformat}

The backend ticket acquisition thread, however, keeps running and claiming to 
have re-acquired a ticket every 'ticket_lifetime' period.

I tried turning off the 'use_kudu_kinit' flag and this bug didn't show up in 
that mode.

Still investigating the bug.
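
The following is an added example, not part of the original report or of Impala's code: a small Python parser for the `CCacheInputStream` debug lines above that computes each ticket's validity window and remaining renewable lifetime, which helps when triaging similar logs. The function names and the embedded sample (the time fields copied from the log above) are assumptions made for illustration; the timezone token is dropped on the assumption that all fields of one ticket are printed in the same zone.

```python
import re
from datetime import datetime

# Constructed sample: the ticket time fields from the log in the report.
SAMPLE_LOG = """\
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Thu Mar 22 07:21:58 PDT 2018
>>>DEBUG <CCacheInputStream> start time: Thu Mar 22 07:51:46 PDT 2018
>>>DEBUG <CCacheInputStream> end time: Thu Mar 22 07:51:58 PDT 2018
>>>DEBUG <CCacheInputStream> renew_till time: Thu Mar 22 07:51:58 PDT 2018
>>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL;
Removed and destroyed the expired Ticket
"""

# Captures the field name, the date/time without zone, and the year.
FIELD_RE = re.compile(
    r"<CCacheInputStream>\s+(auth|start|end|renew_till) time: "
    r"(\w{3} \w{3} +\d+ [\d:]{8}) \S+ (\d{4})")
REQUIRED = ("auth", "start", "end", "renew_till")

def parse_tickets(log_text):
    """Group the time fields into one dict per ticket read from the ccache."""
    tickets, cur = [], {}
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            name, stamp, year = m.groups()
            if name == "auth" and cur:  # an 'auth time' line starts a new ticket
                tickets.append(cur)
                cur = {}
            cur[name] = datetime.strptime(f"{stamp} {year}",
                                          "%a %b %d %H:%M:%S %Y")
        elif "Removed and destroyed the expired Ticket" in line and cur:
            cur["destroyed"] = True
    if cur:
        tickets.append(cur)
    # Keep only tickets whose four time fields were all present.
    return [t for t in tickets if all(k in t for k in REQUIRED)]

def summarize(t):
    """Return the intervals (in seconds) that matter for renewal triage."""
    return {
        "validity_s": (t["end"] - t["start"]).total_seconds(),
        "renewable_left_s": (t["renew_till"] - t["end"]).total_seconds(),
        "since_auth_s": (t["start"] - t["auth"]).total_seconds(),
        "destroyed": t.get("destroyed", False),
    }
```
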


