Jason Fehr created KUDU-3739:
--------------------------------
Summary: Enable Configurable Kerberos TGT Reinitialization Time
Key: KUDU-3739
URL: https://issues.apache.org/jira/browse/KUDU-3739
Project: Kudu
Issue Type: Bug
Components: security
Reporter: Jason Fehr

When Kerberos is enabled, Kudu starts a thread that obtains a new TGT before the old TGT expires. The [code to calculate renewal time|https://github.com/apache/kudu/blob/0a63f0318421e4ec58f79e3c185b496db8025d42/src/kudu/security/init.cc#L187-L221] is hardcoded to try between 5 minutes and 5 seconds before the TGT expires.

This timing has the potential to cause auth failures when non-renewable TGTs are used by the [Java Hadoop Kerberos client|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L1075] as the TGT may not be recreated in enough time for the Java Hadoop Kerberos client to pick it up.

Add the ability to configure both the new renewal interval and the backoff renewal interval [here|https://github.com/apache/kudu/blob/0a63f0318421e4ec58f79e3c185b496db8025d42/src/kudu/security/init.cc#L187-L221].