-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44472/
-----------------------------------------------------------

(Updated March 8, 2016, 9:43 a.m.)


Review request for Ambari, Alejandro Fernandez and Robert Levas.


Changes
-------

Addressed comments about alert labels in log messages.


Bugs: AMBARI-15324
    https://issues.apache.org/jira/browse/AMBARI-15324


Repository: ambari


Description
-------

When a cluster has been Kerberized, alerts use the {{curl_krb_request}} module 
in order to make requests using SPNEGO negotiation.

Normally this would involve calling {{kinit}} and then invoking the {{curl}} 
command to use the acquired ticket. However, because alerts run often on fixed 
intervals, this would mean that the KDC would be flooded with requests every 
minute.

To alleviate this problem, {{curl_krb_request}} uses {{klist}} to inspect the 
{{KRB5CCNAME}} cache. Only if an invalid ticket is found is {{kinit}} invoked. 
Additionally, {{kinit}} is invoked with a fixed ticket lifetime of 5 minutes. 
Since many alerts run on 5-minute intervals, this causes boundary issues.

To workaround these problems while continuing to leverage the cache, 
{{curl_krb_request}} should be changed to:
- Use the default ticket expiry configured for Kerberos in {{krb5.conf}}
- Employ in-memory tracking of the last time {{kinit}} was called so that it 
can be invoked before hitting the boundary of the ticket's expiration time


Diffs (updated)
-----

  
ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py
 1ccc45f 

Diff: https://reviews.apache.org/r/44472/diff/


Testing
-------

Deployed changes to a cluster with frequent 401's and "Cannot decode JSON" 
messages. 

----------------------------------------------------------------------
Total run:924
Total errors:0
Total failures:0
OK


Thanks,

Jonathan Hurley

Reply via email to