Hi Folks,

Using Kerberos auth in NiFi clusters communicating with HDFS and for Hive
access, the ticket life is 24 hours. HDFS works fine, however we're seeing
issues with Hive where the TGT doesn't seem to renew, or fetch a new
ticket, as the 24hr limit approaches. Hence, Hive access works fine until
the 24hrs expires and then fails to authenticate. For example, a
SelectHiveQL processor using the Hive Database Connection Pooling Service
will work for 24 hours after a cluster restart but then fail with:

org.ietf.jgss.GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)

Enabled krb debugging, which shows the ticket is found but no renewal, or new
fetch attempt, seems to have been made. Krb docs discuss
setting javax.security.auth.useSubjectCredsOnly=false in order to allow the
underlying mechanism to obtain credentials, however the bootstrap.conf
explicitly sets this to 'true', to inhibit JAAS from using any fallback
methods to authenticate.

Trying an experiment with useSubjectCredsOnly=false but would appreciate if
anyone has some guidance on this, how to get Hive's connection pools to
renew the TGT or fetch a new ticket? Thank you.

patw
