There is a bug for this but I'm not sure which release fixed it. Something 
after 1.5, I think. The patch is in the Hortonworks HDF 3.1.2 release. 

If you go search for me in the archives I mentioned it a few months back. 

Thanks
Shawn

Sent from my iPhone

> On Dec 19, 2018, at 3:59 PM, Pat White <[email protected]> wrote:
> 
> Hi Folks,
> 
> Using Kerberos auth in NiFi clusters communicating with HDFS and for Hive 
> access, the ticket life is 24 hours. HDFS works fine, however we're seeing 
> issues with Hive where the TGT doesn't seem to renew, or fetch a new ticket, 
> as the 24hr limit approaches. Hence, Hive access works fine until the 24hrs 
> expires and then fails to authenticate. For example, a SelectHiveQL processor 
> using the Hive Database Connection Pooling Service will work for 24 hours 
> after a cluster restart but then fail with:
> 
> org.ietf.jgss.GSSException: No valid credentials provided 
> (Mechanism level: Failed to find any Kerberos tgt)
> 
> Enabled krb debugging, which shows the ticket is found but no renew, or new 
> fetch attempt, seems to have been made. Krb docs discuss setting 
> javax.security.auth.useSubjectCredsOnly=false in order to allow the 
> underlying mechanism to obtain credentials, however the bootstrap.conf 
> explicitly sets this to 'true', to inhibit JAAS from using any fallback 
> methods to authenticate.
> 
> Trying an experiment with useSubjectCredsOnly=false but would appreciate if 
> anyone has some guidance on this, how to get Hive's connection pools to renew 
> the TGT or fetch a new ticket? Thank you.
> 
> patw
> 
> 
> 
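
Added example, not part of the thread and not NiFi or Hadoop code: a log triage script for the symptom described above, separating GSS failures that begin once the 24-hour ticket life has elapsed since the last keytab login from GSS failures with another cause. The log layout, the sample lines, the function name `triage` and the 10-minute slack are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

LOGIN_RE = re.compile(r"Login successful for user (\S+)")
FAIL_RE = re.compile(r"GSSException: No valid credentials provided \(Mechanism level: (.*)\)")

# Constructed sample in an assumed nifi-app.log layout; not taken from the thread.
SAMPLE_LOG = """\
2018-12-18 09:00:05,100 INFO [main] o.a.h.security.UserGroupInformation Login successful for user nifi@EXAMPLE.COM using keytab file /constructed/nifi.keytab
2018-12-18 11:30:00,000 ERROR [Timer-Driven Process Thread-2] o.a.n.p.hive.SelectHiveQL query failed
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database)
2018-12-19 09:00:31,417 ERROR [Timer-Driven Process Thread-3] o.a.n.p.hive.SelectHiveQL query failed
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
"""

def triage(log_text, lifetime=timedelta(hours=24), slack=timedelta(minutes=10)):
    """Return one (timestamp, age_since_login, verdict) tuple per failing log event."""
    login_ts = event_ts = None
    seen_in_event = False
    findings = []
    for line in log_text.splitlines():
        try:
            event_ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            seen_in_event = False          # a timestamp starts a new log event
        except ValueError:
            pass                           # stack-trace line: belongs to the previous event
        if event_ts is None:
            continue                       # text before the first timestamped line
        if LOGIN_RE.search(line):
            login_ts = event_ts
            continue
        m = FAIL_RE.search(line)
        if not m or seen_in_event:
            continue                       # count each event once, even if the trace repeats
        seen_in_event = True
        age = event_ts - login_ts if login_ts else None
        if age is None:
            verdict = "no-login-seen"
        elif "Failed to find any Kerberos tgt" in m.group(1) and age >= lifetime - slack:
            verdict = "tgt-expired-not-renewed"
        else:
            verdict = "other-auth-failure"
        findings.append((event_ts, age, verdict))
    return findings

if __name__ == "__main__":
    for ts, age, verdict in triage(SAMPLE_LOG):
        print(ts, age, verdict)
```
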
