Thanks much Bryan and Shawn, we're currently on 1.6.0 with some cherrypicks from 1.8.0 jiras. Will check the archives as mentioned, thanks again.
patw On Wed, Dec 19, 2018 at 4:45 PM Shawn Weeks <[email protected]> wrote: > There is a bug for this but I’m not sure which release fixed it. Something > after 1.5 I think. The patch is in the hortonworks hdf 3.1.2 release. > > If you go search for me in the archives I mentioned it a few months back. > > Thanks > Shawn > > Sent from my iPhone > > > On Dec 19, 2018, at 3:59 PM, Pat White <[email protected]> wrote: > > > > Hi Folks, > > > > Using kerberos auth in Nifi clusters communicating with hdfs and for > hive access, the ticket life is 24 hours. Hdfs works fine, however we're > seeing issues with hive where the tgt doesn't seem to renew, or fetch a new > ticket, as the 24hr limit approaches. Hence, hive access works fine until > the 24hrs expires and then fails to authenticate. For example, a > SelectHiveQL processor using the Hive Database Connection Pooling Service > will work for 24 hours after a cluster restart but then fail with: > > > > org.ietf.jgss.GSSException: No valid credentials provided > > (Mechanism level: Failed to find any Kerberos tgt) > > > > Enabled krb debugging, which shows the ticket is found but no renew, or > new fetch attempt, seems to have been made. Krb docs discuss setting > javax.security.auth.useSubjectCredsOnly=false in order to allow the > underlying mechanism to obtain credentials, however the bootstrap.conf > explicitly sets this to 'true', to inhibit JAAS from using any fallback > methods to authenticate. > > > > Trying an experiment with useSubjectCredsOnly=false but would appreciate > if anyone has some guidance on this, how to get hive's connection pools to > renew tgt or fetch a new ticket ? Thank you. > > > > patw > > > > > > >
