accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-4069) Services failing to renew Kerberos ticket
Date Thu, 03 Dec 2015 14:45:11 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-4069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15037862#comment-15037862
] 

ASF GitHub Bot commented on ACCUMULO-4069:
------------------------------------------

Github user ohshazbot commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/57#discussion_r46558805
  
    --- Diff: server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
---
    @@ -93,4 +95,41 @@ public static String getServerPrincipal(String configuredPrincipal)
{
           throw new RuntimeException("Could not convert configured server principal: " +
configuredPrincipal, e);
         }
       }
    +
    +  /**
    +   * Start a thread that periodically attempts to renew the current Kerberos user's ticket.
    +   *
    +   * @param ugi
    +   *    The current Kerberos user.
    +   * @param renewalPeriod
    +   *    The amount of time between attempting renewals.
    +   */
    +  static void startTicketRenewalThread(final UserGroupInformation ugi, final long renewalPeriod)
{
    +    Thread t = new Daemon(new LoggingRunnable(renewalLog, new Runnable() {
    --- End diff --
    
    Can we prevent this thread from even running if there is no kerberos involved?


> Services failing to renew Kerberos ticket
> -----------------------------------------
>
>                 Key: ACCUMULO-4069
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4069
>             Project: Accumulo
>          Issue Type: Bug
>          Components: gc, master, monitor, tserver
>    Affects Versions: 1.5.4, 1.6.4, 1.7.0
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Blocker
>              Labels: kerberos
>             Fix For: 1.6.5, 1.7.1, 1.8.0
>
>
> Got a report from a user that Accumulo services were dying after a period of time that
was suspiciously similar to the Kerberos ticket lifetime.
> A Kerberos ticket lifetime is the amount of time that the ticket is valid (obtained from
password or keytab). There is also a renewable lifetime associate with each ticket. Within
the renewable lifetime duration, clients can "renew" their ticket for another "ticket lifetime"
duration. For each, a lifetime of one day and a renewable lifetime of seven days: a ticket
is valid for one day, but clients can renew that ticket up to 6 days after the original ticket
expires.
> I do recall seeing a line of code in our services that has a comment saying it should
spawn a thread specifically for this purpose, but I don't ever recall seeing that thread in
thread dumps. My hunch is that the thread just isn't getting launched and we're not doing
renewals



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message