accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-4069) Services failing to renew Kerberos ticket
Date Thu, 03 Dec 2015 16:16:10 GMT


ASF GitHub Bot commented on ACCUMULO-4069:

Github user joshelser commented on a diff in the pull request:
    --- Diff: server/base/src/main/java/org/apache/accumulo/server/security/
    @@ -93,4 +95,41 @@ public static String getServerPrincipal(String configuredPrincipal)
           throw new RuntimeException("Could not convert configured server principal: " +
configuredPrincipal, e);
    +  /**
    +   * Start a thread that periodically attempts to renew the current Kerberos user's ticket.
    +   *
    +   * @param ugi
    +   *    The current Kerberos user.
    +   * @param renewalPeriod
    +   *    The amount of time between attempting renewals.
    +   */
    +  static void startTicketRenewalThread(final UserGroupInformation ugi, final long renewalPeriod)
    +    Thread t = new Daemon(new LoggingRunnable(renewalLog, new Runnable() {
    --- End diff --
    `SecuityUtil#serverLogin(AccumuloConfiguration)` aborts quickly if we're not actually
running with Kerberos. So, no, this thread already won't run if the servers aren't configured
to run with Kerberos.

> Services failing to renew Kerberos ticket
> -----------------------------------------
>                 Key: ACCUMULO-4069
>                 URL:
>             Project: Accumulo
>          Issue Type: Bug
>          Components: gc, master, monitor, tserver
>    Affects Versions: 1.5.4, 1.6.4, 1.7.0
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Blocker
>              Labels: kerberos
>             Fix For: 1.6.5, 1.7.1, 1.8.0
> Got a report from a user that Accumulo services were dying after a period of time that
was suspiciously similar to the Kerberos ticket lifetime.
> A Kerberos ticket lifetime is the amount of time that the ticket is valid (obtained from
password or keytab). There is also a renewable lifetime associate with each ticket. Within
the renewable lifetime duration, clients can "renew" their ticket for another "ticket lifetime"
duration. For each, a lifetime of one day and a renewable lifetime of seven days: a ticket
is valid for one day, but clients can renew that ticket up to 6 days after the original ticket
> I do recall seeing a line of code in our services that has a comment saying it should
spawn a thread specifically for this purpose, but I don't ever recall seeing that thread in
thread dumps. My hunch is that the thread just isn't getting launched and we're not doing

This message was sent by Atlassian JIRA

View raw message