accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-4069) Services failing to renew Kerberos ticket
Date Thu, 03 Dec 2015 16:17:11 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-4069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15038014#comment-15038014
] 

ASF GitHub Bot commented on ACCUMULO-4069:
------------------------------------------

Github user joshelser commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/57#discussion_r46572392
  
    --- Diff: server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
---
    @@ -49,11 +52,10 @@ public static void serverLogin(AccumuloConfiguration acuConf) {
     
         if (login(principalConfig, keyTab)) {
           try {
    -        // This spawns a thread to periodically renew the logged in (accumulo) user
    -        UserGroupInformation.getLoginUser();
    +        startTicketRenewalThread(UserGroupInformation.getCurrentUser(), acuConf.getTimeInMillis(Property.GENERAL_KERBEROS_RENEWAL_PERIOD));
    --- End diff --
    
    > Do we want to start with UserGroupInformation.getCurrentUser
    
    I'm not sure what you mean by "start with". It's just a getter -- there is no renewal
for keytab-based logins.


> Services failing to renew Kerberos ticket
> -----------------------------------------
>
>                 Key: ACCUMULO-4069
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4069
>             Project: Accumulo
>          Issue Type: Bug
>          Components: gc, master, monitor, tserver
>    Affects Versions: 1.5.4, 1.6.4, 1.7.0
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Blocker
>              Labels: kerberos
>             Fix For: 1.6.5, 1.7.1, 1.8.0
>
>
> Got a report from a user that Accumulo services were dying after a period of time that
was suspiciously similar to the Kerberos ticket lifetime.
> A Kerberos ticket lifetime is the amount of time that the ticket is valid (obtained from
password or keytab). There is also a renewable lifetime associate with each ticket. Within
the renewable lifetime duration, clients can "renew" their ticket for another "ticket lifetime"
duration. For each, a lifetime of one day and a renewable lifetime of seven days: a ticket
is valid for one day, but clients can renew that ticket up to 6 days after the original ticket
expires.
> I do recall seeing a line of code in our services that has a comment saying it should
spawn a thread specifically for this purpose, but I don't ever recall seeing that thread in
thread dumps. My hunch is that the thread just isn't getting launched and we're not doing
renewals



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message