Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 51482200CB5 for ; Wed, 12 Jul 2017 21:43:50 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 4FB80169B91; Wed, 12 Jul 2017 19:43:50 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 71235169B8D for ; Wed, 12 Jul 2017 21:43:49 +0200 (CEST) Received: (qmail 778 invoked by uid 500); 12 Jul 2017 19:43:48 -0000 Mailing-List: contact user-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@accumulo.apache.org Delivered-To: mailing list user@accumulo.apache.org Received: (qmail 768 invoked by uid 99); 12 Jul 2017 19:43:48 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 12 Jul 2017 19:43:48 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 2C6F8195B55 for ; Wed, 12 Jul 2017 19:43:48 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -2.397 X-Spam-Level: X-Spam-Status: No, score=-2.397 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd3-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=cloudera.com Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id QFsfa-xqqjoL for ; Wed, 12 Jul 2017 19:43:46 +0000 (UTC) Received: from mail-qk0-f175.google.com (mail-qk0-f175.google.com [209.85.220.175]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id BDA7E62770 for ; Wed, 12 Jul 2017 19:37:41 +0000 (UTC) Received: by mail-qk0-f175.google.com with SMTP id 16so33487165qkg.2 for ; Wed, 12 Jul 2017 12:37:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudera.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=9aZ45460Xc54pZKrxNmJrNB+v5XJ3zeurKOfhG87fJU=; b=fM3kxwADugkZrilwRzRmXg4pkGIGQj8tq3a4/8eOST1wSkguWuybB9ucu8aO1G3yKy sEakd9Bhrv6OAVkHWfFMCIi9YsZDzSeICZPxv4ciAwZuSDt4h9tElWbAUOgmXDlFofUP Oz1TohrTFhmVLwjN3mTRt4nry6wBB3forBPdQY0cvvEaqKqmeg8Z0yWha5flaBKx3gmm zeUWYGM7g/qFYt8XqUBfQz8ELHMIq3sQLu7+HcTHP2GyTTcr6W9os6wH3DXXH/8WnVM1 2jZnXmIw+PbDYiml1Kj62CWImUEQ33JMnkgcwrVhOAuwWIrEy0TmoCCOCOQHxy7/Yq3F ROFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=9aZ45460Xc54pZKrxNmJrNB+v5XJ3zeurKOfhG87fJU=; b=dmWrXR9igEaBKw4qyDrz+aPsITaTuFS6FSoMDIgzVXiCXPSSSkwVxQqueu7AFiFMdg V2m77R4T9v8LCv0vB9yzjaE+ISvqYb9Iv1+8Mi9yEmA78Qs/tSjZw7YLYD3wuDMniIA/ MJVSimUu2aa2vdzO3IR6NZ1Vmw2sf+wGLMon2HaWq0OcjGWV4M19C2+T3jN6Q+cBV+eH NNvN2jJ1phPvZXI63/846rWDlV/L1cJvlIlvPF+k8g+vInyljQxkWEYG35B/MN1p4NYA dQqMvWVkA2yoSMIxkJC3Vmg4vDn+z485tC430MFWSYeaUd2bfnW0+3+Ltf7sWfL60DaM Y3oA== X-Gm-Message-State: AIVw112Q0HjLPVU7Q0AwesGRR745Lzy6DObhnY3wdH1JX/6MCJUsH4Ea EdZ6Uc2BOsnD5QoKVt+TZNTtZU8iNcRUOSo= X-Received: by 10.55.133.69 with SMTP id h66mr223312qkd.153.1499888261078; Wed, 12 Jul 2017 12:37:41 -0700 (PDT) MIME-Version: 1.0 Received: by 10.237.36.210 with HTTP; Wed, 12 Jul 2017 12:37:20 -0700 (PDT) In-Reply-To: References: <24f525a3-24db-e5f2-6ca0-22e53feb1da9@gmail.com> From: Sean Busbey Date: Wed, 12 Jul 2017 14:37:20 -0500 Message-ID: Subject: Re: Kerberos ticket renewal To: Accumulo User List Content-Type: text/plain; charset="UTF-8" archived-at: Wed, 12 Jul 2017 19:43:50 -0000 Hi James! It sounds like you may need to chase things down with your vendor, since the precise combination of patches included will make looking at things hard for the community. On Wed, Jul 12, 2017 at 11:01 AM, James Srinivasan wrote: > Hi, > > So I've fired off a thread to perform the periodic > checkTGTAndReloginFromKeytab call which seems to be running, but the > connection still fails with GSS errors after precisely 10 hours. > > While I am running 1.7.0, it seems the vendor included the > ACCUMULO-4069 patch, and immediately after the exception is thrown I > see a log entry "Performing ticket-cache-based Kerberos re-login". > However, it should be using a keytab - have turned up the logging to > 11 and will leave running overnight... > > James > > On 11 July 2017 at 16:17, Josh Elser wrote: >> Nope, you've got it exactly right! That's the code I would've pointed you at >> to copy :) >> >> If/when you do get to long-running MR jobs, see the >> "general.delegation.token.*" configuration properties in this table[1]. I >> think the docs are citing that one delegation token is valid for 7 days, but >> it's been a long time since writing/testing that code. >> >> - Josh >> >> [1] >> https://accumulo.apache.org/1.8/accumulo_user_manual.html#_server_configuration_2 >> >> On 7/11/17 1:25 AM, James Srinivasan wrote: >>> >>> Thanks both. I can't (easily) upgrade beyond 1.7.0, but have raised a >>> support case with our Hadoop distribution vendor. >>> >>> I'm not (yet) worried about expiration with MapReduce - for now I'll >>> try to keep such jobs to under 24h! Outside MR, sounds like I just >>> need to periodically call >>> UserGroupInformation.checkTGTAndReloginFromKeytab like >>> >>> >>> https://github.com/apache/accumulo/blob/master/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java#L121 >>> >>> Or is the TGT associated with an Accumulo KerberosToken separate? >>> >>> Thanks, >>> >>> James >>> >>> On 11 July 2017 at 02:59, Josh Elser wrote: >>>> >>>> No, you are (likely) not running into ACCUMULO-4069. What you've >>>> described sounds like your client's ticket expired. Accumulo does not >>>> spawn any ticket renewal on the behalf of clients. >>>> >>>> Hadoop's UGI code will automatically spawn a renewal thread when you >>>> log in using a ticket cache. This does not happen automatically when >>>> you use a keytab (I have no explanation as to why this is). This is >>>> the most likely cause of your error and something you need to correct >>>> in your application (spawn a thread to renew your application's >>>> ticket). >>>> >>>> If you are using MapReduce, you have yet another layer of indirection >>>> with DelegationTokens, but that's probably not what you're seeing (as >>>> DelegationTokens don't actually have a Kerberos TGT). >>>> >>>> On Mon, Jul 10, 2017 at 5:42 PM, Christopher wrote: >>>>> >>>>> It certainly sounds like the same issue. I'd recommend upgrading to the >>>>> latest 1.7.3 (currently the latest 1.7 version) to include all the bugs >>>>> we've found and fixed in that release line. >>>>> >>>>> On Mon, Jul 10, 2017 at 5:50 AM James Srinivasan >>>>> wrote: >>>>>> >>>>>> >>>>>> I'm using Accumulo 1.7.0 and finding that after some period of time >>>>>> (>8 hours, <3 days - happened over the weekend) my ingest fails with >>>>>> errors regarding "Failed to find any Kerberos tgt". My guess is that >>>>>> the ticket from the keytab has expired, and needs to be renewed - from >>>>>> memory, I had seen a Kerberos tgt renewer thread running in my client, >>>>>> so assumed it happened automagically. Is that the case? Perhaps I am >>>>>> hitting this bug? https://issues.apache.org/jira/browse/ACCUMULO-4069 >>>>>> >>>>>> Thanks, >>>>>> >>>>>> James -- busbey