ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan Hurley (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-15324) Kerberos Tickets Expire Too Frequently For Alerts
Date Tue, 08 Mar 2016 20:00:42 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-15324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jonathan Hurley updated AMBARI-15324:
-------------------------------------
    Attachment: AMBARI-15324.patch

> Kerberos Tickets Expire Too Frequently For Alerts
> -------------------------------------------------
>
>                 Key: AMBARI-15324
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15324
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-agent
>    Affects Versions: 2.1.0
>            Reporter: Jonathan Hurley
>            Assignee: Jonathan Hurley
>            Priority: Critical
>             Fix For: 2.2.2
>
>         Attachments: AMBARI-15324.patch
>
>
> When a cluster has been Kerberized, alerts use the {{curl_krb_request}} module in order
to make requests using SPNEGO negotiation.
> Normally this would involve calling {{kinit}} and then invoking the {{curl}} command
to use the acquired ticket. However, because alerts run often on fixed intervals, this would
mean that the KDC would be flooded with requests every minute.
> To alleviate this problem, {{curl_krb_request}} uses {{klist}} to inspect the {{KRB5CCNAME}}
cache. Only if an invalid ticket is found is {{kinit}} invoked. Additionally, {{kinit}} is
invoked with a fixed ticket lifetime of 5 minutes. Since many alerts run on 5-minute intervals,
this causes boundary issues.
> To workaround these problems while continuing to leverage the cache, {{curl_krb_request}}
should be changed to:
> - Use the default ticket expiry configured for Kerberos in {{krb5.conf}}
> - Employ in-memory tracking of the last time {{kinit}} was called so that it can be invoked
before hitting the boundary of the ticket's expiration time



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message