falcon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Venkat Ranganathan (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (FALCON-2025) Periodic revalidation of kerberos credentials should be done on loginUser
Date Tue, 14 Jun 2016 00:53:57 GMT

     [ https://issues.apache.org/jira/browse/FALCON-2025?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Venkat Ranganathan updated FALCON-2025:
---------------------------------------
    Description: 
For some users, Falcon server fails to perform any operations on workflow engine after the
kerberos credentials expire. Falcon server revalidates the credentials from keytab on access
saying ugi.checkTGTAndReloginFromKeytab(), but this operation will not work when ugi belongs
to proxy user. The relogin should be done on UserGroupInformation.getLoginUser() for the falcon
credentials to be renewed. 

Also, there is a periodic relogin thread which just needed to call the checkTGTAndRelogin
alone instead of trampling Subject.

The error looks as follows.
{code}
falcon instance -list -type process -name procName 
log4j:WARN No appenders could be found for logger (org.apache.hadoop.security.authentication.client.KerberosAuthenticator).

log4j:WARN Please initialize the log4j system properly. 
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info. 
ERROR: Bad Request;default/org.apache.falcon.FalconWebException::org.apache.falcon.FalconException:
java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)]; Host Details : local host is: "machine.test.group/<IP
Addr>"; destination host is: "machine.test.group":8020; 
{code} 

  was:
For some users, Falcon server fails to perform any operations on workflow engine after the
kerberos credentials expire. Falcon server periodically revalidates the credentials from keytab
saying ugi.checkTGTAndReloginFromKeytab(), but this operation will not work when ugi belongs
to proxy user. The relogin should be done on UserGroupInformation.getLoginUser() for the falcon
credentials to be renewed. 

The error looks as follows.
{code}
falcon instance -list -type process -name procName 
log4j:WARN No appenders could be found for logger (org.apache.hadoop.security.authentication.client.KerberosAuthenticator).

log4j:WARN Please initialize the log4j system properly. 
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info. 
ERROR: Bad Request;default/org.apache.falcon.FalconWebException::org.apache.falcon.FalconException:
java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)]; Host Details : local host is: "machine.test.group/<IP
Addr>"; destination host is: "machine.test.group":8020; 
{code} 


> Periodic revalidation of kerberos credentials should be done on loginUser
> -------------------------------------------------------------------------
>
>                 Key: FALCON-2025
>                 URL: https://issues.apache.org/jira/browse/FALCON-2025
>             Project: Falcon
>          Issue Type: Bug
>            Reporter: Balu Vellanki
>            Assignee: Balu Vellanki
>             Fix For: trunk, 0.10
>
>
> For some users, Falcon server fails to perform any operations on workflow engine after
the kerberos credentials expire. Falcon server revalidates the credentials from keytab on
access saying ugi.checkTGTAndReloginFromKeytab(), but this operation will not work when ugi
belongs to proxy user. The relogin should be done on UserGroupInformation.getLoginUser() for
the falcon credentials to be renewed. 
> Also, there is a periodic relogin thread which just needed to call the checkTGTAndRelogin
alone instead of trampling Subject.
> The error looks as follows.
> {code}
> falcon instance -list -type process -name procName 
> log4j:WARN No appenders could be found for logger (org.apache.hadoop.security.authentication.client.KerberosAuthenticator).

> log4j:WARN Please initialize the log4j system properly. 
> log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info. 
> ERROR: Bad Request;default/org.apache.falcon.FalconWebException::org.apache.falcon.FalconException:
java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)]; Host Details : local host is: "machine.test.group/<IP
Addr>"; destination host is: "machine.test.group":8020; 
> {code} 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message