hadoop-common-issues mailing list archives

From "Yu Gao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9969) TGT expiration doesn't trigger Kerberos relogin
Date Tue, 17 Sep 2013 00:30:51 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13769020#comment-13769020 ]

Yu Gao commented on HADOOP-9969:
--------------------------------

When TGT expired, client trying to access NameNode got this error:
WARN org.apache.hadoop.ipc.Client: Exception encountered while connecting to the server :
javax.security.sasl.SaslException: Failure to initialize security context [Caused by org.ietf.jgss.GSSException,
major code: 8, minor code: 0
	major string: Credential expired
	minor string: Kerberos credential has expired]

And method org.apache.hadoop.ipc.Client.Connection.shouldAuthenticateOverKrb() returned false
since the authMethod got from sasl client was SIMPLE, so relogin never happened.
                
> TGT expiration doesn't trigger Kerberos relogin
> -----------------------------------------------
>
>                 Key: HADOOP-9969
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9969
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: ipc, security
>    Affects Versions: 2.1.0-beta
>            Reporter: Yu Gao
>
> In HADOOP 9698 & HADOOP 9850, RPC client and Sasl client have been changed to respect
> the auth method advertised from server, instead of blindly attempting the configured one at
> client side. However, when TGT has expired, an exception will be thrown from
> SaslRpcClient#createSaslClient(SaslAuth authType), and at this time the authMethod still
> holds the initial value which is SIMPLE and never has a chance to be updated with the
> expected one requested by server, so kerberos relogin will not happen.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
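
The ordering problem reported above, as an added example that is not part of the original message and is not Hadoop source code: a small model in which the relogin decision reads authMethod after createSaslClient has already thrown. Only createSaslClient, shouldAuthenticateOverKrb and authMethod are names taken from the message; the classes, the other fields and the recordBeforeCreate switch (one possible reordering, not the project's fix) are assumptions.

```java
// Simplified model of the failure described above, not Hadoop source. Names other than
// createSaslClient, shouldAuthenticateOverKrb and authMethod are hypothetical.
import java.io.IOException;

public class ReloginModel {
    enum AuthMethod { SIMPLE, KERBEROS }

    static class ModelConnection {
        AuthMethod authMethod = AuthMethod.SIMPLE; // initial value, per the report
        final boolean tgtExpired;
        final boolean recordBeforeCreate;          // false = ordering in the report
        boolean reloginAttempted = false;

        ModelConnection(boolean tgtExpired, boolean recordBeforeCreate) {
            this.tgtExpired = tgtExpired;
            this.recordBeforeCreate = recordBeforeCreate;
        }

        // Stand-in for SaslRpcClient#createSaslClient: throws on an expired TGT.
        void createSaslClient(AuthMethod advertised) throws IOException {
            if (advertised == AuthMethod.KERBEROS && tgtExpired) {
                throw new IOException("Kerberos credential has expired");
            }
        }

        boolean shouldAuthenticateOverKrb() { return authMethod == AuthMethod.KERBEROS; }

        void connect(AuthMethod advertisedByServer) {
            try {
                if (recordBeforeCreate) authMethod = advertisedByServer;
                createSaslClient(advertisedByServer);
                authMethod = advertisedByServer; // skipped when the call above throws
            } catch (IOException e) {
                // Relogin is gated on the method the client believes is in use.
                reloginAttempted = shouldAuthenticateOverKrb();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: the server advertises KERBEROS and the TGT has expired.
        for (boolean early : new boolean[] { false, true }) {
            ModelConnection c = new ModelConnection(true, early);
            c.connect(AuthMethod.KERBEROS);
            System.out.printf("recordBeforeCreate=%b authMethod=%s relogin=%b%n",
                    early, c.authMethod, c.reloginAttempted);
        }
    }
}
```

With the reported ordering the model leaves authMethod at SIMPLE and never attempts relogin; recording the advertised method before creating the SASL client lets the error path see KERBEROS.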
