hadoop-common-issues mailing list archives

From "Yu Gao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9969) TGT expiration doesn't trigger Kerberos relogin
Date Fri, 25 Sep 2015 01:53:04 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14907372#comment-14907372 ]

Yu Gao commented on HADOOP-9969:
--------------------------------

This is because the IBM JDK behaves differently when initializing SaslClient in Sasl.createSaslClient,
which requires valid Kerberos credentials in place, even before the server and client start
the negotiation, while the Oracle JDK seems not to check credentials until evaluateChallenge is
called.

> TGT expiration doesn't trigger Kerberos relogin
> -----------------------------------------------
>
>                 Key: HADOOP-9969
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9969
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: ipc, security
>    Affects Versions: 2.1.0-beta
>            Reporter: Yu Gao
>         Attachments: HADOOP-9969.patch, JobTracker.log
>
>
> In HADOOP-9698 & HADOOP-9850, RPC client and Sasl client have been changed to respect
> the auth method advertised from server, instead of blindly attempting the configured one at
> client side. However, when TGT has expired, an exception will be thrown from
> SaslRpcClient#createSaslClient(SaslAuth authType), and at this time the authMethod still holds
> the initial value which is SIMPLE and never has a chance to be updated with the expected one
> requested by server, so kerberos relogin will not happen.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
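
The ordering problem described in the report and the comment, as an added example (a toy model, not Hadoop's code and not the attached patch). All class, field and method names are hypothetical; `eagerCheck` stands for a credential check at SASL client creation, and `recordBeforeCreate` is an assumed reordering shown only for comparison.

```java
import javax.security.sasl.SaslException;
// Toy model of the ordering in the report; all names are hypothetical, not Hadoop's code.
public class ReloginOrderingDemo {
    enum AuthMethod { SIMPLE, KERBEROS }
    static class Client {
        final boolean eagerCheck;         // credentials checked when the SASL client is created
        final boolean recordBeforeCreate; // assumed reordering, not the attached patch
        AuthMethod authMethod = AuthMethod.SIMPLE; // initial value before negotiation
        boolean tgtValid = false;         // constructed state: the TGT has expired
        boolean reloginAttempted = false;
        Client(boolean e, boolean r) { eagerCheck = e; recordBeforeCreate = r; }

        void negotiate(AuthMethod advertised) throws SaslException {
            if (recordBeforeCreate) authMethod = advertised;
            if (eagerCheck && !tgtValid)  // stands in for SASL client creation
                throw new SaslException("no valid credentials at client creation");
            authMethod = advertised;      // only reached if creation succeeded
            if (!tgtValid)                // stands in for evaluateChallenge
                throw new SaslException("no valid credentials at first challenge");
        }

        boolean connect(AuthMethod advertised) {
            try {
                negotiate(advertised);
                return true;
            } catch (SaslException first) {
                if (authMethod != AuthMethod.KERBEROS) return false; // relogin skipped
                reloginAttempted = true;
                tgtValid = true;          // model a successful relogin
                try { negotiate(advertised); return true; }
                catch (SaslException second) { return false; }
            }
        }
    }

    static String run(String label, boolean eager, boolean recordFirst) {
        Client c = new Client(eager, recordFirst);
        boolean ok = c.connect(AuthMethod.KERBEROS);
        return label + ": relogin=" + c.reloginAttempted + " connected=" + ok;
    }

    public static void main(String[] args) {
        System.out.println(run("eager check, method recorded after creation", true, false));
        System.out.println(run("lazy check, method recorded after creation", false, false));
        System.out.println(run("eager check, method recorded before creation", true, true));
    }
}
```

Only the first case leaves the client stuck: the exception arrives while `authMethod` is still `SIMPLE`, so the relogin branch is never taken.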
