hadoop-common-issues mailing list archives

From "Zhe Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-12559) KMS connection failures should trigger TGT renewal
Date Tue, 22 Dec 2015 23:46:46 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Zhe Zhang updated HADOOP-12559:
    Attachment: HADOOP-12559.05.patch

Thanks for the helpful discussion Xiaoyu. I don't think it's easy to bypass the KDC limitation
and efficiently emulate a short TGT lifetime. Following the suggestion I have removed the
unit test in the v05 patch. It's a good catch that we should use {{actualUgi}} when renewing the TGT.

I've verified with the following test code (in the context of {{TestKMS}}):
  public void testTGTRenewal() throws Exception {
    // Shorten the ticket lifetime so the TGT can expire during the test
    // (MiniKdc.MAX_TICKET_LIFETIME is in milliseconds); this kdcConf has to be
    // handed to the MiniKdc that TestKMS starts for the test.
    Properties kdcConf = MiniKdc.createConf();
    kdcConf.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "360000");

    // Client-side security configuration; without setConfiguration() this
    // first conf would be discarded by the reassignment below.
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);

    // Server-side KMS configuration, written to the test directory.
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir);
    conf.set("hadoop.kms.authentication.type", "kerberos");
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");

    final String keyA = "key_a";
    final String keyD = "key_d";
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyA + ".ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyD + ".ALL", "*");

    writeConf(testDir, conf);

    runServer(null, null, testDir, new KMSCallable<Void>() {
      @Override
      public Void call() throws Exception {
        final Configuration conf = new Configuration();
        conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
        final URI uri = createKMSUri(getKMSUrl());
        // keytab and loginUserFromKeytab are the TestKMS helpers for the MiniKdc principals
        loginUserFromKeytab("client", keytab.getAbsolutePath());
        try {
          KeyProvider kp = createProvider(uri, conf);
        } catch (Exception ex) {
          String errMsg = ex.getMessage();
          if (errMsg != null && errMsg.contains("Failed to find any Kerberos tgt")) {
            Assert.fail("TGT expired");
          }
          throw ex;  // any other failure must not be silently swallowed
        }
        return null;
      }
    });
  }

The test passes with the patch, but fails without it, with the same complaint that Harsh commented on:
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No
valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

> KMS connection failures should trigger TGT renewal
> --------------------------------------------------
>                 Key: HADOOP-12559
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12559
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.1
>            Reporter: Zhe Zhang
>            Assignee: Zhe Zhang
>         Attachments: HADOOP-12559.00.patch, HADOOP-12559.01.patch, HADOOP-12559.02.patch, HADOOP-12559.03.patch, HADOOP-12559.04.patch, HADOOP-12559.05.patch
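The behaviour the issue asks for, as an added illustration that is not the HADOOP-12559 patch nor code from the Hadoop code base: detect the "Failed to find any Kerberos tgt" failure reported above, renew the keytab login on the actual (non-proxy) UGI, and retry the KMS call exactly once. It assumes a caller-supplied `Callable` wrapping the KMS request; the UGI methods used (`getCurrentUser`, `getRealUser`, `getAuthenticationMethod`, `checkTGTAndReloginFromKeytab`) are public Hadoop APIs.

```java
import java.io.IOException;
import java.util.concurrent.Callable;

import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

/** Added illustration (not the HADOOP-12559 patch): one retry after TGT re-login. */
public final class TgtAwareKmsCall {

  /** True if the failure, or any cause in its chain, is the expired-TGT GSSException. */
  static boolean isMissingTgt(Throwable t) {
    for (Throwable c = t; c != null; c = c.getCause()) {
      String msg = c.getMessage();
      if (msg != null && msg.contains("Failed to find any Kerberos tgt")) {
        return true;
      }
    }
    return false;
  }

  /**
   * The UGI whose keytab login must be renewed. When the current user is a
   * proxy user, the Kerberos credentials belong to its real user, so renewing
   * on the proxy UGI would do nothing (the "use actualUgi" point above).
   */
  static UserGroupInformation actualUgi() throws IOException {
    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    if (ugi.getAuthenticationMethod() == AuthenticationMethod.PROXY
        && ugi.getRealUser() != null) {
      return ugi.getRealUser();
    }
    return ugi;
  }

  /** Runs kmsCall; on a missing-TGT failure renews the login and retries once. */
  static <T> T callWithTgtRenewal(Callable<T> kmsCall) throws Exception {
    try {
      return kmsCall.call();
    } catch (Exception first) {
      if (!isMissingTgt(first)) {
        throw first;  // unrelated failure: do not mask it behind a retry
      }
      // No-op unless the UGI was logged in from a keytab and the TGT is stale.
      actualUgi().checkTGTAndReloginFromKeytab();
      return kmsCall.call();  // a second failure propagates to the caller
    }
  }
}
```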

This message was sent by Atlassian JIRA
