hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4548) Webhdfs doesn't renegotiate SPNEGO token
Date Tue, 02 Apr 2013 19:27:17 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13620161#comment-13620161

Daryn Sharp commented on HDFS-4548:

That's not how it works, so I believe hadoop-auth may be working only because something else
is quietly doing the relogin...

The renewTGT option is only applicable when using a ticket cache.  It will fail if the ticket
cache option is not enabled.  The option causes a TGT obtained from the ticket cache during
login to be renewed before its stuffed into the Subject.  Afterwards, there is no automatic
background renewal triggered by this option.  You have to relogin via a LoginContext to allow
the kerberos login module to do the renewal.

The UGI has relogin logic for both ticket cache and keytab.  Relogin from the ticket cache
triggers the renewTGT upon re-login.  Relogin from the keytab gets a new TGT.  The latter
is critical for daemons.  RPC automatically issues a relogin for connection errors, so webhdfs
just like hftp, must do the relogin themselves.

I haven't changed the behavior of webhdfs, but rather moved relogin to a common place.  The
goal here is minimal change to make webhdfs usable beyond 10h.  The proposed changes appear
predicated on a misunderstanding, so are you ok with this patch?

(Aside: I already plan to streamline all the relogin methods into a single relogin as part
of my stalled, but soon to be resumed, SASL work)
> Webhdfs doesn't renegotiate SPNEGO token
> ----------------------------------------
>                 Key: HDFS-4548
>                 URL: https://issues.apache.org/jira/browse/HDFS-4548
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>    Affects Versions: 2.0.0-alpha, 3.0.0, 0.23.7
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch,
HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch, HDFS-4548.patch, HDFS-4548.patch, HDFS-4548.patch,
HDFS-4548.patch, HDFS-4548.patch
> When the webhdfs SPNEGO token expires, the fs doesn't attempt to renegotiate a new SPNEGO
token.  This renders webhdfs unusable for daemons that are logged in via a keytab which would
allow a new SPNEGO token to be generated.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message