hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4548) Webhdfs doesn't renegotiate SPNEGO token
Date Tue, 02 Apr 2013 22:53:16 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13620383#comment-13620383

Daryn Sharp commented on HDFS-4548:

bq. then the JDK does the renewal for you. that is how hadoop-auth works on the server side.
Hmm, your experience with hadoop-auth and the JDK automatically renewing TGTs made me doubt
myself.  I looked at the source for {{Krb5LoginModule}} and the {{renewTGT}} option is only
used inside a conditional for the ticket cache.  If enabled, and a TGT is in the ticket cache,
it will issue a _one time_ renewal.  If it's from a keytab, no renewal is performed.  Do you
know where it's scheduling future renewals?

bq. Back to UGI, UGI has a thread that triggers the relogin, why do we need to call it explicitly?

The UGI renewal thread is only spawned for ticket cache logins, not keytab logins.  That's
why hftp, webhdfs, and RPC have to check if a keytab user needs to be re-logged in.  It's
less than ideal, and I'd like to make it better, but it's a tangent to this blocker...
> Webhdfs doesn't renegotiate SPNEGO token
> ----------------------------------------
>                 Key: HDFS-4548
>                 URL: https://issues.apache.org/jira/browse/HDFS-4548
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>    Affects Versions: 2.0.0-alpha, 3.0.0, 0.23.7
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch,
HDFS-4548.branch-23.patch, HDFS-4548.branch-23.patch, HDFS-4548.patch, HDFS-4548.patch, HDFS-4548.patch,
HDFS-4548.patch, HDFS-4548.patch
> When the webhdfs SPNEGO token expires, the fs doesn't attempt to renegotiate a new SPNEGO
token.  This renders webhdfs unusable for daemons that are logged in via a keytab which would
allow a new SPNEGO token to be generated.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message