ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Abhay Kulkarni <akulka...@hortonworks.com>
Subject Review Request 63738: TagSync should reuse kerberos ticket in REST calls to Ranger Admin
Date Fri, 10 Nov 2017 18:49:06 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63738/
-----------------------------------------------------------

Review request for ranger, Madhan Neethiraj and Ramesh Mani.


Bugs: RANGER-1883
    https://issues.apache.org/jira/browse/RANGER-1883


Repository: ranger


Description
-------

TagSync sends tags to Ranger Admin via REST API. In a kerberized environment, tagsync obtains
a kerberos ticket for each REST API call. This can cause excessive (and unnecessary) calls
to KDC. This can be avoided by reusing the ticket obtained and renewing the ticket when necessary.


Diffs
-----

  tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java b1225c2



Diff: https://reviews.apache.org/r/63738/diff/1/


Testing
-------

Tested in local, secure VM. With this patch, there are a lot fewer requests to get TGTs, indicated
by the following log in /var/log/krb5kdc.log file.

localhost.localdomain krb5kdc1637: AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime
1510254596, etypes {rep=18 tkt=18 ses=18}, rangertagsync/localhost.localdomain@EXAMPLE.COM
for krbtgt/EXAMPLE.COM@EXAMPLE.COM


Thanks,

Abhay Kulkarni


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message