GitHub user prabhjyotsingh reopened a pull request:
https://github.com/apache/zeppelin/pull/2407
[ZEPPELIN-1907] Shell Interpreter does not renew ticket on secure cluster
### What is this PR for?
Kerberos ticket and renew lifetime are set to 1 hour. On accessing secure
Hadoop from shell interpreter, it does kinit and returns result successfully
but after 1 hour, the ticket gets expired and Hadoop list fails with below
exception.
```
%sh
hadoop fs -ls /
17/01/05 09:29:45 WARN ipc.Client: Exception encountered while connecting
to the server :
javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)]
at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
at
org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
at
org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:595)
at org.apache.hadoop.ipc.Client$Connection.access$2000(Client.java:397)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:762)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:758)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
at
org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:757)
at org.apache.hadoop.ipc.Client$Connection.access$3200(Client.java:397)
at org.apache.hadoop.ipc.Client.getConnection(Client.java:1618)
at org.apache.hadoop.ipc.Client.call(Client.java:1449)
at org.apache.hadoop.ipc.Client.call(Client.java:1396)
at
org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:233)
at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source)
ls: Failed on local exception: java.io.IOException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos
tgt)]; Host Details : local host is: "zeppelin1.hwxblr.com/10.0.1.57";
destination host is: "zeppelin1.hwxblr.com":8020;
ExitValue: 1
```
### What type of PR is it?
[Bug Fix]
### What is the Jira issue?
* [ZEPPELIN-1907](https://issues.apache.org/jira/browse/ZEPPELIN-1907)
### How should this be tested?
On a Kerberos enabled cluster, run this paragraph
```
%sh
hdfs dfs -ls /user/zeppelin/
```
Wait for key-tab to expire (or run `kdestroy`), and re-run the same
paragraph.
### Screenshots (if appropriate)
Before:
<img width="1438" alt="screen shot 2017-06-13 at 3 44 30 pm"
src="https://user-images.githubusercontent.com/674497/27078184-511ed810-5050-11e7-8afa-90247f33047a.png";>
After:
<img width="1438" alt="screen shot 2017-06-13 at 3 44 04 pm"
src="https://user-images.githubusercontent.com/674497/27078183-5109d690-5050-11e7-82e4-d79a5e98295f.png";>
### Questions:
* Does the licenses files need update?
* Is there breaking changes for older versions?
* Does this needs documentation?
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/prabhjyotsingh/zeppelin ZEPPELIN-1907
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/2407.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2407
----
commit ab823d3ee9373c38f5f083d3471adf351c9177a2
Author: Prabhjyot Singh <[email protected]>
Date: 2017-06-13T10:18:44Z
relogin using keytab, and append message for the same
commit 7c539ef2eb943b30befc97bd5a15120e8d9ee42e
Author: Prabhjyot Singh <[email protected]>
Date: 2017-06-13T14:11:11Z
add null check
commit ee741e483aaaa5b94104baa530dcdc8933d6d8ae
Author: Prabhjyot Singh <[email protected]>
Date: 2017-06-14T11:26:19Z
@zjffdu review comments
commit 856c8716eccf81a5dc3d1eee94cba8a9a498c1e9
Author: Prabhjyot Singh <[email protected]>
Date: 2017-06-15T13:18:13Z
renew token periodically
commit df6645a64b571766876c4bba8724180ccef33968
Author: Prabhjyot Singh <[email protected]>
Date: 2017-06-16T03:20:28Z
add KerberosInterpreter and move kinit loginc there.
commit 72b32ae25fcb2d66675c3ffd7cfe1dcf2ca888cc
Author: Prabhjyot Singh <[email protected]>
Date: 2017-06-16T04:01:51Z
add java doc
commit 96bfdfe97d7a08104f5856e29dad77a073a0dff5
Author: Prabhjyot Singh <[email protected]>
Date: 2017-06-16T07:34:11Z
log more error
commit 289b7d34608ec50654f9a33dfae32be9bdaacbeb
Author: Prabhjyot Singh <[email protected]>
Date: 2017-06-16T07:40:11Z
reset kinitFailCount on successful renew.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
![https://user-images.githubusercontent.com/674497/27078184-511ed810-5050-11e7-8afa-90247f33047a.png"](https://user-images.githubusercontent.com/674497/27078184-511ed810-5050-11e7-8afa-90247f33047a.png"){kind=link}
![https://user-images.githubusercontent.com/674497/27078183-5109d690-5050-11e7-82e4-d79a5e98295f.png"](https://user-images.githubusercontent.com/674497/27078183-5109d690-5050-11e7-82e4-d79a5e98295f.png"){kind=link}