[ https://issues.apache.org/jira/browse/HDFS-17740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Calvin Kirs resolved HDFS-17740.
--------------------------------
Resolution: Not A Problem
> The Kerberos authentication using ticket.cache.path does not automatically
> reload a new ticket after the existing ticket expires.
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: HDFS-17740
> URL: https://issues.apache.org/jira/browse/HDFS-17740
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: hdfs-client, libhdfs
> Reporter: Calvin Kirs
> Priority: Major
>
> When using the hadoop.security.kerberos.ticket.cache.path configuration for
> Kerberos authentication, the Hadoop client is able to authenticate
> successfully when a valid ticket is available at the specified cache path.
> However, after the ticket expires, the client fails to automatically reload a
> new ticket from the cache path, even though the ticket has been renewed by an
> external process (e.g., a cron job that periodically runs kinit). This
> results in authentication errors when performing operations on Hadoop, such
> as querying HDFS.
>
>
> {code:java}
> Configuration conf = getConf(ticketPath);
> UserGroupInformation.setConfiguration(conf);
> // The UGI is built from the ticket cache once, before the loop starts.
> UserGroupInformation ugi = UserGroupInformation.getUGIFromTicketCache(ticketPath, null);
> while (true) {
>     Thread.sleep(60000);
>     // Every 60 seconds, list the HDFS root as that user.
>     ugi.doAs((PrivilegedAction<Object>) () -> {
>         FileSystem fs = null;
>         try {
>             fs = FileSystem.get(conf);
>         } catch (IOException e) {
>             throw new RuntimeException(e);
>         }
>         FileStatus[] ss = null;
>         try {
>             ss = fs.listStatus(new Path("hdfs://hdfs-cluster/"));
>         } catch (IOException e) {
>             throw new RuntimeException(e);
>         }
>         return null;
>     });
> }
> {code}
>
> *Expected Behavior:*
> The Hadoop client should automatically detect the expiration of the Kerberos
> ticket and reload a new ticket from the specified ticket.cache.path, ensuring
> seamless authentication after the ticket expires, without requiring manual
> intervention.