
Hadoop Java and infinite Kerberos TGT TGS


When a client application connects to a Hadoop service, the client asks the KDC each time it makes a request to the acceptor service, e.g. hdfs dfs -ls /tmp.

Also, a Hadoop service asks for another Hadoop service (usually the HTTP SPN); I don't know why, but I guess it is some status request-response, e.g. hdfs/host1@REALM for HTTP/host2@REALM.

If I do thousands of requests, my KDC server goes mad from the number of requests.

I attempted to create a simple Java client and server application, and during stress testing I got the same KDC DDoS.


I checked the Kerberos (GSS) mechanism in other servers and applications, for example the PostgreSQL server with the psql client, and the Apache web server with curl. Both of them are written in C++, so I cannot configure a JAAS config. Also, I have to execute kinit every 24 hours for the psql application when I get the "Ticket expired" error. Those applications create a ticket cache (klist) and re-use it for each request.


I thought Java did not support Kerberos, and I was stuck until I found the official Oracle article https://docs.oracle.com/en/java/javase/11/security/accessing-native-gss-api.html

I did kinit for both app sessions and defined KRB5_KTNAME for the keytab, then I executed with the jgss.native argument. It was a wonder: I got only one TGT and TGS for my Java server in the KDC logs.

Thousands of additional requests with no KDC activity.

I tried many different Java applications, so it's the only solution for initiator and acceptor mode.


How do I use JGSS in Cloudera core? And why does it ask the KDC so often, when one TGT and TGS last for 24 hours?

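The initiator/acceptor stress test described in the post, written out as an added example (this is not the poster's code and not part of Cloudera or Hadoop). It acquires one GSSCredential per side up front and then establishes thousands of Kerberos contexts from those credentials, which is the pattern under which the Kerberos library can answer every handshake from the ticket cache and keytab instead of contacting the KDC. The class name, the principal HTTP/host2.example.com@EXAMPLE.COM, the keytab path and the libgssapi path are placeholders chosen for this example; the JVM properties sun.security.jgss.native, sun.security.jgss.lib and javax.security.auth.useSubjectCredsOnly and the JAAS entry names com.sun.security.jgss.krb5.initiate / com.sun.security.jgss.krb5.accept are the real ones from the JDK documentation.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Establishes one Kerberos GSS-API context per round between an initiator and an
 * acceptor in the same JVM. Both sides reuse a single GSSCredential, so the
 * KDC should see one AS-REQ and one TGS-REQ however many rounds are run.
 *
 * Native GSS-API mode (the setup the post describes); all paths are placeholders:
 *   kinit client@EXAMPLE.COM
 *   export KRB5_KTNAME=/etc/security/keytabs/http.keytab
 *   java -Dsun.security.jgss.native=true \
 *        -Dsun.security.jgss.lib=/usr/lib64/libgssapi_krb5.so.2 \
 *        GssReuseDemo HTTP/host2.example.com@EXAMPLE.COM 1000
 *
 * Pure-Java mode instead needs a JAAS login (no Subject.doAs is used here), e.g.:
 *   java -Djavax.security.auth.useSubjectCredsOnly=false \
 *        -Djava.security.auth.login.config=login.conf GssReuseDemo ...
 * with com.sun.security.jgss.krb5.initiate (useTicketCache=true) and
 * com.sun.security.jgss.krb5.accept (useKeyTab=true, keyTab=..., storeKey=true)
 * entries in login.conf.
 */
public class GssReuseDemo {
    // Kerberos V5 mechanism OID and the Kerberos principal-name type OID.
    private static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");
    private static final Oid KRB5_PRINCIPAL_NAME = oid("1.2.840.113554.1.2.2.1");

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Runs the initSecContext/acceptSecContext token exchange until both sides are
     * established and returns the client principal the acceptor authenticated.
     * With mutual auth this is AP-REQ from the initiator, AP-REP back, done.
     */
    static String handshake(GSSContext initiator, GSSContext acceptor) throws GSSException {
        byte[] token = new byte[0];
        for (int round = 0; round < 8; round++) {
            if (initiator.isEstablished() && acceptor.isEstablished()) {
                return acceptor.getSrcName().toString();
            }
            if (!initiator.isEstablished()) {
                token = initiator.initSecContext(token, 0, token.length);
                if (token == null) token = new byte[0];
            }
            if (token.length > 0 && !acceptor.isEstablished()) {
                token = acceptor.acceptSecContext(token, 0, token.length);
                if (token == null) token = new byte[0];
            }
        }
        throw new GSSException(GSSException.FAILURE, 0, "context not established after 8 rounds");
    }

    public static void main(String[] args) throws GSSException {
        String servicePrincipal = args.length > 0 ? args[0] : "HTTP/host2.example.com@EXAMPLE.COM";
        int rounds = args.length > 1 ? Integer.parseInt(args[1]) : 1000;

        GSSManager manager = GSSManager.getInstance();
        GSSName serviceName = manager.createName(servicePrincipal, KRB5_PRINCIPAL_NAME);

        // Acquire credentials exactly once. The acceptor credential is backed by the
        // keytab (KRB5_KTNAME in native mode); the initiator credential by the
        // ticket cache populated by kinit. Every context below reuses them.
        GSSCredential acceptorCred = manager.createCredential(
                serviceName, GSSCredential.INDEFINITE_LIFETIME, KRB5_MECH, GSSCredential.ACCEPT_ONLY);
        GSSCredential initiatorCred = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.INITIATE_ONLY);

        long start = System.nanoTime();
        for (int i = 0; i < rounds; i++) {
            GSSContext initiator = manager.createContext(
                    serviceName, KRB5_MECH, initiatorCred, GSSContext.DEFAULT_LIFETIME);
            initiator.requestMutualAuth(true);
            GSSContext acceptor = manager.createContext(acceptorCred);

            String client = handshake(initiator, acceptor);
            if (i == 0) {
                System.out.println("first context: " + client + " -> " + acceptor.getTargName());
            }
            // Contexts are per-request state; the credentials are not, so only the
            // contexts are released here.
            initiator.dispose();
            acceptor.dispose();
        }
        long ms = (System.nanoTime() - start) / 1_000_000;
        System.out.println(rounds + " contexts established in " + ms + " ms");

        initiatorCred.dispose();
        acceptorCred.dispose();
    }
}
```

While it runs, klist on the initiator side should list one krbtgt entry plus one service ticket for the target SPN, and the KDC log should record a single AS-REQ and a single TGS-REQ for the whole run; a TGS-REQ per round means the initiator side is not reusing its credential (for example a fresh login per request in a JAAS-based setup) rather than a problem with the GSS handshake itself.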