Created on 08-29-2016 12:11 PM - edited 09-16-2022 03:37 AM
Hi Folks,
Appreciate your help here!!
I have a secured cluster with Kerberos where I am using the root user and obtaining a TGT with the hive keytab and hive principal.
Even though I have a proper TGT session, when I run hadoop fs -ls / I am getting the WARN
WARN security.UserGroupInformation: Exception encountered while running the renewal command. Aborting renew thread. ExitCodeException exitCode=1: kinit: Ticket expired while renewing credentials
followed by the resulting Hadoop files.
I want to know why the warning appears even though the TGT session exists.
Thanks,
JAvvaji
Created 08-29-2016 03:26 PM
How are you obtaining the ticket? 'kinit -R'? If you run the 'klist' command does the ticket have same values for its "valid starting" and "renew until" times? If so, the ticket is non-renewable. The warning might be indicating that.
Note that whether or not you can obtain renewable tickets depends on a KDC-wide setting, as well as a per-principal setting for both the principal in question and the Ticket Granting Ticket (TGT) service principal for the realm.
For example, for an MIT KDC, there is a krb5.conf setting:
Created 08-30-2016 08:46 AM
Thanks Ameet for the info!!
To obtain the ticket I will go with kinit -kt <keytab> <principal>. What is this "kinit -R"?
Yes, klist is giving me the same values for both the "valid starting" and "renew until" times, so the ticket is non-renewable. To get rid of the above WARN, what configuration should I add to krb5.conf? Please let me know.
renew_lifetime = 7d
forwardable = true
ticket_lifetime = 24h
The above is my krb5.conf configuration, and I don't see the setting "renewable = true".
So based on my conf, the ticket session lasts for 24 hrs, and what exactly is that renew_lifetime = 7 days?
I simply do kinit once the 24 hrs complete for a ticket.
Created 08-30-2016 10:30 PM
The kinit command can renew and/or obtain the Kerberos ticket. I believe the warning is telling you the ticket is expired and can't be renewed even if you wanted to. Try a
kdestroy
prior to
kinit -kt <keytab> <prin.>
and see if the warning goes away.
Regarding your question about ticket lifetime vs ticket renewable, here's how I'd summarize it:
The ticket cannot be used at the end of the ticket lifetime. If the renewable lifetime is longer than the ticket lifetime (like yours), the user holding the ticket can renew the ticket before the ticket lifetime or renewal time expires. If renewed, the fresh ticket will have a new lifetime dating to the current time, but renewals are constrained by the renew lifetime.
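The klist comparison discussed in this thread ("valid starting" versus "renew until"), as an added example that is not part of any poster's reply: a POSIX shell function that classifies the TGT in klist output as renewable or not. It assumes MIT klist's default layout; the function name tgt_renewability and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the TGT in `klist` output as renewable or not by
# comparing "valid starting" with "renew until", as suggested in the thread.
# Assumption: MIT klist default layout (start date/time, expiry date/time,
# service principal, then an indented "renew until" line). A TGT entry with
# no "renew until" line is also treated as non-renewable (assumption).

tgt_renewability() {   # hypothetical helper; reads klist output on stdin
  awk '
    # First TGT row: <start date> <start time> <exp date> <exp time> krbtgt/...
    !found && NF >= 5 && $5 ~ /^krbtgt\// {
      found = 1; in_tgt = 1; start = $1 " " $2; next
    }
    # "renew until" line that belongs to the TGT row just seen
    in_tgt && $1 == "renew" && $2 == "until" {
      t = $4; sub(/,$/, "", t)        # klist -f appends ", Flags: ..."
      renew = $3 " " t; in_tgt = 0; next
    }
    { in_tgt = 0 }                     # any other line closes the TGT entry
    END {
      if (!found)                             print "no-tgt"
      else if (renew == "" || renew == start) print "non-renewable"
      else                                    print "renewable"
    }'
}

# Constructed sample outputs (not taken from the thread).
SAMPLE_FIXED='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hive/node1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
08/29/2016 12:00:00  08/30/2016 12:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/29/2016 12:00:00'

SAMPLE_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hive/node1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
08/29/2016 12:00:00  08/30/2016 12:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 09/05/2016 12:00:00'

printf '%s\n' "$SAMPLE_FIXED"     | tgt_renewability   # non-renewable
printf '%s\n' "$SAMPLE_RENEWABLE" | tgt_renewability   # renewable
```

On a cluster node, pipe the real output through the function: klist | tgt_renewability.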
Created 09-01-2016 03:50 AM
@Ameet:
I am not seeing the warning when I do kinit -kt <keytab> <princ>, which means when I renew the ticket lifetime for the next 24 hrs.
But within the ticket lifetime I am seeing the WARN and the Hadoop dirs when I try to access hadoop fs -ls /, so I don't understand why this WARN is coming.
My tickets are non-renewable, and I am not doing kinit -R, but when I try to access hadoop fs -ls / I am seeing the WARN.
Anything related to delegation token refresh?