Support Questions

Find answers, ask questions, and share your expertise

how to set dfs.namenode.delegation.token.renew-interval in gui, set in advanced configuration snippets but not working

avatar
Explorer

How should I set dfs.namenode.delegation.token.renew-interval & 

dfs.namenode.delegation.token.max-lifetime in gui of Cloudera Manager for HDFS ?

 

I have set them in advanced configuration snippets for HDFS Service Advanced Configuration Snippet ( safety valve) for hdfs-site.xml

 

Thanks

10 REPLIES 10

avatar
Guru

Hi @GrahamB ,

 

Could you please share your environment information? For example, what is CM/CDH version?

Also, could you please share the details about the safety valve you added? The "HDFS Service Advanced Configuration Snippet (Safety Valve) for hdfs-site.xml" seems to be the right place. Did you make sure to deploy the client configuration after saving the changes?

 

You said it did not work, what do you mean exactly?

  • Were you not able to save the configuration changes from CM UI?
  • Were you not able to deploy the client configuration after saved it?
  • Or after you set the values, it did not work for certain functions which you expected to work after setting the safety valve?

Thanks,

Li

Li Wang, Technical Solution Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Learn more about the Cloudera Community:

Terms of Service

Community Guidelines

How to use the forum

avatar
Explorer
Using the Cloudera Quick StartVM, version 5.13.0-0

I set the interval 60000 and the mx lifetime to 300000

Tried to deploy, restart the whole system etc with no luck.

I see the values in the config on disk.

I’m trying to test what happens if our client kerberos keytab becomes invalid, i.e. someone changes the password.

I have tried changing the values but it appears to use the same values i.e. 1 day for interval as during testing that is when it attempted to use the old client keytab to re-auth.

Thanks

avatar
Guru

Hi @GrahamB ,

 

I am not sure if you are modifying the right configuration to achieve your goal. I suggest you taking a look at this blog in regarding to delegation token:

https://blog.cloudera.com/hadoop-delegation-tokens-explained/

 

Thanks,

Li

Li Wang, Technical Solution Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Learn more about the Cloudera Community:

Terms of Service

Community Guidelines

How to use the forum

avatar
Explorer
I’ve already read that article and it doesn’t tell you how to set the interval & max-lifetime and verify that those values are being used.

avatar
Guru

Hi @GrahamB ,

 

You may want to download the client configuration file for HDFS service to confirm whether your changes are applied:

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cm_mc_client_config.html

 

However, my point is whether setting those two values are the right methods for the testing scenarios you are trying to achieve.

 

Thanks,
Li

 

 

Li Wang, Technical Solution Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Learn more about the Cloudera Community:

Terms of Service

Community Guidelines

How to use the forum

avatar
Explorer
I have checked the files and the values that I have changed are there but I do not observe any change in behaviour.

It seems a valid way to test myself. I’m trying to test what happens if the password for the kerberos principal for the client is changed and the key tab is invalid.

Currently I need to wait for 24 hours ( the default time of the renewal of the delegation token ) to see the expiry of the token and attempt to re-aith with a now invalid key tab.

Is there another way to test ?

Thanks

avatar
Master Mentor

@GrahamB 

 

No you don't need to wait for 24 hours to destroy a kerberos ticket you will need to run on the Kerberos server  as the user  

Check valid ticketTo list all of the entries in the default credentials cache

$ klist 

You should have some out here

To delete the default credentials cache for the user

$  kdestroy

Then to obtain a ticket-granting ticket with a lifetime of 10 hours, which is renewable for five days, type:
$ kinit -l 10h -r 5d your_principal

 

HTH

 

avatar
Explorer
That isn’t what I mentioned. I’m waiting for the delegation Token to expire to attempt a re-with with Kerberos.

avatar
New Contributor

Hi, I have the same experience. I set it, I see that it is kicked in:

 

<property>
  <name>dfs.namenode.delegation.token.renew-interval</name>
  <value>36000000</value>
  <source>hdfs-site.xml</source>
</property>

 

But when submitting spark application the log still says 24h instead of 10h:

 

INFO - 20/06/16 07:41:40 INFO security.HadoopFSDelegationTokenProvider: Renewal interval is 86400000 for token HDFS_DELEGATION_TOKEN

 

 Did you manage to find a solution?