Support Questions

Using the Cloudera Quick StartVM, version 5.13.0-0

I set the interval 60000 and the mx lifetime to 300000

Tried to deploy, restart the whole system etc with no luck.

I see the values in the config on disk.

I’m trying to test what happens if our client kerberos keytab becomes invalid, i.e. someone changes the password.

I have tried changing the values but it appears to use the same values i.e. 1 day for interval as during testing that is when it attempted to use the old client keytab to re-auth.

Thanks

Hi @GrahamB ,

 

I am not sure if you are modifying the right configuration to achieve your goal. I suggest you taking a look at this blog in regarding to delegation token:

https://blog.cloudera.com/hadoop-delegation-tokens-explained/

 

Thanks,

Li

I’ve already read that article and it doesn’t tell you how to set the interval & max-lifetime and verify that those values are being used.

Hi @GrahamB ,

 

You may want to download the client configuration file for HDFS service to confirm whether your changes are applied:

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cm_mc_client_config.html

 

However, my point is whether setting those two values are the right methods for the testing scenarios you are trying to achieve.

 

Thanks,
Li

 

 

I have checked the files and the values that I have changed are there but I do not observe any change in behaviour.

It seems a valid way to test myself. I’m trying to test what happens if the password for the kerberos principal for the client is changed and the key tab is invalid.

Currently I need to wait for 24 hours ( the default time of the renewal of the delegation token ) to see the expiry of the token and attempt to re-aith with a now invalid key tab.

Is there another way to test ?

Thanks

@GrahamB 

 

No you don't need to wait for 24 hours to destroy a kerberos ticket you will need to run on the Kerberos server  as the user  

Check valid ticketTo list all of the entries in the default credentials cache

$ klist 

You should have some out here

To delete the default credentials cache for the user

$  kdestroy

Then to obtain a ticket-granting ticket with a lifetime of 10 hours, which is renewable for five days, type:
$ kinit -l 10h -r 5d your_principal

 

HTH

 

That isn’t what I mentioned. I’m waiting for the delegation Token to expire to attempt a re-with with Kerberos.

Hi, I have the same experience. I set it, I see that it is kicked in:

 

<property>
  <name>dfs.namenode.delegation.token.renew-interval</name>
  <value>36000000</value>
  <source>hdfs-site.xml</source>
</property>

 

But when submitting spark application the log still says 24h instead of 10h:

 

INFO - 20/06/16 07:41:40 INFO security.HadoopFSDelegationTokenProvider: Renewal interval is 86400000 for token HDFS_DELEGATION_TOKEN

 

 Did you manage to find a solution?