  1. IMPALA
  2. IMPALA-9359

Recover gracefully from corrupt kerberos credential cache


Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • Impala 3.3.0
    • Impala 3.4.0
    • Security

    Description

      1. Start up a kerberized Impala cluster
      2. Corrupt the Kerberos ticket cache used by Impala, /tmp/krb5cc_impala_internal.
      3. Observe queries fail. The details depend a lot on timing, etc. I have seen communication failures between impalads and with other systems, e.g. HDFS.
      4. The system will stay wedged in this state indefinitely.

      We have seen this happen once in production from /tmp filling up.

      I prototyped a fix that amounts to re-running Kinit() to blow away the broken credential cache. It needs more work to be production-ready.
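
An external watchdog along the lines of the fix described above, as an added example that is not Impala's code: it checks that the cache file still parses as a version-4 FILE credential cache and, if not, re-runs kinit into a temporary file and renames it into place. The keytab path, principal and sample bytes are assumptions, and any other cache format version is treated as unreadable.

```python
import os
import struct
import subprocess
import tempfile

# Constructed sample: version-4 cache holding only a default principal
# (hypothetical impala@EXAMPLE.COM) and no credentials.
SAMPLE_CCACHE = (b"\x05\x04\x00\x0c\x00\x01\x00\x08" + bytes(8)
                 + struct.pack(">II", 1, 1) + struct.pack(">I", 11) + b"EXAMPLE.COM"
                 + struct.pack(">I", 6) + b"impala")

def ccache_bytes_ok(data):
    """True if data has a v4 header and a complete default principal."""
    if data[:2] != b"\x05\x04":  # format version 4 marker
        return False
    try:
        (hdr_len,) = struct.unpack_from(">H", data, 2)
        off = 4 + hdr_len
        _name_type, n_comp = struct.unpack_from(">II", data, off)
        off += 8
        for _ in range(n_comp + 1):  # realm first, then each name component
            (length,) = struct.unpack_from(">I", data, off)
            off += 4 + length
    except struct.error:  # ran off the end: truncated file or garbage lengths
        return False
    return n_comp > 0 and off <= len(data)

def ccache_is_readable(path):
    try:
        with open(path, "rb") as f:
            return ccache_bytes_ok(f.read())
    except OSError:
        return False

def recover(path, keytab, principal):
    """Rebuild an unreadable cache from the keytab; True if it was replaced."""
    if ccache_is_readable(path):
        return False
    fd, tmp = tempfile.mkstemp(prefix=".krb5cc_new_", dir=os.path.dirname(path) or ".")
    os.close(fd)
    try:
        # kinit writes to a temp file, so a full disk fails here, not at `path`.
        subprocess.run(["kinit", "-k", "-t", keytab, "-c", tmp, principal], check=True)
        if not ccache_is_readable(tmp):
            raise RuntimeError("kinit did not produce a readable cache")
        os.replace(tmp, path)  # atomic rename within the same directory
        return True
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
```

The check is structural only: it does not detect expired tickets, which the normal renewal path handles.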

            People

              tarmstrong Tim Armstrong