FALCON-2025 Periodic revalidation of kerberos credentials should be d…

…one on loginUser Author: bvellanki <bvellanki@hortonworks.com> Reviewers: "sandeepSamudrala <sandysmdl@gmail.com>, Praveen Adlakha <adlakha.praveen@gmail.com>, Sowmya Ramesh <sowmya_kr@apache.org>, Venkat Ranganathan <venkat@hortonworks.com>" Closes #183 from bvellanki/FALCON-2025
apache · Jun 14, 2016 · 00a07d5 · 00a07d5
1 parent 7183416
commit 00a07d5
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java b/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java
@@ -262,7 +262,9 @@ private void validateInputs(UserGroupInformation ugi, final URI uri,
 
         try {
             if (UserGroupInformation.isSecurityEnabled()) {
-                ugi.checkTGTAndReloginFromKeytab();
+                LOG.debug("Revalidating Auth Token with auth method {}",
+                        UserGroupInformation.getLoginUser().getAuthenticationMethod().name());
+                UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
             }
         } catch (IOException ioe) {
             throw new FalconException("Exception while getting FileSystem. Unable to check TGT for user "

diff --git a/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java b/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
@@ -67,6 +67,7 @@ public class AuthenticationInitializationService implements FalconService {
 
     private Timer timer = new Timer();
     private static final String SERVICE_NAME = "Authentication initialization service";
+    private static final long DEFAULT_VALIDATE_FREQUENCY_SECS = 86300;
 
     @Override
     public String getName() {
@@ -83,8 +84,13 @@ public void init() throws FalconException {
             String authTokenValidity = StartupProperties.get().getProperty(AUTH_TOKEN_VALIDITY_SECONDS);
             long validateFrequency;
             try {
+                // -100 so that revalidation is done before expiry.
                 validateFrequency = (StringUtils.isNotEmpty(authTokenValidity))
-                        ? Long.parseLong(authTokenValidity) : 86400;
+                        ? (Long.parseLong(authTokenValidity) - 100) : DEFAULT_VALIDATE_FREQUENCY_SECS;
+                if (validateFrequency < 0) {
+                    throw new NumberFormatException("Value provided for startup property \""
+                            + AUTH_TOKEN_VALIDITY_SECONDS + "\" should be greater than 100.");
+                }
             } catch (NumberFormatException nfe) {
                 throw new FalconException("Invalid value provided for startup property \""
                         + AUTH_TOKEN_VALIDITY_SECONDS + "\", please provide a valid long number", nfe);
@@ -149,12 +155,12 @@ private static class TokenValidationThread extends TimerTask {
         @Override
         public void run() {
             try {
-                LOG.info("Validating Auth Token: {}", new Date());
-                initializeKerberos();
+                LOG.debug("Revalidating Auth Token at : {} with auth method {}", new Date(),
+                        UserGroupInformation.getLoginUser().getAuthenticationMethod().name());
+                UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
             } catch (Throwable t) {
-                LOG.error("Error in Auth Token Validation task: ", t);
-                GenericAlert.initializeKerberosFailed(
-                        "Exception in Auth Token Validation : ", t);
+                LOG.error("Error in Auth Token revalidation task: ", t);
+                GenericAlert.initializeKerberosFailed("Exception in Auth Token revalidation : ", t);
             }
         }
     }