[GitHub] zeppelin pull request #2407: [ZEPPELIN-1907] Shell Interpreter does not rene...

classic Classic list List threaded Threaded
24 messages Options
12
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin pull request #2407: [ZEPPELIN-1907] Shell Interpreter does not rene...

prabhjyotsingh
GitHub user prabhjyotsingh opened a pull request:

    https://github.com/apache/zeppelin/pull/2407

    [ZEPPELIN-1907] Shell Interpreter does not renew ticket on secure cluster

    ### What is this PR for?
    Kerberos ticket and renew lifetime are set to 1 hour. On accessing secure Hadoop from shell interpreter, it does kinit and returns result successfully but after 1 hour, the ticket gets expired and Hadoop list fails with below exception.
   
    ```
    %sh
    hadoop fs -ls /
   
    17/01/05 09:29:45 WARN ipc.Client: Exception encountered while connecting to the server :
    javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
    at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
    at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:595)
    at org.apache.hadoop.ipc.Client$Connection.access$2000(Client.java:397)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:762)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:758)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
    at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:757)
    at org.apache.hadoop.ipc.Client$Connection.access$3200(Client.java:397)
    at org.apache.hadoop.ipc.Client.getConnection(Client.java:1618)
    at org.apache.hadoop.ipc.Client.call(Client.java:1449)
    at org.apache.hadoop.ipc.Client.call(Client.java:1396)
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:233)
    at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source)
    ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "zeppelin1.hwxblr.com/10.0.1.57"; destination host is: "zeppelin1.hwxblr.com":8020;
    ExitValue: 1
    ```
   
    ### What type of PR is it?
    [Bug Fix]
   
    ### What is the Jira issue?
    * [ZEPPELIN-1907](https://issues.apache.org/jira/browse/ZEPPELIN-1907)
   
    ### How should this be tested?
    On a Kerberos enabled cluster, run this paragraph
    ```
    %sh
    hdfs dfs -ls /user/zeppelin/
    ```
    Wait for key-tab to expire (or run `kdestroy`), and re-run the same paragraph.
   
    ### Screenshots (if appropriate)
    Before:
    <img width="1438" alt="screen shot 2017-06-13 at 3 44 30 pm" src="https://user-images.githubusercontent.com/674497/27078184-511ed810-5050-11e7-8afa-90247f33047a.png">
   
    After:
    <img width="1438" alt="screen shot 2017-06-13 at 3 44 04 pm" src="https://user-images.githubusercontent.com/674497/27078183-5109d690-5050-11e7-82e4-d79a5e98295f.png">
   
   
    ### Questions:
    * Does the licenses files need update?
    * Is there breaking changes for older versions?
    * Does this needs documentation?


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/prabhjyotsingh/zeppelin ZEPPELIN-1907

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2407.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2407
   
----
commit ab823d3ee9373c38f5f083d3471adf351c9177a2
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-13T10:18:44Z

    relogin using keytab, and append message for the same

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin pull request #2407: [ZEPPELIN-1907] Shell Interpreter does not rene...

prabhjyotsingh
Github user prabhjyotsingh closed the pull request at:

    https://github.com/apache/zeppelin/pull/2407


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin pull request #2407: [ZEPPELIN-1907] Shell Interpreter does not rene...

prabhjyotsingh
In reply to this post by prabhjyotsingh
GitHub user prabhjyotsingh reopened a pull request:

    https://github.com/apache/zeppelin/pull/2407

    [ZEPPELIN-1907] Shell Interpreter does not renew ticket on secure cluster

    ### What is this PR for?
    Kerberos ticket and renew lifetime are set to 1 hour. On accessing secure Hadoop from shell interpreter, it does kinit and returns result successfully but after 1 hour, the ticket gets expired and Hadoop list fails with below exception.
   
    ```
    %sh
    hadoop fs -ls /
   
    17/01/05 09:29:45 WARN ipc.Client: Exception encountered while connecting to the server :
    javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
    at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
    at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:595)
    at org.apache.hadoop.ipc.Client$Connection.access$2000(Client.java:397)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:762)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:758)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
    at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:757)
    at org.apache.hadoop.ipc.Client$Connection.access$3200(Client.java:397)
    at org.apache.hadoop.ipc.Client.getConnection(Client.java:1618)
    at org.apache.hadoop.ipc.Client.call(Client.java:1449)
    at org.apache.hadoop.ipc.Client.call(Client.java:1396)
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:233)
    at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source)
    ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "zeppelin1.hwxblr.com/10.0.1.57"; destination host is: "zeppelin1.hwxblr.com":8020;
    ExitValue: 1
    ```
   
    ### What type of PR is it?
    [Bug Fix]
   
    ### What is the Jira issue?
    * [ZEPPELIN-1907](https://issues.apache.org/jira/browse/ZEPPELIN-1907)
   
    ### How should this be tested?
    On a Kerberos enabled cluster, run this paragraph
    ```
    %sh
    hdfs dfs -ls /user/zeppelin/
    ```
    Wait for key-tab to expire (or run `kdestroy`), and re-run the same paragraph.
   
    ### Screenshots (if appropriate)
    Before:
    <img width="1438" alt="screen shot 2017-06-13 at 3 44 30 pm" src="https://user-images.githubusercontent.com/674497/27078184-511ed810-5050-11e7-8afa-90247f33047a.png">
   
    After:
    <img width="1438" alt="screen shot 2017-06-13 at 3 44 04 pm" src="https://user-images.githubusercontent.com/674497/27078183-5109d690-5050-11e7-82e4-d79a5e98295f.png">
   
   
    ### Questions:
    * Does the licenses files need update?
    * Is there breaking changes for older versions?
    * Does this needs documentation?


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/prabhjyotsingh/zeppelin ZEPPELIN-1907

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2407.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2407
   
----
commit ab823d3ee9373c38f5f083d3471adf351c9177a2
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-13T10:18:44Z

    relogin using keytab, and append message for the same

commit 7c539ef2eb943b30befc97bd5a15120e8d9ee42e
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-13T14:11:11Z

    add null check

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user zjffdu commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    @prabhjyotsingh I left one minor comment. Besides that I found 1 other issues.  
   
    * Code duplication and inconsistency between `ShellInterpreter` and `ShellSecurityImpl`. Both of these 2 classes will create DefaultExecutor and do the real  shell execution. But it seems the command in `ShellSecurityImpl` can not be canceled, because it is not put in `executors`. It would be better to put the common logic together.
   
    But this issue is not related with this ticket, could be done in another ticket.
   



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    @zjffdu Yes make sense I have created a JIRA (https://issues.apache.org/jira/browse/ZEPPELIN-2646) for it, I'll handle it in a different PR.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin pull request #2407: [ZEPPELIN-1907] Shell Interpreter does not rene...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh closed the pull request at:

    https://github.com/apache/zeppelin/pull/2407


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin pull request #2407: [ZEPPELIN-1907] Shell Interpreter does not rene...

prabhjyotsingh
In reply to this post by prabhjyotsingh
GitHub user prabhjyotsingh reopened a pull request:

    https://github.com/apache/zeppelin/pull/2407

    [ZEPPELIN-1907] Shell Interpreter does not renew ticket on secure cluster

    ### What is this PR for?
    Kerberos ticket and renew lifetime are set to 1 hour. On accessing secure Hadoop from shell interpreter, it does kinit and returns result successfully but after 1 hour, the ticket gets expired and Hadoop list fails with below exception.
   
    ```
    %sh
    hadoop fs -ls /
   
    17/01/05 09:29:45 WARN ipc.Client: Exception encountered while connecting to the server :
    javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
    at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
    at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:595)
    at org.apache.hadoop.ipc.Client$Connection.access$2000(Client.java:397)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:762)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:758)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
    at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:757)
    at org.apache.hadoop.ipc.Client$Connection.access$3200(Client.java:397)
    at org.apache.hadoop.ipc.Client.getConnection(Client.java:1618)
    at org.apache.hadoop.ipc.Client.call(Client.java:1449)
    at org.apache.hadoop.ipc.Client.call(Client.java:1396)
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:233)
    at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source)
    ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "zeppelin1.hwxblr.com/10.0.1.57"; destination host is: "zeppelin1.hwxblr.com":8020;
    ExitValue: 1
    ```
   
    ### What type of PR is it?
    [Bug Fix]
   
    ### What is the Jira issue?
    * [ZEPPELIN-1907](https://issues.apache.org/jira/browse/ZEPPELIN-1907)
   
    ### How should this be tested?
    On a Kerberos enabled cluster, run this paragraph
    ```
    %sh
    hdfs dfs -ls /user/zeppelin/
    ```
    Wait for key-tab to expire (or run `kdestroy`), and re-run the same paragraph.
   
    ### Screenshots (if appropriate)
    Before:
    <img width="1438" alt="screen shot 2017-06-13 at 3 44 30 pm" src="https://user-images.githubusercontent.com/674497/27078184-511ed810-5050-11e7-8afa-90247f33047a.png">
   
    After:
    <img width="1438" alt="screen shot 2017-06-13 at 3 44 04 pm" src="https://user-images.githubusercontent.com/674497/27078183-5109d690-5050-11e7-82e4-d79a5e98295f.png">
   
   
    ### Questions:
    * Does the licenses files need update?
    * Is there breaking changes for older versions?
    * Does this needs documentation?


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/prabhjyotsingh/zeppelin ZEPPELIN-1907

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2407.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2407
   
----
commit ab823d3ee9373c38f5f083d3471adf351c9177a2
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-13T10:18:44Z

    relogin using keytab, and append message for the same

commit 7c539ef2eb943b30befc97bd5a15120e8d9ee42e
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-13T14:11:11Z

    add null check

commit ee741e483aaaa5b94104baa530dcdc8933d6d8ae
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-14T11:26:19Z

    @zjffdu review comments

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    @felixcheung I like the idea of renewing token periodically, do you think we should have both "if fail then renew" and "renew token periodically", or just renewing token periodically is sufficient?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    @felixcheung have pushed another change that will just renew token periodically. If this looks good, will implement the same for JDBC interpreter as well and fix the CI.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user felixcheung commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    How about the addition of a secured/Kerberosize interpreter as a base class that individual interpreter can inherit from as applicable?
   



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    @felixcheung  have implemented your feedback, will update the doc in a while.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin pull request #2407: [ZEPPELIN-1907] Shell Interpreter does not rene...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh closed the pull request at:

    https://github.com/apache/zeppelin/pull/2407


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin pull request #2407: [ZEPPELIN-1907] Shell Interpreter does not rene...

prabhjyotsingh
In reply to this post by prabhjyotsingh
GitHub user prabhjyotsingh reopened a pull request:

    https://github.com/apache/zeppelin/pull/2407

    [ZEPPELIN-1907] Shell Interpreter does not renew ticket on secure cluster

    ### What is this PR for?
    Kerberos ticket and renew lifetime are set to 1 hour. On accessing secure Hadoop from shell interpreter, it does kinit and returns result successfully but after 1 hour, the ticket gets expired and Hadoop list fails with below exception.
   
    ```
    %sh
    hadoop fs -ls /
   
    17/01/05 09:29:45 WARN ipc.Client: Exception encountered while connecting to the server :
    javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
    at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
    at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:595)
    at org.apache.hadoop.ipc.Client$Connection.access$2000(Client.java:397)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:762)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:758)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
    at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:757)
    at org.apache.hadoop.ipc.Client$Connection.access$3200(Client.java:397)
    at org.apache.hadoop.ipc.Client.getConnection(Client.java:1618)
    at org.apache.hadoop.ipc.Client.call(Client.java:1449)
    at org.apache.hadoop.ipc.Client.call(Client.java:1396)
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:233)
    at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source)
    ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "zeppelin1.hwxblr.com/10.0.1.57"; destination host is: "zeppelin1.hwxblr.com":8020;
    ExitValue: 1
    ```
   
    ### What type of PR is it?
    [Bug Fix]
   
    ### What is the Jira issue?
    * [ZEPPELIN-1907](https://issues.apache.org/jira/browse/ZEPPELIN-1907)
   
    ### How should this be tested?
    On a Kerberos enabled cluster, run this paragraph
    ```
    %sh
    hdfs dfs -ls /user/zeppelin/
    ```
    Wait for key-tab to expire (or run `kdestroy`), and re-run the same paragraph.
   
    ### Screenshots (if appropriate)
    Before:
    <img width="1438" alt="screen shot 2017-06-13 at 3 44 30 pm" src="https://user-images.githubusercontent.com/674497/27078184-511ed810-5050-11e7-8afa-90247f33047a.png">
   
    After:
    <img width="1438" alt="screen shot 2017-06-13 at 3 44 04 pm" src="https://user-images.githubusercontent.com/674497/27078183-5109d690-5050-11e7-82e4-d79a5e98295f.png">
   
   
    ### Questions:
    * Does the licenses files need update?
    * Is there breaking changes for older versions?
    * Does this needs documentation?


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/prabhjyotsingh/zeppelin ZEPPELIN-1907

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2407.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2407
   
----
commit ab823d3ee9373c38f5f083d3471adf351c9177a2
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-13T10:18:44Z

    relogin using keytab, and append message for the same

commit 7c539ef2eb943b30befc97bd5a15120e8d9ee42e
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-13T14:11:11Z

    add null check

commit ee741e483aaaa5b94104baa530dcdc8933d6d8ae
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-14T11:26:19Z

    @zjffdu review comments

commit 856c8716eccf81a5dc3d1eee94cba8a9a498c1e9
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-15T13:18:13Z

    renew token periodically

commit df6645a64b571766876c4bba8724180ccef33968
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-16T03:20:28Z

    add KerberosInterpreter and move kinit loginc there.

commit 72b32ae25fcb2d66675c3ffd7cfe1dcf2ca888cc
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-16T04:01:51Z

    add java doc

commit 96bfdfe97d7a08104f5856e29dad77a073a0dff5
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-16T07:34:11Z

    log more error

commit 289b7d34608ec50654f9a33dfae32be9bdaacbeb
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-16T07:40:11Z

    reset kinitFailCount on successful renew.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    @felixcheung have handled your review comments, except https://github.com/apache/zeppelin/pull/2407#discussion_r122361683 as KERBEROS_REFRESH_INTERVAL is configurable and is documented [here](https://github.com/apache/zeppelin/pull/2407/files#diff-5a017ebfb7e890a2b475f9c8c7844fb0R71) as well.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    @felixcheung ping


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user felixcheung commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    ` follow by bash to indicate the code block type
    Sorry github really doesn't like backtick - so it's hard for me to write it out here. See other md for example.
   



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    Thank you @felixcheung. I see it now, it makes a lot of difference.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    Will merge this if no more discussion.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user zjffdu commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    @prabhjyotsingh @felixcheung I thought about this again. I don't have concern on this PR, but have concern on how user should interact with shell interpreter interpreter.  I think the shell interpreter should behave as close as bash terminal of linux. That means the user should call `kinit` if he want to run shell command in kerberized cluster just as he did in linux shell terminal. For now, the shell interpreter of zeppelin share the same keytab/principal for all users even when in isolated and impersonated mode which is a big security hole.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|

[GitHub] zeppelin issue #2407: [ZEPPELIN-1907] Shell Interpreter does not renew ticke...

prabhjyotsingh
In reply to this post by prabhjyotsingh
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2407
 
    IMO, this is just one less hassle. A user whoever configures Zeppelin with this configuration i.e. have a keytab/principal configured and enable "user impersonation", is aware that this keytab file is being share with various users, and if (s)he doesn't want this behaviour they can always fall back to the default option (which is not configuring any).
    The reason shell interpreter does this is to make this operation seamless (just like JDBC, Livy, etc.) and when we finally have user level interpreter setting (each user have their own interpreter setting), they can configure their private keytab/principal and it will continue to work.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
12