Reputation: 7605
From my understanding of the Kerberos architecture, a client needs to get a particular Ticket-Granting Ticket (TGT) from the Authentication Server to be able to interact with a service. Those TGTs contain:
I got this from here
Let's imagine I have a master workflow which contains pig, hive and spark files. I will need three different TGTs, one per service, to use them all successfully.
One of the elements in the TGT is the ticket validity period. Let's imagine this is set to 8 hours.
From my understanding, if the master workflow needs, let's say, 10 hours to complete, it may fail after the 8th hour, since the validity of the ticket will be over.
So, as I understand it, it will be necessary to refresh this TGT every 8 hours to communicate with the service without issues.
Now I was thinking of a possible approach: have a background process refreshing this TGT every 8 hours, so the client will always have a valid TGS session key for any necessary service.
A possible problem with this approach is that there may be a gap between these refreshes, even a 30-second or 1-minute gap due to any delay, which may leave the client with an invalid TGS session key.
My question: Is it possible to refresh this TGS session key every 6 hours, which means getting a new TGT while the previous one is still valid? And what happens if you make this TGT request when a valid one still exists? Is the old one replaced/discarded, are both stored in the client, or is this new request just ignored?
I am completely new at this, so if there are other ways to handle this issue please let me know.
Upvotes: 1
Views: 1228
Reputation: 5891
Yes, you can update your program to use this keytab rather than relying on a TGT to already exist in the cache. This is done by using the UserGroupInformation class from the Hadoop Security package.
import java.security.PrivilegedExceptionAction
import org.apache.hadoop.conf.Configuration
import org.apache.hadoop.security.UserGroupInformation
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod

val configuration = new Configuration
configuration.addResource("/etc/hadoop/conf/hdfs-site.xml")
UserGroupInformation.setConfiguration(configuration)
UserGroupInformation.getCurrentUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS)
// Log in as the service principal from its keytab and run the job body as that user.
UserGroupInformation.loginUserFromKeytabAndReturnUGI(
  "hadoop.kerberos.principal", "path of hadoop.kerberos.keytab file")
  .doAs(new PrivilegedExceptionAction[Unit]() {
    override def run(): Unit = {
      // logic
    }
  })
Above we specify the name of our service principal and the path to the keytab file we generated. As long as that keytab is valid our program will use the desired service principal for all actions, regardless of whether or not the user running the program has already authenticated and received a TGT.
Upvotes: 2
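The long-running case from the question (a workflow that outlasts the ticket lifetime), as an added example that is not part of the answer above: it logs in from a keytab and asks Hadoop to re-acquire the TGT only when it has expired or is about to, right before each stage, instead of relying on a timer. The principal, keytab path and stage bodies are placeholders.

```scala
// Added example, not from the original answer. Assumed placeholders: the principal name,
// the keytab path and the three stage bodies.
import java.security.PrivilegedExceptionAction
import org.apache.hadoop.conf.Configuration
import org.apache.hadoop.security.UserGroupInformation

object KeytabWorkflow {
  // Placeholders: replace with the service principal and keytab provisioned for this job.
  val Principal = "svc-workflow/host.example.com@EXAMPLE.COM"
  val KeytabPath = "/etc/security/keytabs/svc-workflow.keytab"

  def login(): UserGroupInformation = {
    val conf = new Configuration()
    conf.addResource("/etc/hadoop/conf/core-site.xml")
    // Same effect as hadoop.security.authentication=kerberos in core-site.xml.
    conf.set("hadoop.security.authentication", "kerberos")
    UserGroupInformation.setConfiguration(conf)
    UserGroupInformation.loginUserFromKeytabAndReturnUGI(Principal, KeytabPath)
  }

  // Runs one stage as the keytab principal. checkTGTAndReloginFromKeytab() only
  // re-logs in when the TGT has expired or is close to expiry, so calling it before
  // every stage is cheap and leaves no window in which the ticket is stale.
  def runStage(ugi: UserGroupInformation, name: String)(body: => Unit): Unit = {
    ugi.checkTGTAndReloginFromKeytab()
    ugi.doAs(new PrivilegedExceptionAction[Unit] {
      override def run(): Unit = {
        println(s"stage $name running as ${UserGroupInformation.getCurrentUser.getUserName}")
        body
      }
    })
  }

  def main(args: Array[String]): Unit = {
    val ugi = login()
    // Relogin from keytab is only possible for a keytab-based login, not a ticket cache.
    require(ugi.isFromKeytab, "login must come from a keytab, not the ticket cache")
    // Placeholder stage bodies: the real Pig, Hive and Spark steps go here.
    runStage(ugi, "pig")   { /* submit pig script */ }
    runStage(ugi, "hive")  { /* run hive queries */ }
    runStage(ugi, "spark") { /* submit spark job */ }
  }
}
```

Because the relogin reads the keytab rather than the user's ticket cache, the cache expiring partway through the workflow does not affect the job.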