Using Kerberos with Hadoop to enable HDFS Security, you should be familiar with the concept of a user being given a 'ticket' that has an expiration date.
The default configuration for kerberos is to set a 'Maximum Renewal Time' of 00:00:00. This is the ammount of time that is 'added' to the time that the ticket was issued. So if your ticket was issued on Jan 27 2014 15:25:38, then you will have (Jan 27 2014 15:25:38 + Renewal Time) until you cannot renew the ticket. This default setting makes it impossible to renew any tickets granted, and instead they need to be kdestoryed and re-issued.
In order to fix this, you need to log into the kerberos principal database using kadmin or kadmin.local on the KDC. Use the following command for a principal named, 'hdfs@EXAMPLE.COM'
modprinc -maxrenewlife 1week hdfs@EXAMPLE.COMYou will then be able to look at the principal's information:
kadmin.local: getprinc hdfs@EXAMPLE.COM
You will still need to use 'kdestroy' and 'kinit' to get a new ticket, since the old one cannot be renewed. However, your new ticket will be renewable for a week. It should also be noted that when adding a new principal to the database, the default Renewal time will be obtained from the ticket granting server's Principal (krbtgt/EXAMPLE.COM@EXAMPLE.COM). If you want all users added in the future to have a week long renewal period, you will need to modify that principal as well.Principal: hdfs@EXAMPLE.COMExpiration date: [never]Last password change: Sat Jan 25 21:33:34 EST 2014Password expiration date: [none]Maximum ticket life: 1 day 00:00:00Maximum renewable life: 7 days 00:00:00Last modified: Tue Jan 28 11:19:59 EST 2014 (root/admin@EXAMPLE.COM)Last successful authentication: [never]Last failed authentication: [never]Failed password attempts: 0Number of keys: 4Key: vno 1, aes256-cts-hmac-sha1-96, no saltKey: vno 1, aes128-cts-hmac-sha1-96, no saltKey: vno 1, des3-cbc-sha1, no saltKey: vno 1, arcfour-hmac, no saltMKey: vno 1