phoenix-user mailing list archives

From Josh Elser <josh.el...@gmail.com>
Subject Re: Kerberos ticket renewal
Date Tue, 22 Mar 2016 04:06:06 GMT

Keytab-based logins do not automatically spawn a renewal thread in 
Hadoop's UserGroupInformation library, IIRC. HBase's RPC implementation 
does try to automatically re-login, but if you are not actively making 
RPCs, you may miss the window in which you are allowed to perform a renewal.

Commonly, you would launch your own thread to perform the renewal. This 
is something we could probably make better inside Phoenix's client. You 
could add something like the following to run periodically inside your 
application (after instantiating the Phoenix Driver):

`UserGroupInformation.checkTGTAndReloginFromKeytab()`

Sergey Soldatov wrote:
> Where do you see this error? Is it the client side? Ideally you don't
> need to renew ticket since Phoenix Driver gets the required
> information (principal name and keytab path) from jdbc connection
> string and performs User.login itself.
>
> Thanks,
> Sergey
>
> On Wed, Mar 16, 2016 at 11:02 AM, Sanooj Padmakumar <p.sanooj@gmail.com> wrote:
>> This is the error in the log when it fails
>>
>> ERROR org.apache.hadoop.security.UserGroupInformation -
>> PriviledgedActionException as:<principal here>  (auth:KERBEROS)
>> cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
>> GSSException: No valid credentials provided (Mechanism level: Failed to find
>> any Kerberos tgt)]
>>
>> On Wed, Mar 16, 2016 at 8:35 PM, Sanooj Padmakumar <p.sanooj@gmail.com>
>> wrote:
>>> Hi Anil
>>>
>>> Thanks for your reply.
>>>
>>> We do not do anything explicitly in the code to do the ticket renewal,
>>> what we do is run a cron job for the user for which the ticket has to be
>>> renewed.  But with this approach we need a restart to get the thing going
>>> after the ticket expiry
>>>
>>> We use the following connection url for getting the phoenix connection
>>> jdbc:phoenix:<zkhosts>:<zkport>:/hbase:<kerberos principal>:<path to keytab>
>>>
>>> This along with the entries in hbase-site.xml & core-site.xml are passed
>>> to the connection object
>>>
>>> Thanks
>>> Sanooj Padmakumar
>>>
>>> On Tue, Mar 15, 2016 at 12:04 AM, anil gupta <anilgupta84@gmail.com>
>>> wrote:
>>>> Hi,
>>>>
>>>> At my previous job, we had web-services fetching data from a secure hbase
>>>> cluster. We never needed to renew the lease by restarting webserver. Our app
>>>> used to renew the ticket. I think, Phoenix/HBase already handles renewing
>>>> ticket. Maybe you need to look into your kerberos environment settings. How
>>>> are you authenticating with Phoenix/HBase?
>>>> Sorry, I don't remember the exact kerberos setting that we had.
>>>>
>>>> HTH,
>>>> Anil Gupta
>>>>
>>>> On Mon, Mar 14, 2016 at 11:00 AM, Sanooj Padmakumar <p.sanooj@gmail.com>
>>>> wrote:
>>>>> Hi
>>>>>
>>>>> We have a rest style micro service application fetching data from hbase
>>>>> using Phoenix. The cluster is kerberos secured and we run a cron to renew
>>>>> the kerberos ticket on the machine where the micro service is deployed.
>>>>>
>>>>> But it always needs a restart of micro service java process to get the
>>>>> kerberos ticket working once after it's expired.
>>>>>
>>>>> Is there a way I can avoid this restart?
>>>>>
>>>>> Any pointers will be very helpful. Thanks
>>>>>
>>>>> PS : We have a Solr based micro service which works without a restart.
>>>>>
>>>>> Regards
>>>>> Sanooj
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Anil Gupta
>>>
>>>
>>>
>>> --
>>> Thanks,
>>> Sanooj Padmakumar
>>
>>
>>
>> --
>> Thanks,
>> Sanooj Padmakumar
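
The periodic re-login suggested at the top of this message, written out as an added example (not code from the original post or from Phoenix). The class name `KeytabReloginTask` and the scheduling period are hypothetical; it assumes the Phoenix driver has already logged the process in from the keytab named in the JDBC URL, so that Hadoop's login user is that identity.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper: name and period are assumptions, not Phoenix API. */
public final class KeytabReloginTask {

    private final ScheduledExecutorService scheduler =
        Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "kerberos-relogin");
            t.setDaemon(true); // never keep the JVM alive just for renewal
            return t;
        });

    /** Call once, after the first Phoenix connection has been opened. */
    public void start(long periodMinutes) {
        scheduler.scheduleWithFixedDelay(this::reloginIfNeeded,
            periodMinutes, periodMinutes, TimeUnit.MINUTES);
    }

    private void reloginIfNeeded() {
        try {
            // Assumption: the driver's keytab login set the process-wide login user.
            UserGroupInformation ugi = UserGroupInformation.getLoginUser();
            if (!UserGroupInformation.isLoginKeytabBased()) {
                System.err.println("Login is not keytab-based; nothing to re-login.");
                return;
            }
            // Does nothing while the TGT is fresh; logs in again from the
            // keytab once the ticket is expired or close to expiry.
            ugi.checkTGTAndReloginFromKeytab();
        } catch (IOException | RuntimeException e) {
            // An exception escaping a scheduled task cancels every later run,
            // so report it and let the next tick retry.
            System.err.println("Kerberos re-login failed, will retry: " + e);
        }
    }

    public void stop() {
        scheduler.shutdownNow();
    }
}
```

Pick a period well below the ticket lifetime configured on the KDC so an idle service still hits the renewal window.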
