phoenix-user mailing list archives

From Josh Elser <josh.el...@gmail.com>
Subject Re: Kerberos ticket renewal
Date Thu, 24 Mar 2016 16:21:02 GMT
Also, setting -Dsun.security.krb5.debug=true when you launch your Java 
application will give you lots of very helpful information about what is 
happening "under the hood".

Sanooj Padmakumar wrote:
> Thanks Josh and everyone else .. Shall try this suggestion
>
> On 22 Mar 2016 09:36, "Josh Elser" <josh.elser@gmail.com
> <mailto:josh.elser@gmail.com>> wrote:
>
>     Keytab-based logins do not automatically spawn a renewal thread in
>     Hadoop's UserGroupInformation library, IIRC. HBase's RPC
>     implementation does try to automatically re-login, but if you are
>     not actively making RPCs, you may miss the window in which you are
>     allowed to perform a renewal.
>
>     Commonly, you would launch your own thread to perform the renewal.
>     This is something we could probably make better inside Phoenix's
>     client. You could add something like the following to run
>     periodically inside your application (after instantiating the
>     Phoenix Driver):
>
>     `UserGroupInformation.checkTGTAndReloginFromKeytab()`
>
>     Sergey Soldatov wrote:
>
>         Where do you see this error? Is it the client side? Ideally you
>         don't
>         need to renew ticket since Phoenix Driver gets the required
>         information (principal name and keytab path) from jdbc connection
>         string and performs User.login itself.
>
>         Thanks,
>         Sergey
>
>         On Wed, Mar 16, 2016 at 11:02 AM, Sanooj
>         Padmakumar<p.sanooj@gmail.com <mailto:p.sanooj@gmail.com>>  wrote:
>
>             This is the error in the log when it fails
>
>             ERROR org.apache.hadoop.security.UserGroupInformation -
>             PriviledgedActionException as:<principal here>  (auth:KERBEROS)
>             cause:javax.security.sasl.SaslException: GSS initiate failed
>             [Caused by
>             GSSException: No valid credentials provided (Mechanism
>             level: Failed to find
>             any Kerberos tgt)]
>
>             On Wed, Mar 16, 2016 at 8:35 PM, Sanooj
>             Padmakumar<p.sanooj@gmail.com <mailto:p.sanooj@gmail.com>>
>             wrote:
>
>                 Hi Anil
>
>                 Thanks for your reply.
>
>                 We do not do anything explicitly in the code to do the
>                 ticket renewal,
>                 what we do is run a cron job for the user for which the
>                 ticket has to be
>                 renewed.  But with this approach we need a restart to
>                 get the thing going
>                 after the ticket expiry
>
>                 We use the following connection url for getting the
>                 phoenix connection
>                 jdbc:phoenix:<zkhosts>:<zkport>:/hbase:<kerberos
>                 principal>:<path to
>                 keytab>
>
>                 This along with the entries in hbase-site.xml &
>                 core-site.xml are passed
>                 to the connection object
>
>                 Thanks
>                 Sanooj Padmakumar
>
>                 On Tue, Mar 15, 2016 at 12:04 AM, anil
>                 gupta<anilgupta84@gmail.com <mailto:anilgupta84@gmail.com>>
>                 wrote:
>
>                     Hi,
>
>                     At my previous job, we had web-services fetching
>                     data from a secure hbase
>                     cluster. We never needed to renew the lease by
>                     restarting webserver. Our app
>                     used to renew the ticket. I think, Phoenix/HBase
>                     already handles renewing
>                     ticket. Maybe you need to look into your kerberos
>                     environment settings.  How
>                     are you authenticating with Phoenix/HBase?
>                     Sorry, I don't remember the exact kerberos setting
>                     that we had.
>
>                     HTH,
>                     Anil Gupta
>
>                     On Mon, Mar 14, 2016 at 11:00 AM, Sanooj
>                     Padmakumar<p.sanooj@gmail.com
>                     <mailto:p.sanooj@gmail.com>>
>                     wrote:
>
>                         Hi
>
>                         We have a rest style micro service application
>                         fetching data from hbase
>                         using Phoenix. The cluster is kerberos secured
>                         and we run a cron to renew
>                         the kerberos ticket on the machine where the
>                         micro service is deployed.
>
>                         But it always needs a restart of micro service
>                         java process to get the
>                         kerberos ticket working once after it's expired.
>
>                         Is there a way I can avoid this restart?
>
>                         Any pointers will be very helpful. Thanks
>
>                         PS : We have a Solr based micro service which
>                         works without a restart.
>
>                         Regards
>                         Sanooj
>
>
>
>
>                     --
>                     Thanks & Regards,
>                     Anil Gupta
>
>
>
>
>                 --
>                 Thanks,
>                 Sanooj Padmakumar
>
>
>
>
>             --
>             Thanks,
>             Sanooj Padmakumar
>
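
The periodic renewal thread suggested in the thread could look like the following. This is an added example, not code from the thread or from the Phoenix project; the class name `KeytabRelogin` and the check period are assumptions. In Hadoop's API `checkTGTAndReloginFromKeytab()` is an instance method, so it is called on the login user here.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper (the name is an assumption): periodic keytab re-login. */
public final class KeytabRelogin {

    private KeytabRelogin() {}

    /**
     * Start this after the keytab login has happened, for example after the
     * first Phoenix connection is opened. Call shutdownNow() on the returned
     * executor when the application stops.
     */
    public static ScheduledExecutorService start(long periodSeconds) {
        ScheduledExecutorService ses = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "krb5-keytab-relogin");
            t.setDaemon(true); // never keep the JVM alive just for renewal
            return t;
        });
        ses.scheduleWithFixedDelay(KeytabRelogin::reloginOnce,
                periodSeconds, periodSeconds, TimeUnit.SECONDS);
        return ses;
    }

    static void reloginOnce() {
        try {
            UserGroupInformation ugi = UserGroupInformation.getLoginUser();
            if (!ugi.isFromKeytab()) {
                // Ticket-cache logins (kinit from cron) are not handled here.
                System.err.println("login user is not keytab-based: " + ugi);
                return;
            }
            // Returns without doing anything while the TGT is not yet near
            // expiry; otherwise it logs in again from the keytab.
            ugi.checkTGTAndReloginFromKeytab();
        } catch (IOException | RuntimeException e) {
            // Catch everything: an exception escaping a scheduled task
            // cancels all of its future runs, which would silently stop renewal.
            System.err.println("keytab re-login failed, will retry: " + e);
        }
    }
}
```

Pick a period well below the ticket lifetime (for example `KeytabRelogin.start(300)`) so that an idle application still performs a check inside the window in which re-login is allowed.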
