phoenix-user mailing list archives

From Sanooj Padmakumar <p.san...@gmail.com>
Subject Re: Kerberos ticket renewal
Date Tue, 22 Mar 2016 17:23:52 GMT
Thanks Josh and everyone else. Shall try this suggestion.
On 22 Mar 2016 09:36, "Josh Elser" <josh.elser@gmail.com> wrote:

> Keytab-based logins do not automatically spawn a renewal thread in
> Hadoop's UserGroupInformation library, IIRC. HBase's RPC implementation
> does try to automatically re-login, but if you are not actively making
> RPCs, you may miss the window in which you are allowed to perform a renewal.
>
> Commonly, you would launch your own thread to perform the renewal. This is
> something we could probably make better inside Phoenix's client. You could
> add something like the following to run periodically inside your
> application (after instantiating the Phoenix Driver):
>
> `UserGroupInformation.checkTGTAndReloginFromKeytab()`
>
> Sergey Soldatov wrote:
>
>> Where do you see this error? Is it the client side? Ideally you don't
>> need to renew ticket since Phoenix Driver gets the required
>> information (principal name and keytab path) from jdbc connection
>> string and performs User.login itself.
>>
>> Thanks,
>> Sergey
>>
>> On Wed, Mar 16, 2016 at 11:02 AM, Sanooj Padmakumar<p.sanooj@gmail.com>
>> wrote:
>>
>>> This is the error in the log when it fails
>>>
>>> ERROR org.apache.hadoop.security.UserGroupInformation -
>>> PriviledgedActionException as:<principal here>  (auth:KERBEROS)
>>> cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
>>> GSSException: No valid credentials provided (Mechanism level: Failed to find
>>> any Kerberos tgt)]
>>>
>>> On Wed, Mar 16, 2016 at 8:35 PM, Sanooj Padmakumar<p.sanooj@gmail.com>
>>> wrote:
>>>
>>>> Hi Anil
>>>>
>>>> Thanks for your reply.
>>>>
>>>> We do not do anything explicitly in the code to do the ticket renewal;
>>>> what we do is run a cron job for the user for which the ticket has to be
>>>> renewed. But with this approach we need a restart to get the thing going
>>>> after the ticket expiry.
>>>>
>>>> We use the following connection url for getting the phoenix connection
>>>> jdbc:phoenix:<zkhosts>:<zkport>:/hbase:<kerberos principal>:<path to keytab>
>>>>
>>>> This along with the entries in hbase-site.xml & core-site.xml are passed
>>>> to the connection object
>>>>
>>>> Thanks
>>>> Sanooj Padmakumar
>>>>
>>>> On Tue, Mar 15, 2016 at 12:04 AM, anil gupta<anilgupta84@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> At my previous job, we had web-services fetching data from a secure hbase
>>>>> cluster. We never needed to renew the lease by restarting webserver. Our app
>>>>> used to renew the ticket. I think, Phoenix/HBase already handles renewing
>>>>> ticket. Maybe you need to look into your kerberos environment settings. How
>>>>> are you authenticating with Phoenix/HBase?
>>>>> Sorry, I don't remember the exact kerberos setting that we had.
>>>>>
>>>>> HTH,
>>>>> Anil Gupta
>>>>>
>>>>> On Mon, Mar 14, 2016 at 11:00 AM, Sanooj Padmakumar<p.sanooj@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> We have a rest style micro service application fetching data from hbase
>>>>>> using Phoenix. The cluster is kerberos secured and we run a cron to renew
>>>>>> the kerberos ticket on the machine where the micro service is deployed.
>>>>>>
>>>>>> But it always needs a restart of micro service java process to get the
>>>>>> kerberos ticket working once after it's expired.
>>>>>>
>>>>>> Is there a way I can avoid this restart?
>>>>>>
>>>>>> Any pointers will be very helpful. Thanks
>>>>>>
>>>>>> PS : We have a Solr based micro service which works without a restart.
>>>>>>
>>>>>> Regards
>>>>>> Sanooj
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>> Anil Gupta
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks,
>>>> Sanooj Padmakumar
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks,
>>> Sanooj Padmakumar
>>>
>>
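
The periodic re-login described in the quoted reply, written out as an added example (not code from this thread or from the Phoenix or Hadoop projects). The class name `KeytabRelogin` and the 300-second period are assumptions; `checkTGTAndReloginFromKeytab()` is called on the login user's `UserGroupInformation` instance, and hadoop-common must be on the classpath.

```java
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper (not part of Phoenix or Hadoop): periodic keytab re-login. */
public final class KeytabRelogin implements AutoCloseable {
    private final ScheduledExecutorService scheduler =
        Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "kerberos-relogin");
            t.setDaemon(true); // never keep the JVM alive just for renewal
            return t;
        });

    /** Call once, after the Phoenix driver has logged in from the keytab. */
    public KeytabRelogin(long periodSeconds) {
        scheduler.scheduleWithFixedDelay(
            KeytabRelogin::reloginIfNeeded, periodSeconds, periodSeconds, TimeUnit.SECONDS);
    }

    static void reloginIfNeeded() {
        try {
            if (!UserGroupInformation.isLoginKeytabBased()) {
                System.err.println("kerberos-relogin: login user is not keytab-based, skipping");
                return;
            }
            // Cheap while the TGT is still fresh; re-logs in from the keytab
            // once the ticket is close to expiry.
            UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
        } catch (Exception e) {
            // Catch everything: an exception escaping a scheduled task cancels
            // all future runs, which would silently stop renewal.
            System.err.println("kerberos-relogin: re-login failed, will retry: " + e);
        }
    }

    @Override
    public void close() {
        scheduler.shutdownNow();
    }

    public static void main(String[] args) throws Exception {
        // Assumed period: well below the ticket lifetime set by the KDC.
        try (KeytabRelogin relogin = new KeytabRelogin(300)) {
            Thread.sleep(TimeUnit.MINUTES.toMillis(1)); // stand-in for the service's work
        }
    }
}
```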
