Hi Eric, If you configure
hbase.master.keytab.file hbase.master.kerberos.principal hbase.regionserver.keytab.file hbase.regionserver.kerberos.principal in your hbase-site.xml, then the master and region server processes should login from the keytab files on startup, as Todd mentions. It's also my understanding that they don't need a renewal thread in that case. The RPC client just tries a relogin from the keytab in the case of a connection error. Can you describe a bit more what you're seeing so that we can understand the context? Gary On Sun, Sep 11, 2011 at 3:13 PM, Todd Lipcon <t...@cloudera.com> wrote: > Hi Eric, > > Could you please explain more fully what you mean by this? The daemons > generally run using keytabs, not user credentials, and thus shouldn't > need the explicit TGT Renewer, right? > > -Todd > > On Sun, Sep 11, 2011 at 11:04 AM, Eric Yang <eric...@gmail.com> wrote: > > Hi all, > > > > Hortonworks has a patch for secure append for Apache Hadoop 0.20.205 to > work with HBase 0.90.x. However, secure Hadoop and HBase would work until > kerberos token expires. There is currently no code that renews kerberos > token in HBase. Hence, it is possible to add a cron job to periodically > renew the HBase user token to keep the system running. What does the > community think about having a setup script for cron job as part of HBase > upcoming minor release, and fix the token renewal in HBase code for the next > major version. On the other hand, would the community accept the token > renewal code in HBase as part of the upcoming 0.90.5 release? If yes, what > is the time line for 0.90.5? > > > > regards, > > Eric > > > > -- > Todd Lipcon > Software Engineer, Cloudera >