[ https://issues.apache.org/jira/browse/HBASE-17827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15943895#comment-15943895 ]

Gary Helmling commented on HBASE-17827:
---------------------------------------

bq. Are you still going to use the same chore mechanism to re-login, from 
cache, even the cache has limited lifetime?

No, for logins from the credential cache, a background thread in 
UserGroupInformation will renew the TGT up to the ticket lifetime.  So there's 
nothing for the chore to do here.  The idea is to just have getAuthChore() 
return null, same as if security is not configured, and let the normal UGI 
login from credential cache happen.  I'll put up a patch later today.

> Client tools relying on AuthUtil.getAuthChore() break credential cache login
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-17827
>                 URL: https://issues.apache.org/jira/browse/HBASE-17827
>             Project: HBase
>          Issue Type: Bug
>          Components: canary, security
>            Reporter: Gary Helmling
>            Assignee: Gary Helmling
>            Priority: Critical
>
> Client tools, such as Canary, which make use of keytab based logins with 
> AuthUtil.getAuthChore() do not allow any way to continue without a 
> keytab-based login when security is enabled.  Currently, when security is 
> enabled and the configuration lacks {{hbase.client.keytab.file}}, these tools 
> would fail with:
> {noformat}
> ERROR hbase.AuthUtil: Error while trying to perform the initial login: Running in secure mode, but config doesn't have a keytab
> java.io.IOException: Running in secure mode, but config doesn't have a keytab
>         at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:239)
>         at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:420)
>         at org.apache.hadoop.hbase.security.User.login(User.java:258)
>         at org.apache.hadoop.hbase.security.UserProvider.login(UserProvider.java:197)
>         at org.apache.hadoop.hbase.AuthUtil.getAuthChore(AuthUtil.java:98)
>         at org.apache.hadoop.hbase.tool.Canary.run(Canary.java:589)
>         at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
>         at org.apache.hadoop.hbase.tool.Canary.main(Canary.java:1327)
> Exception in thread "main" java.io.IOException: Running in secure mode, but config doesn't have a keytab
>         at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:239)
>         at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:420)
>         at org.apache.hadoop.hbase.security.User.login(User.java:258)
>         at org.apache.hadoop.hbase.security.UserProvider.login(UserProvider.java:197)
>         at org.apache.hadoop.hbase.AuthUtil.getAuthChore(AuthUtil.java:98)
>         at org.apache.hadoop.hbase.tool.Canary.run(Canary.java:589)
>         at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
>         at org.apache.hadoop.hbase.tool.Canary.main(Canary.java:1327)
> {noformat}
> These tools should still work with the default credential-cache login, at 
> least when a client keytab is not configured.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
