Hi Cheney,

If you are obtaining Kerberos credentials outside of your program (i.e. kinit), then you can use k5start, which will run your program after performing a kinit and has a variety of options to relogin periodically.

If you use UGI.loginFromKeytab(), then if you get an authentication failure performing a remote connection, the HBase client will automatically try to relogin from the keytab file. So your program should not need to do anything to explicitly refresh the Kerberos TGT.

On Tue, Jul 1, 2014 at 10:16 PM, anil gupta <anilgupt...@gmail.com> wrote:

> Hi Cheney,
>
> If you are using a Java client and using the kinit way to log in, then I don't have much idea about handling long-running clients.
> We run long-running clients using UserGroupInformation to log in to the cluster.
> I don't know the very specifics, but I think there is a Kerberos setting where you can set it up in such a way that the ticket auto-renews. We run this client ranging from 2-4 weeks without any problem of security. Hope this helps.
>
> Thanks,
> Anil Gupta
>
>
> On Tue, Jul 1, 2014 at 7:12 PM, Cheney Sun <sun.che...@gmail.com> wrote:
>
> > Thanks Gary, Anil.
> >
> > Adding the statement 'UserGroupInformation.setConfiguration(hbaseConf);' can resolve the problem.
> >
> > I'm using the kinit way to log in to the KDC. But I wonder, if I switch to calling UserGroupInformation.loginFromKeytab() in code, does it need to be called periodically for a long-running program, since the TGT obtained from the KDC will expire?
> >
> > Thanks,
> > Cheney
> >
> >
> > On Wed, Jul 2, 2014 at 1:20 AM, Gary Helmling <ghelml...@gmail.com> wrote:
> >
> > > Hi Cheney,
> > >
> > > Did you obtain Kerberos credentials before running your program, either by calling kinit before running the program, or by calling UserGroupInformation.loginFromKeytab() in your code?
> > >
> > >
> > > On Tue, Jul 1, 2014 at 8:44 AM, Cheney Sun <sun.che...@gmail.com> wrote:
> > >
> > > > Hello all,
> > > >
> > > > I have set up a secure hbase/hdfs/zookeeper, which was confirmed and works normally.
> > > > I wrote a Java program to get/put data to a table and packaged the core-site.xml / hbase-site.xml (which are obtained from the secure cluster) into the jar file, and it worked correctly.
> > > >
> > > > But when I removed the core-site.xml and hbase-site.xml from the jar, and instead used the Configuration API to set the relevant settings in the program as below,
> > > >
> > > > Configuration hbaseConf = HBaseConfiguration.create(hadoopConf);
> > > > hbaseConf.set("hbase.zookeeper.quorum","slave-nodex");
> > > > hbaseConf.set("hbase.zookeeper.property.clientPort", "2181");
> > > > hbaseConf.set("hbase.rpc.engine", "org.apache.hadoop.hbase.ipc.SecureRpcEngine");
> > > > hbaseConf.set("hbase.security.authentication", "kerberos");
> > > > hbaseConf.set("hbase.master.kerberos.principal", "hbase/_ h...@hadoop.com <h...@hadoop.qiyi.com>");
> > > > hbaseConf.set("hbase.master.keytab.file","/etc/hbase/conf/hbase.keytab");
> > > > hbaseConf.set("hbase.regionserver.kerberos.principal", "hbase/_ h...@hadoop.com <h...@hadoop.qiyi.com>");
> > > > hbaseConf.set("hbase.regionserver.keytab.file","/etc/hbase/conf/hbase.keytab");
> > > > hbaseConf.set("hadoop.security.authentication", "kerberos");
> > > > hbaseConf.set("hadoop.security.authorization", "true");
> > > >
> > > > It failed to get authenticated to access HBase, with the error message:
> > > >
> > > > org.apache.hadoop.ipc.RemoteException: Authentication is required
> > > >     at org.apache.hadoop.hbase.ipc.HBaseClient.call(HBaseClient.java:1021) ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na]
> > > >     at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Invoker.invoke(SecureRpcEngine.java:164) ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na]
> > > >     at com.sun.proxy.$Proxy7.getProtocolVersion(Unknown Source) ~[na:na]
> > > >
> > > > It looks like the settings through the API in code don't work. Is it a known issue or am I wrong somewhere?
> > > >
> > > > Thanks,
> > > > Cheney
> > > >
> > >
> >
>
> --
> Thanks & Regards,
> Anil Gupta
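
The sequence discussed in this thread (programmatic settings, then UserGroupInformation.setConfiguration(), then a keytab login), as an added example that is not code from any of the posters or from the HBase project. It uses Hadoop's UserGroupInformation.loginUserFromKeytab() and assumes the HBase 1.0+ client API; the client principal, keytab path, realm, table name and row key are placeholders.

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

public class SecureHBaseClient {
    // Placeholders (assumptions, not values from the thread).
    static final String CLIENT_PRINCIPAL = "appuser@EXAMPLE.COM";
    static final String CLIENT_KEYTAB = "/path/to/appuser.keytab";
    static final String SERVER_PRINCIPAL = "hbase/_HOST@EXAMPLE.COM";

    static Configuration secureConf() {
        Configuration conf = HBaseConfiguration.create();
        conf.set("hbase.zookeeper.quorum", "slave-nodex");
        conf.set("hbase.zookeeper.property.clientPort", "2181");
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hbase.security.authentication", "kerberos");
        // The client needs the server principals to request service tickets;
        // the *.keytab.file settings are read by the servers, not by clients.
        conf.set("hbase.master.kerberos.principal", SERVER_PRINCIPAL);
        conf.set("hbase.regionserver.kerberos.principal", SERVER_PRINCIPAL);
        return conf;
    }

    static UserGroupInformation login(Configuration conf) throws IOException {
        // UGI keeps its own static configuration; until this call it does not
        // see settings made on conf and stays on the default "simple" auth.
        UserGroupInformation.setConfiguration(conf);
        if (!UserGroupInformation.isSecurityEnabled()) {
            throw new IOException("Kerberos not enabled in UGI; refusing to continue");
        }
        UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, CLIENT_KEYTAB);
        return UserGroupInformation.getLoginUser();
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = secureConf();
        UserGroupInformation ugi = login(conf);
        try (Connection conn = ConnectionFactory.createConnection(conf);
             Table table = conn.getTable(TableName.valueOf("test_table"))) {
            // Optional explicit check; a no-op unless the keytab TGT is near expiry.
            ugi.checkTGTAndReloginFromKeytab();
            System.out.println("row1 exists: " + table.exists(new Get(Bytes.toBytes("row1"))));
        }
    }
}
```

The keytab should be readable only by the account that runs the client, since anyone who can read it can authenticate as that principal.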