A relogin from the keytab will happen in RpcClientImpl.Connection.handleSaslConnectionFailure(). So if the Thrift server fails to establish a connection to a regionserver to relay a client request, it should perform a relogin from the configured keytab. This is a bit indirect though, and there may be a window where your credentials can expire if you are trying to use Kerberos to authenticate Thrift clients and don't have any requests coming in.

Using something like the AuthUtil.getAuthChore() method would work, though the current implementation is hard-coded to use configurations for "hbase.client.(keytab.file|kerberos.principal)", so it would need to be extended to allow plugging in the config keys for the Thrift server. Alternatively, I provided a patch to https://issues.apache.org/jira/browse/HADOOP-9567 to have UserGroupInformation launch a background renewal thread for keytab-based logins, but that doesn't seem to be gaining any traction.

On Sun, Jun 25, 2017 at 10:35 PM Jerry He <[email protected]> wrote:

> Let's go to the JIRA ticket you opened.
> Please describe the problem more over there. For example, give the
> exception or stack trace and where it comes from.
>
> Thanks,
>
> Jerry
>
> On Wed, Jun 21, 2017 at 12:15 AM, Steen Manniche <[email protected]> wrote:
> > I understand that the ticket renewal logic might be called indirectly
> > through some process/module that the thrift server is importing or
> > using, but after a thorough spelunking around the code-base, I was not
> > able to find any path to ticket renewal logic. Which is why I turned
> > to the list :)
> >
> > On Wed, Jun 21, 2017 at 5:06 AM, Jerry He <[email protected]> wrote:
> >> The right code can be hard to find and may not be even in the Thrift module.
> >>
> >> Did you encounter any problem, e.g. the Thrift server giving out errors due
> >> to expired Kerberos ticket?
> >>
> >> Thanks,
> >>
> >> Jerry
> >>
> >> On Tue, Jun 20, 2017 at 11:05 AM, Steen Manniche <[email protected]> wrote:
> >>
> >>> Hi Ted,
> >>>
> >>> thanks for the feedback. I created HBASE-18243
> >>>
> >>> Best regards,
> >>> Steen
> >>>
> >>> On Tue, Jun 20, 2017 at 5:03 PM, Ted Yu <[email protected]> wrote:
> >>> > I didn't find ticket renewal logic either.
> >>> >
> >>> > I think we can use facility similar to AuthUtil#getAuthChore().
> >>> >
> >>> > Mind logging a JIRA ?
> >>> >
> >>> > On Tue, Jun 20, 2017 at 4:17 AM, Steen Manniche <[email protected]> wrote:
> >>> >
> >>> >> Hi all,
> >>> >>
> >>> >> I have been looking through the hbase-thrift code looking for where
> >>> >> the server performs renewals of kerberos tickets for the provided
> >>> >> principal/keytab. I cannot seem to find any trace of this?
> >>> >>
> >>> >> As an example, the hadoop-common provides the class
> >>> >> UserGroupInformation, which exposes the method
> >>> >> checkTGTAndReloginFromKeytab. I can see that the ThriftServerRunner
> >>> >> has a handle to the class
> >>> >> (https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java#L205),
> >>> >> but I do not see the ticket renewal logic being called anywhere. Am I
> >>> >> missing something about how this works?
> >>> >>
> >>> >>
> >>> >> Thanks for the time and best regards,
> >>> >> Steen
> >>> >>
> >>> >
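
The periodic relogin discussed in this thread can be sketched as follows. This is an added example, not part of any message in the thread and not HBase's own code: the class name KeytabReloginTask, its start() method and the period parameter are hypothetical, and the principal and keytab path are passed in by the caller rather than read from any particular configuration key.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper: keeps a keytab login fresh even when no RPC traffic triggers a relogin. */
public final class KeytabReloginTask {
  private KeytabReloginTask() {}

  /**
   * Logs in from the keytab once, then re-checks the TGT on a fixed schedule.
   * The caller owns the returned scheduler and should shut it down on server stop.
   */
  public static ScheduledExecutorService start(Configuration conf, String principal,
      String keytabPath, long periodSeconds) throws IOException {
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
    final UserGroupInformation ugi = UserGroupInformation.getLoginUser();

    // Daemon thread so the renewal task never blocks JVM shutdown.
    ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(r -> {
      Thread t = new Thread(r, "keytab-relogin");
      t.setDaemon(true);
      return t;
    });

    scheduler.scheduleAtFixedRate(() -> {
      try {
        // No-op unless the TGT is close to expiry; otherwise logs in again from the keytab.
        ugi.checkTGTAndReloginFromKeytab();
      } catch (Exception e) {
        // Catch everything: an exception escaping the task would cancel all future runs,
        // leaving the server with credentials that silently expire.
        System.err.println("Keytab relogin failed for " + principal + ": " + e);
      }
    }, periodSeconds, periodSeconds, TimeUnit.SECONDS);
    return scheduler;
  }
}
```

The period should be well below the ticket lifetime set by the KDC, so that a single failed attempt (for example while the KDC is unreachable) still leaves several retries before the TGT expires.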
