Thanks for the write up, Gary.

In ThriftServer:
      userProvider.login("hbase.thrift.keytab.file",
        "hbase.thrift.kerberos.principal", host);

Looks like AuthUtil#getAuthChore() can be enhanced to support thrift thru
existing config keys.

w.r.t. HADOOP-9567, maybe reference this thread on the JIRA so that it gets
attention from the Hadoop community?

Cheers

On Mon, Jun 26, 2017 at 4:20 PM, Gary Helmling <[email protected]> wrote:

> A relogin from the keytab will happen in
> RpcClientImpl.Connection.handleSaslConnectionFailure().  So if the Thrift
> server fails to establish a connection to a regionserver to relay a client
> request, it should perform a relogin from the configured keytab.  This is a
> bit indirect though, and there may be a window where your credentials can
> expire if you are trying to use kerberos to authenticate Thrift clients and
> don't have any requests coming in.
>
> Using something like AuthUtil.getAuthChore() method would work, though the
> current implementation is hard-coded to use configurations for
> "hbase.client.(keytab.file|kerberos.principal)", so would need to be
> extended to allow plugging in the config keys for the thrift server.
>
> Alternately, I provided a patch to
> https://issues.apache.org/jira/browse/HADOOP-9567 to have
> UserGroupInformation launch a background renewal thread for keytab based
> logins, but that doesn't seem to be gaining any traction.
>
> On Sun, Jun 25, 2017 at 10:35 PM Jerry He <[email protected]> wrote:
>
> > Let's go to the JIRA ticket you opened.
> > Please describe the problem more over there.  For example, give the
> > exception or stack trace and where it comes from.
> >
> > Thanks,
> >
> > Jerry
> >
> > On Wed, Jun 21, 2017 at 12:15 AM, Steen Manniche <[email protected]> wrote:
> > > I understand that the ticket renewal logic might be called indirectly
> > > through some process/module that the thrift server is importing or
> > > using, but after a thorough spelunking around the code-base, I was not
> > > able to find any path to ticket renewal logic. Which is why I turned
> > > to the list :)
> > >
> > > On Wed, Jun 21, 2017 at 5:06 AM, Jerry He <[email protected]> wrote:
> > >> The right code can be hard to find and may not be even in the Thrift
> > >> module.
> > >>
> > >> Did you encounter any problem, e.g. the Thrift server giving out errors
> > >> due to expired Kerberos ticket?
> > >>
> > >> Thanks,
> > >>
> > >> Jerry
> > >>
> > >> On Tue, Jun 20, 2017 at 11:05 AM, Steen Manniche <[email protected]> wrote:
> > >>
> > >>> Hi Ted,
> > >>>
> > >>> thanks for the feedback. I created HBASE-18243
> > >>>
> > >>> Best regards,
> > >>> Steen
> > >>>
> > >>> On Tue, Jun 20, 2017 at 5:03 PM, Ted Yu <[email protected]> wrote:
> > >>> > I didn't find ticket renewal logic either.
> > >>> >
> > >>> > I think we can use a facility similar to AuthUtil#getAuthChore().
> > >>> >
> > >>> > Mind logging a JIRA?
> > >>> >
> > >>> > On Tue, Jun 20, 2017 at 4:17 AM, Steen Manniche <[email protected]> wrote:
> > >>> >
> > >>> >> Hi all,
> > >>> >>
> > >>> >> I have been looking through the hbase-thrift code looking for where
> > >>> >> the server performs renewals of kerberos tickets for the provided
> > >>> >> principal/keytab. I cannot seem to find any trace of this?
> > >>> >>
> > >>> >> As an example, the hadoop-common provides the class
> > >>> >> UserGroupInformation, which exposes the method
> > >>> >> checkTGTAndReloginFromKeytab. I can see that the ThriftServerRunner
> > >>> >> has a handle to the class
> > >>> >> (https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java#L205),
> > >>> >> but I do not see the ticket renewal logic being called anywhere. Am I
> > >>> >> missing something about how this works?
> > >>> >>
> > >>> >>
> > >>> >> Thanks for the time and best regards,
> > >>> >> Steen
> > >>> >>
> > >>>
> >
>
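
The periodic keytab relogin discussed in this thread, sketched as an added example (not part of any message above and not HBase's or Hadoop's own code). The class name KeytabReloginTask, the start() method and the period parameter are hypothetical; the config keys passed in would be "hbase.thrift.keytab.file" and "hbase.thrift.kerberos.principal" as quoted from ThriftServer.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper: keytab login plus a periodic TGT check with pluggable config keys. */
public final class KeytabReloginTask {
  private KeytabReloginTask() {}

  /**
   * Logs in from the keytab named by keytabKey/principalKey, then schedules a
   * relogin check every periodSeconds so the TGT is refreshed even when the
   * server is idle and no RPC failure triggers a relogin.
   */
  public static ScheduledExecutorService start(Configuration conf, String keytabKey,
      String principalKey, String host, long periodSeconds) throws IOException {
    UserGroupInformation.setConfiguration(conf);
    // Resolves _HOST in the principal and logs in from the keytab;
    // returns without doing anything when Hadoop security is disabled.
    SecurityUtil.login(conf, keytabKey, principalKey, host);

    ScheduledExecutorService ses = Executors.newSingleThreadScheduledExecutor(r -> {
      Thread t = new Thread(r, "keytab-relogin");
      t.setDaemon(true); // must not keep the JVM alive on shutdown
      return t;
    });
    ses.scheduleAtFixedRate(() -> {
      try {
        // Only contacts the KDC when the TGT is close to expiry,
        // so a short period is cheap.
        UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
      } catch (IOException | RuntimeException e) {
        // An exception escaping the task would cancel all future runs.
        System.err.println("Keytab relogin failed, will retry: " + e);
      }
    }, periodSeconds, periodSeconds, TimeUnit.SECONDS);
    return ses;
  }
}
```

A failed relogin is logged and retried on the next tick; alerting on that log line gives warning before the ticket actually expires.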
