Also, setting -Dsun.security.krb5.debug=true when you launch your Java
application will give you lots of very helpful information about what is
happening "under the hood".
Sanooj Padmakumar wrote:
Thanks Josh and everyone else .. Shall try this suggestion
On 22 Mar 2016 09:36, "Josh Elser" <josh.el...@gmail.com
<mailto:josh.el...@gmail.com>> wrote:
Keytab-based logins do not automatically spawn a renewal thread in
Hadoop's UserGroupInformation library, IIRC. HBase's RPC
implementation does try to automatically re-login, but if you are
not actively making RPCs, you may miss the window in which you are
allowed to perform a renewal.
Commonly, you would launch your own thread to perform the renewal.
This is something we could probably make better inside Phoenix's
client. You could add something like the following to run
periodically inside your application (after instantiating the
Phoenix Driver):
`UserGroupInformation.checkTGTAndReloginFromKeytab()`
Sergey Soldatov wrote:
Where do you see this error? Is it the client side? Ideally you
don't
need to renew ticket since Phoenix Driver gets the required
information (principal name and keytab path) from jdbc connection
string and performs User.login itself.
Thanks,
Sergey
On Wed, Mar 16, 2016 at 11:02 AM, Sanooj
Padmakumar<p.san...@gmail.com <mailto:p.san...@gmail.com>> wrote:
This is the error in the log when it fails
ERROR org.apache.hadoop.security.UserGroupInformation -
PriviledgedActionException as:<principal here> (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed
[Caused by
GSSException: No valid credentials provided (Mechanism
level: Failed to find
any Kerberos tgt)]
On Wed, Mar 16, 2016 at 8:35 PM, Sanooj
Padmakumar<p.san...@gmail.com <mailto:p.san...@gmail.com>>
wrote:
Hi Anil
Thanks for your reply.
We do not do anything explicitly in the code to do the
ticket renwal ,
what we do is run a cron job for the user for which the
ticket has to be
renewed. But with this approach we need a restart to
get the thing going
after the ticket expiry
We use the following connection url for getting the
phoenix connection
jdbc:phoenix:<zkhosts>:<zkport>:/hbase:<kerberos
principal>:<path to
keytab>
This along with the entries in hbase-site.xml&
core-site.xml are passed
to the connection object
Thanks
Sanooj Padmakumar
On Tue, Mar 15, 2016 at 12:04 AM, anil
gupta<anilgupt...@gmail.com <mailto:anilgupt...@gmail.com>>
wrote:
Hi,
At my previous job, we had web-services fetching
data from a secure hbase
cluster. We never needed to renew the lease by
restarting webserver. Our app
used to renew the ticket. I think, Phoenix/HBase
already handles renewing
ticket. Maybe you need to look into your kerberos
environment settings. How
are you authenticating with Phoenix/HBase?
Sorry, I dont remember the exact kerberos setting
that we had.
HTH,
Anil Gupta
On Mon, Mar 14, 2016 at 11:00 AM, Sanooj
Padmakumar<p.san...@gmail.com
<mailto:p.san...@gmail.com>>
wrote:
Hi
We have a rest style micro service application
fetching data from hbase
using Phoenix. The cluster is kerberos secured
and we run a cron to renew
the kerberos ticket on the machine where the
micro service is deployed.
But it always needs a restart of micro service
java process to get the
kerberos ticket working once after its expired.
Is there a way I can avoid this restart?
Any pointers will be very helpful. Thanks
PS : We have a Solr based micro service which
works without a restart.
Regards
Sanooj
--
Thanks& Regards,
Anil Gupta
--
Thanks,
Sanooj Padmakumar
--
Thanks,
Sanooj Padmakumar