HBase+Kerberos: UserGroupInformation logging in from keytab expires?

Submitted by 谁说胖子不能爱 on 2020-01-07 00:58:15

Question


We are using the method UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, keytab) to authenticate a Java program to write to a remote HBase cluster. When the application first starts up we are all good and it's talking to HBase happily.

The krb5.conf ticket_lifetime is set to 24 hours, and what seems to happen after 24 hours is that the "TGT expires" and we start seeing exceptions like this:

    Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

We don't have any relogin logic. I always thought logging in from keytab shouldn't require us to write any additional code to relogin since it's handled by the RpcClient. But here are a few weird things:

  1. Looks like some mechanism to relogin is kicking in but not doing anything, I'm not sure what method it tries to use:

        org.apache.hadoop.security.UserGroupInformation Not attempting to re-login since the last re-login was attempted less than 600 seconds before.

  2. When initially authenticated via keytab, isFromKeytab() returns FALSE! I wonder if this is why it's not trying to use reloginFromKeytab() and tries to look at the cache?

Should we try to catch the exception and use checkTGTAndReloginFromKeytab() or do something like this?

    if (UserGroupInformation.isLoginKeytabBased()) {
        UserGroupInformation.getLoginUser().reloginFromKeytab();
    } else if (UserGroupInformation.isLoginTicketBased()) {
        UserGroupInformation.getLoginUser().reloginFromTicketCache();
    }

Any help is appreciated!

Jason

Source: https://stackoverflow.com/questions/38213377/hbasekerberos-usergroupinformation-logging-in-from-keytab-expires
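
An added example, not part of the original post and not Hadoop's or HBase's own code, of one way to keep a keytab login fresh: call checkTGTAndReloginFromKeytab() on the UGI instance returned by loginUserFromKeytabAndReturnUGI and run the HBase work inside that instance's doAs. The principal, keytab path, table and column names, and the 10-minute check interval are assumed placeholders.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.*;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabReloginExample {
    // Placeholders (assumptions, not values from the post).
    static final String PRINCIPAL = "app/host.example.com@EXAMPLE.COM";
    static final String KEYTAB = "/etc/security/keytabs/app.keytab";

    public static void main(String[] args) throws Exception {
        Configuration conf = HBaseConfiguration.create(); // reads hbase-site.xml from the classpath
        UserGroupInformation.setConfiguration(conf);
        // Returns a separate UGI; it does not replace the process-wide login user.
        UserGroupInformation ugi =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(PRINCIPAL, KEYTAB);

        // Re-check the TGT every 10 minutes (assumed interval); no-op while the ticket is fresh.
        ScheduledExecutorService renewer = Executors.newSingleThreadScheduledExecutor();
        renewer.scheduleAtFixedRate(() -> {
            try {
                ugi.checkTGTAndReloginFromKeytab();
            } catch (IOException e) {
                System.err.println("Keytab re-login failed: " + e);
            }
        }, 10, 10, TimeUnit.MINUTES);

        try {
            // Every HBase call runs with the credentials held by this UGI.
            ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
                try (Connection conn = ConnectionFactory.createConnection(conf);
                     Table table = conn.getTable(TableName.valueOf("example_table"))) {
                    Put put = new Put(Bytes.toBytes("row1"));
                    put.addColumn(Bytes.toBytes("cf"), Bytes.toBytes("q"), Bytes.toBytes("v"));
                    table.put(put);
                }
                return null;
            });
        } finally {
            renewer.shutdownNow();
        }
    }
}
```

Running it requires hadoop-common and hbase-client on the classpath plus a reachable KDC and HBase cluster. Alert on the "Keytab re-login failed" message so an unreadable or rotated keytab is noticed before the ticket lifetime runs out.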
