Question
We are using the method UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, keytab) to authenticate a Java program to write to a remote HBase cluster. When the application first starts up we are all good and it's talking to HBase happily.
The krb5.conf ticket_lifetime is set to 24 hours, and what seems to happen after 24 hours is that the "TGT expires" and we start seeing exceptions like this:
Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
We don't have any relogin logic. I always thought logging in from keytab shouldn't require us to write any additional code to relogin since it's handled by the RpcClient. But here are a few weird things:
Looks like some mechanism to relogin is kicking in but not doing anything. I'm not sure what method it tries to use:
org.apache.hadoop.security.UserGroupInformation Not attempting to re-login since the last re-login was attempted less than 600 seconds before.
When initially authenticated via keytab, isFromKeytab() returns FALSE! I wonder if this is why it's not trying to use reloginFromKeytab() and tries to look at the cache?
Should we try to catch the exception and use checkTGTAndReloginFromKeytab() or do something like this?
if (UserGroupInformation.isLoginKeytabBased()) {
    UserGroupInformation.getLoginUser().reloginFromKeytab();
} else if (UserGroupInformation.isLoginTicketBased()) {
    UserGroupInformation.getLoginUser().reloginFromTicketCache();
}
Any help is appreciated!
Jason
Source: https://stackoverflow.com/questions/38213377/hbasekerberos-usergroupinformation-logging-in-from-keytab-expires
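
Added example, not part of the original question: one way to keep a keytab login usable past the ticket lifetime is a process-wide login with UserGroupInformation.loginUserFromKeytab (used here instead of the loginUserFromKeytabAndReturnUGI call in the question, so that the static login user is the keytab login) plus a scheduled call to checkTGTAndReloginFromKeytab(). The principal, keytab path and check interval are placeholder assumptions, and hadoop-common must be on the classpath.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabRelogin {
    // Placeholder values (assumptions, not taken from the question).
    static final String PRINCIPAL = "app/host.example.com@EXAMPLE.COM";
    static final String KEYTAB = "/etc/security/keytabs/app.keytab";
    static final long CHECK_INTERVAL_MINUTES = 10;

    static UserGroupInformation login(Configuration conf) throws IOException {
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // Process-wide login: this sets the static login user from the keytab.
        UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);
        return UserGroupInformation.getLoginUser();
    }

    static ScheduledExecutorService startRelogin(UserGroupInformation ugi) {
        ScheduledExecutorService ses = Executors.newSingleThreadScheduledExecutor();
        ses.scheduleAtFixedRate(() -> {
            try {
                // Re-logs in only when the TGT is expired or close to expiry.
                ugi.checkTGTAndReloginFromKeytab();
            } catch (Exception e) {
                // Swallow and report: an uncaught exception would cancel the schedule.
                System.err.println("Kerberos relogin failed: " + e);
            }
        }, CHECK_INTERVAL_MINUTES, CHECK_INTERVAL_MINUTES, TimeUnit.MINUTES);
        return ses;
    }

    public static void main(String[] args) throws Exception {
        UserGroupInformation ugi = login(new Configuration());
        ScheduledExecutorService relogin = startRelogin(ugi);
        // Cluster calls (for example the HBase writes) go inside doAs.
        ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
            System.out.println("user=" + UserGroupInformation.getCurrentUser()
                + " keytabBased=" + UserGroupInformation.isLoginKeytabBased());
            return null;
        });
        relogin.shutdown(); // at application exit
    }
}
```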