[
https://issues.apache.org/jira/browse/PHOENIX-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15446582#comment-15446582
]
ASF GitHub Bot commented on PHOENIX-3216:
-----------------------------------------
Github user dbahir commented on the issue:
https://github.com/apache/phoenix/pull/203
Regarding the renewal, I understand from,
http://stackoverflow.com/questions/34616676/should-i-call-ugi-checktgtandreloginfromkeytab-before-every-action-on-hadoop,
that the RPC layer takes care of that.
I am trying to fix the scenario in which multiple threads call
loginUserFromKeytab concurrently and then the renewal process no longer works
as expected.
An example of that scenario is a storm topology that has multiple
HBase/Phoenix/HDFS bolts in the same JVM. When the topology starts it will
initialize all bolts which will execute a login from each one, when that
happens the renewal no longer works. If only one login happens the renewal
works properly.
In regarding to Phoenix, we came got into a similar situation with a
multi-threaded application that caused loginUserFromKeytab to be called
concurrently. The code change was made to protect that and works.
Your concern regarding security is correct.
I looked into PHOENIX-3189 which i was not aware of. The fix can be folded
into it however we would need to handle synchronization of the
loginUserFromKeytab if multple instances of the driver are created.
> Kerberos ticket is not renewed when using Kerberos authentication with
> Phoenix JDBC driver
> ------------------------------------------------------------------------------------------
>
> Key: PHOENIX-3216
> URL: https://issues.apache.org/jira/browse/PHOENIX-3216
> Project: Phoenix
> Issue Type: Bug
> Affects Versions: 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.5.2, 4.8.0
> Environment: Kerberized
> Reporter: Dan Bahir
> Assignee: Dan Bahir
> Fix For: 4.9.0, 4.8.1
>
>
> When using Phoenix jdbc driver in a Kerberized environment and logging in
> with a keytab is not automatically renewed.
> Expected:The ticket will be automatically renewed and the Phoenix driver will
> be able to write to the database.
> Actual: The ticket is not renewed and driver loses access to the database.
> 2016-08-15 00:00:59.738 WARN AbstractRpcClient
> [hconnection-0x4763c727-metaLookup-shared--pool1-t686] - Exception
> encountered
> while connecting to the server : javax.security.sasl.Sa
> slException: GSS initiate failed [Caused by GSSException: No valid
> credentials
> provided (Mechanism level: Failed to find any Kerberos tgt)]
> 2016-08-15 00:00:59.739 ERROR AbstractRpcClient
> [hconnection-0x4763c727-metaLookup-shared--pool1-t686] - SASL authentication
> failed. The most likely cause is missing or invalid crede
> ntials. Consider 'kinit'.
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException:
> No valid credentials provided (Mechanism level: Failed to find any Kerberos
> tgt)]
> at
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java
> :211)
> at
> org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClie
> nt.java:179)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClie
> ntImpl.java:611)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$600(RpcClientImpl.ja
> va:156)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:73
> 7)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:73
> 4)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.ja
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
