[ https://issues.apache.org/jira/browse/PHOENIX-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15446582#comment-15446582 ]
ASF GitHub Bot commented on PHOENIX-3216:
-----------------------------------------

Github user dbahir commented on the issue:

    https://github.com/apache/phoenix/pull/203

    Regarding the renewal, I understand from
    http://stackoverflow.com/questions/34616676/should-i-call-ugi-checktgtandreloginfromkeytab-before-every-action-on-hadoop
    that the RPC layer takes care of that.

    I am trying to fix the scenario in which multiple threads call
    loginUserFromKeytab concurrently and then the renewal process no longer
    works as expected.

    An example of that scenario is a Storm topology that has multiple
    HBase/Phoenix/HDFS bolts in the same JVM. When the topology starts it will
    initialize all bolts, which will execute a login from each one; when that
    happens the renewal no longer works. If only one login happens the renewal
    works properly.

    Regarding Phoenix, we got into a similar situation with a multi-threaded
    application that caused loginUserFromKeytab to be called concurrently. The
    code change was made to protect against that and works.

    Your concern regarding security is correct.

    I looked into PHOENIX-3189, which I was not aware of. The fix can be folded
    into it; however, we would need to handle synchronization of the
    loginUserFromKeytab if multiple instances of the driver are created.

> Kerberos ticket is not renewed when using Kerberos authentication with Phoenix JDBC driver
> ------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-3216
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3216
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.5.2, 4.8.0
>         Environment: Kerberized
>            Reporter: Dan Bahir
>            Assignee: Dan Bahir
>             Fix For: 4.9.0, 4.8.1
>
>
> When using Phoenix jdbc driver in a Kerberized environment and logging in
> with a keytab is not automatically renewed.
> Expected: The ticket will be automatically renewed and the Phoenix driver will
> be able to write to the database.
> Actual: The ticket is not renewed and driver loses access to the database.
> 2016-08-15 00:00:59.738 WARN AbstractRpcClient [hconnection-0x4763c727-metaLookup-shared--pool1-t686] - Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
> 2016-08-15 00:00:59.739 ERROR AbstractRpcClient [hconnection-0x4763c727-metaLookup-shared--pool1-t686] - SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
>     at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:179)
>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:611)
>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$600(RpcClientImpl.java:156)
>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:737)
>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:734)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.ja

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
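
The synchronization discussed in the comment above, as an added illustration that is not part of the original message and not the code from the pull request: a JVM-wide guard that performs the keytab login once, however many threads (for example Storm bolts) request it. The class `KeytabLoginGuard` and its method `ensureLogin` are hypothetical names; the `UserGroupInformation` calls are Hadoop's own. Rejecting a second, different principal is a choice made for this example.

```java
import java.io.IOException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Hypothetical helper (not Phoenix or Hadoop code): serializes keytab logins
 * so that only the first caller in the JVM runs loginUserFromKeytab.
 */
public final class KeytabLoginGuard {

    private static final Object LOCK = new Object();
    private static String loggedInPrincipal;   // guarded by LOCK
    private static String loggedInKeytab;      // guarded by LOCK

    private KeytabLoginGuard() {
    }

    /**
     * Call this from every thread or component instead of calling
     * UserGroupInformation.loginUserFromKeytab directly.
     */
    public static UserGroupInformation ensureLogin(Configuration conf,
                                                   String principal,
                                                   String keytabPath) throws IOException {
        synchronized (LOCK) {
            if (loggedInPrincipal == null) {
                // First caller: do the one and only login for this JVM.
                UserGroupInformation.setConfiguration(conf);
                UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
                loggedInPrincipal = principal;
                loggedInKeytab = keytabPath;
            } else if (!loggedInPrincipal.equals(principal)
                    || !loggedInKeytab.equals(keytabPath)) {
                // The login user is process-wide state. Replacing it, or
                // silently handing a caller some other identity, would change
                // who every thread in the JVM authenticates as.
                throw new IOException("JVM already logged in as " + loggedInPrincipal
                        + "; refusing keytab login for " + principal);
            }
            // Later callers with the same identity share the existing login.
            return UserGroupInformation.getLoginUser();
        }
    }
}
```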