[ https://issues.apache.org/jira/browse/HBASE-17827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15939473#comment-15939473 ]
Jerry He commented on HBASE-17827: ---------------------------------- I think either of your approaches looks fine. Are you still going to use the same chore mechanism to re-login, from cache, even the cache has limited lifetime? > Client tools relying on AuthUtil.getAuthChore() break credential cache login > ---------------------------------------------------------------------------- > > Key: HBASE-17827 > URL: https://issues.apache.org/jira/browse/HBASE-17827 > Project: HBase > Issue Type: Bug > Components: canary, security > Reporter: Gary Helmling > Assignee: Gary Helmling > Priority: Critical > > Client tools, such as Canary, which make use of keytab based logins with > AuthUtil.getAuthChore() do not allow any way to continue without a > keytab-based login when security is enabled. Currently, when security is > enabled and the configuration lacks {{hbase.client.keytab.file}}, these tools > would fail with: > {noformat} > ERROR hbase.AuthUtil: Error while trying to perform the initial login: > Running in secure mode, but config doesn't have a keytab > java.io.IOException: Running in secure mode, but config doesn't have a keytab > at > org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:239) > at > org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:420) > at org.apache.hadoop.hbase.security.User.login(User.java:258) > at > org.apache.hadoop.hbase.security.UserProvider.login(UserProvider.java:197) > at org.apache.hadoop.hbase.AuthUtil.getAuthChore(AuthUtil.java:98) > at org.apache.hadoop.hbase.tool.Canary.run(Canary.java:589) > at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70) > at org.apache.hadoop.hbase.tool.Canary.main(Canary.java:1327) > Exception in thread "main" java.io.IOException: Running in secure mode, but > config doesn't have a keytab > at > org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:239) > at > org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:420) > at org.apache.hadoop.hbase.security.User.login(User.java:258) > at > org.apache.hadoop.hbase.security.UserProvider.login(UserProvider.java:197) > at org.apache.hadoop.hbase.AuthUtil.getAuthChore(AuthUtil.java:98) > at org.apache.hadoop.hbase.tool.Canary.run(Canary.java:589) > at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70) > at org.apache.hadoop.hbase.tool.Canary.main(Canary.java:1327) > {noformat} > These tools should still work with the default credential-cache login, at > least when a client keytab is not configured. -- This message was sent by Atlassian JIRA (v6.3.15#6346)