[ https://issues.apache.org/jira/browse/HBASE-18243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16066674#comment-16066674 ]

Josh Elser commented on HBASE-18243:
------------------------------------

bq. Starting the thrift server with a jaas configuration file which has 
instructions to not use a ticket cache (useTicketCache=false), but instead use a 
keytab (useKeyTab=true and values for keyTab and principal), seems to have 
solved the problem for us.

The JAAS configuration file is only used by the ZooKeeper client code. Most 
likely, because the Thrift server has an open ZK connection that is using the 
same credentials as your Thrift server, the re-login mechanism invoked by JAAS 
is keeping the credentials available for the Thrift server too.

In other words, while it makes sense that this change solves the 
problem, it's not the correct solution. We should have a thread inside of the 
Thrift server specifically devoted to doing ticket renewal.

> HBase Thrift server lacks logic for renewing kerberos tickets
> -------------------------------------------------------------
>
>                 Key: HBASE-18243
>                 URL: https://issues.apache.org/jira/browse/HBASE-18243
>             Project: HBase
>          Issue Type: Bug
>          Components: Thrift
>    Affects Versions: 2.0.0, 1.1.2
>            Reporter: Steen Manniche
>            Priority: Minor
>              Labels: security
>
> I have been looking through the hbase-thrift code looking for where
> the server performs renewals of kerberos tickets for the provided
> principal/keytab. There seems to be no logic in place for renewing tickets.
> The hadoop-common provides the class
> UserGroupInformation, which exposes the method
> {{checkTGTAndReloginFromKeytab}}. I can see that the {{ThriftServerRunner}} class
> has a handle to the class
> (https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java#L205),
> but I do not see the ticket renewal logic being called anywhere.
> A possible workaround is to renew the ticket outside the java process.
> The documentation on the {{checkTGTAndReloginFromKeytab}} states that if the 
> ticket is still valid, a call to the method is essentially a no-op.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
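As an added illustration of the dedicated renewal thread the comment above calls for (example code, not HBase's own and not part of the thread), this sketch logs in from the keytab once and then periodically calls the real Hadoop `UserGroupInformation.checkTGTAndReloginFromKeytab()` method mentioned in the issue; the class name `KerberosRenewalThread`, the thread name and the interval are hypothetical. Because the method is a no-op while the TGT is still valid, calling it on a short fixed schedule is safe, and the Thrift server no longer depends on the ZooKeeper client's JAAS re-login keeping its credentials alive.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical renewal thread for the Thrift server (added example, not HBase code). */
public final class KerberosRenewalThread {
  private static final Logger LOG = LoggerFactory.getLogger(KerberosRenewalThread.class);
  private final ScheduledExecutorService scheduler;

  public KerberosRenewalThread() {
    // Daemon thread: it must never keep the JVM alive after the server shuts down.
    this.scheduler = Executors.newSingleThreadScheduledExecutor(r -> {
      Thread t = new Thread(r, "thrift-kerberos-renewer");
      t.setDaemon(true);
      return t;
    });
  }

  /** Logs in from the keytab once, then re-checks the TGT every intervalSeconds. */
  public void start(Configuration conf, String principal, String keytab, long intervalSeconds)
      throws IOException {
    UserGroupInformation.setConfiguration(conf);
    if (!UserGroupInformation.isSecurityEnabled()) {
      LOG.info("Kerberos not enabled; renewal thread not started");
      return;
    }
    UserGroupInformation.loginUserFromKeytab(principal, keytab);
    scheduler.scheduleAtFixedRate(this::renewOnce, intervalSeconds, intervalSeconds,
        TimeUnit.SECONDS);
  }

  /** No-op while the TGT is valid; re-logins from the keytab when it is near expiry. */
  private void renewOnce() {
    try {
      UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
    } catch (IOException e) {
      // Catch rather than throw: an uncaught exception would cancel the scheduled
      // task for good, whereas a logged warning lets the next tick retry (and can
      // feed an alert on repeated failures, e.g. an unreadable or rotated keytab).
      LOG.warn("Kerberos re-login from keytab failed; will retry", e);
    }
  }

  public void stop() {
    scheduler.shutdownNow();
  }
}
```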
