Hi Cheney, If you are using a java client and using kinit way to login then i don't have much idea about handling long running clients. We run long running clients using UserGroupInformation to login to cluster. I dont know the very specifics but it think there is a kerberos setting where you can setup in such a way that Ticket auto-renews. We run this client ranging from 2-4 weeks without any problem of security. Hope this helps.
Thanks, Anil Gupta On Tue, Jul 1, 2014 at 7:12 PM, Cheney Sun <[email protected]> wrote: > Thanks Gary, Anil. > > Add this statement 'UserGroupInformation.setConfiguration(hbaseConf);' can > resolve the problem. > > I'm using the kinit way to login KDC. But I wonder if I switch to calling > UserGroupInformation.loginFromKeytab() in code, does it need to be > called periodically for a long running program, since the TGT obtained from > KDC will expire? > > Thanks, > Cheney > > > On Wed, Jul 2, 2014 at 1:20 AM, Gary Helmling <[email protected]> wrote: > > > Hi Cheney, > > > > Did you obtain kerberos credentials before running your program, either > by > > calling kinit before running the program, or by calling > > UserGroupInformation.loginFromKeytab() in your code? > > > > > > On Tue, Jul 1, 2014 at 8:44 AM, Cheney Sun <[email protected]> wrote: > > > > > Hello all, > > > > > > I have setup a security hbase/hdfs/zookeeper, which was confirmed and > > work > > > normally. > > > I wrote a Java program to get/put data to a table and package the > > > core-site.xml / hbase-site.xml (which are obtained from the secure > > cluster) > > > into the jar file, and it worked correctly. > > > > > > But when I removed the core-site.xml and hbase-site.xml from the jar, > and > > > instead, I use the Configuration API to set the relevant settings in > the > > > program as below, > > > Configuration hbaseConf = HBaseConfiguration.create(hadoopConf); > > > hbaseConf.set("hbase.zookeeper.quorum","slave-nodex"); > > > hbaseConf.set("hbase.zookeeper.property.clientPort", "2181"); > > > hbaseConf.set("hbase.rpc.engine", > > > "org.apache.hadoop.hbase.ipc.SecureRpcEngine"); > > > hbaseConf.set("hbase.security.authentication", "kerberos"); > > > hbaseConf.set("hbase.master.kerberos.principal", "hbase/_ > [email protected] > > > <[email protected]>"); > > > > hbaseConf.set("hbase.master.keytab.file","/etc/hbase/conf/hbase.keytab"); > > > hbaseConf.set("hbase.regionserver.kerberos.principal", "hbase/_ > > > [email protected] <[email protected]>"); > > > > > > > > > hbaseConf.set("hbase.regionserver.keytab.file","/etc/hbase/conf/hbase.keytab"); > > > hbaseConf.set("hadoop.security.authentication", "kerberos"); > > > hbaseConf.set("hadoop.security.authorization", "true"); > > > > > > It failed getting authenticated to access to the hbase with the error > > > message as: > > > org.apache.hadoop.ipc.RemoteException: Authentication is required > > > at org.apache.hadoop.hbase.ipc.HBaseClient.call(HBaseClient.java:1021) > > > ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na] > > > at > > > > > > > > > org.apache.hadoop.hbase.ipc.SecureRpcEngine$Invoker.invoke(SecureRpcEngine.java:164) > > > ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na] > > > at com.sun.proxy.$Proxy7.getProtocolVersion(Unknown Source) ~[na:na] > > > > > > It looks like the settings through API in code doesn't work. Is is a > > known > > > issue or am I wrong somewhere? > > > > > > Thanks, > > > Cheney > > > > > > -- Thanks & Regards, Anil Gupta
