Thanks Anil for your reply. When we use kinit way, we also use a crontab script to renew the ticket periodically in order to keep the local ticket cache valid. Maybe we can also consider using UserGroupInformation to login to cluster, just as you did, but we must make sure the ticket is auto-renewed, coz our long running client need work in 7 * 24.
On Wed, Jul 2, 2014 at 1:16 PM, anil gupta <[email protected]> wrote: > Hi Cheney, > > If you are using a java client and using kinit way to login then i don't > have much idea about handling long running clients. > We run long running clients using UserGroupInformation to login to cluster. > I dont know the very specifics but it think there is a kerberos setting > where you can setup in such a way that Ticket auto-renews. We run this > client ranging from 2-4 weeks without any problem of security. Hope this > helps. > > Thanks, > Anil Gupta > > > On Tue, Jul 1, 2014 at 7:12 PM, Cheney Sun <[email protected]> wrote: > > > Thanks Gary, Anil. > > > > Add this statement 'UserGroupInformation.setConfiguration(hbaseConf);' > can > > resolve the problem. > > > > I'm using the kinit way to login KDC. But I wonder if I switch to calling > > UserGroupInformation.loginFromKeytab() in code, does it need to be > > called periodically for a long running program, since the TGT obtained > from > > KDC will expire? > > > > Thanks, > > Cheney > > > > > > On Wed, Jul 2, 2014 at 1:20 AM, Gary Helmling <[email protected]> > wrote: > > > > > Hi Cheney, > > > > > > Did you obtain kerberos credentials before running your program, either > > by > > > calling kinit before running the program, or by calling > > > UserGroupInformation.loginFromKeytab() in your code? > > > > > > > > > On Tue, Jul 1, 2014 at 8:44 AM, Cheney Sun <[email protected]> > wrote: > > > > > > > Hello all, > > > > > > > > I have setup a security hbase/hdfs/zookeeper, which was confirmed and > > > work > > > > normally. > > > > I wrote a Java program to get/put data to a table and package the > > > > core-site.xml / hbase-site.xml (which are obtained from the secure > > > cluster) > > > > into the jar file, and it worked correctly. > > > > > > > > But when I removed the core-site.xml and hbase-site.xml from the jar, > > and > > > > instead, I use the Configuration API to set the relevant settings in > > the > > > > program as below, > > > > Configuration hbaseConf = HBaseConfiguration.create(hadoopConf); > > > > hbaseConf.set("hbase.zookeeper.quorum","slave-nodex"); > > > > hbaseConf.set("hbase.zookeeper.property.clientPort", "2181"); > > > > hbaseConf.set("hbase.rpc.engine", > > > > "org.apache.hadoop.hbase.ipc.SecureRpcEngine"); > > > > hbaseConf.set("hbase.security.authentication", "kerberos"); > > > > hbaseConf.set("hbase.master.kerberos.principal", "hbase/_ > > [email protected] > > > > <[email protected]>"); > > > > > > hbaseConf.set("hbase.master.keytab.file","/etc/hbase/conf/hbase.keytab"); > > > > hbaseConf.set("hbase.regionserver.kerberos.principal", "hbase/_ > > > > [email protected] <[email protected]>"); > > > > > > > > > > > > > > hbaseConf.set("hbase.regionserver.keytab.file","/etc/hbase/conf/hbase.keytab"); > > > > hbaseConf.set("hadoop.security.authentication", "kerberos"); > > > > hbaseConf.set("hadoop.security.authorization", "true"); > > > > > > > > It failed getting authenticated to access to the hbase with the error > > > > message as: > > > > org.apache.hadoop.ipc.RemoteException: Authentication is required > > > > at > org.apache.hadoop.hbase.ipc.HBaseClient.call(HBaseClient.java:1021) > > > > ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na] > > > > at > > > > > > > > > > > > > > org.apache.hadoop.hbase.ipc.SecureRpcEngine$Invoker.invoke(SecureRpcEngine.java:164) > > > > ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na] > > > > at com.sun.proxy.$Proxy7.getProtocolVersion(Unknown Source) ~[na:na] > > > > > > > > It looks like the settings through API in code doesn't work. Is is a > > > known > > > > issue or am I wrong somewhere? > > > > > > > > Thanks, > > > > Cheney > > > > > > > > > > > > > -- > Thanks & Regards, > Anil Gupta >
