Thanks Gary. The second way is more meaningful for us. We will try that.
On Wed, Jul 2, 2014 at 1:56 PM, Gary Helmling <[email protected]> wrote: > Hi Cheney, > > If you are obtaining kerberos credentials outside of your program (ie. > kinit), then you can use k5start, which will run your program after > performing a kinit and has a variety of options to relogin periodically. > > If you use UGI.loginFromKeytab(), then if you get an authentication failure > performing a remote connection, the HBase client will automatically try to > relogin from the keytab file. So your program should not need to do any to > explicitly refresh the kerberos tgt. > > > On Tue, Jul 1, 2014 at 10:16 PM, anil gupta <[email protected]> wrote: > > > Hi Cheney, > > > > If you are using a java client and using kinit way to login then i don't > > have much idea about handling long running clients. > > We run long running clients using UserGroupInformation to login to > cluster. > > I dont know the very specifics but it think there is a kerberos setting > > where you can setup in such a way that Ticket auto-renews. We run this > > client ranging from 2-4 weeks without any problem of security. Hope this > > helps. > > > > Thanks, > > Anil Gupta > > > > > > On Tue, Jul 1, 2014 at 7:12 PM, Cheney Sun <[email protected]> wrote: > > > > > Thanks Gary, Anil. > > > > > > Add this statement 'UserGroupInformation.setConfiguration(hbaseConf);' > > can > > > resolve the problem. > > > > > > I'm using the kinit way to login KDC. But I wonder if I switch to > calling > > > UserGroupInformation.loginFromKeytab() in code, does it need to be > > > called periodically for a long running program, since the TGT obtained > > from > > > KDC will expire? > > > > > > Thanks, > > > Cheney > > > > > > > > > On Wed, Jul 2, 2014 at 1:20 AM, Gary Helmling <[email protected]> > > wrote: > > > > > > > Hi Cheney, > > > > > > > > Did you obtain kerberos credentials before running your program, > either > > > by > > > > calling kinit before running the program, or by calling > > > > UserGroupInformation.loginFromKeytab() in your code? > > > > > > > > > > > > On Tue, Jul 1, 2014 at 8:44 AM, Cheney Sun <[email protected]> > > wrote: > > > > > > > > > Hello all, > > > > > > > > > > I have setup a security hbase/hdfs/zookeeper, which was confirmed > and > > > > work > > > > > normally. > > > > > I wrote a Java program to get/put data to a table and package the > > > > > core-site.xml / hbase-site.xml (which are obtained from the secure > > > > cluster) > > > > > into the jar file, and it worked correctly. > > > > > > > > > > But when I removed the core-site.xml and hbase-site.xml from the > jar, > > > and > > > > > instead, I use the Configuration API to set the relevant settings > in > > > the > > > > > program as below, > > > > > Configuration hbaseConf = HBaseConfiguration.create(hadoopConf); > > > > > hbaseConf.set("hbase.zookeeper.quorum","slave-nodex"); > > > > > hbaseConf.set("hbase.zookeeper.property.clientPort", "2181"); > > > > > hbaseConf.set("hbase.rpc.engine", > > > > > "org.apache.hadoop.hbase.ipc.SecureRpcEngine"); > > > > > hbaseConf.set("hbase.security.authentication", "kerberos"); > > > > > hbaseConf.set("hbase.master.kerberos.principal", "hbase/_ > > > [email protected] > > > > > <[email protected]>"); > > > > > > > > > hbaseConf.set("hbase.master.keytab.file","/etc/hbase/conf/hbase.keytab"); > > > > > hbaseConf.set("hbase.regionserver.kerberos.principal", "hbase/_ > > > > > [email protected] <[email protected]>"); > > > > > > > > > > > > > > > > > > > > hbaseConf.set("hbase.regionserver.keytab.file","/etc/hbase/conf/hbase.keytab"); > > > > > hbaseConf.set("hadoop.security.authentication", "kerberos"); > > > > > hbaseConf.set("hadoop.security.authorization", "true"); > > > > > > > > > > It failed getting authenticated to access to the hbase with the > error > > > > > message as: > > > > > org.apache.hadoop.ipc.RemoteException: Authentication is required > > > > > at > > org.apache.hadoop.hbase.ipc.HBaseClient.call(HBaseClient.java:1021) > > > > > ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.hadoop.hbase.ipc.SecureRpcEngine$Invoker.invoke(SecureRpcEngine.java:164) > > > > > ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na] > > > > > at com.sun.proxy.$Proxy7.getProtocolVersion(Unknown Source) > ~[na:na] > > > > > > > > > > It looks like the settings through API in code doesn't work. Is is > a > > > > known > > > > > issue or am I wrong somewhere? > > > > > > > > > > Thanks, > > > > > Cheney > > > > > > > > > > > > > > > > > > > > -- > > Thanks & Regards, > > Anil Gupta > > >
