Keytab-based logins do not automatically spawn a renewal thread in
Hadoop's UserGroupInformation library, IIRC. HBase's RPC implementation
does try to automatically re-login, but if you are not actively making
RPCs, you may miss the window in which you are allowed to perform a renewal.
Commonly, you would launch your own thread to perform the renewal. This
is something we could probably make better inside Phoenix's client. You
could add something like the following to run periodically inside your
application (after instantiating the Phoenix Driver):
`UserGroupInformation.checkTGTAndReloginFromKeytab()`
Sergey Soldatov wrote:
Where do you see this error? Is it the client side? Ideally you don't
need to renew ticket since Phoenix Driver gets the required
information (principal name and keytab path) from jdbc connection
string and performs User.login itself.
Thanks,
Sergey
On Wed, Mar 16, 2016 at 11:02 AM, Sanooj Padmakumar<p.san...@gmail.com> wrote:
This is the error in the log when it fails
ERROR org.apache.hadoop.security.UserGroupInformation -
PriviledgedActionException as:<principal here> (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)]
On Wed, Mar 16, 2016 at 8:35 PM, Sanooj Padmakumar<p.san...@gmail.com>
wrote:
Hi Anil
Thanks for your reply.
We do not do anything explicitly in the code to do the ticket renwal ,
what we do is run a cron job for the user for which the ticket has to be
renewed. But with this approach we need a restart to get the thing going
after the ticket expiry
We use the following connection url for getting the phoenix connection
jdbc:phoenix:<zkhosts>:<zkport>:/hbase:<kerberos principal>:<path to
keytab>
This along with the entries in hbase-site.xml& core-site.xml are passed
to the connection object
Thanks
Sanooj Padmakumar
On Tue, Mar 15, 2016 at 12:04 AM, anil gupta<anilgupt...@gmail.com>
wrote:
Hi,
At my previous job, we had web-services fetching data from a secure hbase
cluster. We never needed to renew the lease by restarting webserver. Our app
used to renew the ticket. I think, Phoenix/HBase already handles renewing
ticket. Maybe you need to look into your kerberos environment settings. How
are you authenticating with Phoenix/HBase?
Sorry, I dont remember the exact kerberos setting that we had.
HTH,
Anil Gupta
On Mon, Mar 14, 2016 at 11:00 AM, Sanooj Padmakumar<p.san...@gmail.com>
wrote:
Hi
We have a rest style micro service application fetching data from hbase
using Phoenix. The cluster is kerberos secured and we run a cron to renew
the kerberos ticket on the machine where the micro service is deployed.
But it always needs a restart of micro service java process to get the
kerberos ticket working once after its expired.
Is there a way I can avoid this restart?
Any pointers will be very helpful. Thanks
PS : We have a Solr based micro service which works without a restart.
Regards
Sanooj
--
Thanks& Regards,
Anil Gupta
--
Thanks,
Sanooj Padmakumar
--
Thanks,
Sanooj Padmakumar
