hbase-user mailing list archives

From Cheney Sun <sun.che...@gmail.com>
Subject Re: problem access security hbase
Date Wed, 02 Jul 2014 06:08:38 GMT
Thanks Gary. The second way is more meaningful for us. We will try that.


On Wed, Jul 2, 2014 at 1:56 PM, Gary Helmling <ghelmling@gmail.com> wrote:

> Hi Cheney,
>
> If you are obtaining kerberos credentials outside of your program (i.e.
> kinit), then you can use k5start, which will run your program after
> performing a kinit and has a variety of options to relogin periodically.
>
> If you use UGI.loginFromKeytab(), then if you get an authentication failure
> performing a remote connection, the HBase client will automatically try to
> relogin from the keytab file.  So your program should not need to do anything
> to explicitly refresh the kerberos tgt.
>
>
> On Tue, Jul 1, 2014 at 10:16 PM, anil gupta <anilgupta84@gmail.com> wrote:
>
> > Hi Cheney,
> >
> > If you are using a java client and using the kinit way to login then I
> > don't have much idea about handling long running clients.
> > We run long running clients using UserGroupInformation to login to the
> > cluster.
> > I don't know the very specifics but I think there is a kerberos setting
> > which you can set up in such a way that the Ticket auto-renews. We run this
> > client ranging from 2-4 weeks without any problem of security. Hope this
> > helps.
> >
> > Thanks,
> > Anil Gupta
> >
> >
> > On Tue, Jul 1, 2014 at 7:12 PM, Cheney Sun <sun.cheney@gmail.com> wrote:
> >
> > > Thanks Gary, Anil.
> > >
> > > Adding this statement 'UserGroupInformation.setConfiguration(hbaseConf);'
> > > can resolve the problem.
> > >
> > > I'm using the kinit way to login to the KDC. But I wonder, if I switch to
> > > calling UserGroupInformation.loginFromKeytab() in code, does it need to be
> > > called periodically for a long running program, since the TGT obtained
> > > from the KDC will expire?
> > >
> > > Thanks,
> > > Cheney
> > >
> > >
> > > On Wed, Jul 2, 2014 at 1:20 AM, Gary Helmling <ghelmling@gmail.com> wrote:
> > >
> > > > Hi Cheney,
> > > >
> > > > Did you obtain kerberos credentials before running your program,
> > > > either by calling kinit before running the program, or by calling
> > > > UserGroupInformation.loginFromKeytab() in your code?
> > > >
> > > >
> > > > On Tue, Jul 1, 2014 at 8:44 AM, Cheney Sun <sun.cheney@gmail.com> wrote:
> > > >
> > > > > Hello all,
> > > > >
> > > > > > I have set up a secure hbase/hdfs/zookeeper, which was confirmed
> > > > > > to work normally.
> > > > > > I wrote a Java program to get/put data to a table and packaged the
> > > > > > core-site.xml / hbase-site.xml (which are obtained from the secure
> > > > > > cluster) into the jar file, and it worked correctly.
> > > > > >
> > > > > > But when I removed the core-site.xml and hbase-site.xml from the
> > > > > > jar and instead used the Configuration API to set the relevant
> > > > > > settings in the program as below,
> > > > > > Configuration hbaseConf = HBaseConfiguration.create(hadoopConf);
> > > > > > hbaseConf.set("hbase.zookeeper.quorum","slave-nodex");
> > > > > > hbaseConf.set("hbase.zookeeper.property.clientPort", "2181");
> > > > > > hbaseConf.set("hbase.rpc.engine", "org.apache.hadoop.hbase.ipc.SecureRpcEngine");
> > > > > > hbaseConf.set("hbase.security.authentication", "kerberos");
> > > > > > hbaseConf.set("hbase.master.kerberos.principal", "hbase/_HOST@HADOOP.COM");
> > > > > > hbaseConf.set("hbase.master.keytab.file","/etc/hbase/conf/hbase.keytab");
> > > > > > hbaseConf.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@HADOOP.COM");
> > > > > > hbaseConf.set("hbase.regionserver.keytab.file","/etc/hbase/conf/hbase.keytab");
> > > > > > hbaseConf.set("hadoop.security.authentication", "kerberos");
> > > > > > hbaseConf.set("hadoop.security.authorization", "true");
> > > > >
> > > > > > It failed to get authenticated to access hbase, with the error
> > > > > > message:
> > > > > > org.apache.hadoop.ipc.RemoteException: Authentication is required
> > > > > > at org.apache.hadoop.hbase.ipc.HBaseClient.call(HBaseClient.java:1021) ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na]
> > > > > > at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Invoker.invoke(SecureRpcEngine.java:164) ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na]
> > > > > > at com.sun.proxy.$Proxy7.getProtocolVersion(Unknown Source) ~[na:na]
> > > > > >
> > > > > > It looks like the settings through the API in code don't work. Is it
> > > > > > a known issue or am I wrong somewhere?
> > > > >
> > > > > Thanks,
> > > > > Cheney
> > > > >
> > > >
> > >
> >
> >
> >
> > --
> > Thanks & Regards,
> > Anil Gupta
> >
>
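
The sequence this thread converges on, as an added example that is not part of any message above: build the configuration in code, pass it to `UserGroupInformation.setConfiguration()` so the Hadoop security layer sees `kerberos` instead of its default `simple` mode when no core-site.xml is on the classpath, then log in from a keytab. The client principal, keytab path, table name and row key are hypothetical placeholders; the Hadoop method is named `loginUserFromKeytab`, and `HTable` is assumed as the client API of the HBase generation that shipped `SecureRpcEngine`.

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

public class SecureHBaseClient {
    // Hypothetical placeholders, not values from the thread.
    static final String CLIENT_PRINCIPAL = "appuser@HADOOP.COM";
    static final String CLIENT_KEYTAB = "/path/to/appuser.keytab";
    static final String TABLE = "example_table";

    // Settings taken from the original post; the server-side keytab file
    // entries are left out on the assumption that the client authenticates
    // with its own keytab.
    static Configuration buildConf() {
        Configuration conf = HBaseConfiguration.create();
        conf.set("hbase.zookeeper.quorum", "slave-nodex");
        conf.set("hbase.zookeeper.property.clientPort", "2181");
        conf.set("hbase.rpc.engine", "org.apache.hadoop.hbase.ipc.SecureRpcEngine");
        conf.set("hbase.security.authentication", "kerberos");
        conf.set("hbase.master.kerberos.principal", "hbase/_HOST@HADOOP.COM");
        conf.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@HADOOP.COM");
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hadoop.security.authorization", "true");
        return conf;
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = buildConf();
        // Must run before any login or RPC: UGI otherwise initialises itself
        // from a default Configuration and stays in "simple" mode.
        UserGroupInformation.setConfiguration(conf);
        if (!UserGroupInformation.isSecurityEnabled()) {
            throw new IllegalStateException("Kerberos not enabled in UGI; check configuration");
        }
        // Keytab login lets the process obtain a fresh TGT without kinit.
        UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, CLIENT_KEYTAB);
        System.out.println("Logged in as " + UserGroupInformation.getLoginUser().getUserName());

        HTable table = new HTable(conf, TABLE);
        try {
            boolean found = table.exists(new Get(Bytes.toBytes("row1")));
            System.out.println("row1 exists: " + found);
        } finally {
            table.close();
        }
    }
}
```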
