hbase-user mailing list archives

From Gary Helmling <ghelml...@gmail.com>
Subject Re: Thrift server kerberos ticket refresh
Date Mon, 26 Jun 2017 23:20:13 GMT
A relogin from the keytab will happen in
RpcClientImpl.Connection.handleSaslConnectionFailure().  So if the Thrift
server fails to establish a connection to a regionserver to relay a client
request, it should perform a relogin from the configured keytab.  This is a
bit indirect though, and there may be a window where your credentials can
expire if you are trying to use kerberos to authenticate Thrift clients and
don't have any requests coming in.

Using something like the AuthUtil.getAuthChore() method would work, though the
current implementation is hard-coded to use configurations for
"hbase.client.(keytab.file|kerberos.principal)", so it would need to be
extended to allow plugging in the config keys for the thrift server.

Alternately, I provided a patch to
https://issues.apache.org/jira/browse/HADOOP-9567 to have
UserGroupInformation launch a background renewal thread for keytab based
logins, but that doesn't seem to be gaining any traction.

On Sun, Jun 25, 2017 at 10:35 PM Jerry He <jerryjch@gmail.com> wrote:

> Let's go to the JIRA ticket you opened.
> Please describe the problem more over there.  For example, give the
> exception or stack trace and where it comes from.
>
> Thanks,
>
> Jerry
>
> On Wed, Jun 21, 2017 at 12:15 AM, Steen Manniche <boxunbox@gmail.com>
> wrote:
> > I understand that the ticket renewal logic might be called indirectly
> > through some process/module that the thrift server is importing or
> > using, but after a thorough spelunking around the code-base, I was not
> > able to find any path to ticket renewal logic. Which is why I turned
> > to the list :)
> >
> > On Wed, Jun 21, 2017 at 5:06 AM, Jerry He <jerryjch@gmail.com> wrote:
> >> The right code can be hard to find and may not be even in the Thrift
> >> module.
> >>
> >> Did you encounter any problem, e.g. the Thrift server giving out errors
> >> due to expired Kerberos ticket?
> >>
> >> Thanks,
> >>
> >> Jerry
> >>
> >> On Tue, Jun 20, 2017 at 11:05 AM, Steen Manniche <boxunbox@gmail.com> wrote:
> >>
> >>> Hi Ted,
> >>>
> >>> thanks for the feedback. I created HBASE-18243
> >>>
> >>> Best regards,
> >>> Steen
> >>>
> >>> On Tue, Jun 20, 2017 at 5:03 PM, Ted Yu <yuzhihong@gmail.com> wrote:
> >>> > I didn't find ticket renewal logic either.
> >>> >
> >>> > I think we can use facility similar to AuthUtil#getAuthChore().
> >>> >
> >>> > Mind logging a JIRA?
> >>> >
> >>> > On Tue, Jun 20, 2017 at 4:17 AM, Steen Manniche <boxunbox@gmail.com> wrote:
> >>> >
> >>> >> Hi all,
> >>> >>
> >>> >> I have been looking through the hbase-thrift code looking for where
> >>> >> the server performs renewals of kerberos tickets for the provided
> >>> >> principal/keytab. I cannot seem to find any trace of this?
> >>> >>
> >>> >> As an example, the hadoop-common provides the class
> >>> >> UserGroupInformation, which exposes the method
> >>> >> checkTGTAndReloginFromKeytab. I can see that the ThriftServerRunner
> >>> >> has a handle to the class
> >>> >> (https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java#L205),
> >>> >> but I do not see the ticket renewal logic being called anywhere. Am I
> >>> >> missing something about how this works?
> >>> >>
> >>> >>
> >>> >> Thanks for the time and best regards,
> >>> >> Steen
> >>> >>
> >>>
>
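
The periodic keytab relogin discussed in this thread, as an added example that is not part of the original messages and is not HBase or Hadoop project code. The class name KeytabReloginTask and its parameters are hypothetical; the config key names are passed in by the caller, and only UserGroupInformation and Configuration calls from hadoop-common are used.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper: periodic keytab relogin with caller-supplied config keys. */
public final class KeytabReloginTask {
  private final ScheduledExecutorService scheduler =
      Executors.newSingleThreadScheduledExecutor(r -> {
        Thread t = new Thread(r, "keytab-relogin");
        t.setDaemon(true); // do not block JVM shutdown
        return t;
      });

  /**
   * Logs in from the keytab named by the given config keys, then re-checks the
   * TGT every periodSeconds, independent of incoming client requests.
   * A principal containing _HOST is not expanded here (assumed fully qualified).
   */
  public void start(Configuration conf, String keytabKey, String principalKey,
                    long periodSeconds) throws IOException {
    String keytab = conf.get(keytabKey);
    String principal = conf.get(principalKey);
    if (keytab == null || principal == null) {
      throw new IOException("Missing " + keytabKey + " or " + principalKey);
    }
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab(principal, keytab);
    final UserGroupInformation ugi = UserGroupInformation.getLoginUser();

    scheduler.scheduleWithFixedDelay(() -> {
      try {
        // Returns without action while the TGT is still fresh; otherwise
        // re-authenticates from the keytab.
        ugi.checkTGTAndReloginFromKeytab();
      } catch (Exception e) {
        // Swallow and log: an uncaught exception would cancel all future runs.
        System.err.println("Keytab relogin failed, will retry: " + e);
      }
    }, periodSeconds, periodSeconds, TimeUnit.SECONDS);
  }

  public void stop() {
    scheduler.shutdownNow();
  }
}
```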
