Date: Mon, 10 Oct 2016 22:28:20 +0000 (UTC)
From: "Josh Elser (JIRA)"
To: notifications@accumulo.apache.org
Subject: [jira] [Commented] (ACCUMULO-4493) Shell should be able to use keytab login

    [ https://issues.apache.org/jira/browse/ACCUMULO-4493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15563735#comment-15563735 ]

Josh Elser commented on ACCUMULO-4493:
--------------------------------------

bq. Do you know if it's possible to renew outside the shell process to get things going again for a long-running shell?

It.. should be. I don't think I've ever tried to do this, but we should have access to the ticket cache (either in the default location or via the {{KRB5CCNAME}} environment variable), which should be all that we need. There is a call {{UserGroupInformation#reloginFromTicketCache()}}, but I'm not sure how (if at all) UGI would know about the ticket in the ticket cache (from the kinit). Might be some sort of disconnect since it's essentially found automatically by JAAS (instead of explicitly logged-in by the Accumulo shell).

bq. Users should be able to launch the shell in a kerberos deployment using a keytab.

So really, we're just adding another argument to the shell to let the user provide a keytab and then do a normal login+renewal? Makes sense.

> Shell should be able to use keytab login
> ----------------------------------------
>
>                 Key: ACCUMULO-4493
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4493
>             Project: Accumulo
>          Issue Type: New Feature
>          Components: shell
>            Reporter: Sean Busbey
>            Priority: Minor
>             Fix For: 2.0.0
>
>
> Users should be able to launch the shell in a kerberos deployment using a keytab.
> current workaround: use the system shell to kinit with the keytab, then launch the shell, then kdestroy
> Workaround doesn't allow re-login from keytab for long running shell.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
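
The "keytab argument, then normal login+renewal" flow discussed in the comment above, written against Hadoop's UserGroupInformation as an added example (not code from Accumulo or from this thread). The class and method names, the one-minute check interval and the keytab permission check are assumptions of this example; the principal and keytab path come from the command line.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.concurrent.*;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

// Hypothetical class: keytab login plus periodic re-login for a long-running client.
public class KeytabLoginExample {
  // Assumption of this example: reject keytabs that group or others can access,
  // since a keytab is a long-lived credential. Requires a POSIX file system.
  static void requireOwnerOnly(Path keytab) throws IOException {
    for (PosixFilePermission p : Files.getPosixFilePermissions(keytab)) {
      if (!p.name().startsWith("OWNER_")) {
        throw new IOException(keytab + " is accessible beyond its owner: " + p);
      }
    }
  }

  static UserGroupInformation loginAndKeepFresh(String principal, Path keytab) throws IOException {
    requireOwnerOnly(keytab);
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);
    // Explicit login: UGI records the principal and keytab, so it can log in again
    // later without relying on a ticket cache populated by an external kinit.
    UserGroupInformation.loginUserFromKeytab(principal, keytab.toString());
    UserGroupInformation ugi = UserGroupInformation.getLoginUser();

    ScheduledExecutorService renewer = Executors.newSingleThreadScheduledExecutor(r -> {
      Thread t = new Thread(r, "kerberos-relogin");
      t.setDaemon(true); // must not keep the JVM alive after the session ends
      return t;
    });
    renewer.scheduleAtFixedRate(() -> {
      try {
        ugi.checkTGTAndReloginFromKeytab(); // no-op until the TGT nears expiry
      } catch (IOException e) {
        System.err.println("Kerberos re-login failed: " + e.getMessage());
      }
    }, 1, 1, TimeUnit.MINUTES);
    return ugi;
  }

  public static void main(String[] args) throws IOException {
    UserGroupInformation ugi = loginAndKeepFresh(args[0], Paths.get(args[1]));
    System.out.println("Logged in as " + ugi.getUserName());
  }
}
```

Because the login is explicit, re-login does not depend on an external kinit having populated the ticket cache, which is the gap the issue describes in the kinit/kdestroy workaround.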