hbase-dev mailing list archives

From Eric Yang <ey...@hortonworks.com>
Subject Re: Secure Hadoop and non-secure HBase
Date Mon, 12 Sep 2011 01:00:53 GMT
Hi Gary,

This is exactly what I missed.  Without those settings in my hbase-site.xml, I saw these messages
in the region server log file:

2011-09-09 17:28:14,172 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hbase@TEST.EXAMPLE.COM
2011-09-09 17:28:14,172 WARN org.apache.hadoop.hdfs.DFSClient: Problem renewing lease for
java.io.IOException: Call to hrt8n37.cc1.ygridcore.net/ failed on local
exception: java.io.IOException: Couldn't setup connection forhbase@TEST.EXAMPLE.COM to nn/hrt8n37.cc1.ygridcore.net@TEST.EXAMPLE.COM
       at org.apache.hadoop.ipc.Client.wrapException(Client.java:1104)
       at org.apache.hadoop.ipc.Client.call(Client.java:1072)
       at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:225)
       at $Proxy9.renewLease(Unknown Source)
       at sun.reflect.GeneratedMethodAccessor11.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:82)
       at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:59)
       at $Proxy9.renewLease(Unknown Source)
       at org.apache.hadoop.hdfs.DFSClient$LeaseChecker.renew(DFSClient.java:1176)
       at org.apache.hadoop.hdfs.DFSClient$LeaseChecker.run(DFSClient.java:1188)
       at java.lang.Thread.run(Thread.java:619)

The region server can respond to queries, but data is not committed to HDFS.  I manually ran kinit
on the command line, and the log shows:

2011-09-09 17:28:50,466 INFO org.apache.hadoop.security.UserGroupInformation: Initiating logout
2011-09-09 17:28:50,466 INFO org.apache.hadoop.security.UserGroupInformation: Initiating re-login

I will put the keytab and kerberos.principal in the configuration file to verify token renewal
in HBase.  Thank you.


On Sep 11, 2011, at 3:57 PM, Gary Helmling wrote:

> Hi Eric,
> If you configure
> hbase.master.keytab.file
> hbase.master.kerberos.principal
> hbase.regionserver.keytab.file
> hbase.regionserver.kerberos.principal
> in your hbase-site.xml, then the master and region server processes should
> login from the keytab files on startup, as Todd mentions.  It's also my
> understanding that they don't need a renewal thread in that case.  The RPC
> client just tries a relogin from the keytab in the case of a connection
> error.
> Can you describe a bit more what you're seeing so that we can understand the
> context?
> Gary
> On Sun, Sep 11, 2011 at 3:13 PM, Todd Lipcon <todd@cloudera.com> wrote:
>> Hi Eric,
>> Could you please explain more fully what you mean by this? The daemons
>> generally run using keytabs, not user credentials, and thus shouldn't
>> need the explicit TGT Renewer, right?
>> -Todd
>> On Sun, Sep 11, 2011 at 11:04 AM, Eric Yang <eric818@gmail.com> wrote:
>>> Hi all,
>>> Hortonworks has a patch for secure append for Apache Hadoop 0.20.205 to
>>> work with HBase 0.90.x.  However, secure Hadoop and HBase would work until
>>> the Kerberos token expires.  There is currently no code that renews the Kerberos
>>> token in HBase.  Hence, it is possible to add a cron job to periodically
>>> renew the HBase user token to keep the system running.  What does the
>>> community think about having a setup script for a cron job as part of the
>>> upcoming HBase minor release, and fixing the token renewal in HBase code for the next
>>> major version?  On the other hand, would the community accept the token
>>> renewal code in HBase as part of the upcoming 0.90.5 release?  If yes, what
>>> is the time line for 0.90.5?
>>> regards,
>>> Eric
>> --
>> Todd Lipcon
>> Software Engineer, Cloudera
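
Added example, not part of the original thread or of HBase: a Python pre-start check that the four hbase-site.xml properties Gary lists are set, that each principal names a realm, and that each keytab exists and is readable by its owner only. The realm and permission rules, the function names, and the sample file with its placeholder keytab path are assumptions.

```python
import os
import stat
import xml.etree.ElementTree as ET

# The four properties named in the thread.
REQUIRED = (
    "hbase.master.keytab.file",
    "hbase.master.kerberos.principal",
    "hbase.regionserver.keytab.file",
    "hbase.regionserver.kerberos.principal",
)

# Constructed sample: region server entries missing, placeholder keytab path.
SAMPLE = """<configuration>
  <property><name>hbase.master.keytab.file</name>
    <value>/path/to/hbase.keytab</value></property>
  <property><name>hbase.master.kerberos.principal</name>
    <value>hbase@TEST.EXAMPLE.COM</value></property>
</configuration>"""

def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_hbase_site(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    props, findings = load_properties(xml_text), []
    for name in REQUIRED:
        value = props.get(name, "")
        if not value:
            findings.append(f"{name}: not set")
        elif name.endswith(".principal"):
            # Assumption: the principal should name its realm explicitly.
            if "@" not in value or value.endswith("@"):
                findings.append(f"{name}: no realm in '{value}'")
        elif not os.path.isfile(value):
            findings.append(f"{name}: keytab '{value}' not found")
        elif stat.S_IMODE(os.stat(value).st_mode) & 0o077:
            # Assumption: keytabs hold long-term keys, so owner-only access.
            findings.append(f"{name}: keytab '{value}' is group/world accessible")
    return findings

if __name__ == "__main__":
    print("\n".join(check_hbase_site(SAMPLE)) or "all checks passed")
```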
