hbase-issues mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-18243) HBase Thrift server lacks logic for renewing kerberos tickets
Date Wed, 28 Jun 2017 15:18:00 GMT

    [ https://issues.apache.org/jira/browse/HBASE-18243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16066674#comment-16066674

Josh Elser commented on HBASE-18243:

bq. Starting the thrift server with a jaas configuration file which has instructions to not
use a ticket cache (useTicketCache=false), but instead use a keytab (useKeyTab=true and values
for keyTab and principal), seems to have solved the problem for us.

The JAAS configuration file is only used by the ZooKeeper client code. Most likely, because
the Thrift server has an open ZK connection that is using the same credentials as your Thrift
server, the re-login mechanism invoked by JAAS is keeping the credentials available for the
Thrift server too.

In other words, while it makes sense that making this change solves the problem, it is
not the correct solution. We should have a thread inside of the Thrift server specifically
devoted to doing ticket renewal.

> HBase Thrift server lacks logic for renewing kerberos tickets
> -------------------------------------------------------------
>                 Key: HBASE-18243
>                 URL: https://issues.apache.org/jira/browse/HBASE-18243
>             Project: HBase
>          Issue Type: Bug
>          Components: Thrift
>    Affects Versions: 2.0.0, 1.1.2
>            Reporter: Steen Manniche
>            Priority: Minor
>              Labels: security
> I have been looking through the hbase-thrift code looking for where
> the server performs renewals of kerberos tickets for the provided
> principal/keytab. There seems to be no logic in place for renewing tickets.
> The hadoop-common provides the class
> UserGroupInformation, which exposes the method
> {{checkTGTAndReloginFromKeytab}}. I can see that the {{ThriftServerRunner}} class
> has a handle to the class
> (https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java#L205),
> but I do not see the ticket renewal logic being called anywhere.
> A possible workaround is to renew the ticket outside the java process.
> The documentation on the {{checkTGTAndReloginFromKeytab}} states that if the ticket is
> still valid, a call to the method is essentially a no-op.

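The dedicated renewal thread proposed in the comment above, written out as an added example. This is not HBase code and not a patch for HBASE-18243; the class name ThriftKerberosRenewer, the constructor parameters (principal, keytab path) and the renewal interval are assumptions made for illustration. It uses only the hadoop-common UserGroupInformation API already named in the issue: login from the keytab once, then have a daemon thread call checkTGTAndReloginFromKeytab() on a fixed schedule, so the Thrift server's own credentials stay valid regardless of whether the ZooKeeper client's JAAS re-login happens to run.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical helper (not part of HBase): keeps the Thrift server's own
 * Kerberos TGT fresh by periodically calling
 * UserGroupInformation#checkTGTAndReloginFromKeytab(), instead of relying on
 * the ZooKeeper client's JAAS re-login as a side effect.
 */
public final class ThriftKerberosRenewer implements AutoCloseable {
  private static final Logger LOG = LoggerFactory.getLogger(ThriftKerberosRenewer.class);

  private final UserGroupInformation ugi;
  private final ScheduledExecutorService executor;

  /**
   * @param principal  Kerberos principal the Thrift server runs as (assumed config value)
   * @param keytabPath path to the keytab for that principal (assumed config value)
   */
  public ThriftKerberosRenewer(String principal, String keytabPath) throws IOException {
    if (!UserGroupInformation.isSecurityEnabled()) {
      throw new IllegalStateException("hadoop.security.authentication is not kerberos");
    }
    // Log in from the keytab once. A keytab login is required: a ticket-cache
    // login cannot be renewed by checkTGTAndReloginFromKeytab().
    UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
    this.ugi = UserGroupInformation.getLoginUser();
    if (!ugi.isFromKeytab()) {
      throw new IllegalStateException(
          "login user " + ugi.getUserName() + " is not keytab-based; cannot re-login");
    }
    this.executor = Executors.newSingleThreadScheduledExecutor(r -> {
      Thread t = new Thread(r, "thrift-kerberos-renewer");
      t.setDaemon(true); // must not keep the JVM alive after the Thrift server stops
      return t;
    });
  }

  /** Starts the renewal loop; intervalSeconds should be well below the ticket lifetime. */
  public void start(long intervalSeconds) {
    executor.scheduleWithFixedDelay(this::renewOnce, intervalSeconds, intervalSeconds,
        TimeUnit.SECONDS);
  }

  /** One renewal attempt. Never throws: a thrown exception would cancel the scheduled task. */
  void renewOnce() {
    try {
      // No-op while the TGT is still valid; re-logins from the keytab once it nears expiry.
      ugi.checkTGTAndReloginFromKeytab();
      LOG.debug("Kerberos TGT check completed for {}", ugi.getUserName());
    } catch (IOException | RuntimeException e) {
      // Log and retry next period; a transient KDC outage must not kill the renewer.
      LOG.warn("Kerberos TGT re-login failed for " + ugi.getUserName() + "; will retry", e);
    }
  }

  @Override
  public void close() {
    executor.shutdownNow();
  }
}
```

Usage would be one instance created at Thrift server startup, started with an interval of a few minutes, and closed on shutdown. Because checkTGTAndReloginFromKeytab() is a no-op while the ticket is still valid, and Hadoop additionally rate-limits re-login attempts, a short interval costs nothing and removes the dependency on the ZooKeeper connection staying open. Catching exceptions inside renewOnce() matters: ScheduledExecutorService silently cancels a task whose run() throws, which would turn a single KDC hiccup into the exact expired-ticket failure the thread exists to prevent.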