Date: Wed, 2 Jul 2014 14:08:38 +0800
Subject: Re: problem access security hbase
From: Cheney Sun
To: "user@hbase.apache.org"

Thanks Gary. The second way is more meaningful for us. We will try that.

On Wed, Jul 2, 2014 at 1:56 PM, Gary Helmling wrote:

> Hi Cheney,
>
> If you are obtaining kerberos credentials outside of your program (ie.
> kinit), then you can use k5start, which will run your program after
> performing a kinit and has a variety of options to relogin periodically.
>
> If you use UGI.loginFromKeytab(), then if you get an authentication failure
> performing a remote connection, the HBase client will automatically try to
> relogin from the keytab file. So your program should not need to do anything
> to explicitly refresh the kerberos tgt.
>
> On Tue, Jul 1, 2014 at 10:16 PM, anil gupta wrote:
>
> > Hi Cheney,
> >
> > If you are using a java client and using kinit way to login then I don't
> > have much idea about handling long running clients.
> > We run long running clients using UserGroupInformation to login to cluster.
> > I don't know the very specifics but I think there is a kerberos setting
> > where you can setup in such a way that Ticket auto-renews. We run this
> > client ranging from 2-4 weeks without any problem of security. Hope this
> > helps.
> >
> > Thanks,
> > Anil Gupta
> >
> > On Tue, Jul 1, 2014 at 7:12 PM, Cheney Sun wrote:
> >
> > > Thanks Gary, Anil.
> > >
> > > Add this statement 'UserGroupInformation.setConfiguration(hbaseConf);'
> > > can resolve the problem.
> > >
> > > I'm using the kinit way to login KDC.
> > > But I wonder if I switch to calling
> > > UserGroupInformation.loginFromKeytab() in code, does it need to be
> > > called periodically for a long running program, since the TGT obtained
> > > from KDC will expire?
> > >
> > > Thanks,
> > > Cheney
> > >
> > > On Wed, Jul 2, 2014 at 1:20 AM, Gary Helmling wrote:
> > >
> > > > Hi Cheney,
> > > >
> > > > Did you obtain kerberos credentials before running your program, either
> > > > by calling kinit before running the program, or by calling
> > > > UserGroupInformation.loginFromKeytab() in your code?
> > > >
> > > > On Tue, Jul 1, 2014 at 8:44 AM, Cheney Sun wrote:
> > > >
> > > > > Hello all,
> > > > >
> > > > > I have setup a security hbase/hdfs/zookeeper, which was confirmed and
> > > > > work normally.
> > > > > I wrote a Java program to get/put data to a table and package the
> > > > > core-site.xml / hbase-site.xml (which are obtained from the secure
> > > > > cluster) into the jar file, and it worked correctly.
> > > > >
> > > > > But when I removed the core-site.xml and hbase-site.xml from the jar,
> > > > > and instead, I use the Configuration API to set the relevant settings
> > > > > in the program as below,
> > > > > Configuration hbaseConf = HBaseConfiguration.create(hadoopConf);
> > > > > hbaseConf.set("hbase.zookeeper.quorum","slave-nodex");
> > > > > hbaseConf.set("hbase.zookeeper.property.clientPort", "2181");
> > > > > hbaseConf.set("hbase.rpc.engine", "org.apache.hadoop.hbase.ipc.SecureRpcEngine");
> > > > > hbaseConf.set("hbase.security.authentication", "kerberos");
> > > > > hbaseConf.set("hbase.master.kerberos.principal", "hbase/_HOST@HADOOP.COM");
> > > > > hbaseConf.set("hbase.master.keytab.file","/etc/hbase/conf/hbase.keytab");
> > > > > hbaseConf.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@HADOOP.COM");
> > > > > hbaseConf.set("hbase.regionserver.keytab.file","/etc/hbase/conf/hbase.keytab");
> > > > > hbaseConf.set("hadoop.security.authentication", "kerberos");
> > > > > hbaseConf.set("hadoop.security.authorization", "true");
> > > > >
> > > > > It failed getting authenticated to access to the hbase with the error
> > > > > message as:
> > > > > org.apache.hadoop.ipc.RemoteException: Authentication is required
> > > > > at org.apache.hadoop.hbase.ipc.HBaseClient.call(HBaseClient.java:1021) ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na]
> > > > > at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Invoker.invoke(SecureRpcEngine.java:164) ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na]
> > > > > at com.sun.proxy.$Proxy7.getProtocolVersion(Unknown Source) ~[na:na]
> > > > >
> > > > > It looks like the settings through API in code doesn't work. Is it a
> > > > > known issue or am I wrong somewhere?
> > > > >
> > > > > Thanks,
> > > > > Cheney
> >
> > --
> > Thanks & Regards,
> > Anil Gupta
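
The approach the thread converges on (programmatic settings, UserGroupInformation.setConfiguration, keytab login), as an added example that is not part of the original messages. Assumptions: the client principal, keytab path, table name and row key are placeholders; the HBase 1.0+ client API (ConnectionFactory) is used and the thread's hbase.rpc.engine setting for its older release is left out; the Hadoop method for the keytab login is named UserGroupInformation.loginUserFromKeytab.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

public class SecureHBaseClient {
    // Placeholders (assumptions): a dedicated client principal and its own keytab,
    // rather than the hbase service keytab that lives on the cluster nodes.
    static final String CLIENT_PRINCIPAL = "appuser@HADOOP.COM";
    static final String CLIENT_KEYTAB = "/path/to/appuser.keytab";

    static Configuration secureConf() {
        Configuration conf = HBaseConfiguration.create();
        conf.set("hbase.zookeeper.quorum", "slave-nodex");
        conf.set("hbase.zookeeper.property.clientPort", "2181");
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hbase.security.authentication", "kerberos");
        // Server principals name the services the client authenticates to.
        conf.set("hbase.master.kerberos.principal", "hbase/_HOST@HADOOP.COM");
        conf.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@HADOOP.COM");
        return conf;
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = secureConf();
        // UGI otherwise initializes from core-site.xml on the classpath; with
        // none packaged in the jar it falls back to simple authentication.
        UserGroupInformation.setConfiguration(conf);
        if (!UserGroupInformation.isSecurityEnabled()) {
            throw new IllegalStateException("kerberos settings did not reach UGI");
        }
        UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, CLIENT_KEYTAB);
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        try (Connection conn = ConnectionFactory.createConnection(conf);
             Table table = conn.getTable(TableName.valueOf("test_table"))) {
            // Explicit check before a unit of work in a long-running job; it
            // logs in again from the keytab only when the TGT is near expiry.
            ugi.checkTGTAndReloginFromKeytab();
            Result r = table.get(new Get(Bytes.toBytes("row1")));
            System.out.println("row1 present: " + !r.isEmpty());
        }
    }
}
```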