hbase-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From schausson <schaus...@softera.fr>
Subject Re: HBase connection "expiration" on kerberized cluster
Date Mon, 07 Aug 2017 07:55:36 GMT
Hi Sean,

Unfortunately, couldn't solve my issue ... 
Below is the code of my utility class in charge of logging in and creating
an HBase connection. I added the AuthUtil stuff as suggested in your answer,
but probably missed something :(

My web service basically invokes GetHBaseConnection() method, and uses
returned connection to read/write data from/to HBase.
At application startup, everything is fine : it successfully logs in,
creates the HBase connection and my web service returns proper data.
The problem comes up if I wait for a long while (> ticket lifetime). Then,
when I invoke again my web service, I face the previously mentionned
warnings and get a socket timeout error...
When I look at the AuthUtil.getAuthChore() source code, it invokes
ugi.checkTGTAndReloginFromKeytab() and this is also what I do in the
background thread that I create when logging in (cf SpawnAutoRenewalThread()
method below)

Just to make it clear : in your answer, you wrote "you'll need to provide a
keytab that HBase can use to renew kerberos access over time.". Does it mean
that I have to provide a specific keytab for hbase or can I use a single
keytab for everything ?

In the end, should I stop trying to reuse my hbase connection and re-create
it every time (whatever the heavy cost of re-creating it) ? 

Sorry about my "newbie" questions, but I feel really confused about all this

Thanks for your help


PS : Note that if I remove hbase requests from my web service and "just"
perform some HDFS operations (listing files from a folder for instance),
everything works fine, even if I wait for a long while, so the point is
hbase related.


private static Configuration configuration;
private static boolean loggedOnCluster = false;
private static Connection connection = null;
private static ChoreService choreService = null;
private static Configuration GetConfiguration() throws IOException {
	if (configuration == null) {
		configuration = HBaseConfiguration.create();
		configuration.set("hbase.client.kerberos.principal", "myuser@myDomain");
		configuration.set("hbase.client.keytab.file", "/path/to/myuser/keytab");
	return configuration;

public static Connection GetHbaseConnection() {
	try {
		if (!loggedOnCluster) {
			Configuration conf = GetConfiguration();
			String userAccount = conf.get("hbase.client.kerberos.principal");
			String keyTabPath = conf.get("hbase.client.keytab.file");
			UserGroupInformation.loginUserFromKeytab(userAccount, keyTabPath);
			loggedOnCluster = true;
	} catch (IOException e) {
		LOGGER.error("!! Error while login in !!");

	if (connection == null || connection.isClosed() || connection.isAborted())
		try {
			final Configuration conf = GetConfiguration();
			final ScheduledChore authChore = AuthUtil.getAuthChore(conf);
			if (authChore != null) {
				choreService = new ChoreService("MY_APPLICATION");
			connection = ConnectionFactory.createConnection(conf);
		} catch (IOException ex) {
			LOGGER.error("!! Could not obtain connection to HBase !!");
			connection = null;
	return connection;

private static void SpawnAutoRenewalThread() throws IOException {
	Thread t = new Thread(new Runnable() {
		public void run() {
			while (true) {
				try {
				} catch (IOException e1) {
				try {
				} catch (InterruptedException e) {
	t.setName("TGT Renewer for current user" +

View this message in context: http://apache-hbase.679495.n3.nabble.com/HBase-connection-expiration-on-kerberized-cluster-tp4089493p4089549.html
Sent from the HBase User mailing list archive at Nabble.com.

View raw message