phoenix-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-3216) Kerberos ticket is not renewed when using Kerberos authentication with Phoenix JDBC driver
Date Mon, 29 Aug 2016 18:37:20 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15446694#comment-15446694 ]

ASF GitHub Bot commented on PHOENIX-3216:
-----------------------------------------

Github user joshelser commented on the issue:

    https://github.com/apache/phoenix/pull/203
  
    > Regarding the renewal, I understand from, http://stackoverflow.com/questions/34616676/should-i-call-ugi-checktgtandreloginfromkeytab-before-every-action-on-hadoop, that the RPC layer takes care of that.
    
    Well, if you're talking to HDFS directly it would take care of it :). But we're talking about accessing HBase here. I'm not sure if the same holds true. I know there is something similar in the HBase RPC level, but I'd have to find it again in code to double check.
    
    > I am trying to fix the scenario in which multiple threads call loginUserFromKeytab concurrently and then the renewal process no longer works as expected.
    > If only one login happens the renewal works properly.
    
    Is this the same principal over and over again? Are you essentially providing the same principal and keytab in the JDBC URL, expecting Phoenix to do everything for you instead of doing the login in Storm?
    
    > Your concern regarding security is correct.
    
    Ok. I would like to redirect your efforts to PHOENIX-3189 then. We cannot sacrifice security for multi-threading (as you can already handle the Kerberos login yourself). Can you take a look at the changes I have staged on #191? If this is the above case I outlined, we can add some concurrency control to prevent concurrent logins from happening.
    
    > you can see that this class is not thread safe and not designed to have different users login in the same JVM as loginUser is defined in this way.
    
    Phoenix itself is not well-designed to support concurrent (different) users accessing HBase because of how UGI works. If your application (Storm) needs to provide this functionality, Storm should perform logins itself, cache the UGI instances, and use {{UGI.doAs(..)}} instead of relying on the static state in UGI.


> Kerberos ticket is not renewed when using Kerberos authentication with Phoenix JDBC driver
> ------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-3216
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3216
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.5.2, 4.8.0
>         Environment: Kerberized
>            Reporter: Dan Bahir
>            Assignee: Dan Bahir
>             Fix For: 4.9.0, 4.8.1
>
>
> When using the Phoenix JDBC driver in a Kerberized environment and logging in with a keytab, the ticket is not automatically renewed.
> Expected: The ticket will be automatically renewed and the Phoenix driver will be able to write to the database.
> Actual: The ticket is not renewed and driver loses access to the database.
> 2016-08-15 00:00:59.738 WARN  AbstractRpcClient [hconnection-0x4763c727-metaLookup-shared--pool1-t686] - Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
> 2016-08-15 00:00:59.739 ERROR AbstractRpcClient [hconnection-0x4763c727-metaLookup-shared--pool1-t686] - SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
>         at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:179)
>         at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:611)
>         at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$600(RpcClientImpl.java:156)
>         at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:737)
>         at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:734)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.ja



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
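
The application-side pattern recommended in the comment above (log in yourself, cache the UGI instances, run work under `doAs`), sketched as an added example that is not code from Phoenix, Storm or the pull request. The class name `UgiCache`, the principal, the keytab path and the ZooKeeper quorum are hypothetical placeholders; the JDBC URL deliberately carries no principal or keytab.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper: one cached UGI per principal, no reliance on UGI's static login user. */
public class UgiCache {
    private final Map<String, UserGroupInformation> cache = new HashMap<>();

    public UgiCache(Configuration conf) {
        UserGroupInformation.setConfiguration(conf); // conf must enable Kerberos
    }

    /** Serialized so concurrent callers never trigger overlapping keytab logins. */
    public synchronized UserGroupInformation ugiFor(String principal, String keytab)
            throws IOException {
        UserGroupInformation ugi = cache.get(principal);
        if (ugi == null) {
            // Returns a new UGI and leaves the process-wide login user untouched.
            ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
            cache.put(principal, ugi);
        }
        return ugi;
    }

    public <T> T runAs(String principal, String keytab, PrivilegedExceptionAction<T> action)
            throws IOException, InterruptedException {
        UserGroupInformation ugi = ugiFor(principal, keytab);
        ugi.checkTGTAndReloginFromKeytab(); // refresh the TGT if it is close to expiry
        return ugi.doAs(action);            // credentials come from this UGI's Subject
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UgiCache logins = new UgiCache(conf);
        // Placeholder principal, keytab path and ZooKeeper quorum.
        String product = logins.runAs("app@EXAMPLE.COM", "/path/to/app.keytab", () -> {
            try (Connection c = DriverManager.getConnection("jdbc:phoenix:zk.example.com:2181:/hbase")) {
                return c.getMetaData().getDatabaseProductName();
            }
        });
        System.out.println(product);
    }
}
```

Whether `checkTGTAndReloginFromKeytab()` renews a UGI other than the process login user depends on the Hadoop version, so confirm renewal against the version you deploy.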
