You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@pig.apache.org by Niels Basjes <Ni...@basjes.nl> on 2016/01/06 15:35:33 UTC

Login with Kerberos keytab ?

Hi,

When I run a Pig job on a Kerberos secured cluster it uses the tickets
obtained from the kinit I did just before starting the job.
In some cases the job will run for a longer time than the max renew time of
the kerberos tickets.

In other Yarn applications (like Apache Flink) I can login using a Kerberos
keytab file on a secure cluster by doing something like this in my Java
code:

System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");

UserGroupInformation.loginUserFromKeytab("nbasjes@XXXXX.NET",
"/home/nbasjes/.krb/nbasjes.keytab");


I checked the source of Pig and couldn't find any reference to logging in
with a keytab file.


How can I use a keytab file to authenticate a pig job on a secure cluster?
Or is this for which I should submit a feature request?

-- 
Best regards / Met vriendelijke groeten,

Niels Basjes

Re: Login with Kerberos keytab ?

Posted by Niels Basjes <Ni...@basjes.nl>.

Hi Rohini,

I created a jira : https://issues.apache.org/jira/browse/PIG-4796

Niels Basjes

On Tue, Jan 19, 2016 at 7:19 AM, Rohini Palaniswamy <rohini.aditya@gmail.com
> wrote:

>  Can't you set up a cron to kinit periodically?  If you need pig to do it,
> it will have to be a new jira. None of the clients (hadoop, pig, hive) do
> it now.
>
> On Wed, Jan 6, 2016 at 6:35 AM, Niels Basjes <Ni...@basjes.nl> wrote:
>
> > Hi,
> >
> > When I run a Pig job on a Kerberos secured cluster it uses the tickets
> > obtained from the kinit I did just before starting the job.
> > In some cases the job will run for a longer time than the max renew time
> of
> > the kerberos tickets.
> >
> > In other Yarn applications (like Apache Flink) I can login using a
> Kerberos
> > keytab file on a secure cluster by doing something like this in my Java
> > code:
> >
> > System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
> >
> > UserGroupInformation.loginUserFromKeytab("nbasjes@XXXXX.NET",
> > "/home/nbasjes/.krb/nbasjes.keytab");
> >
> >
> > I checked the source of Pig and couldn't find any reference to logging in
> > with a keytab file.
> >
> >
> > How can I use a keytab file to authenticate a pig job on a secure
> cluster?
> > Or is this for which I should submit a feature request?
> >
> > --
> > Best regards / Met vriendelijke groeten,
> >
> > Niels Basjes
> >
>



-- 
Best regards / Met vriendelijke groeten,

Niels Basjes

Re: Login with Kerberos keytab ?

Posted by Niels Basjes <ni...@basj.es>.

Ok, thanks.
I'll see if I can come up with a viable way of doing this.

Niels
On 19 Jan 2016 07:20, "Rohini Palaniswamy" <ro...@gmail.com> wrote:

>  Can't you set up a cron to kinit periodically?  If you need pig to do it,
> it will have to be a new jira. None of the clients (hadoop, pig, hive) do
> it now.
>
> On Wed, Jan 6, 2016 at 6:35 AM, Niels Basjes <Ni...@basjes.nl> wrote:
>
> > Hi,
> >
> > When I run a Pig job on a Kerberos secured cluster it uses the tickets
> > obtained from the kinit I did just before starting the job.
> > In some cases the job will run for a longer time than the max renew time
> of
> > the kerberos tickets.
> >
> > In other Yarn applications (like Apache Flink) I can login using a
> Kerberos
> > keytab file on a secure cluster by doing something like this in my Java
> > code:
> >
> > System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
> >
> > UserGroupInformation.loginUserFromKeytab("nbasjes@XXXXX.NET",
> > "/home/nbasjes/.krb/nbasjes.keytab");
> >
> >
> > I checked the source of Pig and couldn't find any reference to logging in
> > with a keytab file.
> >
> >
> > How can I use a keytab file to authenticate a pig job on a secure
> cluster?
> > Or is this for which I should submit a feature request?
> >
> > --
> > Best regards / Met vriendelijke groeten,
> >
> > Niels Basjes
> >
>

Re: Login with Kerberos keytab ?

Posted by Rohini Palaniswamy <ro...@gmail.com>.

 Can't you set up a cron to kinit periodically?  If you need pig to do it,
it will have to be a new jira. None of the clients (hadoop, pig, hive) do
it now.

On Wed, Jan 6, 2016 at 6:35 AM, Niels Basjes <Ni...@basjes.nl> wrote:

> Hi,
>
> When I run a Pig job on a Kerberos secured cluster it uses the tickets
> obtained from the kinit I did just before starting the job.
> In some cases the job will run for a longer time than the max renew time of
> the kerberos tickets.
>
> In other Yarn applications (like Apache Flink) I can login using a Kerberos
> keytab file on a secure cluster by doing something like this in my Java
> code:
>
> System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
>
> UserGroupInformation.loginUserFromKeytab("nbasjes@XXXXX.NET",
> "/home/nbasjes/.krb/nbasjes.keytab");
>
>
> I checked the source of Pig and couldn't find any reference to logging in
> with a keytab file.
>
>
> How can I use a keytab file to authenticate a pig job on a secure cluster?
> Or is this for which I should submit a feature request?
>
> --
> Best regards / Met vriendelijke groeten,
>
> Niels Basjes
>