You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@pig.apache.org by Niels Basjes <Ni...@basjes.nl> on 2016/01/06 15:35:33 UTC
Login with Kerberos keytab ?
Hi,
When I run a Pig job on a Kerberos secured cluster it uses the tickets
obtained from the kinit I did just before starting the job.
In some cases the job will run for a longer time than the max renew time of
the kerberos tickets.
In other Yarn applications (like Apache Flink) I can login using a Kerberos
keytab file on a secure cluster by doing something like this in my Java
code:
System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
UserGroupInformation.loginUserFromKeytab("nbasjes@XXXXX.NET",
"/home/nbasjes/.krb/nbasjes.keytab");
I checked the source of Pig and couldn't find any reference to logging in
with a keytab file.
How can I use a keytab file to authenticate a pig job on a secure cluster?
Or is this for which I should submit a feature request?
--
Best regards / Met vriendelijke groeten,
Niels Basjes
Re: Login with Kerberos keytab ?
Posted by Niels Basjes <Ni...@basjes.nl>.
Hi Rohini,
I created a jira : https://issues.apache.org/jira/browse/PIG-4796
Niels Basjes
On Tue, Jan 19, 2016 at 7:19 AM, Rohini Palaniswamy <rohini.aditya@gmail.com
> wrote:
> Can't you set up a cron to kinit periodically? If you need pig to do it,
> it will have to be a new jira. None of the clients (hadoop, pig, hive) do
> it now.
>
> On Wed, Jan 6, 2016 at 6:35 AM, Niels Basjes <Ni...@basjes.nl> wrote:
>
> > Hi,
> >
> > When I run a Pig job on a Kerberos secured cluster it uses the tickets
> > obtained from the kinit I did just before starting the job.
> > In some cases the job will run for a longer time than the max renew time
> of
> > the kerberos tickets.
> >
> > In other Yarn applications (like Apache Flink) I can login using a
> Kerberos
> > keytab file on a secure cluster by doing something like this in my Java
> > code:
> >
> > System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
> >
> > UserGroupInformation.loginUserFromKeytab("nbasjes@XXXXX.NET",
> > "/home/nbasjes/.krb/nbasjes.keytab");
> >
> >
> > I checked the source of Pig and couldn't find any reference to logging in
> > with a keytab file.
> >
> >
> > How can I use a keytab file to authenticate a pig job on a secure
> cluster?
> > Or is this for which I should submit a feature request?
> >
> > --
> > Best regards / Met vriendelijke groeten,
> >
> > Niels Basjes
> >
>
--
Best regards / Met vriendelijke groeten,
Niels Basjes
Re: Login with Kerberos keytab ?
Posted by Niels Basjes <ni...@basj.es>.
Ok, thanks.
I'll see if I can come up with a viable way of doing this.
Niels
On 19 Jan 2016 07:20, "Rohini Palaniswamy" <ro...@gmail.com> wrote:
> Can't you set up a cron to kinit periodically? If you need pig to do it,
> it will have to be a new jira. None of the clients (hadoop, pig, hive) do
> it now.
>
> On Wed, Jan 6, 2016 at 6:35 AM, Niels Basjes <Ni...@basjes.nl> wrote:
>
> > Hi,
> >
> > When I run a Pig job on a Kerberos secured cluster it uses the tickets
> > obtained from the kinit I did just before starting the job.
> > In some cases the job will run for a longer time than the max renew time
> of
> > the kerberos tickets.
> >
> > In other Yarn applications (like Apache Flink) I can login using a
> Kerberos
> > keytab file on a secure cluster by doing something like this in my Java
> > code:
> >
> > System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
> >
> > UserGroupInformation.loginUserFromKeytab("nbasjes@XXXXX.NET",
> > "/home/nbasjes/.krb/nbasjes.keytab");
> >
> >
> > I checked the source of Pig and couldn't find any reference to logging in
> > with a keytab file.
> >
> >
> > How can I use a keytab file to authenticate a pig job on a secure
> cluster?
> > Or is this for which I should submit a feature request?
> >
> > --
> > Best regards / Met vriendelijke groeten,
> >
> > Niels Basjes
> >
>
Re: Login with Kerberos keytab ?
Posted by Rohini Palaniswamy <ro...@gmail.com>.
Can't you set up a cron to kinit periodically? If you need pig to do it,
it will have to be a new jira. None of the clients (hadoop, pig, hive) do
it now.
On Wed, Jan 6, 2016 at 6:35 AM, Niels Basjes <Ni...@basjes.nl> wrote:
> Hi,
>
> When I run a Pig job on a Kerberos secured cluster it uses the tickets
> obtained from the kinit I did just before starting the job.
> In some cases the job will run for a longer time than the max renew time of
> the kerberos tickets.
>
> In other Yarn applications (like Apache Flink) I can login using a Kerberos
> keytab file on a secure cluster by doing something like this in my Java
> code:
>
> System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
>
> UserGroupInformation.loginUserFromKeytab("nbasjes@XXXXX.NET",
> "/home/nbasjes/.krb/nbasjes.keytab");
>
>
> I checked the source of Pig and couldn't find any reference to logging in
> with a keytab file.
>
>
> How can I use a keytab file to authenticate a pig job on a secure cluster?
> Or is this for which I should submit a feature request?
>
> --
> Best regards / Met vriendelijke groeten,
>
> Niels Basjes
>