Posted to hdfs-user@hadoop.apache.org by Koert Kuipers <ko...@tresata.com> on 2014/06/30 01:50:19 UTC

kerberos ticket renewal for hadoop services

how do long lived services such as the namenode or yarn resourcemanager
deal with kerberos ticket expiration for the user that runs the service?

do they periodically renew/refresh their tickets by calling
SecurityUtil.login(conf, keytab, user, host)?

where can i find an example of the code that handles this (in NameNode.java
it's easy to find the initial login but i cannot find the code that handles
expiration/renewal/refresh of tickets)?

thanks! koert

Re: kerberos ticket renewal for hadoop services

Posted by Koert Kuipers <ko...@tresata.com>.
thanks! it makes sense to use loginUserFromKeytab initially and then
checkTGTAndReloginFromKeytab or reloginFromKeytab periodically. i will try
to find the usage of these in the code for the services such as namenode (a
quick grep doesn't show these relogin functions being called...)


On Sun, Jun 29, 2014 at 8:52 PM, Geoff Thompson <ge...@bearpeak.com> wrote:

> Hi Koert,
>
> I don’t have an example. However, perhaps class
> org.apache.hadoop.security.UserGroupInformation has what you need. Some
> relevant methods are:
> reloginFromKeytab()
> reloginFromTicketCache()
> loginUserFromKeytab(String user, String path)
>
> Geoff
>
> On Jun 29, 2014, at 5:50 PM, Koert Kuipers <ko...@tresata.com> wrote:
>
> how do long lived services such as the namenode or yarn resourcemanager
> deal with kerberos ticket expiration for the user that runs the service?
>
> do they periodically renew/refresh their tickets by calling
> SecurityUtil.login(conf, keytab, user, host)?
>
> where can i find an example of the code that handles this (in NameNode.java
> it's easy to find the initial login but i cannot find the code that handles
> expiration/renewal/refresh of tickets)?
>
> thanks! koert
>
>
>


Re: kerberos ticket renewal for hadoop services

Posted by Geoff Thompson <ge...@bearpeak.com>.
Hi Koert,

I don’t have an example. However, perhaps class org.apache.hadoop.security.UserGroupInformation has what you need. Some relevant methods are:
reloginFromKeytab()
reloginFromTicketCache()
loginUserFromKeytab(String user, String path)

Geoff

On Jun 29, 2014, at 5:50 PM, Koert Kuipers <ko...@tresata.com> wrote:

> how do long lived services such as the namenode or yarn resourcemanager deal with kerberos ticket expiration for the user that runs the service? 
> 
> do they periodically renew/refresh their tickets by calling SecurityUtil.login(conf, keytab, user, host)?
> 
> where can i find an example of the code that handles this (in NameNode.java it's easy to find the initial login but i cannot find the code that handles expiration/renewal/refresh of tickets)?
> 
> thanks! koert
> 
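
The pattern discussed in this thread (an initial loginUserFromKeytab followed by a periodic checkTGTAndReloginFromKeytab), as an added example that is not part of the original messages and not Hadoop's own service code. The class name, principal, keytab path and one-minute interval are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabReloginExample {
  // Hypothetical values: substitute the service's own principal and keytab.
  // The keytab is a long-term credential and should be readable only by the
  // account that runs the service.
  private static final String PRINCIPAL = "myservice/host.example.com@EXAMPLE.COM";
  private static final String KEYTAB = "/etc/security/keytabs/myservice.keytab";

  public static void main(String[] args) throws IOException {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);

    // Initial login: obtains a TGT from the keytab and sets the login user.
    // Throws IOException if the keytab is unreadable or the KDC rejects it.
    UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);
    UserGroupInformation ugi = UserGroupInformation.getLoginUser();
    if (!ugi.isFromKeytab()) {
      throw new IllegalStateException("login user is not keytab-based");
    }

    // Default executor threads are non-daemon, so the JVM stays alive here;
    // a real service would do its work on other threads.
    ScheduledExecutorService scheduler =
        Executors.newSingleThreadScheduledExecutor();
    scheduler.scheduleWithFixedDelay(() -> {
      try {
        // Re-logs in from the keytab only when the current TGT is near
        // expiry, so calling it frequently is cheap.
        ugi.checkTGTAndReloginFromKeytab();
      } catch (Exception e) {
        // An exception escaping the task would cancel all future runs,
        // so log it and let the next tick retry.
        System.err.println("Kerberos relogin failed, will retry: " + e);
      }
    }, 1, 1, TimeUnit.MINUTES);
  }
}
```

A relogin failure that keeps repeating in the log is worth alerting on: once the current TGT expires, the service can no longer authenticate to its peers.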

