Posted to user@hadoop.apache.org by Wei-Chiu Chuang <we...@apache.org> on 2018/01/02 19:58:34 UTC

Re: UserGroupInformation and Kerberos

Hi Jorge,

If you use the Hadoop library as a client, and your first login using a key
is via UserGroupInformation#loginUserFromKeytab(), the client automatically
logs in again using the keytab when it gets an exception (see
o.a.h.ipc.Client#handleSaslConnectionFailure).

Note: using UserGroupInformation.loginUserFromSubject() won't do the same.
It is used when you have a valid TGT.

On Tue, Jan 2, 2018 at 11:40 AM, Jorge Machado <jo...@me.com> wrote:

> Hey everyone, I was working with the UserGroupInformation class and Kerberos.
>
> Is there a proper example of how to renew the Kerberos ticket from a keytab?
>
> For example:
>
> Assuming that I have the jaas.config set in the JVM, I do:
>
> UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
> This will log in the user, but not using a keytab.
>
> Using this code, it will log in with Kerberos:
> UserGroupInformation.setConfiguration(conf);
> Krb5LoginModule context = new Krb5LoginModule();
> Subject subject = new Subject();
> javax.security.auth.login.Configuration jconf =
>     javax.security.auth.login.Configuration.getConfiguration();
> AppConfigurationEntry entries[] = jconf.getAppConfigurationEntry("Client");
> context.initialize(subject, null, new HashMap<String, String>(),
>     entries[0].getOptions());
> context.login();
> context.commit();
> UserGroupInformation.loginUserFromSubject(subject);
>
>
> How do I make sure that my keytab gets renewed? I think the Hadoop libraries
> should take care of this. I can count a lot of projects implementing their own
> TicketRenewer…
>
> Any suggestions here?
>
> Thanks
>
>
> Jorge Machado


-- 
A very happy Hadoop contributor
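
Added example, not part of the original thread and not Hadoop project code: a client that logs in through UserGroupInformation#loginUserFromKeytab(), so the automatic keytab relogin described in the reply applies. The principal, the keytab path, the class name and the 10-minute timer calling checkTGTAndReloginFromKeytab() are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabLoginExample {
    // Placeholders (assumptions): use your own principal and a keytab
    // that is readable only by the service account.
    private static final String PRINCIPAL = "svc-example@EXAMPLE.COM";
    private static final String KEYTAB = "/path/to/svc-example.keytab";

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Log in via UGI itself rather than a hand-built Subject, so UGI
        // records the keytab and can reuse it for a later relogin.
        UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        if (!ugi.isFromKeytab()) {
            throw new IllegalStateException("login user is not keytab-backed");
        }

        // Assumption: an explicit periodic check for long-running processes.
        // The call only performs a relogin when the TGT is close to expiry.
        ScheduledExecutorService timer = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "krb-relogin");
            t.setDaemon(true); // do not keep the JVM alive for the timer
            return t;
        });
        timer.scheduleAtFixedRate(() -> {
            try {
                ugi.checkTGTAndReloginFromKeytab();
            } catch (IOException e) {
                System.err.println("Kerberos relogin failed: " + e);
            }
        }, 10, 10, TimeUnit.MINUTES);

        // Run Hadoop calls as the keytab-backed login user.
        boolean rootExists = ugi.doAs((PrivilegedExceptionAction<Boolean>) () ->
                FileSystem.get(conf).exists(new Path("/")));
        System.out.println("authenticated as " + ugi.getUserName() + ", / exists: " + rootExists);
    }
}
```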