Posted to user@hadoop.apache.org by Jorge Machado <jo...@me.com> on 2018/01/02 19:40:01 UTC

UserGroupInformation and Kerberos

Hey everyone, I was working with UserGroupInformation Class and Kerberos.

Is there a proper example of how to renew the Kerberos ticket from a keytab?

For example:

Assuming that I have the jaas.config set in the JVM, I do:

	UserGroupInformation loginUser = UserGroupInformation.getLoginUser();

This will log in the user, but not using a keytab.

Using this code, it will log in with Kerberos:

	UserGroupInformation.setConfiguration(conf);
	Krb5LoginModule context = new Krb5LoginModule();
	Subject subject = new Subject();
	javax.security.auth.login.Configuration jconf = javax.security.auth.login.Configuration.getConfiguration();
	AppConfigurationEntry entries[] = jconf.getAppConfigurationEntry("Client");
	context.initialize(subject,null, new HashMap<String, String>(),entries[0].getOptions());
	context.login();
	context.commit();
	UserGroupInformation.loginUserFromSubject(subject);


How do I make sure that my keytab gets renewed? I think Hadoop libraries should take care of this. I can count a lot of projects implementing their own TicketRenewer…

Any suggestions here?

Thanks


Jorge Machado

Re: UserGroupInformation and Kerberos

Posted by Wei-Chiu Chuang <we...@apache.org>.
Hi Jorge,

If you use the Hadoop library as a client, and your first login using key is
via UserGroupInformation#loginUserFromKeytab(), the client automatically
logs in again using the keytab when it gets an exception (see
o.a.h.ipc.Client#handleSaslConnectionFailure).

Note: using UserGroupInformation.loginUserFromSubject() won't do the same.
It is used when you have a valid TGT.

On Tue, Jan 2, 2018 at 11:40 AM, Jorge Machado <jo...@me.com> wrote:

> Hey everyone, I was working with UserGroupInformation Class and Kerberos.
>
> Is there a proper example of how to renew the Kerberos ticket from a keytab?
>
> For example:
>
> Assuming that I have the jaas.config set in the JVM, I do:
>
> UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
>
> This will log in the user, but not using a keytab.
>
> Using this code, it will log in with Kerberos:
>
> UserGroupInformation.setConfiguration(conf);
> Krb5LoginModule context = new Krb5LoginModule();
> Subject subject = new Subject();
> javax.security.auth.login.Configuration jconf = javax.security.auth.login.Configuration.getConfiguration();
> AppConfigurationEntry entries[] = jconf.getAppConfigurationEntry("Client");
> context.initialize(subject,null, new HashMap<String, String>(),entries[0].getOptions());
> context.login();
> context.commit();
> UserGroupInformation.loginUserFromSubject(subject);
>
>
> How do I make sure that my keytab gets renewed? I think Hadoop libraries
> should take care of this. I can count a lot of projects implementing their own
> TicketRenewer…
>
> Any suggestions here?
>
> Thanks
>
>
> Jorge Machado


-- 
A very happy Hadoop contributor
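
The keytab login path described in the reply above, as an added example that is not code from the thread or from the Hadoop project. The class name, the helper names `requireOwnerOnly` and `runAsService`, the principal and the keytab path are hypothetical placeholders; `checkTGTAndReloginFromKeytab()` is a `UserGroupInformation` method not mentioned in the thread, used here so an idle long-running process refreshes its ticket before doing work instead of only after a failed connection.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabLoginExample {
    // Placeholders (assumptions): substitute your own principal and keytab path.
    static final String PRINCIPAL = "svc-app@EXAMPLE.COM";
    static final String KEYTAB = "/etc/security/keytabs/svc-app.keytab";

    /** Reject a keytab accessible beyond its owner; it holds the principal's long-term keys. */
    static void requireOwnerOnly(String keytab) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(Paths.get(keytab))) {
            if (!p.name().startsWith("OWNER_")) {
                throw new IOException("keytab " + keytab + " grants " + p);
            }
        }
    }

    /** Run work as the login user, logging in again from the keytab first if the TGT is stale. */
    static <T> T runAsService(PrivilegedExceptionAction<T> work) throws Exception {
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        // Returns immediately while the TGT is still fresh or the login was not from a keytab.
        ugi.checkTGTAndReloginFromKeytab();
        return ugi.doAs(work);
    }

    public static void main(String[] args) throws Exception {
        requireOwnerOnly(KEYTAB);
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Keytab login: UGI remembers the principal and keytab, so a later relogin is possible.
        UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);

        Boolean rootExists = runAsService(() -> FileSystem.get(conf).exists(new Path("/")));
        System.out.println("login user " + UserGroupInformation.getLoginUser().getUserName()
                + ", / exists: " + rootExists);
    }
}
```

Running it needs the Hadoop client libraries on the classpath, a reachable KDC and a POSIX file system for the permission check.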