Thanks Josh and everyone else .. Shall try this suggestion On 22 Mar 2016 09:36, "Josh Elser" <josh.el...@gmail.com> wrote:
> Keytab-based logins do not automatically spawn a renewal thread in > Hadoop's UserGroupInformation library, IIRC. HBase's RPC implementation > does try to automatically re-login, but if you are not actively making > RPCs, you may miss the window in which you are allowed to perform a renewal. > > Commonly, you would launch your own thread to perform the renewal. This is > something we could probably make better inside Phoenix's client. You could > add something like the following to run periodically inside your > application (after instantiating the Phoenix Driver): > > `UserGroupInformation.checkTGTAndReloginFromKeytab()` > > Sergey Soldatov wrote: > >> Where do you see this error? Is it the client side? Ideally you don't >> need to renew ticket since Phoenix Driver gets the required >> information (principal name and keytab path) from jdbc connection >> string and performs User.login itself. >> >> Thanks, >> Sergey >> >> On Wed, Mar 16, 2016 at 11:02 AM, Sanooj Padmakumar<p.san...@gmail.com> >> wrote: >> >>> This is the error in the log when it fails >>> >>> ERROR org.apache.hadoop.security.UserGroupInformation - >>> PriviledgedActionException as:<principal here> (auth:KERBEROS) >>> cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by >>> GSSException: No valid credentials provided (Mechanism level: Failed to >>> find >>> any Kerberos tgt)] >>> >>> On Wed, Mar 16, 2016 at 8:35 PM, Sanooj Padmakumar<p.san...@gmail.com> >>> wrote: >>> >>>> Hi Anil >>>> >>>> Thanks for your reply. >>>> >>>> We do not do anything explicitly in the code to do the ticket renwal , >>>> what we do is run a cron job for the user for which the ticket has to be >>>> renewed. But with this approach we need a restart to get the thing >>>> going >>>> after the ticket expiry >>>> >>>> We use the following connection url for getting the phoenix connection >>>> jdbc:phoenix:<zkhosts>:<zkport>:/hbase:<kerberos principal>:<path to >>>> keytab> >>>> >>>> This along with the entries in hbase-site.xml& core-site.xml are passed >>>> to the connection object >>>> >>>> Thanks >>>> Sanooj Padmakumar >>>> >>>> On Tue, Mar 15, 2016 at 12:04 AM, anil gupta<anilgupt...@gmail.com> >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> At my previous job, we had web-services fetching data from a secure >>>>> hbase >>>>> cluster. We never needed to renew the lease by restarting webserver. >>>>> Our app >>>>> used to renew the ticket. I think, Phoenix/HBase already handles >>>>> renewing >>>>> ticket. Maybe you need to look into your kerberos environment >>>>> settings. How >>>>> are you authenticating with Phoenix/HBase? >>>>> Sorry, I dont remember the exact kerberos setting that we had. >>>>> >>>>> HTH, >>>>> Anil Gupta >>>>> >>>>> On Mon, Mar 14, 2016 at 11:00 AM, Sanooj Padmakumar<p.san...@gmail.com >>>>> > >>>>> wrote: >>>>> >>>>>> Hi >>>>>> >>>>>> We have a rest style micro service application fetching data from >>>>>> hbase >>>>>> using Phoenix. The cluster is kerberos secured and we run a cron to >>>>>> renew >>>>>> the kerberos ticket on the machine where the micro service is >>>>>> deployed. >>>>>> >>>>>> But it always needs a restart of micro service java process to get the >>>>>> kerberos ticket working once after its expired. >>>>>> >>>>>> Is there a way I can avoid this restart? >>>>>> >>>>>> Any pointers will be very helpful. Thanks >>>>>> >>>>>> PS : We have a Solr based micro service which works without a restart. >>>>>> >>>>>> Regards >>>>>> Sanooj >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Thanks& Regards, >>>>> Anil Gupta >>>>> >>>> >>>> >>>> >>>> -- >>>> Thanks, >>>> Sanooj Padmakumar >>>> >>> >>> >>> >>> -- >>> Thanks, >>> Sanooj Padmakumar >>> >>
