Auto renewal of Kerberos ticket not working from Java

Problem description

In my server application I'm connecting to a Kerberos-secured Hadoop cluster from my Java application. On application startup I call

UserGroupInformation.loginUserFromKeytabAndReturnUGI( ... );

I'm doing basic File operations using native FileSystem API like FileSystem.exists() and FileSystem.delete()

My application throws the following error after 24H. That's the expiry for the Kerberos ticket.

Caused by: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:690)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1709)
        at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:653)
        at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:740)
        at org.apache.hadoop.ipc.Client$Connection.access$2900(Client.java:378)
        at org.apache.hadoop.ipc.Client.getConnection(Client.java:1492)
        at org.apache.hadoop.ipc.Client.call(Client.java:1402)
        ... 27 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
        at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
        at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:563)

From this answer, the Kerberos ticket should be auto renewed.

My application is using Java 8 and I came across this bug.

But then it looks like the hadoop-common-2.7.1.2.4.2.12-1.jar used by my application already has the fix. The source can be found here.

But I still got the same error, as the auto renewal was not happening. It was resolved only after calling UserGroupInformation.checkTGTAndReloginFromKeytab() before each action, as suggested in the above answer. But that was suggested only when using REST APIs and not for RPCs, and I hope native Java APIs use RPC only.

Why is the auto renewal not happening as suggested in the above answer?

Solution

Unfortunately, there is a known issue with automatic renewal not working correctly when using the UserGroupInformation#loginUserFromKeytabAndReturnUGI method. I am not aware of any known code fix within Apache Hadoop at this time.

Your solution to add a call to UserGroupInformation#checkTGTAndReloginFromKeytab is a viable workaround. I recommend that you stick with that for now and keep an eye on Apache Hadoop release notes to see if there is a fix committed in the future.
