带有Kerberos的HBase - 保持一个HTable实例打开超过10个小时 [英] HBase with Kerberos - keep a HTable instance open more than 10 hours
问题描述
我有一个对象,它在启动时创建一个HTable实例并挂上它。它调用:
UserGroupInformation.setConfiguration(configuration);
UserGroupInformation.loginUserFromKeytab(user,keytab);
登录到Kerberized群集。
这个对象在几个小时之后会闲置。在超过10个小时(来自我们的Kerberos集群的票证上的超时)之后,下一次扫描表的结果如下:
16/12/01 18:16:24 WARN security.UserGroupInformation:PriviledgedActionException as:bigdata-app-analyticscore-msr@INTQA.THOMSONREUTERS.COM(auth:KERBEROS)cause:javax.security.sasl.SaslException:GSS启动失败[由GSSException引起:没有提供有效的凭据(机制级别:无法找到任何Kerberos tgt)]
16/12/01 18:16:24 WARN ipc.RpcClient:连接到服务器时遇到异常:javax .security.sasl.SaslException:GSS启动失败[由GSSException引起:没有提供有效的凭据(机制级别:无法找到任何Kerberos tgt)]
16/12/01 18:16:24致命ipc.RpcClient: SASL认证失败。最可能的原因是丢失或无效的凭证。考虑'kinit'。
- javax.security.sasl.SaslException:GSS启动失败[由GSSException引起:没有提供有效的凭证(机制级别:未能找到任何Kerberos tgt)]
- at com.sun.security.sasl .gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
- 等
我可以让Kerberos身份验证保持活跃吗?
我刚才在这个论坛上做了一些研究。 Kerberos身份验证在10小时后死亡的问题声明与此线程几乎相同:
10小时后续订与Apache Phoenix的连接(使用Kerberos)会在10小时后失败
p>
实际上我今天早些时候编辑了该线程,并将10小时放入主题行中。这个线程包含了一些关于在这里做什么的伟大建议。我将继续借鉴Samson Scharfrichter提供的良好智慧,他说:标准解决方案是定期产生一个调用checkTGTAndReloginFromKeytab()的后台线程 - 请参阅,这是非常复杂的HortonWorks专家(一位撰写GitBook关于Hadoop& Kerberos的人的同事)的解释 我希望这能够提供您的指导。 Here is the situation: we have a secured (Kerberos) HBase cluster.
I have an object that creates an instance of HTable at startup and hang on to it. It calls: to login to the Kerberized cluster.
This object then hangs around unused for many hours. After more than 10 hours (the timeout on a ticket from our Kerberos cluster), the next call to scan the table results in this: How can I keep the Kerberos authentication alive? I happened to be doing some research in this forum earlier. The problem statement here, where Kerberos authentication dies after 10 hours, is nearly identical to that of this thread: Renewing a connection to Apache Phoenix (using Kerberos) fails after exactly 10 hours I actually just edited that thread earlier today and placed the "10 hours" into the Subject line. That thread contains some great advice on what to do here. I'm going to go ahead and borrow the good wisdom provided by Samson Scharfrichter who stated in it: "The standard solution is to spawn a background thread invoking checkTGTAndReloginFromKeytab() periodically -- see Should I call ugi.checkTGTAndReloginFromKeytab() before every action on hadoop? for a very elaborate explanation by a HortonWorks guru (a colleague of the guy who wrote that GitBook about Hadoop & Kerberos)" I hope this provides your direction. 这篇关于带有Kerberos的HBase - 保持一个HTable实例打开超过10个小时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
UserGroupInformation.setConfiguration(configuration);
UserGroupInformation.loginUserFromKeytab(user, keytab);
16/12/01 18:16:24 WARN security.UserGroupInformation: PriviledgedActionException as:bigdata-app-analyticscore-msr@INTQA.THOMSONREUTERS.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/12/01 18:16:24 WARN ipc.RpcClient: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/12/01 18:16:24 FATAL ipc.RpcClient: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
- javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
- at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
- etc.
