HBase kerberos令牌会过期吗 [英] Will the hbase kerberos token expired
问题描述
我有一个Spark Streaming应用程序,对于每个批次,我都需要将其插入受Kerberos保护的hbase中.我找到了一个解决方案,那就是在驱动程序端创建连接并从该conn获取令牌,然后将其传递给执行程序.在执行器端,我将其解码并获得令牌,这样我就可以成功地将数据插入到hbase中.这看起来不错,但我担心的是令牌会过期吗?如果是这样,请如何解决?
I have a spark streaming application, for every batch, I need to insert it to the hbase which is protected by kerberos. I found a solution, that is in the driver side I create a connection and obtain a token from that conn and then pass it to the executor. In the executor side, I decode it and get the token, in this way I can insert data to hbase successfully. This seems good, but my concern is that will the token expired? If so , how to solve it please?
我的代码段是
val ugi=UserGroupInformation.loginUserFromKeytabAndReturnUGI(principle,keytabfile);
ugi.doAs(new PrivilegedAction[Unit]() {
def run(): Unit = {
conn = ConnectionFactory.createConnection(conf)
val token = TokenUtil.obtainToken(conn)
tokenStr = token.encodeToUrlString()
}
})
在rdd.foreachpartition中,
in the rdd.foreachpartition,
val token = new Token()
token.decodeFromUrlString(tokenStr)
UserGroupInformation.getCurrentUser.addToken(token)
尽管我在Internet上搜索了很多有关此问题的内容,但是我没有找到关于此问题的好的解决方案.这个问题的常见答案是
Although I have searched a lot from Internet about this issue, but I did not found a good solution about this issue. The common answer to this question is
UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
但是作为我的测试,在此方法中
But as my test, inside this method,
public synchronized void checkTGTAndReloginFromKeytab() throws IOException {
if (!isSecurityEnabled()
|| user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS
|| !isKeytab)
return;
KerberosTicket tgt = getTGT();
if (tgt != null && Time.now() < getRefreshTime(tgt)) {
return;
}
reloginFromKeytab();
}
isKeytab 始终为false,因此它将永远不会执行以下代码,我不明白为什么会返回false.那么有人可以帮助我解决这个问题吗?感谢您的帮助!
The isKeytab is always false, so it will never execute the following code,I do not understand why this return false. So anybody can help me solve this question? Any help is appreciated!
推荐答案
它是由Java版本引起的.如果要在JDK 1.7.0_85或更高版本上运行安全的Hadoop集群,则必须运行Apache Hadoop 2.7.0或更高版本.
It is caused by the java version. If you want to run a secured Hadoop cluster on JDK 1.7.0_85 or later, then you must run Apache Hadoop 2.7.0 or later.
To see this Jira issue HADOOP-10786
这篇关于HBase kerberos令牌会过期吗的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
