
I have a Java application which needs to access a Hadoop cluster to fetch a file at regular intervals (say, every 24 hours).

Since the Kerberos protocol is enabled for protection on that cluster, I am using the loginUserFromKeytab() method of the UserGroupInformation class: https://hadoop.apache.org/docs/r1.2.1/api/org/apache/hadoop/security/UserGroupInformation.html.

Now, I know that the kinit command grants a ticket-granting ticket to access any Kerberized service and that this ticket has to be refreshed periodically (through the kinit command). Now, my question is: is it required to run kinit periodically (from code) in combination with the above Java API for the code to work? Or will running it once be sufficient? Or is it not required at all?

Thanks for reading.

white-hawk-73
  • `loginUserFromKeytab()` calls the java implementation of Kerberos to create a TGT, then it keeps it *private* to the current process. `kinit` calls the C implementation of Kerberos to create a TGT, then it makes it *shared* by storing it in a cache ("shared" by the Linux process owner only...) – Samson Scharfrichter Jun 05 '17 at 20:48

2 Answers


No, you don't need to run kinit periodically from anywhere if you are using the function loginUserFromKeytab with a valid keytab and username.

From docs

Log a user in from a keytab file. Loads a user identity from a keytab file and logs them in. They become the currently logged-in user.

So every time you call the method loginUserFromKeytab with valid parameters, it logs in the user.

philantrovert
  • So, is kinit required at all? I mean, do I not have to run it even once? As in, I couldn't find any info about the fact that the ticket is refreshed using the `loginUserFromKeytab` API. – white-hawk-73 Jun 05 '17 at 06:59
  • You can use [`loginUserFromKeytabAndReturnUGI`](http://grepcode.com/file/repo1.maven.org/maven2/org.apache.hadoop/hadoop-common/2.6.0/org/apache/hadoop/security/UserGroupInformation.java) to get the details of the currently logged in User once the keytab has been successfully used to login. – philantrovert Jun 05 '17 at 07:04
  • Or if you really really want to play safe you can add one `Runtime.exec("kinit -kt .... ")` above your `loginUserFromKeytab` – philantrovert Jun 05 '17 at 07:06
  • That is my doubt. Currently I am executing `kinit` once, but `loginUserFromKeytab` is being executed repeatedly (for my purpose). But I want to know if `kinit` is required at all. – white-hawk-73 Jun 05 '17 at 07:15
  • AFAIK, you don't need to `kinit`. – philantrovert Jun 05 '17 at 07:15
  • Thank you @philantrovert. Can you explain why? Is there any documentation which mentions how `loginUserFromKeytab` works? – white-hawk-73 Jun 05 '17 at 07:26

It's a long and complicated story. In short:

  • if you explicitly request the Hadoop auth library to create a private Kerberos ticket with loginUserFromKeytab(), then that ticket is not renewable; you must launch a background thread to call checkTGTAndReloginFromKeytab() from time to time, and it will re-create the ticket whenever it comes close to expiration
  • otherwise the UGI will implicitly read the shared ticket cache to get an existing ticket; and it will also implicitly launch a background thread to automatically renew that ticket (as long as it does not reach its end-of-renewal time -- at this point you are screwed)

Some recommended readings:
- HBase Kerberos connection renewal strategy
- Should I call ugi.checkTGTAndReloginFromKeytab() before every action on hadoop?
- Auto renewal of Kerberos ticket not working from Java (i.e. there's a bug in the non-static methods of UGI)

Samson Scharfrichter
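Putting both answers together, here is an added example (not code from either answer or from the Hadoop project) of the keytab-only pattern they describe: log in once with `loginUserFromKeytab()`, never call `kinit`, and keep the private TGT alive from a background thread with `checkTGTAndReloginFromKeytab()` so a daily HDFS fetch keeps working for weeks. The principal, keytab path, HDFS URL and local directory are placeholders I made up; the one-hour check interval is an assumption (the method itself is a no-op until the ticket is close to expiry, so calling it often is cheap).

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Periodic HDFS fetch from a Kerberized cluster using only a keytab.
 * No kinit, no shared credential cache: the TGT lives inside this JVM.
 */
public class KeytabFetcher {

    // Assumed placeholder values; replace with your own (not from the original post).
    private static final String PRINCIPAL = "svc-fetch@EXAMPLE.COM";
    private static final String KEYTAB    = "/etc/security/keytabs/svc-fetch.keytab";
    private static final String HDFS_FILE = "hdfs://namenode.example.com:8020/data/feed/latest.csv";
    private static final String LOCAL_DIR = "/var/lib/fetcher/";

    private static final Configuration CONF = new Configuration();
    private static UserGroupInformation loginUser;

    public static void main(String[] args) throws Exception {
        // Tell UGI the cluster is Kerberized before any login or FileSystem call.
        CONF.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(CONF);

        // Private, process-local login from the keytab. Nothing is written to the
        // kinit cache, so `klist` on this host will not show this ticket.
        UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);
        loginUser = UserGroupInformation.getLoginUser();

        ScheduledExecutorService scheduler = Executors.newScheduledThreadPool(2);

        // Background thread (as the second answer recommends): re-login from the
        // keytab when the TGT nears expiry. Assumed interval: every hour.
        scheduler.scheduleAtFixedRate(KeytabFetcher::reloginIfNeeded, 1, 1, TimeUnit.HOURS);

        // The actual job: fetch the file every 24 hours, running as the keytab user.
        scheduler.scheduleAtFixedRate(KeytabFetcher::fetchAsLoginUser, 0, 24, TimeUnit.HOURS);
        // Non-daemon pool threads keep the JVM alive after main() returns.
    }

    /** Re-creates the TGT from the keytab only if it is close to expiration. */
    static void reloginIfNeeded() {
        try {
            loginUser.checkTGTAndReloginFromKeytab();
        } catch (IOException e) {
            // Log and keep the thread alive; the next tick will retry.
            System.err.println("TGT re-login failed: " + e);
        }
    }

    /** Runs the fetch inside doAs() so the RPC layer uses this UGI's Kerberos credentials. */
    static void fetchAsLoginUser() {
        try {
            // Belt and braces: make sure the ticket is fresh right before using it.
            loginUser.checkTGTAndReloginFromKeytab();
            loginUser.doAs((PrivilegedExceptionAction<Void>) () -> {
                fetchOnce();
                return null;
            });
        } catch (Exception e) {
            System.err.println("Fetch failed: " + e);
        }
    }

    /** Copies the remote file to the local directory. */
    static void fetchOnce() throws IOException {
        Path src = new Path(HDFS_FILE);
        // newInstance() avoids the shared FileSystem cache, so closing it is safe.
        try (FileSystem fs = FileSystem.newInstance(src.toUri(), CONF)) {
            fs.copyToLocalFile(src, new Path(LOCAL_DIR, src.getName()));
        }
    }
}
```

Two practical checks before deploying this: the keytab is a long-lived credential equivalent to the service password, so keep it readable only by the account running the JVM (mode 0400) and never on a shared ticket cache path; and if you later see "GSS initiate failed" after roughly the TGT lifetime (typically 10 to 24 hours), the re-login thread is not running or is calling the method on a different UGI instance than the one doing the I/O, which is the situation the third linked reading describes.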