情况如下:我们有一个安全的(Kerberos)HBase集群。 我有一个对象,它在启动时创建一个HTable实例并挂起它。它叫:
UserGroupInformation.setConfiguration(configuration);
UserGroupInformation.loginUserFromKeytab(user, keytab);
登录Kerberized集群。 然后这个对象闲置几个小时。超过10小时后(来自我们的Kerberos群集的故障单超时),下一次扫描表的调用结果如下:
16/12/01 18:16:24 WARN security.UserGroupInformation: PriviledgedActionException as:bigdata-app-analyticscore-msr@INTQA.THOMSONREUTERS.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/12/01 18:16:24 WARN ipc.RpcClient: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/12/01 18:16:24 FATAL ipc.RpcClient: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
- javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
- at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
- etc.
如何使Kerberos身份验证保持活动状态?
答案 0 :(得分:1)
我之前碰巧在这个论坛做了一些研究。这里的问题陈述,其中Kerberos身份验证在10小时后死亡,几乎与此线程的相同:
Renewing a connection to Apache Phoenix (using Kerberos) fails after exactly 10 hours
我实际上刚刚在今天早些时候编辑过那个帖子,然后放置了#10; 10小时"进入主题行。该主题包含一些关于如何做的好建议。我将继续前进并借用Samson Scharfrichter提供的好智慧,他们在其中说:"标准解决方案是定期生成一个后台线程调用checkTGTAndReloginFromKeytab() - 请参阅Should I call ugi.checkTGTAndReloginFromKeytab() before every action on hadoop? HortonWorks大师(编写关于Hadoop和Kerberos的GitBook的同事)的非常精细的解释"
我希望这能为你提供方向。