
We are unable to renew Kerberos user tickets from keytab using Java code, while it's working with "kinit -R".

Code:

```java
UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
loginUser.checkTGTAndReloginFromKeytab();
```

Please help me out.

Rakesh E
  • Your question is not clear. Is it about ticket renewal, as with `kinit -R`, or ticket re-creation, as with `kinit -kt ` or with `.checkTGTAndReloginFromKeytab()` method? And BTW your formatting is not appropriate (i.e. `code excerpts` are not supposed to be **bold**) – Samson Scharfrichter Oct 17 '17 at 20:47
  • Some research on Google and/or StackOverflow would have told you that Java implementation of Kerberos is **not complete** -- in particular, Java cannot create renewable tickets, and cannot write tickets into the file cache (although it can read it). Hadoop uses Java so that it shares most of its limitations; although there is a dirty fix to renew pre-existing tickets in the cache. – Samson Scharfrichter Oct 17 '17 at 21:08
  • Recommended readings: https://stackoverflow.com/questions/33211134/hbase-kerberos-connection-renewal-strategy and https://stackoverflow.com/questions/34616676/should-i-call-ugi-checktgtandreloginfromkeytab-before-every-action-on-hadoop. – Samson Scharfrichter Oct 17 '17 at 21:08

1 Answer


Did you do a kinit before the process started? Only then could it be renewed.

Is the keytab under the same user that your program runs on? I.e., does the user have the rights to renew the keytab?

What is the exact stacktrace?

Maybe this will work for you, pointing to the exact location of your keytab. Because when you do a renewal when there is no keytab, it is of course pointless.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

// Enable Kerberos authentication in the Hadoop security layer
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "Kerberos");
UserGroupInformation.setConfiguration(conf);
// Log in with an explicit principal and keytab path
UserGroupInformation.loginUserFromKeytab("example_user@IBM.COM", "/path/to/example_user.keytab");
```

Cloudkollektiv
  • Yes, we gave the principal and keytab location, and it needs to be renewed with the same keytab and the below method `loginUser.checkTGTAndReloginFromKeytab();`. We are testing this method is going to renew the ticket when we call – Rakesh E Oct 18 '17 at 13:32
  • When we enable the trace and debug and run the program, it is showing renewable false, but we are able to see renewable true when we do kinit from the command prompt. Is there any way we can set "renewable true" using the Java API? – Rakesh E Oct 20 '17 at 06:29
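
To see what the keytab login from the thread actually holds, the following added example (not code from any poster in this thread, and not Hadoop's own code) prints the TGT's start time, end time and renewable flag before and after `checkTGTAndReloginFromKeytab()`. The class name `TgtInspector` and the helpers `findTgt` and `describe` are hypothetical; the principal and keytab path are passed as arguments, and a JDK where `Subject.getSubject` is still supported (Java 8 to 17) is assumed.

```java
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

public class TgtInspector { // hypothetical name, added for illustration
    // Return the TGT (server principal krbtgt/REALM@REALM) held by this UGI, or null.
    static KerberosTicket findTgt(UserGroupInformation ugi) throws Exception {
        return ugi.doAs((PrivilegedExceptionAction<KerberosTicket>) () -> {
            // Assumption: Subject.getSubject is supported on this JDK (Java 8 to 17).
            Subject subject = Subject.getSubject(AccessController.getContext());
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                if (t.getServer().getName().startsWith("krbtgt/")) {
                    return t;
                }
            }
            return null;
        });
    }

    static String describe(KerberosTicket t) {
        if (t == null) {
            return "no TGT in Subject";
        }
        return "start=" + t.getStartTime() + " end=" + t.getEndTime()
            + " renewable=" + t.isRenewable() + " renewTill=" + t.getRenewTill();
    }

    public static void main(String[] args) throws Exception {
        // args[0] = principal, args[1] = keytab path (supplied by the caller)
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(args[0], args[1]);
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();

        System.out.println("keytab-based login: " + ugi.isFromKeytab());
        System.out.println("before: " + describe(findTgt(ugi)));

        // Relogin requests a new TGT with the keytab; it does not renew the old one.
        // It returns without doing anything while the TGT is still in the early
        // part of its lifetime, so right after login both lines show the same ticket.
        ugi.checkTGTAndReloginFromKeytab();
        System.out.println("after:  " + describe(findTgt(ugi)));
    }
}
```

A changed `start` value in the "after" line means a new ticket was obtained from the keytab, which does not depend on the old ticket's renewable flag.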