
I have the below code snippet for kerberos login using keytab.

    import org.apache.hadoop.conf.Configuration;
    import org.apache.hadoop.hbase.HBaseConfiguration;
    import org.apache.hadoop.hbase.client.Connection;
    import org.apache.hadoop.hbase.client.ConnectionFactory;
    import org.apache.hadoop.security.UserGroupInformation;

    Configuration conf = HBaseConfiguration.create();
    conf.addResource("hbase-site.xml");
    Connection connection = ConnectionFactory.createConnection(conf);
    UserGroupInformation.setConfiguration(conf);
    // the UGI returned by this call is not stored
    UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, keytabpath);

We also have the renew lifetime set to 7 days in our environment per security standards. Hence, the above code works for 7 days, and on the last day, although the application code tries to renew the token, it fails because of the 'renew until' constraint. I have to manually do a kinit to keep things working for the next 7 days.

Is there an alternative to handle this at the application code level? I am exploring options at the environment level to handle it, but there are constraints. I had tried the recommendations in this link but it didn't work: HBase Kerberos connection renewal strategy

Updated with klist details:

    [Fri 04/10 05:30 PM] root@lxapp6479:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: uname@domain

    Valid starting       Expires              Service principal
    10/04/2019 11:10:19  10/05/2019 11:10:19  krbtgt/DOMAIN@ABC.COM
            renew until 10/09/2019 12:32:35

Given that the new ticket was renewed on 10/04, the renew until should have been pushed back to 10/11, but it isn't happening with the below API call:

    UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();

Siva
  • There is no proper "documentation" for Hadoop security features, but you can browse the source code for `UserGroupInformation` on GitHub. You will find methods about **relogin**. – Samson Scharfrichter Oct 03 '19 at 20:00
  • For extra details by a Hadoop committer _(worked for Horton at the time)_, see https://stackoverflow.com/questions/34616676/should-i-call-ugi-checktgtandreloginfromkeytab-before-every-action-on-hadoop – Samson Scharfrichter Oct 03 '19 at 20:00
  • BTW your question is **not** about _**"doing kinit"**_ >> `kinit` command-line utility is based on a C library; Java has its own (partial) implementation of a Kerberos client; and Hadoop has some customisations on top of the Java implementation. – Samson Scharfrichter Oct 03 '19 at 20:33
  • Thank you @SamsonScharfrichter. I have implemented the same approach as listed in the wiki link you shared. I make an explicit call `UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();` but still my klist is not showing the renew until extended although a new token is acquired. `[Fri 04/10 05:30 PM] klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: usernmae@domain Valid starting Expires Service principal 10/04/2019 11:10:19 10/05/2019 11:10:19 krbtgt/ renew until 10/09/2019 12:32:35` – Siva Oct 07 '19 at 02:47
  • @SamsonScharfrichter updated my actual query with the behavior that I am getting currently. – Siva Oct 07 '19 at 03:10
  • **1.** Your `klist` command displays the default ticket cache for the current user >> I hope you don't run your jobs as `root`?!?!?!? >> do you know that you can use an arbitrary ticket cache using env variable `KRB5CCNAME` _(although Hadoop supports only the `FILE:` type)_? – Samson Scharfrichter Oct 07 '19 at 07:52
  • **2.** the UGI methods `loginUserFromKeytab` and `loginUserFromKeytabAndReturnUGI` do **not** use the ticket cache, the Kerberos ticket is kept private in memory -- which is much safer, and even mandatory with "***ReturnUGI" since you typically have _multiple_ tickets in parallel, which is not possible with a cache – Samson Scharfrichter Oct 07 '19 at 07:56
  • **3.** you are running `getLoginUser` against the **static** UGI (the default identity) while `loginUserFromKeytabAndReturnUGI` is specifically used when you don't want to use the static UGI -- **and then you must store the "returned UGI" object** and run methods against it. I guess you just copy/pasted some random code without any understanding of what it was supposed to do. – Samson Scharfrichter Oct 07 '19 at 08:00
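A version that keeps the returned UGI, re-logs in on that object and runs the HBase calls under it, as an added example (not the poster's code and not Hadoop's own); the principal, keytab path, table name and hourly interval are placeholders chosen for illustration:

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabRelogin {
    // Placeholders: substitute the real service principal and keytab path.
    private static final String PRINCIPAL = "svc-app@EXAMPLE.COM";
    private static final String KEYTAB = "/etc/security/keytabs/svc-app.keytab";

    public static void main(String[] args) throws Exception {
        Configuration conf = HBaseConfiguration.create();
        conf.addResource("hbase-site.xml");
        UserGroupInformation.setConfiguration(conf);

        // Keep the returned UGI: this object holds the keytab identity.
        final UserGroupInformation ugi =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(PRINCIPAL, KEYTAB);

        // Re-login from the keytab on *this* UGI, not on the static login user.
        // A keytab login obtains a fresh TGT, so it is not bound by the old
        // ticket's renew-until; the call is a no-op until the TGT nears expiry.
        ScheduledExecutorService relogin = Executors.newSingleThreadScheduledExecutor();
        relogin.scheduleAtFixedRate(() -> {
            try {
                ugi.checkTGTAndReloginFromKeytab();
            } catch (IOException e) {
                System.err.println("relogin failed: " + e.getMessage());
            }
        }, 1, 1, TimeUnit.HOURS);

        // Open the connection inside doAs so the RPC layer uses the keytab identity.
        Connection connection = ugi.doAs(
            (PrivilegedExceptionAction<Connection>) () -> ConnectionFactory.createConnection(conf));

        // Every HBase call runs inside doAs with the same UGI.
        boolean exists = ugi.doAs((PrivilegedExceptionAction<Boolean>) () ->
            connection.getAdmin().tableExists(TableName.valueOf("my_table")));
        System.out.println("table exists: " + exists);
    }
}
```

Because the login is keytab-based, the refreshed TGT lives in the UGI's private Subject rather than in /tmp/krb5cc_0, so `klist` on that cache will not reflect it.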

1 Answer

Java doesn't support the MIT standard. Use only kinit with jgss.native true for SSO.

tritbit
  • Can you please add a reference? – MrTux Dec 28 '22 at 06:10
  • You can use it for any Java app (client or server), so it gives all Kerberos features as if your app were coded in C/C++: https://docs.oracle.com/en/java/javase/17/security/accessing-native-gss-api.html – tritbit Mar 27 '23 at 18:29