
I am writing a Java program to access secured HBase on a kerberized cluster. My understanding is I can do it in two ways:

  1. Login using principal name and password to create TGT in cache and use it to access the hbase.

  2. Using keytab file to access hbase.

Before I decide which approach I should take, I want to understand the pros and cons of both options. I did google and found this article which explained how both options work. This post also pointed out that a TGT from a keytab can be renewed by calling checkTGTAndReloginFromKeytab, but it did not talk about the renewal process for renewing the TGT of the kinit cache; I think it can be done using the renewTGT property in the JAAS config (correct me if I am wrong). Another point from this post is that the kinit cache is only good for short-running applications since we cannot renew a TGT beyond 7 days.

I am leaning towards the cache approach since I can securely keep the username and password in a key vault and never have to worry about securing a keytab. But the limitation with this approach is, as mentioned earlier, the max lifetime of the TGT (7 days): I can't use it for long-running jobs, at least that's what I understood (correct me).

If you can explain the difference between the two or point me to a good article which explains both approaches in detail, that would be really helpful.

I have written the program below to get a TGT using username and password.

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

// principal name and password, loaded from the key vault in the real program
private static String username;
private static char[] password; // PasswordCallback.setPassword takes a char[]

public static LoginContext kinit() throws LoginException {
    // "Client" is the entry name in the JAAS config file below
    return new LoginContext("Client", callbacks -> {
        for (Callback c : callbacks) {
            if (c instanceof NameCallback)
                ((NameCallback) c).setName(username);
            if (c instanceof PasswordCallback)
                ((PasswordCallback) c).setPassword(password);
        }
    });
}

public static void connectToKerberizedHBase(Configuration conf) throws LoginException, IOException {
    UserGroupInformation.setConfiguration(conf);

    LoginContext lc = kinit(); // Krb5LoginModule obtains the TGT with the password
    lc.login();
    // hand the Subject holding the TGT to Hadoop's UGI so HBase calls run as this user
    UserGroupInformation.loginUserFromSubject(lc.getSubject());
}

Using it as below:

void someMethod() throws LoginException, IOException {
    Configuration config = HBaseConfiguration.create();
    loadHBaseConfigsFromProperties(config); // to load zookeeper quorum, port etc...
    connectToKerberizedHBase(config);
}

JAAS Config file:

Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false
    renewTGT=true
    useTicketCache=true;
};

The above-mentioned article also talks about delegates using a keytab, which I didn't understand, so please help me to understand if that is the right way to create a connection for long-running jobs.

Sandeep Kumar
  • The Java implementation of Kerberos (part of JAAS) can consume a TGT from the Kerberos cache, but cannot renew it, cannot recreate it. Actually it _never_ writes anything in the Kerberos cache. – Samson Scharfrichter Oct 30 '20 at 15:08
  • The Hadoop wrapper around JAAS (inside `hadoop-auth.jar`) does a lot of dirty things, including a lame way to renew a TGT found in the cache (using `kinit -T` in a sub-process, from a background thread) and a way to create/re-create explicitly a private TGT from a keytab – Samson Scharfrichter Oct 30 '20 at 15:10
  • Note that the Hadoop UGI will not re-create a public TGT in the cache, and will not renew a private TGT (since it can be re-created anyway) – Samson Scharfrichter Oct 30 '20 at 15:13
  • Hadoop services (HDFS, YARN, Hive Metastore, HS2, HBase) also use a delegation token mechanism to make Kerberos more friendly with distributed systems, but that's another story. – Samson Scharfrichter Oct 30 '20 at 15:15
  • Recommended reading: https://stackoverflow.com/questions/34616676/should-i-call-ugi-checktgtandreloginfromkeytab-before-every-action-on-hadoop – Samson Scharfrichter Oct 30 '20 at 15:17
  • Recommended reading: https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/kerberos_the_madness.html – Samson Scharfrichter Oct 30 '20 at 15:18
  • @SamsonScharfrichter: Thanks, appreciate your response. – Sandeep Kumar Nov 04 '20 at 19:33
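The two login paths the question compares, written side by side as an added example (not the asker's code and not part of the Hadoop or HBase projects). It logs in either from a keytab via UserGroupInformation or from a password via Krb5LoginModule, prints the end time and renew-till bound straight off the resulting TGT so the lifetime limit discussed above can be read off the ticket itself, and shows the asymmetry the comments describe: UGI can re-run a keytab login with checkTGTAndReloginFromKeytab but has nothing to re-create a password-based TGT with. The principal `user@EXAMPLE.COM`, the `--keytab` argument and the class name are placeholders chosen here; the HBase site properties (ZooKeeper quorum, master and region server principals) are assumed to come from hbase-site.xml on the classpath, as in the asker's loadHBaseConfigsFromProperties.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.security.UserGroupInformation;

/** Example class (hypothetical name): keytab login vs. password login against a kerberized HBase. */
public class KerberosLoginDemo {

    /** Option 2: keytab. UGI remembers principal and keytab path and can re-create the TGT itself. */
    static UserGroupInformation loginWithKeytab(Configuration conf, String principal, String keytabPath)
            throws IOException {
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
        return UserGroupInformation.getLoginUser();
    }

    /** Option 1: password. Krb5LoginModule does the AS exchange in-process; the TGT lives only in the
     *  Subject (nothing is written to the OS ticket cache) and UGI never sees the password. */
    static UserGroupInformation loginWithPassword(Configuration conf, String principal, char[] password)
            throws IOException, LoginException {
        UserGroupInformation.setConfiguration(conf);
        // In-memory equivalent of the "Client" jaas.conf entry, but with useTicketCache=false so the
        // credential is obtained from the password alone and not read from a kinit cache.
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "false");
        opts.put("useKeyTab", "false");
        javax.security.auth.login.Configuration jaas = new javax.security.auth.login.Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("Client", new Subject(), callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(principal);
                if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
            }
        }, jaas);
        lc.login();
        Arrays.fill(password, '\0'); // the module keeps its own copy; drop ours right away
        describeTickets(lc.getSubject());
        UserGroupInformation.loginUserFromSubject(lc.getSubject());
        return UserGroupInformation.getLoginUser();
    }

    /** Lifetime limits as the KDC issued them: end time (ticket lifetime) and renew-till
     *  (renewable lifetime, typically 7 days). No renewal is possible past renew-till. */
    static void describeTickets(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.printf("%s expires=%s renewable=%b renewTill=%s%n",
                    t.getServer().getName(), t.getEndTime(), t.isRenewable(), t.getRenewTill());
        }
    }

    /** Call before each unit of work in a long-running job. */
    static void refreshIfPossible(UserGroupInformation ugi) throws IOException {
        if (ugi.isFromKeytab()) {
            ugi.checkTGTAndReloginFromKeytab(); // no-op unless the TGT is near expiry
        } else {
            // Password/cache login: UGI holds no keytab and no password, so it cannot log in again.
            System.out.println("login is not keytab-based; UGI cannot re-create this TGT");
        }
    }

    /** HBase work runs as the logged-in user; the client negotiates SASL/GSSAPI with the TGT. */
    static void listTables(UserGroupInformation ugi, Configuration conf) throws IOException, InterruptedException {
        ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
            try (Connection conn = ConnectionFactory.createConnection(conf); Admin admin = conn.getAdmin()) {
                for (TableName tn : admin.listTableNames()) System.out.println(tn);
            }
            return null;
        });
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = HBaseConfiguration.create(); // picks up hbase-site.xml from the classpath
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hbase.security.authentication", "kerberos");
        UserGroupInformation ugi = (args.length == 2 && args[0].equals("--keytab"))
                ? loginWithKeytab(conf, "user@EXAMPLE.COM", args[1])
                : loginWithPassword(conf, "user@EXAMPLE.COM", System.console().readPassword("password: "));
        refreshIfPossible(ugi);
        listTables(ugi, conf);
    }
}
```

Run it with `--keytab /path/to/user.keytab` for option 2 or with no arguments to be prompted for the password (option 1). The printed renewTill is the hard stop for the password-based job: once it passes, the only way to keep going is to obtain a fresh TGT with the password again, which the keytab path does for you inside checkTGTAndReloginFromKeytab.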
