Re: Secure Hadoop and non-secure HBase
Hi Eric,

If you configure

hbase.master.keytab.file
hbase.master.kerberos.principal
hbase.regionserver.keytab.file
hbase.regionserver.kerberos.principal

in your hbase-site.xml, then the master and region server processes should
log in from the keytab files on startup, as Todd mentions.  It's also my
understanding that they don't need a renewal thread in that case.  The RPC
client just tries a relogin from the keytab in the case of a connection
error.

Can you describe a bit more what you're seeing so that we can understand the
context?

Gary

On Sun, Sep 11, 2011 at 3:13 PM, Todd Lipcon <[EMAIL PROTECTED]> wrote:

> Hi Eric,
>
> Could you please explain more fully what you mean by this? The daemons
> generally run using keytabs, not user credentials, and thus shouldn't
> need the explicit TGT Renewer, right?
>
> -Todd
>
> On Sun, Sep 11, 2011 at 11:04 AM, Eric Yang <[EMAIL PROTECTED]> wrote:
> > Hi all,
> >
> > Hortonworks has a patch for secure append for Apache Hadoop 0.20.205 to
> > work with HBase 0.90.x.  However, secure Hadoop and HBase would work until
> > the Kerberos token expires.  There is currently no code that renews the
> > Kerberos token in HBase.  Hence, it is possible to add a cron job to
> > periodically renew the HBase user token to keep the system running.  What
> > does the community think about having a setup script for a cron job as part
> > of the upcoming HBase minor release, and fixing the token renewal in HBase
> > code for the next major version?  On the other hand, would the community
> > accept the token renewal code in HBase as part of the upcoming 0.90.5
> > release?  If yes, what is the timeline for 0.90.5?
> >
> > regards,
> > Eric
>
>
>
> --
> Todd Lipcon
> Software Engineer, Cloudera
>
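
An added example, not part of the original thread or of HBase itself: a small check that an hbase-site.xml sets all four keytab and principal properties named in Gary's reply. The sample file contents (paths, host name, realm) are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# The four property names listed in the reply above.
REQUIRED = (
    "hbase.master.keytab.file",
    "hbase.master.kerberos.principal",
    "hbase.regionserver.keytab.file",
    "hbase.regionserver.kerberos.principal",
)

# Constructed sample hbase-site.xml; paths, host and realm are placeholders.
# The region server principal is left out on purpose.
SAMPLE = """<configuration>
  <property>
    <name>hbase.master.keytab.file</name>
    <value>/etc/hbase/conf/hbase.keytab</value>
  </property>
  <property>
    <name>hbase.master.kerberos.principal</name>
    <value>hbase/master1.example.com@EXAMPLE.COM</value>
  </property>
  <property>
    <name>hbase.regionserver.keytab.file</name>
    <value>/etc/hbase/conf/hbase.keytab</value>
  </property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <property> elements."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def missing_keytab_settings(xml_text):
    """List the required keys that are absent or have an empty value."""
    props = load_properties(xml_text)
    return [key for key in REQUIRED if not props.get(key)]


if __name__ == "__main__":
    for key in missing_keytab_settings(SAMPLE):
        print("missing or empty:", key)
```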