HBase with Kerberos - 保持 HTable 实例打开超过 10 小时

Question

情况如下：我们有一个安全的 (Kerberos) HBase 集群。 我有一个在启动时创建 HTable 实例并挂在它上面的对象。它调用：

UserGroupInformation.setConfiguration(configuration);
UserGroupInformation.loginUserFromKeytab(user, keytab);

登录 Kerberized 集群。 然后这个对象闲置了好几个小时。超过 10 小时后（来自我们的 Kerberos 集群的票证超时），下一次扫描 table 的调用结果如下：

16/12/01 18:16:24 WARN security.UserGroupInformation: PriviledgedActionException as:bigdata-app-analyticscore-msr@INTQA.THOMSONREUTERS.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/12/01 18:16:24 WARN ipc.RpcClient: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/12/01 18:16:24 FATAL ipc.RpcClient: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
- javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
- at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
- etc.

如何保持 Kerberos 身份验证有效？

Answer 1

我之前刚好在这个论坛上做一些研究。此处的问题陈述（Kerberos 身份验证在 10 小时后终止）与该线程的问题陈述几乎相同：

Renewing a connection to Apache Phoenix (using Kerberos) fails after exactly 10 hours

实际上，我今天早些时候刚刚编辑了该主题并将“10 小时”放入主题行。该线程包含一些关于在这里做什么的很好的建议。我将继续借鉴 Samson Scharfrichter 提供的智慧，他在其中指出："The standard solution is to spawn a background thread invoking checkTGTAndReloginFromKeytab() periodically -- see for a very elaborate explanation by a HortonWorks guru (a colleague of the guy who wrote that GitBook about Hadoop & Kerberos)"

希望这能为您指明方向。