
What is the difference between relogInFromKeyTab and renewal of Kerberos ticket?


Contributor

Dear All,

I am running a program which fetches records from a secured (Kerberized) HBase.

The user principal I am using in my program has a maximum life of 30 seconds and a maximum renewal life of 1 minute.

I am actually doing an experiment in the test program to understand how auto-renewal works in Hadoop.

When I make the thread sleep for one minute every time before fetching the records, it is able to fetch the records.

My question is here, even though auto-renewal of the ticket is working fine.

Since the maximum renewable lifetime is 1 minute, when I make the thread sleep for a minute and then fetch the records, it is still able to fetch the records. How is this possible, as it violates the basic definition of the maximum renewable lifetime of a ticket?

Is it because whenever it performs reloginFromKeytab before making an RPC call, the lifetime of the ticket gets refreshed and advanced to a future time, i.e. the current renewal time + maximum lifetime?

And what is the difference between renewal of a ticket and reloginFromKeytab?

Thanks in Advance,

Param.

4 REPLIES

Re: What is the difference between relogInFromKeyTab and renewal of Kerberos ticket?

Super Guru

@Param NC

This was answered a couple of weeks ago in another thread. Link here.

Basically, automatic re-login is already implemented inside the RPC client layer (imagine a data node Kerberos ticket expiring every 24 hours or seven days, which is the norm - your test case is quite an outlier for expiring tickets in only 1 minute). So this has already been implemented at the client RPC layer because there are way too many Hadoop processes running and talking to each other with Kerberos enabled.

Following link gives very good detail to help answer your question.

http://stackoverflow.com/questions/34616676/should-i-call-ugi-checktgtandreloginfromkeytab-before-ev...

Here is the code that's already implemented for you in the client API.

    // try re-login
    if (UserGroupInformation.isLoginKeytabBased()) {
      UserGroupInformation.getLoginUser().reloginFromKeytab();
    } else if (UserGroupInformation.isLoginTicketBased()) {
      UserGroupInformation.getLoginUser().reloginFromTicketCache();
    }

key table or keytab

A file that includes an unencrypted list of principals and their keys. Servers retrieve the keys they need from keytab files instead of using kinit. The default keytab file is /etc/krb5.keytab. The KDC administration server, /usr/kerberos/sbin/kadmind, is the only service that uses any other file (it uses /var/kerberos/krb5kdc/kadm5.keytab).

ticket

A temporary set of electronic credentials that verify the identity of a client for a particular service. Also called credentials.

Re: What is the difference between relogInFromKeyTab and renewal of Kerberos ticket?

Contributor

Thank you for the response.

The concept is clear to me.

Actually my question is:

If the maximum renewable lifetime of the ticket is 7 days, then the maximum time up to which we can renew the ticket and use it is on or before 7 days. So when I am making calls to HBase, the Hadoop client is making RPC calls, and before that it executes the code below.

    if (UserGroupInformation.isLoginKeytabBased()) {
      UserGroupInformation.getLoginUser().reloginFromKeytab();
    } else if (UserGroupInformation.isLoginTicketBased()) {
      UserGroupInformation.getLoginUser().reloginFromTicketCache();
    }

That is what you said, but my question here is also:

I must get a ticket expiration exception once the user principal's maximum renewal time is reached? Why am I not getting that?

And is UserGroupInformation.getLoginUser().reloginFromKeytab(); actually changing the

    Valid starting     Expires            Service principal
    12/28/16 12:27:20  12/28/16 12:27:50  krbtgt/XYZ@XYZ.COM
            renew until 12/28/16 12:28:11

every time it re-logs in?

Finally, what is the difference between renewal (on the command line it is kinit -R) and re-login (in a program, UserGroupInformation.getLoginUser().reloginFromKeytab())?

Thanks ,

Param.

Re: What is the difference between relogInFromKeyTab and renewal of Kerberos ticket?

Super Guru
@Param NC

The answer is in the link I gave you. If you are using Hadoop RPC calls, which I think you are, relogin is done for you and that's why you are not getting a ticket expired exception. Here is an excerpt from the link:

If your application's usage pattern is to login from a keytab and then perform typical Hadoop RPC calls, then you likely do not need to roll your own re-login code. The RPC client layer will do it for you. "Typical Hadoop RPC" means the vast majority of Java APIs for interacting with Hadoop, including the HDFS FileSystem API, the YarnClient and MapReduce Job submissions.

Check this link again.

http://stackoverflow.com/questions/34616676/should-i-call-ugi-checktgtandreloginfromkeytab-before-ev...
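
The lifetimes from the question (30-second ticket life, 1-minute renewable life), run through a simplified model of the two KDC operations discussed in this thread. This is an added example, not part of any post and not Hadoop code; `Tgt`, `login_from_keytab`, `renew` and `run` are hypothetical names, and the model assumes a renewal is only granted for a still-valid ticket and never moves "renew until".

```python
from dataclasses import dataclass

MAX_LIFE = 30    # seconds: maximum ticket life given in the question
MAX_RENEW = 60   # seconds: maximum renewable life given in the question


@dataclass(frozen=True)
class Tgt:
    start: int
    end: int          # "Expires" in klist
    renew_till: int   # "renew until" in klist


def login_from_keytab(now):
    """AS exchange with the long-term key: a brand-new TGT, every clock reset."""
    return Tgt(now, now + MAX_LIFE, now + MAX_RENEW)


def renew(tgt, now):
    """TGS exchange with the RENEW option (what kinit -R asks for)."""
    if now >= tgt.end:
        raise PermissionError("ticket already expired, cannot renew")
    if now >= tgt.renew_till:
        raise PermissionError("past renew-until")
    # Expiry moves forward but is capped; renew_till is carried over unchanged.
    return Tgt(now, min(now + MAX_LIFE, tgt.renew_till), tgt.renew_till)


def run(strategy, fetch_times, renew_every=20):
    """Return the fetch times that found a valid TGT under 'renew' or 'relogin'."""
    tgt, ok, t_renew = login_from_keytab(0), [], renew_every
    for t in fetch_times:
        if strategy == "renew":
            # Background renewal every renew_every seconds, like a kinit -R loop.
            while t_renew <= t:
                try:
                    tgt = renew(tgt, t_renew)
                except PermissionError:
                    break  # no keytab in this strategy, so nothing else to try
                t_renew += renew_every
        elif not (tgt.start <= t < tgt.end):
            tgt = login_from_keytab(t)  # keytab available: fresh TGT on demand
        if tgt.start <= t < tgt.end:
            ok.append(t)
    return ok
```

With a fetch every 60 seconds, the relogin strategy succeeds every time because each keytab login issues a ticket with a new "renew until"; the renew-only strategy stops working once the original "renew until" passes.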

Re: What is the difference between relogInFromKeyTab and renewal of Kerberos ticket?

"Finally what is the difference between renewal (in command it is kinit -R ) and re-log in (In program UserGroupInformation.getLoginUser().reloginFromKeytab() )"

Essentially, none. They are ultimately doing the same thing, just storing the resulting ticket in different manners (kinit would store it in the ticket cache, the UGI call would store it in memory of the process which made the call).