08-03-2017
02:54 PM
1 Kudo
First off, yes. This can/should work and you have the correct general idea. You deploy a keytab for your application to use. The application logs in when it first starts, and launches a thread to periodically invoke a renewal.

Remember that ticket caches (what happens when you invoke a kinit) are mutually exclusive from a programmatic login using a keytab with UGI. The warning from UGI can be ignored in your application. UGI won't perform a re-login for calls you make until you reach 80% of your ticket lifetime. I would be more interested in what kind of logging you get out of the UGI class after the 80% of ticket lifetime is exceeded. You should see a message saying that UGI attempted the re-login and (successfully, hopefully) renewed your ticket.

Please remember that the ticket lifetime is unique from a ticket's renewable lifetime. As a sanity check, I would perform a quick experiment to make sure that you have a renewal ticket in the first place.

```
$ kinit -kt /my/file.keytab principal
$ kinit -R
```

The above should not throw an error (as long as you do it in the renewable lifetime of the ticket). You can also use the command `getprinc` in kadmin to inspect the ticket lifetime and renewal lifetime (e.g. `getprinc principal` in kadmin).

(shameless self-plug) You may also find this presentation that I gave recently, trying to de-mystify some of this, helpful: http://www.slideshare.net/je2451/practical-kerberos-with-apache-hbase/
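The lifetime versus renewable-lifetime distinction from the post above can be read straight out of `klist` output. The following is an added example, not part of the original post: it assumes MIT `klist` layout with MM/DD/YYYY timestamps, uses a constructed sample, and the name `inspect_tgt` is hypothetical.

```python
import re
from datetime import datetime

# Constructed sample of MIT `klist` output (MM/DD/YYYY date format assumed).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user1@EXAMPLE.COM

Valid starting       Expires              Service principal
08/03/2017 10:00:00  08/04/2017 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/10/2017 10:00:00
"""

FMT = "%m/%d/%Y %H:%M:%S"
STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TGT_LINE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(krbtgt/\S+)$")
RENEW_LINE = re.compile(rf"^\s+renew until ({STAMP})$")


def inspect_tgt(klist_output):
    """Return timing facts for the first krbtgt entry, or None if there is none."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = TGT_LINE.match(line)
        if not m:
            continue
        start = datetime.strptime(m.group(1), FMT)
        expires = datetime.strptime(m.group(2), FMT)
        renew_until = None
        # MIT klist prints the renewable lifetime on the line after the ticket.
        if i + 1 < len(lines):
            r = RENEW_LINE.match(lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1), FMT)
        return {
            "service": m.group(3),
            "lifetime": expires - start,
            # 80% of the ticket lifetime: the point the post gives for UGI re-login.
            "relogin_after": start + 0.8 * (expires - start),
            "renew_until": renew_until,
            # Without a "renew until" past expiry, `kinit -R` has nothing to extend.
            "renewable": renew_until is not None and renew_until > expires,
        }
    return None
```

Feeding it the output of `klist` taken right after `kinit -kt` shows whether the KDC issued a renewable ticket and when the 80% mark falls, which is when the UGI re-login log message should appear.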
07-28-2017
04:32 PM
The one you have in the description is wrong and will never work. The one here is the form you must use. Please follow Ankit's suggestion to provide more information. A TimeoutException that makes no reference to Phoenix code is not helpful. Please also be aware that hbase-site.xml and core-site.xml are required to be on the classpath for Phoenix to connect to a secured HBase installation. This may be the root of your problem, but it is unknown without more data.
07-28-2017
04:22 PM
You are using an incorrect URL. Please read the documentation: https://phoenix.apache.org/#Connection

```
jdbc:phoenix:zk-host-1,zk-host-2,zk-host-3:2181:/hbase-secure:user1@EXAMPLE.COM:/Users/user1/user1.headless.keytab
```
07-25-2017
04:01 PM
Can you please share the version of HDP you're running, the table's schema and the UPSERT SELECT command you ran?
07-25-2017
03:26 PM
1 Kudo
The best way is to run HBase in an HDFS encryption zone. This ensures that the HBase WALs and store files are all encrypted at rest. Make sure that you are also enabling wire-encryption (auth-conf quality of protection in HBase's SASL configuration) if data-in-motion also needs to be encrypted.
https://hbase.apache.org/book.html#hbase.encryption.server
https://hortonworks.com/blog/new-in-hdp-2-3-enterprise-grade-hdfs-data-at-rest-encryption/
07-20-2017
05:29 PM
Thanks for clarifying. Trivial use of Phoenix likely would work. It will not work for the full feature set of Phoenix. I appreciate your caveat that this should only be used for one-off/demo setups, not for production.
07-20-2017
02:52 PM
That's a very bad idea -- you should be figuring out why the class could not be loaded. Without that coprocessor, Phoenix will not function correctly.
07-13-2017
06:11 PM
Your application contains two jar files which both contain a slf4j
logger implementation. The jar files are listed in the output you
provided. Exclude one of these jars from your application's classpath.
07-11-2017
04:07 PM
1 Kudo
In general, no. If you have a specific concern, please clarify your question.
07-05-2017
04:00 PM
HTTP/403 means that you were able to successfully authenticate with the server, however you were disallowed due to authorization reasons (authentication and authorization are different things!). What is the Kerberos principal your client is using and what is the Kerberos principal PQS is using? You could be running into CALCITE-1282 / PHOENIX-3004.