Java – I should call ugi. before every action on Hadoop. checkTGTAndReloginFromKeytab()?
In my server application, I am connecting from my java application to the Kerberos secure Hadoop cluster I am using various components such as HDFS file system, oozie, hive and so on When the application starts, I call
UserGroupInformation.loginUserFromKeytabAndReturnUGI( ... );
This returns my useregroupinformation instance, and I keep its application lifecycle In doing privileged action, I launched them UGI DOAS (action)
That's good, but I want to know how and when to renew Kerberos tickets in usergroupinformation? I found a method usergroupinformation Checktgtandreloginfromkeytab(), appears to be updated near expiration I also found that this method is being called by various Hadoop tools such as web HDFS file system
Now, if I want my server application (which may run for months or even years) to never experience ticket expiration, what is the best way? Ask specific questions:
>Can I rely on the various Hadoop clients they call checktgtandreloginfromkeytab? Should I call checkTGTAndReloginFromKeytab in my code? > If so, use ugi Before DOAS (...), or set a timer and call it regularly (how long)?
Solution
Hadoop Submitter is here! This is a good question
Unfortunately, without a deep understanding of the specific usage patterns of applications, it is difficult to give a clear answer Instead, I can provide general guidelines and describe when Hadoop will automatically process the update or re login key for you and when it will not
The main use case of Kerberos authentication in Hadoop ecosystem is the RPC framework of Hadoop, which uses SASL for authentication Most daemons in the Hadoop ecosystem handle this problem by making a one-time call to usergroupinformation#loginuserfromkeytab when the process starts Examples include HDFS datanode that must validate its RPC call to namenode and yarn nodemanager that must validate its call to ResourceManager How can daemons such as datanode log in at one time when the process starts, and then continue to run for several months? The typical ticket expiration time a long time ago?
Because this is a common use case, Hadoop directly implements the automatic re login mechanism in the RPC client layer This code is visible in the RPC client #handlesaslconnectionfailure method:
// try re-login
if (UserGroupInformation.isLoginKeytabBased()) {
UserGroupInformation.getLoginUser().reloginFromKeytab();
} else if (UserGroupInformation.isLoginTicketBased()) {
UserGroupInformation.getLoginUser().reloginFromTicketCache();
}
You can think of this as a lazy assessment to log back in It only re - performs login on the attempted RPC connection in response to authentication failure
Knowing this, we can give some answers If your application's usage pattern is to log in from the key table and then perform a typical Hadoop RPC call, you may not need to scroll through your own re login code The RPC client layer will do this for you "Typical Hadoop RPC" means that most Java APIs interact with Hadoop, including HDFS file system API, yarnclient and MapReduce job submission
However, some application usage patterns do not involve Hadoop RPC at all An example is an application that fully interacts with Hadoop's rest APIs (such as webhdfs or yarn rest APIs) In this case, the authentication model uses Kerberos through SPNEGO, as described in the Hadoop HTTP authentication document
Knowing this, we can add more answers If your application uses a rest API instead of Hadoop RPC at all, you must scroll through your own login logic That's why 07007, as you've noticed Webhdfs file system chooses to call before each operation This is a good strategy because usergroupinformation#checktgtandreloginfromkeytab only renews the ticket if it's "close" to expiration Otherwise, the call is invalid
As a final use case, let's consider an interactive process, instead of logging in from the KeyTab, which requires the user to run Kinit externally before starting the application In most cases, these will be short - running applications, such as Hadoop cli commands However, in some cases, these can be longer running processes In order to support longer running processes, Hadoop starts the background thread to "close" the Kerberos fault ticket until it expires This logic is visible in usergroupinformation #spawnautorewealthreadforusercreds There is an important difference from the automatic re - login logic provided by the RPC layer In this case, Hadoop can only update the ticket and prolong its service life Tickets have the largest renewable life cycle, as specified by Kerberos infrastructure After that, the tickets were no longer available In this case, re login is actually impossible, because it will mean re prompting the user for password and may leave the terminal This means that if the process continues to run after the ticket expires, it will no longer be able to authenticate
Again, we can use this information to inform our overall answer If you rely on users to log in interactively through Kinit before starting the application, and if you are sure that the running time of the application will not exceed the maximum renewable life cycle of Kerberos tickets, you can rely on Hadoop internal components to update it regularly for you
If you are using keyboard based login and you are just not sure whether the application usage mode can rely on the automatic re login of Hadoop RPC layer, the conservative method is to scroll your own@ Samson scharfrichter gives a good answer here, which is to scroll your own
HBase Kerberos connection renewal strategy
Finally, I should add a comment on API stability The Apache Hadoop compatibility guide discusses in detail the Hadoop development community's commitment to backward compatibility The user group information interface notes are "limited private" and "evolution" Technically, this means that the usergroupinformation API is not considered public and may evolve in a backward incompatible manner In fact, a lot of code already depends on the interface of usergroupinformation, so we can't make a breakthrough change at all Of course, in the current 2 In the X release, I won't worry about breaking your code by changing the method signature from below
Now that we have all this background information, let's review your specific question
If your application's usage pattern is to call Hadoop clients, which in turn utilizes Hadoop's RPC framework, you can rely on this If your application's usage mode only calls Hadoop rest API, you cannot rely on this
If the usage mode of the application is only used to call Hadoop rest API instead of Hadoop RPC call, you may need to do this You will not realize the benefits of automatic re - login in the RPC client of Hadoop
It is good to call UserGroupInformation#checkTGTAndReloginFromKeytab before each operation that needs to be verified. If the ticket is not close to expiration, the method will be invalid If you suspect that the Kerberos infrastructure is unstable and you do not want the client operation to pay the delay cost of re login, this will be a reason to perform this operation in a separate background thread Just make sure to leave a little before the actual expiration time of the ticket You can use the logic in usergroupinformation to determine whether the ticket is "closed" and due In fact, I've never seen a problem with the delay of re - login