When the ugi returned by UserGroupInformation.createProxyUser is used to call "doAs", renewing the ticket (through checkTGTAndReloginFromKeytab) needs to go through its RealUser. If you call ugi.isFromKeytab(), it will return 'false' because ugi is just a proxy. But if you call ugi.getRealUser().isFromKeytab(), it will return 'true'. Here, ugi.getRealUser() returns the UserGroupInformation object for its real user (hdfs@HDP.DG). Calling 'checkTGTAndReloginFromKeytab' should go through the real user, not the proxy.

    // ugi is the proxy; the keytab login belongs to its real user.
    if (ugi.getRealUser().isFromKeytab()) {
        log("trying to reloginFromKeytab");
        UserGroupInformation ugiReal = ugi.getRealUser();
        // Renew the TGT on the real user, not on the proxy.
        ugiReal.checkTGTAndReloginFromKeytab();
        log("RealUser.getUserName: " + ugiReal.getUserName());
        log("RealUser.getRealAuthenticationMethod: "
                + ugiReal.getRealAuthenticationMethod().name());
        log("RealUser.hasKerberosCredentials: " + ugiReal.hasKerberosCredentials());
        readFile(conf, dirPath);
    }

The ticket expiration time is controlled by the KDC's krb5.conf file (not the client's krb5.conf file).
If you use HW:
Even if you set your own value for "ticket_lifetime", Hortonworks 2.2 will reset it when the keytab file is recreated and its services are restarted.
Key API:
UserGroupInformation.loginUserFromKeytabAndReturnUGI
UserGroupInformation.createProxyUser
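
The two key APIs combined into one flow, as an added example that is not code from the original post: a helper that always re-logs in through the UGI holding the keytab before running doAs on the proxy. The keytab path, the proxied user "alice", the "/tmp" directory and the class and helper names are assumptions for illustration; it needs the Hadoop client libraries and a reachable KDC and cluster.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class ProxyUserRelogin {

    // Returns the UGI that actually holds the keytab credentials:
    // the real user for a proxy UGI, or the UGI itself otherwise
    // (getRealUser() returns null when the UGI is not a proxy).
    static UserGroupInformation keytabOwner(UserGroupInformation ugi) {
        UserGroupInformation real = ugi.getRealUser();
        return real != null ? real : ugi;
    }

    // Re-login through the keytab owner, then run the action as the given UGI.
    static <T> T doAsWithRelogin(UserGroupInformation ugi, PrivilegedExceptionAction<T> action)
            throws IOException, InterruptedException {
        UserGroupInformation owner = keytabOwner(ugi);
        if (!owner.isFromKeytab()) {
            throw new IOException("No keytab login behind " + ugi.getUserName());
        }
        // Does nothing unless the TGT is expired or close to expiry.
        owner.checkTGTAndReloginFromKeytab();
        return ugi.doAs(action);
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Placeholder keytab path and proxied user name (assumptions).
        UserGroupInformation real = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                "hdfs@HDP.DG", "/path/to/hdfs.keytab");
        UserGroupInformation proxy = UserGroupInformation.createProxyUser("alice", real);

        // Runs as "alice", authenticated by the real user's Kerberos ticket.
        FileStatus[] listing = doAsWithRelogin(proxy,
                () -> FileSystem.get(conf).listStatus(new Path("/tmp")));
        System.out.println(listing.length + " entries listed as " + proxy.getUserName());
    }
}
```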