Kerberos ticket lifetime and other notes

Posted by Morven.Huang on 2015-06-29

Preface

An earlier post touched on Kerberos; this one adds a few notes on Kerberos ticket lifetimes.

ticket lifetime

A Kerberos ticket has a lifetime; once it is exceeded the ticket expires and must be requested again or renewed. The ticket lifetime is the minimum of the following five settings:

  • max_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
  • The maximum ticket life of the built-in principal krbtgt, which can be viewed with the getprinc command in the kadmin shell
  • The maximum ticket life of your own principal, also viewable with getprinc in the kadmin shell
  • ticket_lifetime in /etc/krb5.conf on the Kerberos client
  • The time given to the kinit -l option

ticket renew lifetime

When a ticket expires and you want to extend it, there are two ways: request a new one (which requires entering the password) or renew it (which does not); each renewal extends the ticket by one lifetime. Renewal itself is also bounded by a lifetime, the ticket renew lifetime: a ticket can only be renewed within it. Much like the above, the ticket renew lifetime is the minimum of the following five settings:

  • max_renewable_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
  • The maximum renewable life of the built-in principal krbtgt, which can be viewed with the getprinc command in the kadmin shell
  • The maximum renewable life of your own principal, also viewable with getprinc in the kadmin shell
  • renew_lifetime in /etc/krb5.conf on the Kerberos client
  • The time given to the kinit -r option
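To make the two "minimum of five settings" rules above concrete, here is an added example (my own code, not from the post or from MIT Kerberos) that parses the duration strings kadmin, kinit and krb5.conf accept and reports which setting ends up bounding the ticket lifetime and the renewable lifetime. The setting values in TICKET_LIFE_SETTINGS and RENEW_LIFE_SETTINGS are constructed sample values; the duration grammar covered (plain seconds, h:m[:s], and unit strings such as 10h, 7d, 1d 2h 30m, 6minutes, 11days) is an assumption about what the tools take, so check the forms against your krb5 version.

```python
import re
from typing import Mapping, Optional, Tuple

# Unit-string grammar assumed here: optional days, hours, minutes, seconds, in that order,
# with full or abbreviated unit names ("10h", "7d", "1d 2h 30m", "6minutes", "11days").
_UNIT_RE = re.compile(
    r"^\s*(?:(\d+)\s*d(?:ays?)?)?\s*(?:(\d+)\s*h(?:ours?)?)?"
    r"\s*(?:(\d+)\s*m(?:in(?:ute)?s?)?)?\s*(?:(\d+)\s*s(?:ec(?:ond)?s?)?)?\s*$"
)


def parse_duration(text: str) -> int:
    """Convert a Kerberos-style duration string to a number of seconds."""
    text = text.strip()
    if text.isdigit():                      # bare integer: already seconds
        return int(text)
    if ":" in text:                         # h:m[:s] form
        parts = [int(p) for p in text.split(":")]
        if len(parts) not in (2, 3):
            raise ValueError(f"bad h:m[:s] duration: {text!r}")
        h, m, s = (parts + [0])[:3]
        return h * 3600 + m * 60 + s
    match = _UNIT_RE.match(text)
    if not match or not any(match.groups()):
        raise ValueError(f"unrecognised duration: {text!r}")
    d, h, m, s = (int(g) if g else 0 for g in match.groups())
    return ((d * 24 + h) * 60 + m) * 60 + s


def effective_limit(settings: Mapping[str, Optional[str]]) -> Tuple[int, str]:
    """Apply the post's rule: the effective value is the smallest configured setting.

    A value of None means the setting is not given (e.g. no -l/-r on the command line)
    and therefore does not constrain the result. Returns (seconds, name of binding setting).
    """
    parsed = {name: parse_duration(value) for name, value in settings.items() if value is not None}
    if not parsed:
        raise ValueError("no setting is configured")
    binding = min(parsed, key=parsed.__getitem__)   # first minimum in dict order on ties
    return parsed[binding], binding


# Constructed sample values, one per setting named in the post (not real site configuration).
TICKET_LIFE_SETTINGS = {
    "kdc.conf max_life": "24h",
    "krbtgt maximum ticket life": "10h",
    "principal maximum ticket life": "1d",
    "krb5.conf ticket_lifetime": "10h",
    "kinit -l": "8h",
}
RENEW_LIFE_SETTINGS = {
    "kdc.conf max_renewable_life": "7d",
    "krbtgt maximum renewable life": "7d",
    "principal maximum renewable life": "11days",
    "krb5.conf renew_lifetime": "7d",
    "kinit -r": None,                   # not passed on the command line
}


def report(ticket: Mapping[str, Optional[str]] = TICKET_LIFE_SETTINGS,
           renew: Mapping[str, Optional[str]] = RENEW_LIFE_SETTINGS) -> dict:
    """Evaluate both limits and say which knob is the binding one for each."""
    life_s, life_by = effective_limit(ticket)
    renew_s, renew_by = effective_limit(renew)
    return {
        "ticket_lifetime_s": life_s,
        "bounded_by": life_by,
        "renew_lifetime_s": renew_s,
        "renew_bounded_by": renew_by,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

When the result is smaller than you expected, the "bounded_by" entry tells you which of the five places to change; note that a larger value on the client side (ticket_lifetime, -l, renew_lifetime, -r) is simply clamped by the KDC and principal limits, it is never honoured beyond them.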

HBase and ticket lifetime

HBase runs for long periods, and its handling of ticket expiry can be found in org.apache.hadoop.hbase.ipc.RpcClient, method handleSaslConnectionFailure(). The method's comment says that HBase attempts an automatic relogin; judging from the code, it obtains a brand-new ticket rather than renewing the existing one.

The other problem is to do with ticket expiry. To handle that, a relogin is attempted.
The retry logic is governed by the shouldAuthenticateOverKrb method. In case when the user doesn't have valid credentials, we don't need to retry (from cache or ticket). In such cases, it is prudent to throw a runtime exception when we receive a SaslException from the underlying authentication implementation, so there is no retry from other high level (for eg, HCM or HBaseAdmin).


Also:

[org.apache.hadoop.security.UserGroupInformation] Not attempting to re-login since the last re-login was attempted less than 600 seconds before.

This error is actually caused by a hard-coded value in UserGroupInformation, MIN_TIME_BEFORE_RELOGIN=10*60*1000L. It is a limit Hadoop imposes on itself so that relogin is not attempted too frequently; setting ticket_lifetime to more than 10 minutes is enough to avoid it.
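Why a ticket lifetime below the 10-minute throttle hurts is easier to see on a timeline. The following added example (my own model, not Hadoop's or HBase's code) simulates a keytab-based client that checks its ticket once a second and asks for a relogin whenever the ticket has expired, while refusing any relogin attempted less than MIN_TIME_BEFORE_RELOGIN after the previous login, as the post describes. KeytabSession, seconds_without_ticket and the one-second check interval are assumptions for the simulation; the 600-second constant and the log message are the ones quoted above.

```python
from typing import List

# Hadoop's hard-coded throttle in milliseconds, as quoted in the post (10*60*1000L).
MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000


class KeytabSession:
    """Minimal model (an assumption, not Hadoop's implementation) of a keytab login
    that obeys the relogin throttle. Times are milliseconds on a simulated clock."""

    def __init__(self, ticket_lifetime_ms: int, now_ms: int = 0) -> None:
        self.ticket_lifetime_ms = ticket_lifetime_ms
        self.last_login_ms = now_ms          # the initial login happens at construction
        self.messages: List[str] = []        # what the client would have logged

    def ticket_valid(self, now_ms: int) -> bool:
        return now_ms < self.last_login_ms + self.ticket_lifetime_ms

    def relogin(self, now_ms: int) -> bool:
        """Return True if a fresh ticket was obtained, False if the throttle refused it."""
        if now_ms - self.last_login_ms < MIN_TIME_BEFORE_RELOGIN:
            self.messages.append(
                "Not attempting to re-login since the last re-login was attempted less than "
                f"{MIN_TIME_BEFORE_RELOGIN // 1000} seconds before."
            )
            return False
        self.last_login_ms = now_ms
        return True


def seconds_without_ticket(ticket_lifetime_s: int, horizon_s: int = 30 * 60,
                           check_every_s: int = 1) -> int:
    """Simulate a client over horizon_s seconds and return how many of them it spends
    with an expired ticket because the throttle refused the relogin."""
    session = KeytabSession(ticket_lifetime_s * 1000)
    gap_s = 0
    for now_s in range(0, horizon_s, check_every_s):
        now_ms = now_s * 1000
        if not session.ticket_valid(now_ms) and not session.relogin(now_ms):
            gap_s += check_every_s
    return gap_s


if __name__ == "__main__":
    # With the post's "modprinc -maxlife 6minutes" the client is ticketless for long stretches;
    # with a lifetime above the 10-minute throttle every relogin is accepted on the spot.
    for lifetime_min in (6, 15):
        print(f"ticket lifetime {lifetime_min} min: "
              f"{seconds_without_ticket(lifetime_min * 60)} s without a valid ticket in 30 min")
```

With a 6-minute ticket the model shows the client stuck without credentials from minute 6 to minute 10, again from minute 16 to minute 20, and so on: every relogin request in that window produces exactly the log line quoted above. Once the ticket lifetime exceeds 600 seconds the expiry and the earliest permitted relogin no longer overlap and the gap disappears.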

keytab and ticket lifetime

A keytab file is really just a password file, so changing lifetime-related settings obviously has nothing to do with the password, and there is no need to regenerate existing keytab files.

Some commands

  • kadmin: modprinc -maxrenewlife 11days +allow_renewable {principal}
  • kadmin: modprinc -maxlife 6minutes {principal}
  • kadmin: getprinc {principal} // retrieve the details of a principal
  • kinit -R // renew the current ticket
  • kinit {principal} -kt {keytab file} // obtain a ticket for a principal from a keytab file

