Objective
The previous blog post covered Kerberos in general; this one complements it with content related to Kerberos ticket lifetime.
Ticket lifetime
A Kerberos ticket has a lifetime; once that time is reached the ticket expires and must either be re-requested or renewed. The effective ticket lifetime is the minimum of the following 5 settings:
- max_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
- The maximum ticket life of the built-in principal krbtgt, which can be viewed with the getprinc command in the kadmin command line
- The maximum ticket life of your own principal, likewise viewed with the getprinc command in the kadmin command line
- ticket_lifetime in /etc/krb5.conf on the Kerberos client
- The time specified with the kinit -l option
Ticket Renew Lifetime
Once a ticket has expired there are two ways to extend it: re-request it (which requires entering a password) or renew it (which does not); each renew extends the ticket by one more lifetime. However, the renew operation itself also has a lifetime, the ticket renew lifetime: renew operations are only possible within this window. As above, the ticket renew lifetime is the minimum of the following 5 settings:
- max_renewable_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
- The maximum renewable life of the built-in principal krbtgt, which can be viewed with the getprinc command in the kadmin command line
- The maximum renewable life of your own principal, likewise viewed with the getprinc command in the kadmin command line
- renew_lifetime in /etc/krb5.conf on the Kerberos client
- The time specified with the kinit -r option
HBase and Ticket lifetime
HBase runs for a long time, and its handling of ticket expiration can be seen in org.apache.hadoop.hbase.ipc.RpcClient, in the method handleSaslConnectionFailure(). The method's comment mentions that HBase attempts to relogin automatically, and from the code it is clear that it obtains a new ticket directly rather than renewing the existing one:
The other problem is to do with ticket expiry. To handle this, a relogin is attempted.
The retry logic is governed by the shouldAuthenticateOverKrb method. In case the user doesn't have valid credentials, we don't need to retry (from cache or ticket). In such cases, it's prudent to throw a runtime exception if we receive a SaslException from the underlying authentication implementation, so there is no retry from the other high level (for eg, HCM or HBaseAdmin).
In addition, you may see the following log message:
[org.apache.hadoop.security.UserGroupInformation] Not attempting to re-login since the last re-login was attempted less than seconds before.
This message is actually caused by a hard-coded value in UserGroupInformation, MIN_TIME_BEFORE_RELOGIN = 10*60*1000L. It is a limit Hadoop imposes on itself so that relogin is not attempted too frequently, so you need to set ticket_lifetime to more than 10 minutes.
Keytab and Ticket lifetime
A keytab file is essentially just a password file, so modifying the lifetime-related settings has nothing to do with the password and does not require regenerating existing keytab files.
Some commands
- kadmin: modprinc -maxrenewlife 11days +allow_renewable {principal}
- kadmin: modprinc -maxlife 6minutes {principal}
- kadmin: getprinc {principal} // retrieve the detailed info of a principal
- kinit -R // renew the current ticket
- kinit {principal} -kt {keytab file} // init a principal via a keytab file
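To tie together the "minimum of five settings" rule and the HBase relogin behaviour described above, here is an added Python example (not code from this page, nor from HBase or Hadoop) that computes the effective lifetime, parses a constructed klist output, and decides whether a long-running client should do nothing, renew (kinit -R) or relogin from the keytab (kinit -kt); the klist timestamp format, the sample principal and the cache path are assumptions.

```python
import re
from datetime import datetime, timedelta

# Hadoop's hard-coded UserGroupInformation.MIN_TIME_BEFORE_RELOGIN (10*60*1000 ms)
MIN_TIME_BEFORE_RELOGIN = timedelta(minutes=10)
KLIST_TS = "%m/%d/%Y %H:%M:%S"  # assumed klist timestamp format (locale dependent)

# Constructed klist output for a hypothetical HBase service principal
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hbase/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2024 10:00:00  01/15/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/22/2024 10:00:00
"""

def effective_lifetime(kdc_max, krbtgt_max, princ_max, client_cfg, kinit_opt):
    """Ticket (or renew) lifetime actually granted: the minimum of the five settings."""
    return min(kdc_max, krbtgt_max, princ_max, client_cfg, kinit_opt)

def parse_klist(text):
    """Return (start, expires, renew_until) of the krbtgt entry in klist output."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/", line)
        if not m:
            continue
        start = datetime.strptime(m.group(1), KLIST_TS)
        expires = datetime.strptime(m.group(2), KLIST_TS)
        renew_until = None  # absent when the ticket was not issued renewable
        if i + 1 < len(lines):
            r = re.search(r"renew until (\S+ \S+)", lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1), KLIST_TS)
        return start, expires, renew_until
    raise ValueError("no krbtgt ticket found in klist output")

def next_action(now, start, expires, renew_until):
    """Mirror the page's rules: a lifetime of 10 minutes or less trips the UGI relogin
    limit; a valid ticket needs nothing; an expired but still renewable ticket can be
    renewed (kinit -R); otherwise a fresh login from the keytab is needed (kinit -kt)."""
    if expires - start <= MIN_TIME_BEFORE_RELOGIN:
        return "lifetime-too-short"
    if now < expires:
        return "valid"
    if renew_until is not None and now < renew_until:
        return "renew"
    return "relogin"

def action_at(now_str, klist_text=SAMPLE_KLIST):
    """Evaluate a klist cache dump at the given timestamp (KLIST_TS format)."""
    return next_action(datetime.strptime(now_str, KLIST_TS), *parse_klist(klist_text))
```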
Kerberos Ticket Lifetime and others