@Override protected void chore() { try { user.checkTGTAndReloginFromKeytab(); } catch (IOException e) { LOG.error("Got exception while trying to refresh credentials: " + e.getMessage(), e); } } };
@Override public void run() { try { ugi.checkTGTAndReloginFromKeytab(); } catch (IOException e) { LOG.warn("Error occured during checkTGTAndReloginFromKeytab() for user " + ugi.getUserName(), e); } } }, CHECK_TGT_INTERVAL, CHECK_TGT_INTERVAL, TimeUnit.SECONDS);
/** * Re-logins the user if needed. * First, the re-login interval defined in factory is checked. The re-login attempts will be not more * frequent than one attempt per {@code reloginInterval}. * Second, {@code UserGroupInformation.checkTGTAndReloginFromKeytab()} method invoked that gets existing * TGT and checks its validity. If the TGT is expired or is close to expiry, it performs re-login. * * <p>This operation expected to be called upon each operation with the file system created with the factory. * As long as {@link #get(String)} operation is invoked upon each file {@link IgniteHadoopFileSystem}, there * is no need to invoke it otherwise specially. * * @throws IOException If login fails. */ private void reloginIfNeeded() throws IOException { long now = System.currentTimeMillis(); if (now >= lastReloginTime + reloginInterval) { user.checkTGTAndReloginFromKeytab(); lastReloginTime = now; } } }
@Override public UserGroupInformation createUgi() throws IOException { // Make sure the UGI is current. baseUgi.checkTGTAndReloginFromKeytab(); // TODO: the only reason this is done this way is because we want unique Subject-s so that // the FS.get gives different FS objects to different fragments. // TODO: could we log in from ticket cache instead? no good method on UGI right now. return SHIMS.cloneUgi(baseUgi); } }
private void login(final String keytabPrincipal, final String keytabPath) throws IOException { if (this.loggedInUser == null) { log.info( String.format("Logging in using Principal: %s Keytab: %s", keytabPrincipal, keytabPath)); UserGroupInformation.loginUserFromKeytab(keytabPrincipal, keytabPath); this.loggedInUser = UserGroupInformation.getLoginUser(); log.info(String.format("User %s logged in.", this.loggedInUser)); } else { log.info(String.format("User %s already logged in. Refreshing TGT", this.loggedInUser)); this.loggedInUser.checkTGTAndReloginFromKeytab(); } } }
private void reloginUGI(UserGroupInformation ugi) { try { if (ugi.hasKerberosCredentials()) { long now = System.currentTimeMillis(); if (now - lastReloginAttempt < MIN_TIME_BEFORE_RELOGIN) { return; } lastReloginAttempt = now; ugi.checkTGTAndReloginFromKeytab(); } } catch (IOException e) { throw new SecurityException("Error trying to relogin from keytab for user " + ugi.getUserName(), e); } }
@Override public void authenticate(URL url, AuthenticatedURL.Token token) throws IOException, AuthenticationException { if (!hasDelegationToken(url, token)) { try { // check and renew TGT to handle potential expiration UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab(); LOG.debug("No delegation token found for url={}, token={}, " + "authenticating with {}", url, token, authenticator.getClass()); authenticator.authenticate(url, token); } catch (IOException ex) { throw NetUtils.wrapException(url.getHost(), url.getPort(), null, 0, ex); } } else { LOG.debug("Authenticated from delegation token. url={}, token={}", url, token); } }
@Override public void run() { stopped = false; while (!stopped) { try { logger.debug("Invoking renewal attempt for Kerberos ticket"); // While we run this "frequently", the Hadoop implementation will only perform the login at 80% of ticket lifetime. ugi.doAs((PrivilegedExceptionAction<Void>) () -> { ugi.checkTGTAndReloginFromKeytab(); return null; }); } catch (IOException e) { logger.error("Failed to renew Kerberos ticket", e); } catch (InterruptedException e) { logger.error("Interrupted while attempting to renew Kerberos ticket", e); Thread.currentThread().interrupt(); return; } logger.debug("current UGI {}", new Object[]{ugi}); // Wait for a bit before checking again. try { Thread.sleep(renewalPeriod); } catch (InterruptedException e) { logger.error("Renewal thread interrupted", e); Thread.currentThread().interrupt(); return; } } }
/** * Relogin if login user is logged in using keytab * Relogin is actually done by ugi code only if sufficient time has passed * A no-op if kerberos security is not enabled * @throws MetaException */ private void reloginExpiringKeytabUser() throws MetaException { if(!UserGroupInformation.isSecurityEnabled()){ return; } try { UserGroupInformation ugi = UserGroupInformation.getLoginUser(); //checkTGT calls ugi.relogin only after checking if it is close to tgt expiry //hadoop relogin is actually done only every x minutes (x=10 in hadoop 1.x) if(ugi.isFromKeytab()){ ugi.checkTGTAndReloginFromKeytab(); } } catch (IOException e) { String msg = "Error doing relogin using keytab " + e.getMessage(); LOG.error(msg, e); throw new MetaException(msg); } }
UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab(); return; } else if (UserGroupInformation.isLoginTicketBased()) {
currentUser.checkTGTAndReloginFromKeytab(); LOG.debug("The user credential is {}", currentUser); String
@Override public void run() { while (true) { try { renewalLog.debug("Invoking renewal attempt for Kerberos ticket"); // While we run this "frequently", the Hadoop implementation will only perform the login // at 80% of ticket lifetime. ugi.checkTGTAndReloginFromKeytab(); } catch (IOException e) { // Should failures to renew the ticket be retried more quickly? renewalLog.error("Failed to renew Kerberos ticket", e); } // Wait for a bit before checking again. try { Thread.sleep(renewalPeriod); } catch (InterruptedException e) { renewalLog.error("Renewal thread interrupted", e); Thread.currentThread().interrupt(); return; } } } }));
@Override public Void run() throws IOException { // We may have lost our ticket since last checkpoint, log in again, just in case if (UserGroupInformation.isSecurityEnabled()) { UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab(); } boolean success = false; try { TransferFsImage.doGetUrl(url, localPaths, storage, true); assert tmpFile.exists(); success = true; } finally { if (!success) { if (!tmpFile.delete()) { LOG.warn("Failed to delete temporary file " + tmpFile); } } } return null; } });
UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab();
UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab();
@Override protected void chore() { try { ugi.checkTGTAndReloginFromKeytab(); } catch (IOException e) { LOG.error("Got exception while trying to refresh credentials: " + e.getMessage(), e); } } };
@Override public void run() { try { UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab(); } catch (IOException e) { LOG.error("Failed to relogin from keytab", e); } } }, delaySec, delaySec, TimeUnit.SECONDS);
@Override public void authenticate(URL url, AuthenticatedURL.Token token) throws IOException, AuthenticationException { if (!hasDelegationToken(url, token)) { // check and renew TGT to handle potential expiration UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab(); authenticator.authenticate(url, token); } }
@Override public void authenticate(URL url, AuthenticatedURL.Token token) throws IOException, AuthenticationException { if (!hasDelegationToken(url, token)) { // check and renew TGT to handle potential expiration UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab(); authenticator.authenticate(url, token); } }