I have a Java application which needs to access a Hadoop cluster to fetch a file at regular intervals (say, every 24 hours).
Since the Kerberos protocol is enabled for protection on that cluster, I am using the loginUserFromKeytab() method of the UserGroupInformation class: https://hadoop.apache.org/docs/r1.2.1/api/org/apache/hadoop/security/UserGroupInformation.html.
Now, I know that the kinit command grants a ticket-granting ticket to access any Kerberized service and this ticket has to be refreshed periodically (through the kinit command). Now, my question is: is it required to run kinit periodically (from code) in combination with the above Java API for the code to work? Or will running it once be sufficient? Or is it not required at all?
Thanks for reading.
It's a long and complicated story. In short:
loginUserFromKeytab(), then that ticket is not renewable; you must launch a background thread to call checkTGTAndReloginFromKeytab() from time to time, and it will re-create the ticket whenever it comes close to expiration

Some recommended readings:
- HBase Kerberos connection renewal strategy
- Should I call ugi.checkTGTAndReloginFromKeytab() before every action on hadoop?
- Auto renewal of Kerberos ticket not working from Java (i.e. there's a bug in the non-static methods of UGI)
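
The pattern the answer describes, as an added example that is not part of the original answer: log in once from the keytab through the static API, run a background relogin check, and fetch the file every 24 hours. The class name, principal, keytab path, file paths and the 10-minute check interval are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabFetchJob {
    // Assumed placeholders: substitute your own principal, keytab and paths.
    private static final String PRINCIPAL = "appuser@EXAMPLE.COM";
    private static final String KEYTAB = "/etc/security/keytabs/appuser.keytab";
    private static final Path REMOTE = new Path("/data/report.csv");
    private static final Path LOCAL = new Path("/tmp/report.csv");

    public static void main(String[] args) throws IOException {
        // Picks up core-site.xml / hdfs-site.xml from the classpath.
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // One-time login from the keytab; no external kinit is involved.
        UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);

        ScheduledExecutorService pool = Executors.newScheduledThreadPool(2);

        // Background relogin check on the static login user. Exceptions are
        // caught because an uncaught one would cancel all future runs.
        pool.scheduleAtFixedRate(() -> {
            try {
                UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
            } catch (Exception e) {
                System.err.println("Kerberos relogin check failed: " + e);
            }
        }, 10, 10, TimeUnit.MINUTES);

        // The actual job: fetch the file once every 24 hours.
        pool.scheduleAtFixedRate(() -> {
            try {
                FileSystem fs = FileSystem.get(conf); // cached instance, do not close
                fs.copyToLocalFile(REMOTE, LOCAL);
            } catch (Exception e) {
                System.err.println("HDFS fetch failed: " + e);
            }
        }, 0, 24, TimeUnit.HOURS);
    }
}
```

The keytab is a long-lived credential, so it should be readable only by the account that runs this process.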