Apache Storm does not handle automatic TGT renewal for running topologies. As a
result, you must manage the TGT renewal process to ensure that your access does not expire.
HCP includes a Python script you can use to manage the TGT renewal process. Run the script
on an interval that is shorter than the renew_lifetime property configured
for your TGT.
-
On a node running Storm, install the following:
sudo yum install -y gcc krb5-devel python-devel
sudo yum install -y libffi libffi-devel
sudo yum install -y python-cffi
sudo yum install -y openssl-devel
-
Set up Python with metron user:
-
Export the following to set your Python home and and Python library
paths:
export PYTHON27_HOME=/opt/rh/python27/root
export LD_LIBRARY_PATH="/opt/rh/python27/root/usr/lib64"
-
Create a
project_dir directory:
-
Upgrade the Python
setuptools to version 18.5 and install
requests-kerberos which is an authentication handler for
using Kerberos with Python Requests.
${PYTHON27_HOME}/usr/bin/virtualenv venv
source venv/bin/activate
pip install --upgrade setuptools==18.5
pip install requests-kerberos
-
Execute the
tgt_renew.py script:
su - metron
python $METRON_HOME/bin/tgt_renew.py $HOST:PORT $TOPOLOGY_OWNER
Where:
- HOST:PORT
- The port for the Storm UI server.
- TOPOLOGY_OWNER
- The topology owner is typically "metron" for a Kerberized cluster
with Metron topologies.
Create a cron job to run the tgt_renew.py
script at intervals shorter than the renew_lifetime
property configured for your TGT.
