Set up TGT Renewal

Apache Storm does not handle automatic TGT renewal for running topologies. As a result, you must manage the TGT renewal process to ensure that your access does not expire. HCP includes a Python script you can use to manage the TGT renewal process. Run the script on an interval that is shorter than the renew_lifetime property configured for your TGT.

  1. On a node running Storm, install the following:
    sudo yum install -y gcc krb5-devel python-devel
    sudo yum install -y libffi libffi-devel
    sudo yum install -y python-cffi
    sudo yum install -y openssl-devel
  2. Set up Python with metron user:
    su - metron
  3. Export the following to set your Python home and and Python library paths:
    export PYTHON27_HOME=/opt/rh/python27/root
    export LD_LIBRARY_PATH="/opt/rh/python27/root/usr/lib64"
  4. Create a project_dir directory:
    mkdir project_dir
  5. Upgrade the Python setuptools to version 18.5 and install requests-kerberos which is an authentication handler for using Kerberos with Python Requests.
    ${PYTHON27_HOME}/usr/bin/virtualenv venv
    source venv/bin/activate
    pip install --upgrade setuptools==18.5
    pip install requests-kerberos
  6. Execute the script:
    su - metron
    The port for the Storm UI server.
    The topology owner is typically "metron" for a Kerberized cluster with Metron topologies.
Create a cron job to run the script at intervals shorter than the renew_lifetime property configured for your TGT.