You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@zeppelin.apache.org by zj...@apache.org on 2018/04/18 03:38:12 UTC

zeppelin git commit: [ZEPPELIN-3356] Kerberos ticket still expire after 7 days

Repository: zeppelin
Updated Branches:
  refs/heads/master 0e82a5712 -> 6cb39a071


[ZEPPELIN-3356] Kerberos ticket still expire after 7 days

### What is this PR for?

The root cause is that we may do UserGroupInformation.loginUserFromKeytab multiple times if we use hdfs for several places, e.g. for notebook repo and zeppelin config. This PR fix the bug by only doing UserGroupInformation.loginUserFromKeytab one time.

### What type of PR is it?
[Bug Fix ]

### Todos
* [ ] - Task

### What is the Jira issue?
* https://issues.apache.org/jira/browse/ZEPPELIN-3356

### How should this be tested?
Manually tested
* Add the following properties to /etc/krb5.conf
   renew_lifetime = 10m
  ticket_lifetime = 5m
* Add the following properties to /var/kerberos/krb5kdc/kdc.conf
  max_renewable_life = 10m
  max_life = 5m

Without this PR, will hit the ticket expire after 10 minutes. With this PR, the ticket is still valid after 10 minutes

### Screenshots (if appropriate)

### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No
* Does this needs documentation? No

Author: Jeff Zhang <zj...@apache.org>

Closes #2924 from zjffdu/ZEPPELIN-3356 and squashes the following commits:

00eda00 [Jeff Zhang] [ZEPPELIN-3356] Kerberos ticket still expire after 7 days


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/6cb39a07
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/6cb39a07
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/6cb39a07

Branch: refs/heads/master
Commit: 6cb39a07173c8abaabb114d20e108781f2d39d6f
Parents: 0e82a57
Author: Jeff Zhang <zj...@apache.org>
Authored: Thu Apr 12 15:50:52 2018 +0800
Committer: Jeff Zhang <zj...@apache.org>
Committed: Wed Apr 18 11:38:07 2018 +0800

----------------------------------------------------------------------
 .../zeppelin/notebook/FileSystemStorage.java    | 36 +++++++++++++-------
 1 file changed, 23 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/6cb39a07/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/FileSystemStorage.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/FileSystemStorage.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/FileSystemStorage.java
index 24bab57..4670e20 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/FileSystemStorage.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/FileSystemStorage.java
@@ -30,9 +30,31 @@ public class FileSystemStorage {
 
   private static Logger LOGGER = LoggerFactory.getLogger(FileSystemStorage.class);
 
+  // only do UserGroupInformation.loginUserFromKeytab one time, otherwise you will still get
+  // your ticket expired.
+  static {
+    if (UserGroupInformation.isSecurityEnabled()) {
+      ZeppelinConfiguration zConf = ZeppelinConfiguration.create();
+      String keytab = zConf.getString(
+          ZeppelinConfiguration.ConfVars.ZEPPELIN_SERVER_KERBEROS_KEYTAB);
+      String principal = zConf.getString(
+          ZeppelinConfiguration.ConfVars.ZEPPELIN_SERVER_KERBEROS_PRINCIPAL);
+      if (StringUtils.isBlank(keytab) || StringUtils.isBlank(principal)) {
+        throw new RuntimeException("keytab and principal can not be empty, keytab: " + keytab
+            + ", principal: " + principal);
+      }
+      try {
+        UserGroupInformation.loginUserFromKeytab(principal, keytab);
+      } catch (IOException e) {
+        throw new RuntimeException("Fail to login via keytab:" + keytab +
+            ", principal:" + principal, e);
+      }
+    }
+  }
+
   private ZeppelinConfiguration zConf;
   private Configuration hadoopConf;
-  private boolean isSecurityEnabled = false;
+  private boolean isSecurityEnabled;
   private FileSystem fs;
 
   public FileSystemStorage(ZeppelinConfiguration zConf, String path) throws IOException {
@@ -43,18 +65,6 @@ public class FileSystemStorage {
     this.hadoopConf.set("fs.file.impl", RawLocalFileSystem.class.getName());
     this.isSecurityEnabled = UserGroupInformation.isSecurityEnabled();
 
-    if (isSecurityEnabled) {
-      String keytab = zConf.getString(
-          ZeppelinConfiguration.ConfVars.ZEPPELIN_SERVER_KERBEROS_KEYTAB);
-      String principal = zConf.getString(
-          ZeppelinConfiguration.ConfVars.ZEPPELIN_SERVER_KERBEROS_PRINCIPAL);
-      if (StringUtils.isBlank(keytab) || StringUtils.isBlank(principal)) {
-        throw new IOException("keytab and principal can not be empty, keytab: " + keytab
-            + ", principal: " + principal);
-      }
-      UserGroupInformation.loginUserFromKeytab(principal, keytab);
-    }
-
     try {
       this.fs = FileSystem.get(new URI(path), this.hadoopConf);
     } catch (URISyntaxException e) {