Posted to dev@ranger.apache.org by "Bhavik Patel (Jira)" <ji...@apache.org> on 2022/04/08 06:10:00 UTC
[jira] [Assigned] (RANGER-3612) KMS should either Die or Auto-Recover when its ranger-agent auth to KDC failed
[ https://issues.apache.org/jira/browse/RANGER-3612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bhavik Patel reassigned RANGER-3612:
------------------------------------
Assignee: kirby zhou
> KMS should either Die or Auto-Recover when its ranger-agent auth to KDC failed
> ------------------------------------------------------------------------------
>
> Key: RANGER-3612
> URL: https://issues.apache.org/jira/browse/RANGER-3612
> Project: Ranger
> Issue Type: Bug
> Components: kms, plugins
> Affects Versions: 3.0.0, 2.2.0
> Reporter: kirby zhou
> Assignee: kirby zhou
> Priority: Major
>
> If we install the ranger agent into KMS, the agent would auth itself to the KDC at startup. But if that fails, it just prints a log line in ranger-kms-<hostname>.log, and the KMS can never recover to refresh its policies.
> {code:java}
> ]$ tail -f log/ranger-kms-ranger_kms-.log | fgrep ERROR
> 2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab and principal{code}
> {code:java}
> package org.apache.ranger.authorization.kms.authorizer;
>
> public class RangerKmsAuthorizer implements Runnable, KeyACLs {
>     // keytab, principal and nameRules fields elided
>     RangerKmsAuthorizer(Configuration conf) {
>         // Only call site: the Kerberos login happens exactly once, at construction.
>         authWithKerberos(conf);
>     }
>
>     private void authWithKerberos(Configuration conf) {
>         // Returns void, so a failed login cannot be noticed here.
>         MiscUtil.authWithKerberos(keytab, principal, nameRules);
>     }
> }
>
> package org.apache.ranger.audit.provider;
>
> public class MiscUtil {
>     public static void authWithKerberos(...) {
>         try {
>             UserGroupInformation ugi = UserGroupInformation
>                     .loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
>             MiscUtil.setUGILoginUser(ugi, null);
>         } catch (Throwable t) {
>             // Any failure (unreachable KDC, bad keytab, wrong principal) is only logged;
>             // nothing is thrown and nothing is retried, so the caller continues as if it succeeded.
>             logger.error("Failed to login with given keytab and principal", t);
>         }
>     }
> }{code}
>
> There seems to be only one chance for the plugin to auth to the KDC, so it cannot auto-recover.
> And MiscUtil.authWithKerberos never fails when auth fails, so KMS would not die when the plugin failed.
> This situation is too unfriendly to administrators. It should be fixed.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
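The two behaviours the ticket asks for ("die" or "auto-recover"), as an added example that is not Ranger's code and not part of the original ticket. It assumes the Kerberos login is handed in as a Callable so that it runs offline against a simulated KDC; in a real plugin that Callable would wrap UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab) exactly as MiscUtil does. The class name KerberosLoginPolicy, its method names, the backoff parameters and the principal/keytab strings in the simulated failure are hypothetical.

```java
import java.io.IOException;
import java.util.concurrent.Callable;
import java.util.function.LongConsumer;

/**
 * Added example, not Ranger code. Shows the two fixes the ticket asks for:
 * fail fast (propagate the login error so the process dies) or retry with
 * capped exponential backoff (auto-recover). The real login call,
 * UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab),
 * is injected as a Callable so the example runs offline against a fake KDC.
 */
public class KerberosLoginPolicy {

    /** Unchecked so a constructor (like RangerKmsAuthorizer's) can propagate it. */
    public static class LoginFailedException extends RuntimeException {
        public LoginFailedException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /** Result of a retried login: the logged-in value and how many attempts it took. */
    public static final class Outcome<T> {
        public final T value;
        public final int attempts;
        Outcome(T value, int attempts) { this.value = value; this.attempts = attempts; }
    }

    /** "Die": instead of logging and returning normally, propagate the failure. */
    public static <T> T loginOrDie(Callable<T> login) {
        try {
            return login.call();
        } catch (Exception e) {
            throw new LoginFailedException("Failed to login with given keytab and principal", e);
        }
    }

    /**
     * "Auto-recover": retry with exponential backoff capped at maxBackoffMs.
     * The sleeper is injected so the example (and a unit test) need not really sleep.
     */
    public static <T> Outcome<T> loginWithRetry(Callable<T> login, int maxAttempts,
                                                long initialBackoffMs, long maxBackoffMs,
                                                LongConsumer sleeper) {
        long backoff = initialBackoffMs;
        Exception last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return new Outcome<>(login.call(), attempt);
            } catch (Exception e) {
                last = e;                      // keep the last cause for the final error
                if (attempt == maxAttempts) break;
                sleeper.accept(backoff);
                backoff = Math.min(backoff * 2, maxBackoffMs);
            }
        }
        throw new LoginFailedException(
                "Kerberos login failed after " + maxAttempts + " attempts", last);
    }

    /** Constructed fake KDC: the first `failures` login attempts throw, later ones succeed. */
    public static Callable<String> flakyKdc(int failures) {
        int[] calls = {0};
        return () -> {
            if (calls[0]++ < failures) {
                throw new IOException("Login failure for kms/host@EXAMPLE.COM "
                        + "from keytab /etc/security/keytabs/kms.keytab (hypothetical)");
            }
            return "kms/host@EXAMPLE.COM";
        };
    }

    public static void main(String[] args) {
        // Auto-recover: the KDC is unreachable for two attempts, then comes back.
        Outcome<String> ok = loginWithRetry(flakyKdc(2), 5, 100, 1000, ms -> {});
        System.out.println("logged in as " + ok.value + " after " + ok.attempts + " attempts");

        // Die: a permanently broken keytab must not leave KMS running without a working plugin.
        try {
            loginOrDie(flakyKdc(Integer.MAX_VALUE));
        } catch (LoginFailedException e) {
            System.out.println("fail-fast: " + e.getMessage()
                    + " (cause: " + e.getCause().getMessage() + ")");
            // In a real startup hook this is where the process would exit non-zero.
        }
    }
}
```

Either path makes the failure visible: loginOrDie turns the swallowed Throwable into an exception that escapes the authorizer's constructor, so KMS fails to start and the error is in front of the administrator instead of buried in ranger-kms-<hostname>.log; loginWithRetry keeps the process alive but keeps trying until the KDC answers, which is what a plugin needs if it is ever to refresh its policies after a transient KDC outage.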