Posted to dev@ranger.apache.org by "Bhavik Patel (Jira)" <ji...@apache.org> on 2022/04/08 06:10:00 UTC

[jira] [Assigned] (RANGER-3612) KMS should either Die or Auto-Recover when its ranger-agent auth to KDC failed

     [ https://issues.apache.org/jira/browse/RANGER-3612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bhavik Patel reassigned RANGER-3612:
------------------------------------

    Assignee: kirby zhou

> KMS should either Die or Auto-Recover when its ranger-agent auth to KDC failed
> ------------------------------------------------------------------------------
>
>                 Key: RANGER-3612
>                 URL: https://issues.apache.org/jira/browse/RANGER-3612
>             Project: Ranger
>          Issue Type: Bug
>          Components: kms, plugins
>    Affects Versions: 3.0.0, 2.2.0
>            Reporter: kirby zhou
>            Assignee: kirby zhou
>            Priority: Major
>
> If we install the ranger agent into KMS, the agent authenticates itself to the KDC at startup. But if that fails, it just prints a log line in ranger-kms-<hostname>.log, and the KMS can never recover to refresh its policies.
> {code}
> ]$ tail -f log/ranger-kms-ranger_kms-.log | fgrep ERROR
> 2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab and principal
> {code}
> {code:java}
> package org.apache.ranger.authorization.kms.authorizer;
>
> public class RangerKmsAuthorizer implements Runnable, KeyACLs {
>     RangerKmsAuthorizer(Configuration conf) {
>         authWithKerberos(conf);
>     }
>
>     private void authWithKerberos(Configuration conf) {
>         MiscUtil.authWithKerberos(keytab, principal, nameRules);
>     }
> }
>
> package org.apache.ranger.audit.provider;
>
> public class MiscUtil {
>     public static void authWithKerberos(...) {
>         try {
>             UserGroupInformation ugi = UserGroupInformation
>                 .loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
>             MiscUtil.setUGILoginUser(ugi, null);
>         } catch (Throwable t) {
>             // the failure is only logged; nothing is thrown, so the caller carries on
>             logger.error("Failed to login with given keytab and principal", t);
>         }
>     }
> }
> {code}
>  
> There seems to be only one chance for the plugin to auth to the KDC, so it cannot auto-recover.
> And MiscUtil.authWithKerberos never fails when auth fails, so KMS does not die when the plugin fails.
> This situation is too unfriendly to administrators. It should be fixed.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
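Added example (not Ranger's code) of the two remedies the report asks for: a bounded, fail-fast startup login in place of the swallowed MiscUtil.authWithKerberos call, plus a scheduled re-login from the keytab. It uses Hadoop's UserGroupInformation API; the class name KerberosLoginGuard, its method names and the retry parameters are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.security.UserGroupInformation;

// Added example, not Ranger code: hypothetical replacement for the swallowed
// MiscUtil.authWithKerberos call. loginOrFail makes startup failure fatal (die);
// scheduleRelogin keeps the keytab session alive afterwards (auto-recover).
public final class KerberosLoginGuard {
    private KerberosLoginGuard() {}

    // Fail fast: bounded attempts with linear backoff, then propagate the last KDC error
    // so the plugin constructor, and with it the KMS, stops instead of running unauthenticated.
    public static UserGroupInformation loginOrFail(String principal, String keytab,
                                                   int maxAttempts, long backoffMillis) throws IOException {
        IOException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
            } catch (IOException e) {
                last = e; // keep the KDC error so the final exception explains why startup stopped
            }
            if (attempt == maxAttempts) break;
            try {
                Thread.sleep(backoffMillis * attempt);
            } catch (InterruptedException ie) {
                Thread.currentThread().interrupt();
                break;
            }
        }
        throw new IOException("Kerberos login for " + principal + " failed after "
                + maxAttempts + " attempts; refusing to start", last);
    }

    // Auto-recover: re-login from the keytab on a schedule so an expired TGT or a KDC
    // outage after startup does not leave the plugin permanently unauthenticated.
    public static void scheduleRelogin(UserGroupInformation ugi, ScheduledExecutorService executor,
                                       long periodSeconds) {
        executor.scheduleWithFixedDelay(() -> {
            try {
                ugi.reloginFromKeytab();
            } catch (IOException e) {
                System.err.println("Kerberos re-login failed, retrying next period: " + e.getMessage());
            }
        }, periodSeconds, periodSeconds, TimeUnit.SECONDS);
    }
}
```

The plugin constructor would call loginOrFail and let the IOException propagate, then hand the returned UGI to scheduleRelogin on a single-thread scheduled executor.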