Posted to jira@kafka.apache.org by "Bob Wen (Jira)" <ji...@apache.org> on 2020/04/23 11:03:00 UTC

[jira] [Created] (KAFKA-9908) Kafka client always trying "kinit -R" even the ticketCache has been renewed by external

Bob Wen created KAFKA-9908:
------------------------------

             Summary: Kafka client always trying "kinit -R" even the ticketCache has been renewed by external
                 Key: KAFKA-9908
                 URL: https://issues.apache.org/jira/browse/KAFKA-9908
             Project: Kafka
          Issue Type: Bug
          Components: clients
    Affects Versions: 2.3.1
         Environment: Linux, container-based application that doesn't have /usr/bin/kinit in the image. The Kerberos ticket cache is a file mounted to the file system and shared by multiple Kerberos clients. The ticket cache is managed and renewed by other containers from time to time.
            Reporter: Bob Wen


When using a Kerberos ticketCache, the Kafka refresh thread gets the expiry time from the initial ticketCache and sleeps until it is time to renew. It then wakes up and immediately tries to renew with "kinit -R". The problem is that many systems now manage the ticketCache outside of the Kafka client, and the ticketCache has already been renewed (while the refresh thread was sleeping). What's more, many container-based applications may not provide /usr/bin/kinit in their images. In this case, the refresh thread will error out and exit, so even though the ticketCache is still valid and renewed externally, the Kafka client will still lose the connection.

The code logic is between lines #194 and #213 at the link below:

[https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java]

I found this bug in the 2.3.1 Kafka client, but from the latest code logic above, it should be an issue for other versions too.

Workaround: my current workaround is to pass a mock kinit command to the Kafka client, for example passing /usr/bin/echo to sasl.kerberos.kinit.cmd to avoid the issue.

Suggestion: when the refresh thread wakes up from sleeping, it needs to double-check the TGT and expiry time again. If the expiry time has already been extended (for example, externally), the kinit should be skipped and the thread should jump directly to re-login.

Thanks,

Bob
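
The re-check suggested above, sketched as an added example (not Kafka's code and not part of the original report). The class, enum and method names are hypothetical; it assumes the JDK's Krb5LoginModule and, optionally, a file ticket cache path passed as the first argument. The timestamps in main are constructed sample values.

```java
import java.time.Instant;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class TicketCacheRecheck { // hypothetical class, not part of Kafka
    enum Action { SKIP_KINIT_AND_RELOGIN, RUN_KINIT_THEN_RELOGIN }

    // Decision after the refresh thread wakes: skip kinit only if the cache holds a newer, still-valid TGT.
    static Action decide(Instant expirySeenBeforeSleep, Instant expiryInCacheNow, Instant now) {
        boolean renewedExternally = expiryInCacheNow != null
                && expiryInCacheNow.isAfter(expirySeenBeforeSleep)
                && expiryInCacheNow.isAfter(now);
        return renewedExternally ? Action.SKIP_KINIT_AND_RELOGIN : Action.RUN_KINIT_THEN_RELOGIN;
    }

    // Re-read the shared ticket cache file (no kinit binary needed) and return the TGT end time, or null.
    static Instant tgtExpiryFromCache(String cachePath) throws LoginException {
        Map<String, String> opts = Map.of("useTicketCache", "true", "ticketCache", cachePath,
                "doNotPrompt", "true", "renewTGT", "false");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        Configuration conf = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
        LoginContext lc = new LoginContext("recheck", new Subject(), null, conf);
        lc.login();
        for (KerberosTicket t : lc.getSubject().getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/")) return t.getEndTime().toInstant();
        }
        return null; // no TGT found in the cache
    }

    public static void main(String[] args) throws LoginException {
        Instant seen = Instant.parse("2020-04-23T10:00:00Z"); // expiry read before sleeping
        Instant now = Instant.parse("2020-04-23T09:50:00Z");  // wake-up time
        System.out.println(decide(seen, Instant.parse("2020-04-23T20:00:00Z"), now)); // cache renewed externally
        System.out.println(decide(seen, seen, now));                                  // cache unchanged
        if (args.length == 1) System.out.println(decide(seen, tgtExpiryFromCache(args[0]), Instant.now()));
    }
}
```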


