Posted to issues-all@impala.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2019/04/04 17:10:02 UTC

[jira] [Commented] (IMPALA-5129) Use Kudu's Kinit code to avoid expensive fork

    [ https://issues.apache.org/jira/browse/IMPALA-5129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16810082#comment-16810082 ] 

ASF subversion and git services commented on IMPALA-5129:
---------------------------------------------------------

Commit b97e0cd555a53057a82dc9c0ad9e0cfe58f3ec66 in impala's branch refs/heads/2.x from Sailesh Mukil
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=b97e0cd ]

IMPALA-5129: Use Kudu's Kinit code to avoid expensive fork

NOTE: This commit is part of a set of changes for IMPALA-7006. It
contains pieces of a previous commit that need to be cherry picked
again after rebasing the code in be/src/kudu/{util,security,rpc}.

The original commit message is below:

Impala currently kinits by forking off a child process. This
has proved to be expensive in many cases since the subprocess
tries to reserve as much memory as Impala is currently using
which can be quite a lot.

This patch adds a flag called 'use_kudu_kinit' that defaults to
true. When it's true, it uses the Kudu security library's kinit code
that programmatically uses the krb5 library to kinit.
When it's false, we run our current path which kicks off the
kinit-thread and forks off a kinit process periodically to reacquire
tickets based on FLAGS_kerberos_reinit_interval.

Converted existing tests in thrift-server-test to run with and
without kerberos. We now run this BE test with kerberos by using
Kudu's MiniKdc utility. This introduces a new dependency on some
kerberos binaries that are checked through FindKerberosPrograms.cmake.
Note that this is only a test dependency and not a dependency for
the impalad binaries and friends. Compilation will still succeed if
the kerberos binaries for the MiniKdc are not found, however, the
thrift-server-test will fail. We run with and without the
'use_kudu_kinit' flag.

TODO: Since the setting up and tearing down of our security code
isn't idempotent, we can run only one test in a process with
Kerberos now (IMPALA-6085).

Updated bin/bootstrap_system.sh to install new sasl-gssapi
modules and the kerberos binaries required for the MiniKdc.
Also fixed a bug that didn't transfer the environment into 'sudo'
in bin/bootstrap_system.sh.

Testing: Verified with thrift-server-test and also manually on a
live kerberized cluster.

Change-Id: Ie3c6e933c454e7adca69ef03e7d5c0c84b656895
Reviewed-on: http://gerrit.cloudera.org:8080/7938
Reviewed-by: Sailesh Mukil <sa...@cloudera.com>
Tested-by: Impala Public Jenkins
Reviewed-on: http://gerrit.cloudera.org:8080/10763
Reviewed-by: Lars Volker <lv...@cloudera.com>
Tested-by: Lars Volker <lv...@cloudera.com>


> Use Kudu's Kinit code to avoid expensive fork
> ---------------------------------------------
>
>                 Key: IMPALA-5129
>                 URL: https://issues.apache.org/jira/browse/IMPALA-5129
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Sailesh Mukil
>            Assignee: Sailesh Mukil
>            Priority: Major
>              Labels: security
>             Fix For: Impala 2.11.0
>
>
> Impala does a kinit by doing a RunShell() command which basically forks the entire process (potentially expensive) and execs the 'kinit' command.
> KuduRPC avoids the fork by calling into libkrb programmatically. Since we eventually will be pulling in KuduRPC to Impala, we can get rid of the fork and call into the appropriate KuduRPC code.


