HBase / HBASE-26212

Allow AuthUtil automatic renewal to be disabled

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5.0, 3.0.0-alpha-2
    • Component/s: Client, security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      This change introduces a configuration property "hbase.client.keytab.automatic.renewal" to control AuthUtil, the class which automatically tries to perform Kerberos ticket renewal in client applications. This configuration property defaults to "true", meaning that AuthUtil will automatically attempt to renew Kerberos tickets per its capabilities. Those who want AuthUtil to not renew client Kerberos tickets can set this property to be "false".

      Description

      Talking with Bryan Bende, who was looking at some "spam" in the NiFi log where AuthUtil was complaining that it couldn't renew the UGI. This did not cause him problems (NiFi could always read/write to HBase), but it generated a lot of noise in the NiFi log.

      NiFi is special in that it's managing renewals on its own (for all services it can communicate with), rather than letting each client do it on its own. Specifically, one way they do this is by doing a keytab-based login via JAAS, constructing a UGI object from that JAAS login, and then invoking HBase in a normal UGI.doAs().

      The problem comes in that AuthUtil thinks that it is capable of renewing this UGI instance on its own. AuthUtil can determine that the current UGI came from a keytab, and thus thinks that it can renew it. However, this actually fails because the LoginContext inside UGI isn't actually something that UGI can renew (remember: because NiFi did it directly via JAAS and not via UGI).

      2021-08-19 17:32:19,438 ERROR [Relogin service.Chore.1] org.apache.hadoop.hbase.AuthUtil Got exception while trying to refresh credentials: loginUserFromKeyTab must be done first
      java.io.IOException: loginUserFromKeyTab must be done first
      	at org.apache.hadoop.security.UserGroupInformation.reloginFromKeytab(UserGroupInformation.java:1194)
      	at org.apache.hadoop.security.UserGroupInformation.checkTGTAndReloginFromKeytab(UserGroupInformation.java:1125)
      	at org.apache.hadoop.hbase.AuthUtil$1.chore(AuthUtil.java:206) 

      After talking with Bryan about this: we don't see a good way for HBase to detect this specific "A UGI instance, but not created by UGI" case because the LoginContext inside UGI is private. It is great that AuthUtil will automatically try to renew keytab logins, even if not using hbase.client.keytab.file and hbase.client.keytab.principal, so I don't want to break that functionality.

      NiFi is unique in this case in that it is fully managing the renewals, so I think the best path forward is to add an option which lets NiFi disable AuthUtil, since it knows it can safely do this. This shouldn't affect any other users (but also gives us an option if AuthUtil ever does cause problems).
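      The following is an added example, not code from the reporter, NiFi or the HBase project, showing the pattern the description refers to: a client that performs its own keytab login through JAAS, wraps the resulting Subject in a UGI, and sets the new property to "false" so AuthUtil does not schedule a relogin chore it cannot carry out. The JAAS entry name "HBaseClient", the table name and the row key are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

public class ExternallyRenewedHBaseClient {

  // Assumed name of the JAAS login entry, supplied via -Djava.security.auth.login.config
  private static final String JAAS_ENTRY = "HBaseClient";

  public static void main(String[] args) throws Exception {
    Configuration conf = HBaseConfiguration.create();
    conf.set("hadoop.security.authentication", "kerberos");
    conf.set("hbase.security.authentication", "kerberos");
    // This application renews its own TGT, so AuthUtil must not schedule its relogin chore.
    // Without this, AuthUtil sees a keytab-based UGI, tries checkTGTAndReloginFromKeytab()
    // and logs "loginUserFromKeyTab must be done first" on every attempt.
    conf.setBoolean("hbase.client.keytab.automatic.renewal", false);
    UserGroupInformation.setConfiguration(conf);

    // Keytab login performed directly through JAAS, not through UGI.loginUserFromKeytab().
    LoginContext login = new LoginContext(JAAS_ENTRY);
    login.login();
    Subject subject = login.getSubject();

    // UGI did not perform this login, so it cannot relogin it; the application owns renewal
    // (re-running login.login() before the ticket expires) for the lifetime of this UGI.
    UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject);

    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
      try (Connection conn = ConnectionFactory.createConnection(conf);
           Table table = conn.getTable(TableName.valueOf("example_table"))) { // assumed table
        Result r = table.get(new Get(Bytes.toBytes("row1")));             // assumed row key
        System.out.println("row exists: " + !r.isEmpty());
      }
      return null;
    });
  }
}
```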

            People

            • Assignee:
              elserj Josh Elser
              Reporter:
              elserj Josh Elser