  1. IMPALA
  2. IMPALA-8844

Decouple TGT renewal thread from Kerberos configuration.


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Impala 3.2.0
    • Fix Version/s: None
    • Component/s: Backend
    • Labels:
      None

      Description

      Currently, Impala starts a kinit renewal thread only when Kerberos is enabled:

      Status SecureAuthProvider::Start() {
        // True for kerberos internal use
        if (needs_kinit_) {
          DCHECK(is_internal_);
          DCHECK(!principal_.empty());
          // IMPALA-8154: Disable any Kerberos auth_to_local mappings.
          FLAGS_use_system_auth_to_local = false;
          // Starts a thread that periodically does a 'kinit'. The thread lives as long as the
          // process does.
          KUDU_RETURN_IF_ERROR(kudu::security::InitKerberosForServer(principal_, keytab_file_,
              FLAGS_krb5_ccname, false), "Could not init kerberos");  // <==== starts the thread
          LOG(INFO) << "Kerberos ticket granted to " << principal_;
        }
      

      There can be cases where Impala's internal connections are not Kerberized but communication with external components like HMS/Ranger/Atlas could be Kerberized. In such setups, the Impala process doesn't have a TGT initialized, resulting in failing connections to these components.

      We could start with decoupling the kinit thread from the Kerberos configuration and have it run in cases where any communication is Kerberized (use a flag?).


            People

            • Assignee:
              Unassigned
              Reporter:
              bharathv Bharath Vissapragada
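
Added example (not Impala code and not part of the original issue): one way the decision proposed in the description could be separated from the `needs_kinit_` check, so that the renewal thread is requested whenever any channel is Kerberized and a missing principal or keytab is caught at startup. The struct, its fields, the enum and `DecideKinit` are all hypothetical names, not Impala flags or APIs.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical view of the process's Kerberos-related settings. None of these
// names are Impala flags; they stand in for "is this channel Kerberized?".
struct KerberosUse {
  bool internal_rpc = false;      // Impala-to-Impala connections (today's needs_kinit_ case)
  bool external_clients = false;  // Kerberized connections to HMS/Ranger/Atlas
  bool force_kinit = false;       // the "use a flag?" override from the description
  std::string principal;
  std::string keytab_file;
};

enum class KinitDecision { kNotNeeded, kStart, kMisconfigured };

// Decide whether the renewal thread should run, independent of whether the
// internal connections use Kerberos. 'reason' receives a loggable explanation.
KinitDecision DecideKinit(const KerberosUse& cfg, std::string* reason) {
  std::vector<std::string> why;
  if (cfg.internal_rpc) why.push_back("internal connections");
  if (cfg.external_clients) why.push_back("external components");
  if (cfg.force_kinit) why.push_back("explicit flag");
  if (why.empty()) {
    *reason = "no Kerberized communication configured";
    return KinitDecision::kNotNeeded;
  }
  // A TGT can only be obtained non-interactively with a principal and keytab;
  // report this at startup rather than on the first external connection.
  if (cfg.principal.empty() || cfg.keytab_file.empty()) {
    *reason = "Kerberized communication requested but principal/keytab missing";
    return KinitDecision::kMisconfigured;
  }
  *reason = "TGT needed for: ";
  for (std::size_t i = 0; i < why.size(); ++i) {
    if (i > 0) *reason += ", ";
    *reason += why[i];
  }
  return KinitDecision::kStart;
}
```
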