Ranger / RANGER-3612

KMS should either Die or Auto-Recover when its ranger-agent auth to KDC failed


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.0.0, 2.2.0
    • None
    • kms, plugins
    • None

    Description

      If we install the Ranger agent in KMS, the agent authenticates itself to the KDC at startup. But if that fails, it just prints a log line in ranger-kms-<hostname>.log, and the KMS can never recover to refresh its policies.

      ]$ tail -f log/ranger-kms-ranger_kms-.log  | fgrep ERROR 
      2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab and principal

      package org.apache.ranger.authorization.kms.authorizer;
      public class RangerKmsAuthorizer implements Runnable, KeyACLs {
        RangerKmsAuthorizer(Configuration conf) {
          // Only login attempt: called once from the constructor, no retry.
          authWithKerberos(conf);
        }
        private void authWithKerberos(Configuration conf) {
          MiscUtil.authWithKerberos(keytab, principal, nameRules);
        }
      }

      package org.apache.ranger.audit.provider;
      public class MiscUtil {
        public static void authWithKerberos(...) {
          try {
            {
              UserGroupInformation ugi = UserGroupInformation
                  .loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0],
                      keytab);
              MiscUtil.setUGILoginUser(ugi, null);
            }
          } catch (Throwable t) {
            // Failure is logged and swallowed; the caller never sees it.
            logger.error("Failed to login with given keytab and principal", t);
          }
        }
      }

       

      There seems to be only one chance for the plugin to auth to the KDC, so it cannot auto-recover.

      And MiscUtil.authWithKerberos never fails when auth fails, so KMS does not die when the plugin fails.

      This situation is too unfriendly to administrators. It should be fixed.

          People

            kirbyzhou kirby zhou
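One way to get both behaviours the report asks for, shown as an added example that is not Ranger's code or a patch from the reporter: retry the login with capped exponential backoff, and throw once the attempts are exhausted so the constructor (and with it service startup) fails visibly. `LoginAction`, `loginOrFail` and the attempt and backoff values are hypothetical; the lambdas stand in for the keytab login call and simulate its failures.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;

public class KerberosLoginGuard {
    /** Stand-in for the real keytab login (hypothetical, not a Ranger or Hadoop type). */
    @FunctionalInterface
    interface LoginAction { void login() throws IOException; }

    /** Retries with exponential backoff; if every attempt fails, propagates instead of swallowing. */
    static int loginOrFail(LoginAction action, int maxAttempts, long backoffMs)
            throws InterruptedException {
        IOException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                action.login();
                return attempt;                       // success: report how many tries it took
            } catch (IOException e) {
                last = e;
                System.err.printf("Kerberos login attempt %d/%d failed: %s%n",
                        attempt, maxAttempts, e.getMessage());
                if (attempt < maxAttempts) {
                    Thread.sleep(backoffMs);
                    backoffMs = Math.min(backoffMs * 2, 60_000L); // cap the delay
                }
            }
        }
        // Fail fast: the caller (for example an authorizer constructor) aborts startup.
        throw new IllegalStateException(
                "Kerberos login failed after " + maxAttempts + " attempts", last);
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed scenario: KDC unreachable for the first two attempts, then fine.
        AtomicInteger calls = new AtomicInteger();
        LoginAction flaky = () -> {
            if (calls.incrementAndGet() < 3) throw new IOException("KDC unreachable (simulated)");
        };
        System.out.println("recovered on attempt " + loginOrFail(flaky, 5, 10));

        // Constructed scenario: bad keytab, never succeeds, so startup must abort.
        LoginAction broken = () -> { throw new IOException("bad keytab (simulated)"); };
        try {
            loginOrFail(broken, 3, 10);
        } catch (IllegalStateException e) {
            System.out.println("startup aborted: " + e.getMessage());
        }
    }
}
```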