  1. Apache Storm
  2. STORM-3606

AutoTGT shouldn't invoke TGT renewal thread (from UserGroupInformation.loginUserFromSubject)


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 2.0.0, 1.2.3, 2.1.0
    • 2.2.0, 2.1.1
    • None

    Description

      When hadoop security is enabled,
      https://github.com/apache/storm/blob/master/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java#L199-L209

      AutoTGT will invoke "loginUserFromSubject", and it will spawn a TGT renewal thread ("TGT Renewer for <username>").
      https://github.com/apache/hadoop/blob/branch-2.8.5/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L928-L957

      which will eventually invoke the system command "kinit -R", and then fail with the exception

      org.apache.hadoop.util.Shell$ExitCodeException: kinit: Credentials cache file '/tmp/krb5cc_xxx' not found while renewing credentials
      
      	at org.apache.hadoop.util.Shell.runCommand(Shell.java:1004) ~[stormjar.jar:?]
      	at org.apache.hadoop.util.Shell.run(Shell.java:898) ~[stormjar.jar:?]
      	at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:1213) ~[stormjar.jar:?]
      	at org.apache.hadoop.util.Shell.execCommand(Shell.java:1307) ~[stormjar.jar:?]
      	at org.apache.hadoop.util.Shell.execCommand(Shell.java:1289) ~[stormjar.jar:?]
      	at org.apache.hadoop.security.UserGroupInformation$1.run(UserGroupInformation.java:1011) [stormjar.jar:?]
      	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
      

      "kinit" will never work from the worker process since Storm doesn't keep the TGT in a local cache. Instead, the TGT is saved in ZooKeeper and in the memory of the worker process.

      This exception is confusing but not harmful to topologies. And the TGT renewal thread will eventually abort.

      It's better to find a real solution for it. But for now we can document what might happen in AutoTGT code.

      To be clear, we still need loginUserFromSubject or something of the sort, but we don't want to spawn the TGT renewal thread. This was found with hadoop-2.8.5. Other versions are similar, but it can also change in a future release.
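
A log-triage sketch for the trace above, added here as an example and not part of the issue or of Storm's code: it groups stack traces in a worker log and separates the "kinit -R" failure raised from the UserGroupInformation renewal thread (which the description calls confusing but not harmful) from the same message raised anywhere else. The sample log is constructed from the trace in the description, and `com.example.CustomLogin` is a hypothetical caller.

```python
import re

# Message the issue reports from the "kinit -R" call made by the renewal thread.
KINIT_MSG = re.compile(
    r"ExitCodeException: kinit: Credentials cache file '(?P<cache>[^']*)' "
    r"not found while renewing credentials"
)
# Frame prefix from the issue's trace that ties the failure to the UGI renewer.
RENEWER_FRAME = "org.apache.hadoop.security.UserGroupInformation$"
FRAME = re.compile(r"^\s+at\s+(\S+)\(")


def split_events(log_text):
    """Group each non-frame line with the 'at ...' stack frames that follow it."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = FRAME.match(line)
        if m and events:
            events[-1]["frames"].append(m.group(1))
        elif not m:
            events.append({"message": line.strip(), "frames": []})
    return events


def triage(log_text):
    """Return (label, cache_path) for every kinit renewal failure in the log."""
    results = []
    for ev in split_events(log_text):
        m = KINIT_MSG.search(ev["message"])
        if not m:
            continue
        from_renewer = any(f.startswith(RENEWER_FRAME) for f in ev["frames"])
        results.append(("known-noise" if from_renewer else "review", m.group("cache")))
    return results


# Constructed sample: the first event follows the trace in the issue; the second
# is the same message raised from a hypothetical non-UGI caller.
SAMPLE_LOG = """\
org.apache.hadoop.util.Shell$ExitCodeException: kinit: Credentials cache file '/tmp/krb5cc_xxx' not found while renewing credentials
\tat org.apache.hadoop.util.Shell.runCommand(Shell.java:1004) ~[stormjar.jar:?]
\tat org.apache.hadoop.security.UserGroupInformation$1.run(UserGroupInformation.java:1011) [stormjar.jar:?]
org.apache.hadoop.util.Shell$ExitCodeException: kinit: Credentials cache file '/tmp/krb5cc_yyy' not found while renewing credentials
\tat org.apache.hadoop.util.Shell.runCommand(Shell.java:1004) ~[stormjar.jar:?]
\tat com.example.CustomLogin.renew(CustomLogin.java:42) [stormjar.jar:?]
"""
```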


          People

            agresch Aaron Gresch
            ethanli Ethan Li