This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new b630cb47ff2 [Improve](broker) Modify the original TGT renewal logic
to prevent high-concurrency access to the KDC (#59854)
b630cb47ff2 is described below
commit b630cb47ff274500df6a888dc082f050f8b53da6
Author: shee <[email protected]>
AuthorDate: Thu Jan 15 17:56:25 2026 +0800
[Improve](broker) Modify the original TGT renewal logic to prevent
high-concurrency access to the KDC (#59854)
Problem Summary:
If the broker has Kerberos enabled, the expiration time of the cached file system
is based on its creation time. Once the file system expires, every access to the
broker re-authenticates with the KDC. Under high concurrency of requests from the
BE, the request load on the KDC becomes extremely heavy. This happens whenever
the file system is expired while the broker has Kerberos enabled.
---
.../apache/doris/broker/hdfs/BrokerFileSystem.java | 11 ++------
.../doris/broker/hdfs/FileSystemManager.java | 31 +++++++++-------------
2 files changed, 15 insertions(+), 27 deletions(-)
diff --git
a/fs_brokers/apache_hdfs_broker/src/main/java/org/apache/doris/broker/hdfs/BrokerFileSystem.java
b/fs_brokers/apache_hdfs_broker/src/main/java/org/apache/doris/broker/hdfs/BrokerFileSystem.java
index e3e27fe1c29..6c32f32f9ac 100644
---
a/fs_brokers/apache_hdfs_broker/src/main/java/org/apache/doris/broker/hdfs/BrokerFileSystem.java
+++
b/fs_brokers/apache_hdfs_broker/src/main/java/org/apache/doris/broker/hdfs/BrokerFileSystem.java
@@ -32,7 +32,6 @@ public class BrokerFileSystem {
private FileSystemIdentity identity;
private FileSystem dfsFileSystem;
private volatile long lastAccessTimestamp;
- private long createTimestamp;
private UUID fileSystemId;
public BrokerFileSystem(FileSystemIdentity identity) {
@@ -40,14 +39,12 @@ public class BrokerFileSystem {
this.lock = new ReentrantLock();
this.dfsFileSystem = null;
this.lastAccessTimestamp = System.currentTimeMillis();
- this.createTimestamp = System.currentTimeMillis();
this.fileSystemId = UUID.randomUUID();
}
public synchronized void setFileSystem(FileSystem fileSystem) {
this.dfsFileSystem = fileSystem;
this.lastAccessTimestamp = System.currentTimeMillis();
- this.createTimestamp = System.currentTimeMillis();
}
public void closeFileSystem() {
@@ -85,12 +82,8 @@ public class BrokerFileSystem {
return lock;
}
- public boolean isExpiredByLastAccessTime(long expirationIntervalSecs) {
- return System.currentTimeMillis() - lastAccessTimestamp >
expirationIntervalSecs * 1000;
- }
-
- public boolean isExpiredByCreateTime(long expirationIntervalSecs) {
- return System.currentTimeMillis() - createTimestamp >
expirationIntervalSecs * 1000;
+ public boolean isExpiredByLastAccessTime() {
+ return System.currentTimeMillis() - lastAccessTimestamp >
BrokerConfig.client_expire_seconds * 1000L;
}
@Override
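Review bot: The new `isExpiredByLastAccessTime()` has no Javadoc, and because it replaced the `expirationIntervalSecs` parameter with a read of the static `BrokerConfig.client_expire_seconds`, a caller can no longer see the unit or the source of the threshold from the signature alone. Suggest adding above the method: `/** Returns true when more than {@code BrokerConfig.client_expire_seconds} seconds have passed since the last recorded access; the threshold is read from config on every call. */`. The `1000L` multiplier is worth keeping deliberate — it keeps the multiplication in long arithmetic regardless of the config field's type — so a short comment such as `// 1000L: keep the product in long even if the config value is an int` would stop it being "simplified" back to `1000`.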
diff --git
a/fs_brokers/apache_hdfs_broker/src/main/java/org/apache/doris/broker/hdfs/FileSystemManager.java
b/fs_brokers/apache_hdfs_broker/src/main/java/org/apache/doris/broker/hdfs/FileSystemManager.java
index 1079f441d9b..364035d6cdb 100644
---
a/fs_brokers/apache_hdfs_broker/src/main/java/org/apache/doris/broker/hdfs/FileSystemManager.java
+++
b/fs_brokers/apache_hdfs_broker/src/main/java/org/apache/doris/broker/hdfs/FileSystemManager.java
@@ -60,8 +60,6 @@ import java.util.Map;
import java.util.Random;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
public class FileSystemManager {
@@ -1383,35 +1381,32 @@ public class FileSystemManager {
/**
* In view of the different expiration mechanisms of different
authentication modes,
* there are two ways to determine whether BrokerFileSystem has expired:
- * 1. For the authentication mode of Kerberos and S3 aksk, use the
createTime to determine whether it expires
+ * 1. For the authentication mode of Kerberos and S3 aksk, use the end
time of TGT to determine whether it expires
* 2. For other authentication modes, the lastAccessTime is used to
determine whether it has expired
*/
private BrokerFileSystem updateCachedFileSystem(FileSystemIdentity
fileSystemIdentity, Map<String, String> properties) {
BrokerFileSystem brokerFileSystem;
if (cachedFileSystem.containsKey(fileSystemIdentity)) {
brokerFileSystem = cachedFileSystem.get(fileSystemIdentity);
- if (properties.containsKey(KERBEROS_KEYTAB) &&
properties.containsKey(KERBEROS_PRINCIPAL)) {
- if
(brokerFileSystem.isExpiredByCreateTime(BrokerConfig.client_expire_seconds)) {
- logger.info("file system " + brokerFileSystem + " is
expired, update it.");
- try {
- Configuration conf = new HdfsConfiguration();
-
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
AUTHENTICATION_KERBEROS);
- UserGroupInformation ugi =
UserGroupInformation.loginUserFromKeytabAndReturnUGI(
-
preparePrincipal(properties.get(KERBEROS_PRINCIPAL)),
properties.get(KERBEROS_KEYTAB));
- // update FileSystem TGT
- ugi.checkTGTAndReloginFromKeytab();
- } catch (Exception e) {
- logger.error("errors while
checkTGTAndReloginFromKeytab: ", e);
- }
+ if (UserGroupInformation.isSecurityEnabled()) {
+ try {
+
UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab();
+ } catch (Exception e) {
+ logger.error("errors while refresh TGT: ", e);
}
- } else if
(brokerFileSystem.isExpiredByLastAccessTime(BrokerConfig.client_expire_seconds))
{
+ } else if (brokerFileSystem.isExpiredByLastAccessTime()) {
brokerFileSystem.getLock().lock();
+ BrokerFileSystem bfs =
cachedFileSystem.get(fileSystemIdentity);
+ if (!bfs.isExpiredByLastAccessTime()) {
+ return bfs;
+ }
try {
logger.info("file system " + brokerFileSystem + " is
expired, update it.");
brokerFileSystem.closeFileSystem();
- brokerFileSystem.getLock().unlock();
} catch (Throwable t) {
logger.error("errors while close file system: ", t);
+ } finally {
+ brokerFileSystem.getLock().unlock();
}
brokerFileSystem = new BrokerFileSystem(fileSystemIdentity);
cachedFileSystem.put(fileSystemIdentity, brokerFileSystem);
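Review bot: The early `return bfs;` in the re-check after `brokerFileSystem.getLock().lock()` leaves the lock held, because the `finally` that unlocks only wraps the later `try` around `closeFileSystem()`; when `bfs` is the same object and another thread has just refreshed `lastAccessTimestamp`, every later caller that sees it expire blocks forever in `lock()`. Move the re-check inside the try/finally as below, and guard `bfs` against null in case the entry can be removed concurrently (the removal path, if any, is outside this hunk). Separately, the Kerberos branch now relies on the process-wide `UserGroupInformation.isSecurityEnabled()` and `getCurrentUser()` instead of the per-identity keytab/principal the removed code logged in with; if a cached FileSystem was created under a UGI from `loginUserFromKeytabAndReturnUGI`, `getCurrentUser()` outside a `doAs` is the login user, and `checkTGTAndReloginFromKeytab()` is documented as a no-op for a UGI not logged in from a keytab, so that file system's own TGT may still lapse. Worth confirming against the creation path, which is outside this hunk, as is the remainder of `updateCachedFileSystem`.
```java
            } else if (brokerFileSystem.isExpiredByLastAccessTime()) {
                brokerFileSystem.getLock().lock();
                try {
                    BrokerFileSystem bfs = cachedFileSystem.get(fileSystemIdentity);
                    if (bfs != null && !bfs.isExpiredByLastAccessTime()) {
                        return bfs;
                    }
                    logger.info("file system " + brokerFileSystem + " is expired, update it.");
                    brokerFileSystem.closeFileSystem();
                } catch (Throwable t) {
                    logger.error("errors while close file system: ", t);
                } finally {
                    brokerFileSystem.getLock().unlock();
                }
                // … unchanged: replace the cache entry with a new BrokerFileSystem …
```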