(kyuubi) branch master updated: [KYUUBI #7153] Share JAAS configuration for Zookeeper client to avoid server OOM

Thu, 14 Aug 2025 23:23:00 -0700 

This is an automated email from the ASF dual-hosted git repository.

chengpan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git


The following commit(s) were added to refs/heads/master by this push:
     new f7e10e65d3 [KYUUBI #7153]  Share JAAS configuration for Zookeeper 
client to avoid server OOM
f7e10e65d3 is described below

commit f7e10e65d3aca6fa82171bb3d75b7622c74807b7
Author: wuziyi <wuziy...@corp.netease.com>
AuthorDate: Fri Aug 15 14:21:46 2025 +0800

    [KYUUBI #7153]  Share JAAS configuration for Zookeeper client to avoid 
server OOM
    
    ### Why are the changes needed?
    
    Sharing jaas configuration for zookeeper client with same keytab and 
principal to avoid server oom due to nested jaas configuration.
    
    fix issue https://github.com/apache/kyuubi/issues/7153
    
    ### How was this patch tested?
    
    ut
    
    ### Was this patch authored or co-authored using generative AI tooling?
    
    no
    
    Closes #7154 from Z1Wu/fix/comm_reuse_zk_jass.
    
    Closes #7153
    
    3b0169a00 [Cheng Pan] Update 
kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/zookeeper/ZookeeperClientProvider.scala
    5873d12f3 [Cheng Pan] Update 
kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/zookeeper/ZookeeperClientProvider.scala
    0d8a18a4e [wuziyi] nit
    ffa7d29fc [wuziyi] [fix] share jaas configuration for zookeeper client with 
same keytab and principal to avoid server oom due to recursive jaas 
configuration.
    
    Lead-authored-by: wuziyi <wuziy...@corp.netease.com>
    Co-authored-by: Cheng Pan <pan3...@gmail.com>
    Signed-off-by: Cheng Pan <cheng...@apache.org>
---
 .../client/zookeeper/ZookeeperClientProvider.scala | 44 ++++++++++++++--------
 1 file changed, 28 insertions(+), 16 deletions(-)

diff --git 
a/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/zookeeper/ZookeeperClientProvider.scala
 
b/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/zookeeper/ZookeeperClientProvider.scala
index d0749c8d92..a6cb1a19d6 100644
--- 
a/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/zookeeper/ZookeeperClientProvider.scala
+++ 
b/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/zookeeper/ZookeeperClientProvider.scala
@@ -19,6 +19,7 @@ package org.apache.kyuubi.ha.client.zookeeper
 
 import java.io.{File, IOException}
 import java.nio.charset.StandardCharsets
+import java.util.concurrent.ConcurrentHashMap
 import javax.security.auth.login.Configuration
 
 import scala.util.Random
@@ -38,6 +39,13 @@ import org.apache.kyuubi.util.reflect.DynConstructors
 
 object ZookeeperClientProvider extends Logging {
 
+  /**
+   * Share JAAS configuration for Zookeeper client with same keytab and 
principal to
+   * avoid server OOM due to each new JAAS configuration references the 
previous instance.
+   * See KYUUBI #7154 for more details.
+   */
+  val jaasConfigurationCache = new ConcurrentHashMap[(String, String), 
Configuration]()
+
   /**
    * Create a [[CuratorFramework]] instance to be used as the ZooKeeper client
    * Use the [[ZookeeperACLProvider]] to create appropriate ACLs
@@ -113,22 +121,26 @@ object ZookeeperClientProvider extends Logging {
           System.setProperty("zookeeper.server.principal", zkServerPrincipal)
         }
         val zkClientPrincipal = KyuubiHadoopUtils.getServerPrincipal(principal)
-        // HDFS-16591 makes breaking change on JaasConfiguration
-        val jaasConf = DynConstructors.builder()
-          .impl( // Hadoop 3.3.5 and above
-            "org.apache.hadoop.security.authentication.util.JaasConfiguration",
-            classOf[String],
-            classOf[String],
-            classOf[String])
-          .impl( // Hadoop 3.3.4 and previous
-            // scalastyle:off
-            
"org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager$JaasConfiguration",
-            // scalastyle:on
-            classOf[String],
-            classOf[String],
-            classOf[String])
-          .build[Configuration]()
-          .newInstance("KyuubiZooKeeperClient", zkClientPrincipal, keytab)
+        val jaasConf = jaasConfigurationCache.computeIfAbsent(
+          (principal, keytab),
+          _ => {
+            // HDFS-16591 makes breaking change on JaasConfiguration
+            DynConstructors.builder()
+              .impl( // Hadoop 3.3.5 and above
+                
"org.apache.hadoop.security.authentication.util.JaasConfiguration",
+                classOf[String],
+                classOf[String],
+                classOf[String])
+              .impl( // Hadoop 3.3.4 and previous
+                // scalastyle:off
+                
"org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager$JaasConfiguration",
+                // scalastyle:on
+                classOf[String],
+                classOf[String],
+                classOf[String])
+              .build[Configuration]()
+              .newInstance("KyuubiZooKeeperClient", zkClientPrincipal, keytab)
+          })
         Configuration.setConfiguration(jaasConf)
       case _ =>
     }

Reply via email to