shashwatsai opened a new issue, #7805: URL: https://github.com/apache/seatunnel/issues/7805
### Search before asking - [X] I had searched in the [issues](https://github.com/apache/seatunnel/issues?q=is%3Aissue+label%3A%22bug%22) and found no similar issues. ### What happened The Hadoop Source/Sink fails with Unable to find valid Kerberos Ticket. In HadoopFileSystemProxy, the UserGroupInformation Object is tightly bound to the security context of the initiating thread. If we try to run the privileged actions that require the subject's security context, it fails with the error, ``` Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) ``` We can attach Security Context of the Specified Subject to the thread Performing Action by using UserGroupInformation#doAs, it attaches the subject's security context for time being till the action is running. This issue can be reproduced, - Set System property **javax.security.auth.useSubjectCredsOnly** to _false_. - Run the HdfsFile source/sync job ### SeaTunnel Version 2.3.7 ### SeaTunnel Config ```conf env { "job.mode"=BATCH "job.name"="SeaTunnel_Job" "savemode.execute.location"=CLUSTER } source { HdfsFile { path="/data/daily/aggregation/tblAssocProfileData_daily_180710.txt" "file_format_type"=CSV "field_delimiter"="|" parallelism=1, "use_kerberos"="true" "kerberos_principal"="[email protected]" "fs.defaultFS"="hdfs://clusterA" "hdfs_site_path"="/etc/hadoop/conf/hdfs-site.xml" "kerberos_keytab_path"="/home/user/service_user.keytab" "krb5_path"="/etc/krb5.conf" "core_site_path"="/etc/hadoop/conf/core-site.xml" } } sink { HdfsFile { path="/Projects/test/reports/sea_tunnel/single/" tmp_path="/Projects/test/reports/" "file_format_type"=CSV "row_delimiter"="\n" "field_delimiter"="|" "enable_header_write"="false" "use_kerberos"="true" "kerberos_principal"="[email protected]" "fs.defaultFS"="hdfs://clusterA" "hdfs_site_path"="/etc/hadoop/conf/hdfs-site.xml" "kerberos_keytab_path"="/home/root/service_user.keytab" "krb5_path"="/etc/krb5.conf" "core_site_path"="/etc/hadoop/conf/core-site.xml" } } ``` ### Running Command ```shell sh /opt/seatunnel-workspace/seatunnel/bin/seatunnel.sh --config /opt/seatunnel-workspace/apache-seatunnel-web-1.0.1/profile/manual.conf ``` ### Error Exception ```log Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Error while authenticating with endpoint: http://<kms-host>:9292/kms/v1/keyversion/hdp_analytics_dev_data%400/_eek?eek_op=decrypt at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?] at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?] at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?] at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?] at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?] at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.wrapExceptionWithMessage(KerberosAuthenticator.java:237) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:220) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:143) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:350) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.openConnection(DelegationTokenAuthenticatedURL.java:327) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:512) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:507) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?] at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?] at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1899) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createConnection(KMSClientProvider.java:506) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:826) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:354) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:350) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:175) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.decryptEncryptedKey(LoadBalancingKMSClientProvider.java:350) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.decryptEncryptedKey(KeyProviderCryptoExtension.java:535) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.hdfs.HdfsKMSUtil.decryptEncryptedDataEncryptionKey(HdfsKMSUtil.java:216) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.hdfs.HdfsKMSUtil.createWrappedInputStream(HdfsKMSUtil.java:196) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.hdfs.DFSClient.createWrappedInputStream(DFSClient.java:967) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.hdfs.DistributedFileSystem$4.doCall(DistributedFileSystem.java:345) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.hdfs.DistributedFileSystem$4.doCall(DistributedFileSystem.java:339) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.hdfs.DistributedFileSystem.open(DistributedFileSystem.java:356) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.fs.FileSystem.open(FileSystem.java:997) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.seatunnel.connectors.seatunnel.file.hadoop.HadoopFileSystemProxy.getInputStream(HadoopFileSystemProxy.java:166) ~[?:?] at org.apache.seatunnel.connectors.seatunnel.file.source.reader.TextReadStrategy.read(TextReadStrategy.java:77) ~[?:?] at org.apache.seatunnel.connectors.seatunnel.file.source.BaseFileSourceReader.pollNext(BaseFileSourceReader.java:63) ~[?:?] ... 11 more Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:365) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:205) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:143) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:350) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.openConnection(DelegationTokenAuthenticatedURL.java:327) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:512) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:507) ~[seatunnel-hadoop3-3.1.4-uber.jar:2.3.7] at java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?] at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?] ``` ### Zeta or Flink or Spark Version 2.3.7 ### Java or Scala Version _No response_ ### Screenshots _No response_ ### Are you willing to submit PR? - [X] Yes I am willing to submit a PR! ### Code of Conduct - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
