Josh Elser created HBASE-26212:
----------------------------------
Summary: Allow AuthUtil automatic renewal to be disabled
Key: HBASE-26212
URL: https://issues.apache.org/jira/browse/HBASE-26212
Project: HBase
Issue Type: Improvement
Components: Client, security
Reporter: Josh Elser
Assignee: Josh Elser
Talking with [~bbende] who was looking at some "spam" in the NiFi log where
AuthUtil was complaining that it couldn't renew the UGI. This did not cause
him problems (NiFi could always read/write to HBase), but it generated a lot of
noise in the NiFi log.
NiFi is special in that it's managing renewals on its own (for all services it
can communicate with), rather than letting each client do it on its own.
Specifically, one way they do this is by doing a keytab-based login via JAAS,
constructing a UGI object from that JAAS login, and then invoking HBase in a
normal UGI.doAs().
The problem comes in that AuthUtil _thinks_ that it is capable of renewing this
UGI instance on its own. AuthUtil can determine that the current UGI came from
a keytab, and thus thinks that it can renew it. However, this actually fails
because the LoginContext inside UGI *isn't* actually something that UGI can
renew (remember: because NiFi did it directly via JAAS and not via UGI).
{noformat}
2021-08-19 17:32:19,438 ERROR [Relogin service.Chore.1]
org.apache.hadoop.hbase.AuthUtil Got exception while trying to refresh
credentials: loginUserFromKeyTab must be done first
java.io.IOException: loginUserFromKeyTab must be done first
at org.apache.hadoop.security.UserGroupInformation.reloginFromKeytab(UserGroupInformation.java:1194)
at org.apache.hadoop.security.UserGroupInformation.checkTGTAndReloginFromKeytab(UserGroupInformation.java:1125)
at org.apache.hadoop.hbase.AuthUtil$1.chore(AuthUtil.java:206)
{noformat}
After talking with Bryan about this: we don't see a good way for HBase to
detect this specific "A UGI instance, but not created by UGI" case because the
LoginContext inside UGI is private. It is great that AuthUtil will
automatically try to renew keytab logins, even if not using
{{hbase.client.keytab.file}} and {{hbase.client.keytab.principal}}, so I don't
want to break that functionality.
NiFi is unique in this case that it is fully managing the renewals, so I think
the best path forward is to add an option which lets NiFi disable AuthUtil
since it knows it can safely do this. This should affect any other users (but
also give us an option if AuthUtil ever does cause problems).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
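The two UGI construction paths the issue contrasts, side by side, as an added example (this is not HBase or NiFi code). The JAAS path mirrors what the report says NiFi does: a keytab login through LoginContext, a UGI wrapped around the resulting Subject with getUGIFromSubject, and HBase calls inside doAs(). The Hadoop path lets UGI perform the login itself, which is the case AuthUtil can actually renew. probeRelogin() issues the same checkTGTAndReloginFromKeytab() call that AuthUtil's chore makes, so you can see for your Hadoop version whether a JAAS-built UGI reports isFromKeytab() yet refuses relogin with the "loginUserFromKeyTab must be done first" message from the stack trace. The keytab path, principal, a KDC reachable via krb5.conf, and a table named "probe" are assumptions.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Added example, not HBase or NiFi code. Assumed inputs: the keytab at KEYTAB,
 * the principal PRINCIPAL, a KDC reachable through krb5.conf, and an HBase
 * table named "probe" the principal may read.
 */
public class JaasUgiRenewalProbe {
  static final String KEYTAB = "/etc/security/keytabs/nifi.keytab";        // assumed path
  static final String PRINCIPAL = "nifi/host.example.com@EXAMPLE.COM";      // assumed principal

  /** In-memory JAAS config equivalent to a keytab-based Krb5LoginModule stanza. */
  static javax.security.auth.login.Configuration keytabJaasConfig() {
    Map<String, String> opts = new HashMap<>();
    opts.put("useKeyTab", "true");
    opts.put("storeKey", "true");
    opts.put("doNotPrompt", "true");
    opts.put("keyTab", KEYTAB);
    opts.put("principal", PRINCIPAL);
    return new javax.security.auth.login.Configuration() {
      @Override
      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return new AppConfigurationEntry[] { new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
      }
    };
  }

  /** NiFi-style path: JAAS performs the login, UGI merely wraps the Subject. */
  static UserGroupInformation ugiViaJaas() throws LoginException, IOException {
    LoginContext lc = new LoginContext("probe", new Subject(), null, keytabJaasConfig());
    lc.login();
    return UserGroupInformation.getUGIFromSubject(lc.getSubject());
  }

  /** Hadoop-managed path: UGI performs the login and so can relogin from the keytab. */
  static UserGroupInformation ugiViaHadoop() throws IOException {
    return UserGroupInformation.loginUserFromKeytabAndReturnUGI(PRINCIPAL, KEYTAB);
  }

  /**
   * Same call AuthUtil's chore makes. Returns null when UGI accepts the relogin
   * request, otherwise the exception message (the report shows
   * "loginUserFromKeyTab must be done first" for the JAAS-built UGI).
   */
  static String probeRelogin(UserGroupInformation ugi) {
    try {
      ugi.checkTGTAndReloginFromKeytab();
      return null;
    } catch (IOException e) {
      return e.getMessage();
    }
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = HBaseConfiguration.create();
    conf.set("hadoop.security.authentication", "kerberos");
    conf.set("hbase.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);

    for (UserGroupInformation ugi : new UserGroupInformation[] { ugiViaJaas(), ugiViaHadoop() }) {
      String relogin = probeRelogin(ugi);
      System.out.printf("%s isFromKeytab=%b relogin=%s%n",
          ugi.getUserName(), ugi.isFromKeytab(), relogin == null ? "ok" : relogin);

      // HBase access inside doAs() works with either UGI; only UGI-driven renewal differs.
      ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        try (Connection conn = ConnectionFactory.createConnection(conf, User.create(ugi));
             Table table = conn.getTable(TableName.valueOf("probe"))) {
          System.out.println("row1 exists: " + table.exists(new Get(Bytes.toBytes("row1"))));
        }
        return null;
      });
    }
  }
}
```

The exact relogin outcome for the JAAS-built UGI depends on the Hadoop version's UserGroupInformation internals, which is why the probe reports rather than asserts; the point of running both paths in one process is to confirm that the HBase calls succeed either way while only the Hadoop-managed UGI can be renewed by AuthUtil.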