> On Aug. 4, 2017, 10:23 a.m., Colm O hEigeartaigh wrote: > > Why does setUGIFromJAASConfig solve the problem as opposed to > > authWithConfig? It's not really clear from the bug description. One > > potential issue is that setUGIFromJAASConfig requires a KeyTab in JAAS > > configuration, whereas authWithConfig looks like it would work with a > > password.
Your Observation is correct. Ranger Plugin for non core Hadoop components like Solr, when it uses Hadoop UserGroupInformation api to set/get the UGI, and this UGI is used for Authenticated call to Download Policy / Audit to HDFS. When TGT expires there was failure as it never got renewed. (Core components like Hdfs, hive, hbase internally taking care of this with right keytab login and renewal ). So in this case when we do a MiscUtil.getUGILoginUser() to get UGI at the plugin, this call will invoke UGI.checkTGTAndReloginFromKeytab() to check and renew the TGT. This fails if the UGI is not created with Principal/Keytab. In this issue when authWithConfig(), it uses the just Subject() alone to login and as a result checkTGTAndReloginFromKeytab() failed. I have updated the Description with the details. - Ramesh ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/61412/#review182195 ----------------------------------------------------------- On Aug. 3, 2017, 6:53 p.m., Ramesh Mani wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/61412/ > ----------------------------------------------------------- > > (Updated Aug. 3, 2017, 6:53 p.m.) > > > Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Selvamohan > Neethiraj, and Velmurugan Periasamy. > > > Bugs: RANGER-1649 > https://issues.apache.org/jira/browse/RANGER-1649 > > > Repository: ranger > > > Description > ------- > > RANGER-1649:Ranger Solr Plugin fails to refresh policy due to failure in > ticket renewal mechanism > > > Diffs > ----- > > > plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java > 5c4e066 > > > Diff: https://reviews.apache.org/r/61412/diff/1/ > > > Testing > ------- > > Testing done in local VM. > > > Thanks, > > Ramesh Mani > >