[jira] [Created] (RANGER-3233) Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config instead of Subject from Kafka Login Manager

Ramesh Mani (Jira) Mon, 05 Apr 2021 16:15:10 -0700

Ramesh Mani created RANGER-3233:
-----------------------------------

             Summary: Ranger Kafka Plugin changes to get the UGI from  Kafka 
client JAAS config instead of Subject from Kafka Login Manager
                 Key: RANGER-3233
                 URL: https://issues.apache.org/jira/browse/RANGER-3233
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
            Reporter: Ramesh Mani



Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config 
instead of Subject from Kafka Login Manager.

When UGI is created with Subject from Kafka LoginManager, Ranger Kafka Plugin 
fails with kerberos error because of changed kerberos identity when ticket 
expires and subject load all the principals based on the GSS mechanism used.

https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub

This was reported in https://issues.apache.org/jira/browse/RANGER-2810 which 
has a work around. Solution would be to have the UGI created with the kafka 
client JAAS and use it in plugin. This will help is Kerberos ticket renewed 
properly and avoid using the Subject() which may cause issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (RANGER-3233) Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config instead of Subject from Kafka Login Manager

Reply via email to