[
https://issues.apache.org/jira/browse/RANGER-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ramesh Mani updated RANGER-3233:
--------------------------------
Description:
Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config
instead of Subject from Kafka LoginManager.
When the UGI is created with the Subject from Kafka LoginManager, the Ranger
Kafka Plugin fails with a Kerberos error because of a changed Kerberos identity
when the ticket expires and the subject loads all the principals based on the
GSS mechanism used.
[https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub]
This was reported in https://issues.apache.org/jira/browse/RANGER-2810, which
has a workaround. The solution would be to have the UGI created with the Kafka
client JAAS and use it in the plugin. This will help the Kerberos ticket get
renewed properly and avoid using the Subject(), which may cause issues.
was:
Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config
instead of Subject from Kafka Login Manager.
When the UGI is created with the Subject from Kafka LoginManager, the Ranger
Kafka Plugin fails with a Kerberos error because of a changed Kerberos identity
when the ticket expires and the subject loads all the principals based on the
GSS mechanism used.
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub
This was reported in https://issues.apache.org/jira/browse/RANGER-2810, which
has a workaround. The solution would be to have the UGI created with the Kafka
client JAAS and use it in the plugin. This will help the Kerberos ticket get
renewed properly and avoid using the Subject(), which may cause issues.
> Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config
> instead of Subject from Kafka LoginManager
> --------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-3233
> URL: https://issues.apache.org/jira/browse/RANGER-3233
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
>
> Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config
> instead of Subject from Kafka LoginManager.
> When the UGI is created with the Subject from Kafka LoginManager, the Ranger
> Kafka Plugin fails with a Kerberos error because of a changed Kerberos identity
> when the ticket expires and the subject loads all the principals based on the
> GSS mechanism used.
> [https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub]
> This was reported in https://issues.apache.org/jira/browse/RANGER-2810, which
> has a workaround. The solution would be to have the UGI created with the Kafka
> client JAAS and use it in the plugin. This will help the Kerberos ticket get
> renewed properly and avoid using the Subject(), which may cause issues.
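The approach described in the issue, building the UGI from the JAAS entry rather than from a shared Subject, is sketched below as an added example; it is not the RANGER-3233 patch or Ranger's own code. It assumes Hadoop's UserGroupInformation is on the classpath and a keytab-based Krb5LoginModule entry; the class name `JaasUgiExample` and the default context name `KafkaClient` are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/** Added illustration (hypothetical class), not the RANGER-3233 patch. */
public final class JaasUgiExample {

    /** Logs in from the keytab named in a JAAS context and returns a UGI that can re-login. */
    static UserGroupInformation ugiFromJaas(String contextName) throws IOException {
        // Reads the file named by -Djava.security.auth.login.config
        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(contextName);
        if (entries == null) {
            throw new IOException("No JAAS context named " + contextName);
        }
        for (AppConfigurationEntry entry : entries) {
            if (!entry.getLoginModuleName().endsWith("Krb5LoginModule")) {
                continue; // PLAIN or SCRAM modules carry no Kerberos identity
            }
            Map<String, ?> opts = entry.getOptions();
            String principal = (String) opts.get("principal");
            String keyTab = (String) opts.get("keyTab");
            if (principal == null || keyTab == null) {
                continue; // ticket-cache-only entry: nothing to re-login from
            }
            org.apache.hadoop.conf.Configuration conf =
                    new org.apache.hadoop.conf.Configuration();
            conf.set("hadoop.security.authentication", "kerberos");
            UserGroupInformation.setConfiguration(conf);
            // The identity is the single principal named in the JAAS entry,
            // not whatever principals a shared Subject holds at the moment.
            return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keyTab);
        }
        throw new IOException("No keytab-based Krb5LoginModule entry in " + contextName);
    }

    public static void main(String[] args) throws Exception {
        // "KafkaClient" is an assumed context name; use the one in your JAAS file.
        UserGroupInformation ugi = ugiFromJaas(args.length > 0 ? args[0] : "KafkaClient");
        ugi.checkTGTAndReloginFromKeytab(); // renews from the keytab when the TGT nears expiry
        System.out.println("Logged in as " + ugi.getUserName());
    }
}
```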