[
https://issues.apache.org/jira/browse/RANGER-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ramesh Mani resolved RANGER-3233.
---------------------------------
Resolution: Fixed
> Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config
> instead of Subject from Kafka LoginManager
> --------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-3233
> URL: https://issues.apache.org/jira/browse/RANGER-3233
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 3.0.0, 2.2.0
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config
> instead of Subject from Kafka LoginManager.
> When UGI is created with Subject from Kafka LoginManager, Ranger Kafka Plugin
> fails with kerberos error because of changed kerberos identity when ticket
> expires and subject load all the principals based on the GSS mechanism used.
> [https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub]
> This was reported in https://issues.apache.org/jira/browse/RANGER-2810 which
> has a work around. Solution would be to have the UGI created with the kafka
> client JAAS and use it in plugin. This will help is Kerberos ticket renewed
> properly and avoid using the Subject() which may cause issue.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
