kirby zhou created RANGER-3612:
----------------------------------

             Summary: KMS should either Die or Auto-Recover when its ranger-agent auth to KDC failed
                 Key: RANGER-3612
                 URL: https://issues.apache.org/jira/browse/RANGER-3612
             Project: Ranger
          Issue Type: Bug
          Components: kms, plugins
    Affects Versions: 2.2.0, 3.0.0
            Reporter: kirby zhou


If we install the Ranger agent in KMS, the agent authenticates itself to the KDC at 
startup. But if that fails, it only prints a log line in ranger-kms-<hostname>.log, 
and the KMS can never recover to refresh its policies.
{code}
]$ tail -f log/ranger-kms-ranger_kms-.log  | fgrep ERROR 
2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab and 
principal{code}
{code:java}
package org.apache.ranger.authorization.kms.authorizer;

public class RangerKmsAuthorizer implements Runnable, KeyACLs {
    RangerKmsAuthorizer(Configuration conf) {
        // Kerberos login happens exactly once, in the constructor.
        authWithKerberos(conf);
    }

    private void authWithKerberos(Configuration conf) {
        // Return type is void: the caller cannot tell whether login succeeded.
        MiscUtil.authWithKerberos(keytab, principal, nameRules);
    }
}

package org.apache.ranger.audit.provider;

public class MiscUtil {
    public static void authWithKerberos(...) {
        try {
            {
                UserGroupInformation ugi = UserGroupInformation
                    .loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
                MiscUtil.setUGILoginUser(ugi, null);
            }
        } catch (Throwable t) {
            // Every failure, including KDC unreachable, is swallowed here and only logged.
            logger.error("Failed to login with given keytab and principal", t);
        }
    }
}{code}
 

There seems to be only one attempt by the plugin to authenticate to the KDC, so it 
cannot auto-recover.

And MiscUtil.authWithKerberos never fails (it swallows the exception) when 
authentication fails, so KMS does not die when the plugin fails.

This situation is too unfriendly to administrators. It should be fixed.
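As an added illustration (not Ranger's code), the following shows the reported one-shot, exception-swallowing login beside a variant that retries with bounded backoff and then throws, so the hosting service can refuse to start rather than run with a silently broken authorizer. The Hadoop UserGroupInformation call is replaced by a hypothetical LoginAction interface and a constructed fake KDC so the example runs without Kerberos.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;

/**
 * Added example, not Ranger code. LoginAction is a hypothetical stand-in for
 * UserGroupInformation.loginUserFromKeytabAndReturnUGI so this runs offline.
 */
public class KerberosLoginDemo {

    @FunctionalInterface
    interface LoginAction {
        void login() throws IOException;
    }

    /** Mirrors the reported behaviour: one attempt, failure swallowed, caller never learns. */
    static boolean loginOnceAndSwallow(LoginAction action) {
        try {
            action.login();
            return true;
        } catch (Throwable t) {
            System.err.println("Failed to login with given keytab and principal: " + t.getMessage());
            return false; // the real method returns void, so not even this signal exists
        }
    }

    /**
     * Hardened variant: bounded retries with exponential backoff (capped at 30 s),
     * and an exception on final failure so startup can abort. Returns the number
     * of attempts used on success.
     */
    static int loginWithRetry(LoginAction action, int maxAttempts, long initialBackoffMs)
            throws IOException {
        long backoff = initialBackoffMs;
        IOException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                action.login();
                return attempt;
            } catch (IOException e) {
                last = e;
                System.err.printf("Kerberos login attempt %d/%d failed: %s%n",
                        attempt, maxAttempts, e.getMessage());
                if (attempt < maxAttempts) {
                    try {
                        TimeUnit.MILLISECONDS.sleep(backoff);
                    } catch (InterruptedException ie) {
                        Thread.currentThread().interrupt();
                        throw new IOException("interrupted while waiting to retry Kerberos login", ie);
                    }
                    backoff = Math.min(backoff * 2, 30_000L);
                }
            }
        }
        throw new IOException("Kerberos login failed after " + maxAttempts + " attempts", last);
    }

    public static void main(String[] args) {
        // Constructed fake KDC: fails the first two calls, succeeds on the third.
        int[] calls = {0};
        LoginAction flakyKdc = () -> {
            if (++calls[0] < 3) throw new IOException("KDC unreachable (constructed)");
        };
        // Constructed fake KDC that never succeeds.
        LoginAction deadKdc = () -> {
            throw new IOException("clock skew too great (constructed)");
        };

        System.out.println("swallowed: " + loginOnceAndSwallow(deadKdc)); // false, service keeps running

        try {
            int used = loginWithRetry(flakyKdc, 5, 10);
            System.out.println("recovered after " + used + " attempts"); // 3
        } catch (IOException e) {
            System.out.println("unexpected: " + e);
        }

        try {
            loginWithRetry(deadKdc, 3, 10);
        } catch (IOException e) {
            // This is where KMS startup should abort instead of continuing without a working authorizer.
            System.out.println("fail fast: " + e.getMessage());
        }
    }
}
```

The point of the second variant is that the outcome is visible to the caller: a transient KDC outage is absorbed by the retry loop, while a persistent one surfaces as an exception the constructor of the authorizer can propagate, so the administrator sees a failed start instead of a service that quietly never refreshes policies.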



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
