[
https://issues.apache.org/jira/browse/RANGER-3612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490009#comment-17490009
]
kirby zhou commented on RANGER-3612:
------------------------------------
For example:
If the Kerberos KDC temporarily hangs while KMS is starting up, KMS just prints a
log and keeps the state in which the policy cannot be refreshed from Ranger; even
if the KDC comes back, KMS stays unhealthy forever.
It is unacceptable.
> KMS should either Die or Auto-Recover when its ranger-agent auth to KDC failed
> ------------------------------------------------------------------------------
>
> Key: RANGER-3612
> URL: https://issues.apache.org/jira/browse/RANGER-3612
> Project: Ranger
> Issue Type: Bug
> Components: kms, plugins
> Affects Versions: 3.0.0, 2.2.0
> Reporter: kirby zhou
> Priority: Major
>
> If we install the ranger agent into KMS, the agent authenticates itself to the KDC at
> startup. But if that fails, it just prints a log line in ranger-kms-<hostname>.log,
> and KMS can never recover to refresh its policies.
> {code:java}
> ]$ tail -f log/ranger-kms-ranger_kms-.log | fgrep ERROR
> 2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab and principal
> {code}
> {code:java}
> package org.apache.ranger.authorization.kms.authorizer;
>
> public class RangerKmsAuthorizer implements Runnable, KeyACLs {
>     RangerKmsAuthorizer(Configuration conf) {
>         authWithKerberos(conf);
>     }
>
>     private void authWithKerberos(Configuration conf) {
>         MiscUtil.authWithKerberos(keytab, principal, nameRules);
>     }
> }
>
> package org.apache.ranger.audit.provider;
>
> public class MiscUtil {
>     public static void authWithKerberos(...) {
>         try {
>             UserGroupInformation ugi = UserGroupInformation
>                     .loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
>             MiscUtil.setUGILoginUser(ugi, null);
>         } catch (Throwable t) {
>             // the failure is logged and swallowed: no exception reaches KMS, no retry is scheduled
>             logger.error("Failed to login with given keytab and principal", t);
>         }
>     }
> }
> {code}
>
> There seems to be only one chance for the plugin to authenticate to the KDC, so it cannot
> auto-recover.
> And MiscUtil.authWithKerberos never fails when auth fails, so KMS would not
> die when the plugin failed.
> This situation is too unfriendly to administrators. It should be fixed.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
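As an added example (not Ranger's code and not part of the ticket), the "die or auto-recover" behaviour the issue asks for, written against Hadoop's UserGroupInformation API: retry the keytab login with bounded exponential backoff while the KDC is unreachable, abort startup with an exception once the attempts are exhausted instead of swallowing the error, and keep renewing the TGT afterwards so a later KDC outage is also recoverable. The class, method and parameter names are assumptions for illustration; installing the returned UGI (MiscUtil.setUGILoginUser in Ranger) is left to the caller.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.security.UserGroupInformation;

// Hypothetical helper: startup Kerberos login that retries while the KDC is down
// and fails the process if it never succeeds, rather than logging and continuing.
public final class KerberosLoginWithRetry {

    // Thrown after the last attempt so the service can exit instead of running unhealthy.
    public static final class LoginFailedException extends IOException {
        LoginFailedException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Tries loginUserFromKeytabAndReturnUGI up to maxAttempts times; backoff doubles
    // each round up to maxBackoffMs. Returns the UGI on success, throws when exhausted.
    public static UserGroupInformation loginWithRetry(String principal, String keytab,
            int maxAttempts, long initialBackoffMs, long maxBackoffMs) throws IOException {
        long backoff = initialBackoffMs;
        IOException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
            } catch (IOException e) { // KDC unreachable, clock skew, bad keytab, ...
                last = e;
                System.err.printf("Kerberos login attempt %d/%d failed: %s%n",
                        attempt, maxAttempts, e.getMessage());
                if (attempt == maxAttempts) break;
                try {
                    Thread.sleep(backoff);
                } catch (InterruptedException ie) {
                    Thread.currentThread().interrupt();
                    throw new LoginFailedException("interrupted while waiting for KDC", ie);
                }
                backoff = Math.min(backoff * 2, maxBackoffMs);
            }
        }
        throw new LoginFailedException("Kerberos login failed after " + maxAttempts + " attempts", last);
    }

    // After startup, renew the ticket on a schedule; a failed renewal is retried next period.
    public static ScheduledExecutorService scheduleRelogin(UserGroupInformation ugi, long periodSec) {
        ScheduledExecutorService exec = Executors.newSingleThreadScheduledExecutor();
        exec.scheduleAtFixedRate(() -> {
            try {
                ugi.checkTGTAndReloginFromKeytab();
            } catch (IOException e) {
                System.err.println("TGT renewal failed, will retry: " + e.getMessage());
            }
        }, periodSec, periodSec, TimeUnit.SECONDS);
        return exec;
    }
}
```

A caller that lets LoginFailedException propagate out of its constructor gets the "die" behaviour; one that catches it and schedules another loginWithRetry gets "auto-recover", and either is observable in the logs, unlike the silent catch in the ticket.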