-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73841/
-----------------------------------------------------------

(Updated March 2, 2022, 3:51 a.m.)


Review request for ranger, Bhavik Bavishi, Dhaval Shah, Dineshkumar Yadav, 
Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen 
Mansoori, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, VaradreawiZTV 
VaradreawiZTV, Vishal Suvagia, and Velmurugan Periasamy.


Summary (updated)
-----------------

RANGER-3612: Ranger plugin should cause kms to fail at startup when auth to 
krb5 failed.


Bugs: RANGER-3612
    https://issues.apache.org/jira/browse/RANGER-3612


Repository: ranger


Description
-------

If we install the ranger agent to KMS, the agent would auth itself to KDC at 
startup. But if it fails due to a network or keytab problem, it just prints a 
log in ranger-kms-<hostname>.log, and the KMS can never recover to refresh its 
policies.

$ tail -f log/ranger-kms-ranger_kms-.log | fgrep ERROR
2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab and principal

There seems to be only one chance for the plugin to auth to KDC, so it cannot 
auto recover.
And MiscUtil.authWithKerberos never fails when auth fails, so KMS would not die 
when the plugin fails.

This situation is too unfriendly to administrators.
KMS should either Die or Auto-Recover when its ranger-agent auth to KDC fails.

My patch here is to let it die on startup. Auto recovery is only useful when 
KDC is temporarily unavailable.


Diffs
-----

  agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b69e27693
  plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 799eb322c
  ranger-kms-plugin-shim/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 7fa36ce79


Diff: https://reviews.apache.org/r/73841/diff/1/


Testing
-------

mvn clean compile package test


Thanks,

Kirby Zhou
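
The difference between swallowing a failed keytab login and failing fast at startup, as described in the request above, shown as an added example that is not Ranger's code and not part of the submitted patch. It uses the JDK's JAAS Krb5LoginModule directly; the class name, method names, principal and keytab path are hypothetical, constructed values, chosen so the login fails offline.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical illustration class; not part of Ranger or of the patch under review.
public class KerberosStartupCheck {
  // JAAS keytab-login configuration built in code instead of a jaas.conf file.
  static Configuration keytabConfig(String principal, String keytab) {
    Map<String, String> opts = Map.of("useKeyTab", "true", "keyTab", keytab,
        "principal", principal, "storeKey", "true", "doNotPrompt", "true");
    AppConfigurationEntry entry = new AppConfigurationEntry(
        "com.sun.security.auth.module.Krb5LoginModule",
        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
    return new Configuration() {
      @Override
      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return new AppConfigurationEntry[] { entry };
      }
    };
  }

  // Fail-fast form: the LoginException reaches the caller, which can abort startup.
  static Subject loginStrict(String principal, String keytab) throws LoginException {
    LoginContext lc = new LoginContext("plugin", new Subject(), null,
        keytabConfig(principal, keytab));
    lc.login();
    return lc.getSubject();
  }

  // Swallowing form: the failure becomes one log line and the caller keeps starting.
  static Subject loginLenient(String principal, String keytab) {
    try {
      return loginStrict(principal, keytab);
    } catch (LoginException e) {
      System.err.println("ERROR Failed to login with given keytab and principal");
      return null;
    }
  }

  public static void main(String[] args) throws LoginException {
    // Constructed values: the keytab does not exist, so no KDC is needed to see the failure.
    String principal = "kms/host.example.com@EXAMPLE.COM";
    String keytab = "/nonexistent/kms.keytab";
    System.out.println("lenient login returned " + loginLenient(principal, keytab)
        + ", startup continues without credentials");
    loginStrict(principal, keytab); // exception leaves main: the JVM exits non-zero
  }
}
```
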
