> On April 8, 2022, 6:12 a.m., bhavik patel wrote:
> > Is your patch supporting auto recovery when KDC is down for some time?

If KDC is up at startup and then down for some time, this situation is already 
supported by the old code.

My patch is to let KMS quit directly if it can't connect to KDC or fails to 
authenticate during the startup phase.


- Kirby


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73841/#review224272
-----------------------------------------------------------


On March 2, 2022, 3:51 a.m., Kirby Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73841/
> -----------------------------------------------------------
> 
> (Updated March 2, 2022, 3:51 a.m.)
> 
> 
> Review request for ranger, Bhavik Bavishi, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen 
> Mansoori, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, VaradreawiZTV 
> VaradreawiZTV, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3612
>     https://issues.apache.org/jira/browse/RANGER-3612
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> If we install the ranger agent to KMS, the agent authenticates itself to KDC at 
> startup. But if that fails due to a network or keytab problem, it just prints a 
> log in ranger-kms-<hostname>.log, and the KMS can never recover to refresh 
> its policies.
> 
> ]$ tail -f log/ranger-kms-ranger_kms-.log  | fgrep ERROR 
> 2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab and principal
> 
> There seems to be only one chance for the plugin to auth to KDC, so it cannot 
> auto recover.
> And MiscUtil.authWithKerberos never fails when auth fails, so KMS would not 
> die when the plugin fails.
> 
> This situation is too unfriendly to administrators. 
> KMS should either die or auto-recover when its ranger-agent auth to KDC 
> fails.
> 
> My patch here is to let it die on startup. Auto recovery is only useful when KDC 
> is temporarily unavailable.
> 
> 
> Diffs
> -----
> 
>   agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b69e27693 
>   plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 799eb322c 
>   ranger-kms-plugin-shim/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 7fa36ce79 
> 
> 
> Diff: https://reviews.apache.org/r/73841/diff/1/
> 
> 
> Testing
> -------
> 
> mvn clean compile package test
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>
