ramackri commented on code in PR #1030:
URL: https://github.com/apache/ranger/pull/1030#discussion_r3461416305


##########
audit-server/audit-dispatcher/dispatcher-solr/src/main/resources/conf/ranger-audit-dispatcher-solr-site.xml:
##########
@@ -175,7 +175,7 @@
 
     <property>
         <name>xasecure.audit.jaas.Client.option.useTicketCache</name>
-        <value>true</value>
+        <value>false</value>
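Review bot: Flipping `useTicketCache` to `false` leaves Krb5LoginModule with the keytab as its only credential source, so this hunk should be read together with the sibling `xasecure.audit.jaas.Client.option.useKeyTab`, `keyTab` and `principal` properties in the same file; please confirm they are set, otherwise the relogin failure described below becomes a login failure at daemon startup. The property also deserves a `<description>` recording why the cache is disabled (keytab-only daemon, relogin after `logout()` finding an empty ticket cache), so that a future reader does not switch it back to `true` to "enable" caching.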

Review Comment:
   alternate to disabling ticket cache?
   Proactive refresh already exists — we don't need a separate background 
thread. The Solr dispatcher uses KerberosAction, which calls 
checkTGTAndRelogin() before every Solr write. At ~80% of TGT lifetime that path 
intentionally does logout(); login(). So the issue isn't missing refresh; it's 
that relogin after logout() fails when useTicketCache=true on a keytab-only 
daemon: the ticket cache is empty, Krb5LoginModule doesn't fall back to the 
keytab cleanly, and we see "No key to store" until restart.
   
   Alternatives that avoid setting useTicketCache=false would be Java changes, 
and they work at different layers:
   
   UGI/keytab pattern (like HDFS dispatcher and plugin→ingestor) — initialize 
UserGroupInformation from the keytab in AuditSolrDispatcher and run Solr writes 
via MiscUtil.executePrivilegedAction() / checkTGTAndReloginFromKeytab() instead 
of KerberosAction. That avoids JAAS logout()/login() on the write path, but 
it's a broader auth-path change in shared SolrAuditDestination code.
   Shared SolrAuditDestination means the Solr write logic lives in one class in 
the agents-audit library, and more than one component uses it — not only the 
Solr audit dispatcher.
   
   Change AbstractKerberosUser.checkTGTAndRelogin() — for useKeyTab=true, renew 
in place (e.g. loginContext.login() without logout() first) instead of always 
doing logout(); login(). That would affect all KerberosAction callers (Admin 
Solr queries, plugins writing to Solr, etc.), so the blast radius is wider and 
behavior is more subtle across JDK/Krb5 versions.
   That must be done in both copies of AbstractKerberosUser (agents-audit and 
security-admin), and it affects Admin Solr, plugins writing to Solr, and the 
dispatcher — not just the Solr dispatcher.
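
As an added illustration of the first alternative described in the comment above (the UGI/keytab pattern), not code from the Ranger project: a Solr audit writer that logs in once from a keytab through Hadoop's UserGroupInformation, renews from the keytab before each write, and runs the write under doAs, so no JAAS logout()/login() happens on the write path. The class name KeytabSolrWriter and the direct use of UserGroupInformation instead of Ranger's MiscUtil helpers are assumptions.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.solr.client.solrj.SolrClient;
import org.apache.solr.client.solrj.SolrServerException;
import org.apache.solr.client.solrj.response.UpdateResponse;
import org.apache.solr.common.SolrInputDocument;

/** Hypothetical keytab-only Solr writer; illustrates the UGI pattern, not Ranger's own code. */
public class KeytabSolrWriter {
    private final SolrClient solr;
    private final UserGroupInformation ugi;

    public KeytabSolrWriter(SolrClient solr, String principal, String keytabPath) throws IOException {
        this.solr = solr;
        // UGI ignores keytab logins unless Kerberos authentication is enabled in its configuration.
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // One-time login from the keytab. No ticket cache is consulted, so there is no
        // empty-cache path for Krb5LoginModule to fall into on a later relogin.
        UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
        this.ugi = UserGroupInformation.getLoginUser();
    }

    /** Writes one document; renews the TGT from the keytab first if it is close to expiry. */
    public UpdateResponse write(SolrInputDocument doc) throws IOException, InterruptedException {
        // Renews in place from the keytab (no JAAS logout() first), and is a no-op while the TGT is fresh.
        ugi.checkTGTAndReloginFromKeytab();
        return ugi.doAs((PrivilegedExceptionAction<UpdateResponse>) () -> {
            try {
                return solr.add(doc);
            } catch (SolrServerException e) {
                throw new IOException("Solr write failed", e);
            }
        });
    }
}
```

The renewal check runs on every write, matching how the comment describes KerberosAction calling checkTGTAndRelogin() before each Solr write, but without the logout()/login() cycle that trips over an empty ticket cache.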
   
   



-- 
This is an automated message from the Apache Git Service.