[ https://issues.apache.org/jira/browse/STORM-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15141134#comment-15141134 ]

ASF GitHub Bot commented on STORM-1521:
---------------------------------------

Github user dbahir commented on a diff in the pull request:

    https://github.com/apache/storm/pull/1064#discussion_r52486706
  
    --- Diff: 
external/storm-hbase/src/main/java/org/apache/storm/hbase/security/HBaseSecurityUtil.java
 ---
    @@ -39,26 +39,34 @@
     
         public static final String STORM_KEYTAB_FILE_KEY = "storm.keytab.file";
         public static final String STORM_USER_NAME_KEY = 
"storm.kerberos.principal";
    +    private static  UserProvider legacyProvider = null;
     
         public static UserProvider login(Map conf, Configuration hbaseConfig) 
throws IOException {
             //Allowing keytab based login for backward compatibility.
    -        UserProvider provider = UserProvider.instantiate(hbaseConfig);
    -        if (conf.get(TOPOLOGY_AUTO_CREDENTIALS) == null ||
    -                !(((List) 
conf.get(TOPOLOGY_AUTO_CREDENTIALS)).contains(AutoHBase.class.getName()))) {
    +        if (UserGroupInformation.isSecurityEnabled() && 
(conf.get(TOPOLOGY_AUTO_CREDENTIALS) == null ||
    +                !(((List) 
conf.get(TOPOLOGY_AUTO_CREDENTIALS)).contains(AutoHBase.class.getName())))) {
                 LOG.info("Logging in using keytab as AutoHBase is not 
specified for " + TOPOLOGY_AUTO_CREDENTIALS);
    -            if (UserGroupInformation.isSecurityEnabled()) {
    -                String keytab = (String) conf.get(STORM_KEYTAB_FILE_KEY);
    -                if (keytab != null) {
    -                    hbaseConfig.set(STORM_KEYTAB_FILE_KEY, keytab);
    +            //insure that if keytab is used only one login per process 
executed
    +            if(legacyProvider == null) {
    +                synchronized (HBaseSecurityUtil.class) {
    +                    if(legacyProvider == null) {
    --- End diff --
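
Review bot: the first `if(legacyProvider == null)` check runs outside `synchronized (HBaseSecurityUtil.class)`, but the field is declared `private static  UserProvider legacyProvider = null;` without `volatile`. Under the Java memory model, a thread taking that unsynchronized fast path has no happens-before relationship with the thread that set the field, so it can observe a non-null reference before the provider's construction and keytab login are visible to it. Declare the field `private static volatile UserProvider legacyProvider`, and assign it only after the login has completed (the hunk is cut off before the assignment, so that ordering cannot be checked from the lines shown). Minor: the new comment should read "ensure" rather than "insure", and the double space in the field declaration can be dropped.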
    
    There is a double check pattern here which locks on the class; the lock on 
the class will ensure that the legacy provider is instantiated and logged in 
only once per process.


> When using Kerberos login from keytab with multiple bolts/executors ticket is 
> not renewed
> -----------------------------------------------------------------------------------------
>
>                 Key: STORM-1521
>                 URL: https://issues.apache.org/jira/browse/STORM-1521
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-hbase
>    Affects Versions: 0.10.0, 0.9.5
>            Reporter: Dan Bahir
>            Assignee: Dan Bahir
>
> When logging in with a keytab, if the topology has more than one instance of 
> an HBase bolt then the ticket will not be automatically renewed.
> Expected: The ticket will be automatically renewed and the bolt will be able 
> to write to the database.
> Actual: The ticket is not renewed and the bolt loses access to HBase.
> Note: when there is only one bolt with one executor, it renews correctly.
> Exception in bolt is:
> 2015-12-18T09:41:13.862-0500 o.a.h.s.UserGroupInformation [ERROR] 
> PriviledgedActionException as:[email protected] 
> cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by 
> GSSException: No valid credentials provided (Mechanism level: Failed to find 
> any
>  Kerberos tgt)]
> 2015-12-18T09:41:13.862-0500 o.a.h.i.RpcClient [WARN] Exception encountered 
> while connecting to the server : javax.security.sasl.SaslException: GSS 
> initiate
>  failed [Caused by GSSException: No valid credentials provided (Mechanism 
> level:
>  Failed to find any Kerberos tgt)]
> 2015-12-18T09:41:13.863-0500 o.a.h.i.RpcClient [ERROR] SASL authentication 
> failed. The most likely cause is missing or invalid credentials. Consider 
> 'kinit'.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
