[ https://issues.apache.org/jira/browse/HBASE-26212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josh Elser updated HBASE-26212:
-------------------------------
Status: Patch Available (was: Open)
> Allow AuthUtil automatic renewal to be disabled
> -----------------------------------------------
>
> Key: HBASE-26212
> URL: https://issues.apache.org/jira/browse/HBASE-26212
> Project: HBase
> Issue Type: Improvement
> Components: Client, security
> Reporter: Josh Elser
> Assignee: Josh Elser
> Priority: Minor
>
> Talking with [~bbende] who was looking at some "spam" in the NiFi log where
> AuthUtil was complaining that it couldn't renew the UGI. This did not
> cause him problems (NiFi could always read/write to HBase), but it generated
> a lot of noise in the NiFi log.
> NiFi is special in that it's managing renewals on its own (for all services
> it can communicate with), rather than letting each client do it on its own.
> Specifically, one way they do this is by doing a keytab-based login via JAAS,
> constructing a UGI object from that JAAS login, and then invoking HBase in a
> normal UGI.doAs().
> The problem comes in that AuthUtil _thinks_ that it is capable of renewing
> this UGI instance on its own. AuthUtil can determine that the current UGI
> came from a keytab, and thus thinks that it can renew it. However, this
> actually fails because the LoginContext inside UGI *isn't* actually something
> that UGI can renew (remember: because NiFi did it directly via JAAS and not
> via UGI).
> {noformat}
> 2021-08-19 17:32:19,438 ERROR [Relogin service.Chore.1]
> org.apache.hadoop.hbase.AuthUtil Got exception while trying to refresh
> credentials: loginUserFromKeyTab must be done first
> java.io.IOException: loginUserFromKeyTab must be done first
> at org.apache.hadoop.security.UserGroupInformation.reloginFromKeytab(UserGroupInformation.java:1194)
> at org.apache.hadoop.security.UserGroupInformation.checkTGTAndReloginFromKeytab(UserGroupInformation.java:1125)
> at org.apache.hadoop.hbase.AuthUtil$1.chore(AuthUtil.java:206)
> {noformat}
> After talking with Bryan about this: we don't see a good way for HBase to
> detect this specific "A UGI instance, but not created by UGI" case because
> the LoginContext inside UGI is private. It is great that AuthUtil will
> automatically try to renew keytab logins, even if not using
> {{hbase.client.keytab.file}} and {{hbase.client.keytab.principal}}, so I
> don't want to break that functionality.
> NiFi is unique in this case that it is fully managing the renewals, so I
> think the best path forward is to add an option which lets NiFi disable
> AuthUtil since it knows it can safely do this. This should affect any other
> users (but also give us an option if AuthUtil ever does cause problems).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)