[ https://issues.apache.org/jira/browse/HBASE-26212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josh Elser updated HBASE-26212:
-------------------------------
Hadoop Flags: Reviewed
Release Note: This change introduces a configuration property
"hbase.client.keytab.automatic.renewal" to control AuthUtil, the class which
automatically tries to perform Kerberos ticket renewal in client applications.
This configuration property defaults to "true", meaning that AuthUtil will
automatically attempt to renew Kerberos tickets per its capabilities. Those who
want AuthUtil to not renew client Kerberos tickets can set this property to be
"false".
Resolution: Fixed
Status: Resolved (was: Patch Available)
> Allow AuthUtil automatic renewal to be disabled
> -----------------------------------------------
>
> Key: HBASE-26212
> URL: https://issues.apache.org/jira/browse/HBASE-26212
> Project: HBase
> Issue Type: Improvement
> Components: Client, security
> Reporter: Josh Elser
> Assignee: Josh Elser
> Priority: Minor
> Fix For: 2.5.0, 3.0.0-alpha-2
>
>
> Talking with [~bbende] who was looking at some "spam" in the NiFi log where
> AuthUtil was complaining that it couldn't renew the UGI. This did not
> cause him problems (NiFi could always read/write to HBase), but it generated
> a lot of noise in the NiFi log.
> NiFi is special in that it's managing renewals on its own (for all services
> it can communicate with), rather than letting each client do it on its own.
> Specifically, one way they do this is by doing a keytab-based login via JAAS,
> constructing a UGI object from that JAAS login, and then invoking HBase in a
> normal UGI.doAs().
> The problem comes in that AuthUtil _thinks_ that it is capable of renewing
> this UGI instance on its own. AuthUtil can determine that the current UGI
> came from a keytab, and thus thinks that it can renew it. However, this
> actually fails because the LoginContext inside UGI *isn't* actually something
> that UGI can renew (remember: because NiFi did it directly via JAAS and not
> via UGI).
> {noformat}
> 2021-08-19 17:32:19,438 ERROR [Relogin service.Chore.1]
> org.apache.hadoop.hbase.AuthUtil Got exception while trying to refresh
> credentials: loginUserFromKeyTab must be done first
> java.io.IOException: loginUserFromKeyTab must be done first
> at
> org.apache.hadoop.security.UserGroupInformation.reloginFromKeytab(UserGroupInformation.java:1194)
> at
> org.apache.hadoop.security.UserGroupInformation.checkTGTAndReloginFromKeytab(UserGroupInformation.java:1125)
> at org.apache.hadoop.hbase.AuthUtil$1.chore(AuthUtil.java:206)
> {noformat}
> After talking with Bryan about this: we don't see a good way for HBase to
> detect this specific "A UGI instance, but not created by UGI" case because
> the LoginContext inside UGI is private. It is great that AuthUtil will
> automatically try to renew keytab logins, even if not using
> {{hbase.client.keytab.file}} and {{hbase.client.keytab.principal}}, so I
> don't want to break that functionality.
> NiFi is unique in this case that it is fully managing the renewals, so I
> think the best path forward is to add an option which lets NiFi disable
> AuthUtil since it knows it can safely do this. This should affect any other
> users (but also give us an option if AuthUtil ever does cause problems).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)