Re: [PR] HDDS-11587. Ozone Manager not processing file put requests with multi-tenancy enabled [ozone]

Tue, 29 Oct 2024 03:36:26 -0700 


smengcl commented on code in PR #7316:
URL: https://github.com/apache/ozone/pull/7316#discussion_r1820521610


##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/RangerClientMultiTenantAccessController.java:
##########
@@ -130,9 +130,15 @@ public 
RangerClientMultiTenantAccessController(OzoneConfiguration conf)
 
     LOG.info("authType = {}, login user = {}", authType, usernameOrPrincipal);
 
-    client = new RangerClient(rangerHttpsAddress,
-        authType, usernameOrPrincipal, passwordOrKeytab,
-        rangerServiceName, OzoneConsts.OZONE);
+    UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
+    try {
+      client = new RangerClient(rangerHttpsAddress,
+          authType, usernameOrPrincipal, passwordOrKeytab,
+          rangerServiceName, OzoneConsts.OZONE);
+    } finally {
+      // set back the expected login user
+      UserGroupInformation.setLoginUser(loginUser);
+    }

Review Comment:
   Thanks Sammi. Good catch.
   
   From what I understand of HDDS-11587 description, `RangerClient` shares the 
same `UserGroupInformation` context with its caller (OM in this case).
   
   Thus, when `RangerClient`'s internal Kerberos login logic generated a new 
UGI and replaces the caller's LoginUser UGI, which causes the breakage (OM 
stuck, failed to re-login after a while).
   
   Questions for Ranger folks: @kumaab
   1. What happens when `RangerClient`'s UGI Kerberos login expires as well? My 
concern is, if `RangerClient` re-login using similar logic, the `RangerClient` 
instance can get stuck for the same reason as well? Or if `RangerClient` sets 
UGI again (haven't checked the impl), the OM could get stuck again for the same 
reason.
   3. Is there a way to isolate `RangerClient`'s internal 
`UserGroupInformation` so that it doesn't leak out? Or, is it feasible to share 
the same UGI with caller?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to