[
https://issues.apache.org/jira/browse/STORM-3606?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ethan Li updated STORM-3606:
----------------------------
Affects Version/s: 2.0.0, 1.2.3, 2.1.0
> AutoTGT shouldn't invoke TGT renewal thread (from
> UserGroupInformation.loginUserFromSubject)
> --------------------------------------------------------------------------------------------
>
> Key: STORM-3606
> URL: https://issues.apache.org/jira/browse/STORM-3606
> Project: Apache Storm
> Issue Type: Bug
> Affects Versions: 2.0.0, 1.2.3, 2.1.0
> Reporter: Ethan Li
> Priority: Minor
>
> When hadoop security is enabled,
> https://github.com/apache/storm/blob/master/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java#L199-L209
> AutoTGT will invoke "loginUserFromSubject", and it will spawn a TGT renewal
> thread ("TGT Renewer for <username>").
> https://github.com/apache/hadoop/blob/branch-2.8.5/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L928-L957
> which will eventually invoke system command "kinit -R", and then fail with
> the exception
> {code:java}
> org.apache.hadoop.util.Shell$ExitCodeException: kinit: Credentials cache file '/tmp/krb5cc_xxx' not found while renewing credentials
> at org.apache.hadoop.util.Shell.runCommand(Shell.java:1004) ~[stormjar.jar:?]
> at org.apache.hadoop.util.Shell.run(Shell.java:898) ~[stormjar.jar:?]
> at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:1213) ~[stormjar.jar:?]
> at org.apache.hadoop.util.Shell.execCommand(Shell.java:1307) ~[stormjar.jar:?]
> at org.apache.hadoop.util.Shell.execCommand(Shell.java:1289) ~[stormjar.jar:?]
> at org.apache.hadoop.security.UserGroupInformation$1.run(UserGroupInformation.java:1011) [stormjar.jar:?]
> at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
> {code}
> "kinit" will never work from the worker process since Storm doesn't keep the TGT in
> the local cache. Instead, the TGT is saved in ZooKeeper and in the memory of the Worker
> process.
> This exception is confusing but not harmful to topologies. And the TGT
> renewal thread will eventually abort.
> It's better to find a real solution for it. But for now we can document what
> might happen in the AutoTGT code.
> To be clear, we still need loginUserFromSubject or something of the sort, but we don't
> want to spawn the TGT renewal thread. This was found with hadoop-2.8.5. Other
> versions are similar. But it can also change in a future release.