[ https://issues.apache.org/jira/browse/STORM-4023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Olson updated STORM-4023:
--------------------------------
    Description: 
In the [Login|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java] class, a background thread is started that periodically performs a re-login to the Kerberos Ticket Granting Server.

For the initial login, a custom Configuration instance is [created|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L257] and [supplied to the LoginContext constructor|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L300] potentially using a custom JAAS file location.

However, the background refresh thread does not then subsequently provide the JAAS file location or Configuration to the [reLogin method|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L222], so it tries to construct a LoginContext with [just a context name and subject|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L409] but no Configuration, which means that the underlying {{Configuration.getConfiguration()}} call has to load one from [system defaults|https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/jdk-11%2B28/src/java.base/share/classes/javax/security/auth/login/LoginContext.java#L242].

In our application where this issue was found, we had set {{java.security.auth.login.config}} as a Storm client property along with other standard connectivity properties, since the [client framework|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/KerberosSaslNettyClient.java#L61] loads it [from the topology configuration|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/security/auth/ClientAuthUtils.java#L64]. It looks like the server framework [does the same|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/KerberosSaslNettyServer.java#L55] as well. The initial login succeeded and the following Storm Nimbus interactions were successful, but a while later it lost the ability to communicate with Storm with this error being logged,

{noformat}
ERROR [Refresh-TGT] org.apache.storm.messaging.netty.Login Could not refresh TGT for principal: <REDACTED>
javax.security.auth.login.LoginException: No LoginModules configured for StormClient
	at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:267)
	at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:385)
	at org.apache.storm.messaging.netty.Login.reLogin(Login.java:409)
	at org.apache.storm.messaging.netty.Login$1.run(Login.java:222)
	at java.base/java.lang.Thread.run(Thread.java:829)
{noformat}

It appears that a viable workaround for this issue is to also set the system property,

{{-Djava.security.auth.login.config=/some/path/jaas.conf}}

for the application. After doing so the background refresh thread was able to correctly function.

To address this, we should be able to update the {{reLogin}} method to use the same JAAS configuration.

  was:
In the [Login|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java] class, a background thread is started that periodically performs a re-login to the Kerberos Ticket Granting Server.

For the initial login, a custom Configuration instance is [created|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L257] and [supplied to the LoginContext constructor|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L300] potentially using a custom JAAS file location.

However, the background refresh thread does not then subsequently provide the JAAS file location or Configuration to the [reLogin method|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L222], so it tries to construct a LoginContext with [just a context name and subject|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L409] but no Configuration, which means that the underlying {{Configuration.getConfiguration()}} call has to load one from [system defaults|https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/jdk-11%2B28/src/java.base/share/classes/javax/security/auth/login/LoginContext.java#L242].

In our application where this issue was found, we had set {{java.security.auth.login.config}} as a Storm client property along with other standard connectivity properties. The initial login succeeded and the following Storm Nimbus interactions were successful, but a while later it lost the ability to communicate with Storm with this error being logged,

{noformat}
ERROR [Refresh-TGT] org.apache.storm.messaging.netty.Login Could not refresh TGT for principal: <REDACTED>
javax.security.auth.login.LoginException: No LoginModules configured for StormClient
	at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:267)
	at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:385)
	at org.apache.storm.messaging.netty.Login.reLogin(Login.java:409)
	at org.apache.storm.messaging.netty.Login$1.run(Login.java:222)
	at java.base/java.lang.Thread.run(Thread.java:829)
{noformat}

It appears that a viable workaround for this issue is to also set the system property,

{{-Djava.security.auth.login.config=/some/path/jaas.conf}}

for the application. After doing so the background refresh thread was able to correctly function.

> Background periodic Kerberos re-login should use same JAAS configuration as initial login
> -----------------------------------------------------------------------------------------
>
>                 Key: STORM-4023
>                 URL: https://issues.apache.org/jira/browse/STORM-4023
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-client
>    Affects Versions: 2.6.0
>            Reporter: Andrew Olson
>            Priority: Major
>              Labels: kerberos
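
The constructor difference this issue describes, as an added example that is not part of the Jira message or Storm's own code: the two-argument `LoginContext` constructor resolves the `StormClient` entry through `Configuration.getConfiguration()`, while the four-argument form uses the `Configuration` object passed to it. The class name, helper names, keytab path and principal are constructed for illustration, and the in-memory `Configuration` stands in for one parsed from a custom JAAS file.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class ReLoginConfigDemo {
    static final String CONTEXT = "StormClient";

    // In-memory stand-in for a Configuration built from a custom JAAS file.
    // The option values are constructed samples; no KDC is contacted here.
    static Configuration customConfig() {
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            Map.of("useKeyTab", "true", "keyTab", "/some/path/client.keytab",
                   "principal", "client@EXAMPLE.COM"));
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return CONTEXT.equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
    }

    // Name and subject only: the entry is looked up in the JVM-wide default
    // Configuration, which the java.security.auth.login.config system property feeds.
    static LoginContext contextFromSystemDefaults(Subject s) throws LoginException {
        return new LoginContext(CONTEXT, s);
    }

    // Explicit Configuration: the entry is looked up in the supplied object.
    static LoginContext contextFromConfig(Subject s, Configuration c) throws LoginException {
        return new LoginContext(CONTEXT, s, null, c);
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        Configuration config = customConfig();
        try {
            contextFromSystemDefaults(subject);
            System.out.println("system defaults define an entry usable for " + CONTEXT);
        } catch (LoginException | SecurityException e) {
            System.out.println("without Configuration: " + e.getMessage());
        }
        contextFromConfig(subject, config);
        System.out.println("with the initial Configuration: LoginContext created");
    }
}
```

Only the constructors are exercised, since the exception in the logged stack trace is raised from `LoginContext.init` during construction, before any login module runs.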