[
https://issues.apache.org/jira/browse/STORM-4023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Olson updated STORM-4023:
--------------------------------
Description:
In the
[Login|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java]
class, a background thread is started that periodically performs a re-login to
the Kerberos Ticket Granting Server.
For the initial login, a custom Configuration instance is
[created|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L257]
and [supplied to the LoginContext
constructor|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L300]
potentially using a custom JAAS file location.
However, the background refresh thread does not then subsequently provide the
JAAS file location or Configuration to the [reLogin
method|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L222],
so it tries to construct a LoginContext with [just a context name and
subject|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L409]
but no Configuration, which means that the underlying
{{Configuration.getConfiguration()}} call has to load one from [system
defaults|https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/jdk-11%2B28/src/java.base/share/classes/javax/security/auth/login/LoginContext.java#L242].
In our application where this issue was found, we had set
{{java.security.auth.login.config}} as a Storm client property along with other
standard connectivity properties, since the [client
framework|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/KerberosSaslNettyClient.java#L61]
loads it [from the topology
configuration|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/security/auth/ClientAuthUtils.java#L64].
It looks like the server framework [does the
same|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/KerberosSaslNettyServer.java#L55]
as well. The initial login succeeded and the following Storm Nimbus
interactions were successful, but a while later it lost the ability to
communicate with Storm with this error being logged,
{noformat}
ERROR [Refresh-TGT] org.apache.storm.messaging.netty.Login Could not refresh TGT for principal: <REDACTED>
javax.security.auth.login.LoginException: No LoginModules configured for StormClient
    at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:267)
    at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:385)
    at org.apache.storm.messaging.netty.Login.reLogin(Login.java:409)
    at org.apache.storm.messaging.netty.Login$1.run(Login.java:222)
    at java.base/java.lang.Thread.run(Thread.java:829)
{noformat}
It appears that a viable workaround for this issue is to also set the system
property,
{{-Djava.security.auth.login.config=/some/path/jaas.conf}}
for the application. After doing so the background refresh thread was able to
correctly function.
To address this, we should be able to update the {{reLogin}} method to use the
same JAAS configuration.
was:
In the
[Login|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java]
class, a background thread is started that periodically performs a re-login to
the Kerberos Ticket Granting Server.
For the initial login, a custom Configuration instance is
[created|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L257]
and [supplied to the LoginContext
constructor|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L300]
potentially using a custom JAAS file location.
However, the background refresh thread does not then subsequently provide the
JAAS file location or Configuration to the [reLogin
method|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L222],
so it tries to construct a LoginContext with [just a context name and
subject|https://github.com/apache/storm/blob/v2.6.0/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java#L409]
but no Configuration, which means that the underlying
{{Configuration.getConfiguration()}} call has to load one from [system
defaults|https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/jdk-11%2B28/src/java.base/share/classes/javax/security/auth/login/LoginContext.java#L242].
In our application where this issue was found, we had set
{{java.security.auth.login.config}} as a Storm client property along with other
standard connectivity properties. The initial login succeeded and the following
Storm Nimbus interactions were successful, but a while later it lost the
ability to communicate with Storm with this error being logged,
{noformat}
ERROR [Refresh-TGT] org.apache.storm.messaging.netty.Login Could not refresh TGT for principal: <REDACTED>
javax.security.auth.login.LoginException: No LoginModules configured for StormClient
    at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:267)
    at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:385)
    at org.apache.storm.messaging.netty.Login.reLogin(Login.java:409)
    at org.apache.storm.messaging.netty.Login$1.run(Login.java:222)
    at java.base/java.lang.Thread.run(Thread.java:829)
{noformat}
It appears that a viable workaround for this issue is to also set the system
property,
{{-Djava.security.auth.login.config=/some/path/jaas.conf}}
for the application. After doing so the background refresh thread was able to
correctly function.
> Background periodic Kerberos re-login should use same JAAS configuration as
> initial login
> -----------------------------------------------------------------------------------------
>
> Key: STORM-4023
> URL: https://issues.apache.org/jira/browse/STORM-4023
> Project: Apache Storm
> Issue Type: Bug
> Components: storm-client
> Affects Versions: 2.6.0
> Reporter: Andrew Olson
> Priority: Major
> Labels: kerberos
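The failure mode reported in this issue can be reproduced without a KDC. The following is an added example, not code from Apache Storm or from the reporter: the class names `ReLoginConfigDemo` and `NoopLoginModule` are hypothetical, the no-op module stands in for the Kerberos login module, and it assumes the JVM has no system-wide JAAS configuration defining a `StormClient` section.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ReLoginConfigDemo {
    /** Hypothetical stand-in for the Kerberos login module so the demo runs offline. */
    public static class NoopLoginModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Explicit Configuration, playing the role of the one built from a custom JAAS file. */
    static Configuration explicitConfig(String section) {
        AppConfigurationEntry entry = new AppConfigurationEntry(
            NoopLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Map.of());
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return section.equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
    }

    public static void main(String[] args) throws Exception {
        String section = "StormClient";
        Subject subject = new Subject();
        Configuration conf = explicitConfig(section);

        // Initial login: the explicit Configuration is supplied, so the section is found.
        new LoginContext(section, subject, null, conf).login();

        // Re-login without a Configuration: the JVM-wide default is consulted instead.
        try {
            new LoginContext(section, subject).login();
            System.out.println("default config: re-login ok (a system-wide JAAS config exists)");
        } catch (LoginException | SecurityException e) {
            System.out.println("default config: " + e.getMessage());
        }

        // Re-login with the same Configuration as the initial login.
        new LoginContext(section, subject, null, conf).login();
        System.out.println("explicit config: re-login ok");
    }
}
```

For monitoring, the `Refresh-TGT` thread name together with `No LoginModules configured` in client logs is the signal that credential refresh has stopped and the existing ticket will eventually expire.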