Bob Wen created KAFKA-9908:
------------------------------

             Summary: Kafka client always trying "kinit -R" even the 
ticketCache has been renewed by external
                 Key: KAFKA-9908
                 URL: https://issues.apache.org/jira/browse/KAFKA-9908
             Project: Kafka
          Issue Type: Bug
          Components: clients
    Affects Versions: 2.3.1
         Environment: Linux, container-based application that doesn't have 
/usr/bin/kinit in the image. The Kerberos ticket cache is a file mounted to the 
file system and shared by multiple Kerberos clients. The ticket cache is managed 
and renewed by other containers from time to time.
            Reporter: Bob Wen


When using the Kerberos ticketCache, the Kafka refreshing thread gets the 
expiry time from the initial ticketCache and sleeps until it is time to renew. 
It then wakes up and immediately tries to renew with "kinit -R". The problem is 
that many systems now manage the ticketCache outside of the Kafka client, and 
the ticketCache has already been renewed (while the refresh thread was 
sleeping). What's more, many container-based applications may not provide 
/usr/bin/kinit in their images. In this case, the refreshing thread will error 
out and exit, so even though the ticketCache is still valid and has been 
renewed externally, the Kafka client will still lose the connection.

 

The code logic is between lines #194 and #213 of the link below:

[https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java]

I found this bug in the 2.3.1 Kafka client, but from the latest code logic 
above, it should be an issue for other versions too.

 

Workaround: my current workaround is to mock a kinit command for the Kafka 
client, e.g. passing /usr/bin/echo to sasl.kerberos.kinit.cmd to avoid the issue.

 

Suggestion: when the refreshing thread wakes up from sleeping, it needs to 
double-check the TGT and expiry time again; if the expiry time has already been 
extended (for example, externally), the kinit should be skipped and the thread 
should jump directly to re-login.

 

Thanks,

Bob



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
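
The re-check proposed under "Suggestion" above, sketched in Java as an added example; it is not code from the report or from Kafka's KerberosLogin. The class, the KinitRunner interface, the one-minute margin and the timestamps are hypothetical, and the ticket cache is modeled as a supplier of the current TGT expiry time.

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

// Added illustration of the re-check suggested in KAFKA-9908; not Kafka's KerberosLogin code.
// TicketRefreshSketch, KinitRunner and MIN_REMAINING are hypothetical names.
public class TicketRefreshSketch {
    interface KinitRunner { void renew() throws IOException; }    // stands in for running "kinit -R"

    static final Duration MIN_REMAINING = Duration.ofMinutes(1);  // assumed safety margin

    /** One wake-up of the refresh thread. Throws if kinit was needed and could not run. */
    static String onWake(Instant expiryBeforeSleep, Supplier<Instant> ticketCache,
                         Instant now, KinitRunner kinit) throws IOException {
        Instant expiryNow = ticketCache.get();   // re-read the cache, do not trust the old value
        boolean renewedExternally = expiryNow.isAfter(expiryBeforeSleep)
                && expiryNow.isAfter(now.plus(MIN_REMAINING));
        if (renewedExternally) {
            return "relogin-only";               // skip kinit, go straight to re-login
        }
        kinit.renew();                           // ticket really is stale: renew it ourselves
        return "kinit-then-relogin";
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2020-01-01T00:00:00Z");       // constructed timestamps
        Instant oldExpiry = t0.plus(Duration.ofHours(10));
        Instant wake = t0.plus(Duration.ofHours(8));
        // Image without /usr/bin/kinit: any attempt to run it fails.
        KinitRunner missingKinit = () -> {
            throw new IOException("Cannot run program \"/usr/bin/kinit\"");
        };
        try {
            // Case 1: another container renewed the cache while the thread slept.
            Instant renewed = wake.plus(Duration.ofHours(10));
            System.out.println(onWake(oldExpiry, () -> renewed, wake, missingKinit));
            // Case 2: nobody renewed it, so kinit is still required and its failure surfaces.
            System.out.println(onWake(oldExpiry, () -> oldExpiry, wake, missingKinit));
        } catch (IOException e) {
            System.out.println("kinit needed but failed: " + e.getMessage());
        }
    }
}
```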
