This is an automated email from the ASF dual-hosted git repository. kxiao pushed a commit to branch branch-2.0 in repository https://gitbox.apache.org/repos/asf/doris.git
commit 3d308be6c6399f203d664d64cde8118820b4c03b Author: Xiangyu Wang <[email protected]> AuthorDate: Sun Sep 17 00:05:07 2023 +0800 [Fix](kerberos) Fix kerberos relogin bugs when using hdfs-load. (#24490) --- .../apache/doris/fs/remote/dfs/DFSFileSystem.java | 66 +++++++++++----------- 1 file changed, 32 insertions(+), 34 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/fs/remote/dfs/DFSFileSystem.java b/fe/fe-core/src/main/java/org/apache/doris/fs/remote/dfs/DFSFileSystem.java index ce297ce920..79c83b8089 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/fs/remote/dfs/DFSFileSystem.java +++ b/fe/fe-core/src/main/java/org/apache/doris/fs/remote/dfs/DFSFileSystem.java @@ -82,47 +82,45 @@ public class DFSFileSystem extends RemoteFileSystem { conf.set(propEntry.getKey(), propEntry.getValue()); } - boolean hasRelogin = false; - UserGroupInformation ugi; + UserGroupInformation ugi = login(conf); try { - // try use current ugi first to avoid relogin - // because it may be a time-consuming task - ugi = UserGroupInformation.getCurrentUser(); - } catch (IOException e) { - LOG.warn("An IOException occurs when invoke " - + "UserGroupInformation.getCurrentUser(), relogin immediately.", e); - ugi = doLogin(conf); - hasRelogin = true; + dfsFileSystem = ugi.doAs((PrivilegedAction<FileSystem>) () -> { + try { + return FileSystem.get(new Path(remotePath).toUri(), conf); + } catch (IOException e) { + throw new RuntimeException(e); + } + }); + } catch (SecurityException e) { + throw new UserException(e); } - do { + Preconditions.checkNotNull(dfsFileSystem); + operations = new HDFSFileOperations(dfsFileSystem); + return dfsFileSystem; + } + + private UserGroupInformation login(Configuration conf) throws UserException { + if (AuthType.KERBEROS.getDesc().equals( + conf.get(HdfsResource.HADOOP_SECURITY_AUTHENTICATION, null))) { try { - dfsFileSystem = ugi.doAs((PrivilegedAction<FileSystem>) () -> { - try { - String username = properties.get(HdfsResource.HADOOP_USER_NAME); - return username == null - ? FileSystem.get(new Path(remotePath).toUri(), conf) - : FileSystem.get(new Path(remotePath).toUri(), conf, username); - } catch (IOException | InterruptedException e) { - throw new RuntimeException(e); - } - }); - LOG.debug("Reuse current ugi for dfs, remote path: {}", remotePath); - break; - } catch (SecurityException e) { - LOG.warn("A SecurityException occurs when invoke ugi.doAs(), " - + "relogin and retry immediately.", e); - if (hasRelogin) { - throw new UserException(e); + UserGroupInformation ugi = UserGroupInformation.getLoginUser(); + String principal = conf.get(HdfsResource.HADOOP_KERBEROS_PRINCIPAL); + LOG.debug("Current login user: {}", ugi.getUserName()); + if (ugi.hasKerberosCredentials() && ugi.getUserName().equals(principal)) { + // if the current user is logged by kerberos and is the same user + // just use checkTGTAndReloginFromKeytab because this method will only relogin + // when the TGT is expired or is close to expiry + ugi.checkTGTAndReloginFromKeytab(); + return ugi; } - ugi = doLogin(conf); - hasRelogin = true; + } catch (IOException e) { + LOG.warn("A SecurityException occurs with kerberos, do login immediately.", e); + return doLogin(conf); } - } while (true); + } - Preconditions.checkNotNull(dfsFileSystem); - operations = new HDFSFileOperations(dfsFileSystem); - return dfsFileSystem; + return doLogin(conf); } private UserGroupInformation doLogin(Configuration conf) throws UserException { --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
