[ https://issues.apache.org/jira/browse/RANGER-3612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bhavik Patel reassigned RANGER-3612:
------------------------------------

    Assignee: kirby zhou

> KMS should either Die or Auto-Recover when its ranger-agent auth to KDC failed
> ------------------------------------------------------------------------------
>
>                 Key: RANGER-3612
>                 URL: https://issues.apache.org/jira/browse/RANGER-3612
>             Project: Ranger
>          Issue Type: Bug
>          Components: kms, plugins
>    Affects Versions: 3.0.0, 2.2.0
>            Reporter: kirby zhou
>            Assignee: kirby zhou
>            Priority: Major
>
> If we install the ranger agent to KMS, the agent would auth itself to KDC at
> startup. But if it failed, it just prints a log in ranger-kms-<hostname>.log,
> and the KMS can never recover to refresh its policies.
> {code:java}
> ]$ tail -f log/ranger-kms-ranger_kms-.log | fgrep ERROR
> 2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab and principal
> {code}
> {code:java}
> package org.apache.ranger.authorization.kms.authorizer;
> public class RangerKmsAuthorizer implements Runnable, KeyACLs {
>   RangerKmsAuthorizer(Configuration conf) {
>     authWithKerberos(conf);
>   }
>   private void authWithKerberos(Configuration conf) {
>     MiscUtil.authWithKerberos(keytab, principal, nameRules);
>   }
> }
> package org.apache.ranger.audit.provider;
> public class MiscUtil {
>   public static void authWithKerberos(...) {
>     try {
>       {
>         UserGroupInformation ugi = UserGroupInformation
>             .loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
>         MiscUtil.setUGILoginUser(ugi, null);
>       }
>     } catch (Throwable t) {
>       logger.error("Failed to login with given keytab and principal", t);
>     }
>   }
> }
> {code}
>
> There seems to be only one chance for the plugin to auth to KDC, so it cannot
> auto-recover.
> And MiscUtil.authWithKerberos never fails when auth failed, so KMS would not
> die when the plugin failed.
> This situation is too unfriendly to administrators. It should be fixed.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
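
An added example, not part of the Jira issue or of Ranger's code: one way to get the "die or auto-recover" behaviour the report asks for, instead of logging the login failure and continuing. `KerberosLoginGuard`, `KerberosLogin` and `loginOrFail` are hypothetical names, and the login call is a simulated stand-in so the example runs without Hadoop or a KDC.

```java
import java.io.IOException;

// Added illustration; KerberosLoginGuard, KerberosLogin and loginOrFail are hypothetical names.
public class KerberosLoginGuard {

    /** Stand-in for the real keytab login call, so the example runs without Hadoop. */
    interface KerberosLogin {
        void login() throws IOException;
    }

    /**
     * Retries the login with exponential backoff (auto-recover). If every attempt
     * fails it throws, so service startup aborts instead of continuing (die).
     * Returns the number of the attempt that succeeded.
     */
    static int loginOrFail(KerberosLogin login, int maxAttempts, long delayMs)
            throws InterruptedException {
        IOException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                login.login();
                return attempt;
            } catch (IOException e) {
                last = e;
                System.err.printf("Kerberos login attempt %d/%d failed: %s%n",
                        attempt, maxAttempts, e.getMessage());
                if (attempt < maxAttempts) {
                    Thread.sleep(delayMs);
                    delayMs = Math.min(delayMs * 2, 60_000L); // cap the backoff
                }
            }
        }
        throw new IllegalStateException(
                "Kerberos login failed after " + maxAttempts + " attempts", last);
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: the KDC is unreachable for the first two attempts.
        int[] calls = {0};
        KerberosLogin flaky = () -> {
            if (++calls[0] < 3) throw new IOException("KDC unreachable (simulated)");
        };
        System.out.println("logged in on attempt " + loginOrFail(flaky, 5, 100));

        // Constructed scenario: a bad keytab never succeeds, so startup must abort.
        KerberosLogin broken = () -> { throw new IOException("bad keytab (simulated)"); };
        loginOrFail(broken, 3, 100); // throws IllegalStateException; JVM exits non-zero
    }
}
```

Because the failure propagates as an exception rather than being swallowed by a catch-all, a process supervisor or health check sees the service as down instead of running with policies it can never refresh.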