> On April 8, 2022, 6:12 a.m., bhavik patel wrote:
> > Does your patch support auto recovery when the KDC is down for some time?
> 
> Kirby Zhou wrote:
>     If the KDC is up at startup and then down for some time, this situation is already supported by the old code.
>     
>     My patch is to let KMS quit directly if it can't connect to the KDC or fails to authenticate during the startup phase.

Any idea?


- Kirby


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73841/#review224272
-----------------------------------------------------------


On March 2, 2022, 3:51 a.m., Kirby Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73841/
> -----------------------------------------------------------
> 
> (Updated March 2, 2022, 3:51 a.m.)
> 
> 
> Review request for ranger, Bhavik Bavishi, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen 
> Mansoori, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, VaradreawiZTV 
> VaradreawiZTV, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3612
>     https://issues.apache.org/jira/browse/RANGER-3612
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> If we install the Ranger agent in KMS, the agent auths itself to the KDC at 
> startup. But if that fails due to a network or keytab problem, it just prints a 
> log message in ranger-kms-<hostname>.log, and the KMS can never recover to refresh 
> its policies.
> 
> ]$ tail -f log/ranger-kms-ranger_kms-.log  | fgrep ERROR 
> 2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab 
> and principal
> 
> There seems to be only one chance for the plugin to auth to the KDC, so it cannot 
> auto recover.
> And MiscUtil.authWithKerberos never fails when auth fails, so KMS does not 
> die when the plugin fails.
> 
> This situation is too unfriendly to administrators. 
> KMS should either die or auto-recover when its ranger-agent auth to the KDC 
> fails.
> 
> My patch here is to let it die on startup. Auto recovery is only useful when the 
> KDC is temporarily unavailable.
> 
> 
> Diffs
> -----
> 
>   agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b69e27693 
>   plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 799eb322c 
>   ranger-kms-plugin-shim/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 7fa36ce79 
> 
> 
> Diff: https://reviews.apache.org/r/73841/diff/1/
> 
> 
> Testing
> -------
> 
> mvn clean compile package test
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>
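
The fail-at-startup behaviour described in the review request, as an added example that is not part of this thread or of the Ranger patch: it uses the JDK's JAAS `Krb5LoginModule` directly rather than Ranger's `MiscUtil`, and exits non-zero when the keytab login fails instead of only logging. The class name, principal and keytab path are hypothetical placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical startup guard (assumption for illustration; not Ranger code). */
public class StartupKerberosCheck {

    /** Logs in from a keytab via the JDK's Krb5LoginModule; throws on any failure. */
    static Subject loginOrThrow(String principal, String keytab) throws LoginException {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true"); // never fall back to an interactive prompt
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
        LoginContext ctx = new LoginContext("startup-check", new Subject(), null, conf);
        ctx.login(); // LoginException on a bad keytab, unreachable KDC, wrong principal
        return ctx.getSubject();
    }

    public static void main(String[] args) {
        // Constructed sample values; pass the service's real principal and keytab as arguments.
        String principal = args.length > 0 ? args[0] : "svc/host.example.com@EXAMPLE.COM";
        String keytab = args.length > 1 ? args[1] : "/nonexistent/placeholder.keytab";
        try {
            Subject s = loginOrThrow(principal, keytab);
            System.out.println("Kerberos login OK: " + s.getPrincipals());
        } catch (LoginException | SecurityException e) {
            // Fail closed: a log line alone would leave the service up without policy refresh.
            System.err.println("FATAL: startup Kerberos login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run with no arguments, the placeholder keytab does not exist, so the login throws and the process exits with status 1, which is the outcome a service manager or administrator can act on.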
