Re: [PR] RANGER-5654: Fix Solr audit dispatcher Kerberos TGT relogin (No key to store) via keytab-aware JAAS relogin [ranger]

Tue, 23 Jun 2026 23:52:22 -0700 


mneethiraj commented on code in PR #1030:
URL: https://github.com/apache/ranger/pull/1030#discussion_r3465075569


##########
agents-audit/core/src/main/java/org/apache/ranger/audit/utils/KerberosJAASConfigUser.java:
##########
@@ -60,6 +62,35 @@ public String getPrincipal() {
         return ret;
     }
 
+    /**
+     * Solr/Kafka outbound JAAS clients (audit dispatcher, plugin Solr
+     * destination) use {@code useKeyTab=true}. Opt those principals into
+     * in-place keytab relogin so shipped {@code useTicketCache=true} does not
+     * fail at TGT renewal with {@code "No key to store"}.
+     */
+    @Override
+    protected boolean useKeytabRelogin() {
+        return isJaasOptionTrue(JAAS_USE_KEYTAB);
+    }
+
+    private boolean isJaasOptionTrue(String optionName) {

Review Comment:
   Consider renaming `isJaasOptionTrue(String optionName)` => 
`getBooleanOption(String optionName)`



##########
agents-audit/core/src/main/java/org/apache/ranger/audit/utils/KerberosJAASConfigUser.java:
##########
@@ -60,6 +62,35 @@ public String getPrincipal() {
         return ret;
     }
 
+    /**
+     * Solr/Kafka outbound JAAS clients (audit dispatcher, plugin Solr
+     * destination) use {@code useKeyTab=true}. Opt those principals into
+     * in-place keytab relogin so shipped {@code useTicketCache=true} does not
+     * fail at TGT renewal with {@code "No key to store"}.
+     */
+    @Override
+    protected boolean useKeytabRelogin() {
+        return isJaasOptionTrue(JAAS_USE_KEYTAB);
+    }
+
+    private boolean isJaasOptionTrue(String optionName) {
+        AppConfigurationEntry[] entries = 
config.getAppConfigurationEntry(configName);

Review Comment:
   To be consistent with most of Ranger code base, prefer a single `return` 
statement per method:
   
   ```
   boolean                 ret     = false;
   AppConfigurationEntry[] entries = 
config.getAppConfigurationEntry(configName);
   
   if (entries != null) {
     for (AppConfigurationEntry entry : entries) {
       Object value = entry.getOptions().get(optionName);
   
       if (value != null && Boolean.parseBoolean(value.toString())) {
         ret = true;
   
         break;
       }
     }
   
     return ret;
   }
   
   ```



##########
agents-audit/core/src/main/java/org/apache/ranger/audit/utils/KerberosJAASConfigUser.java:
##########
@@ -60,6 +62,35 @@ public String getPrincipal() {
         return ret;
     }
 
+    /**
+     * Solr/Kafka outbound JAAS clients (audit dispatcher, plugin Solr
+     * destination) use {@code useKeyTab=true}. Opt those principals into
+     * in-place keytab relogin so shipped {@code useTicketCache=true} does not
+     * fail at TGT renewal with {@code "No key to store"}.
+     */
+    @Override
+    protected boolean useKeytabRelogin() {
+        return isJaasOptionTrue(JAAS_USE_KEYTAB);

Review Comment:
   Instead of iterating through config entries during every call, consider 
computing the value in the constructor.
   
   ```
   public class KerberosJAASConfigUser extends AbstractKerberosUser {
     ...
   
     private final boolean optionUseKeyTab;
   
     public KerberosJAASConfigUser(final String configName, final Configuration 
config) {
       this.configName      = configName;
       this.config          = config;
       this.optionUseKeyTab = getBooleanOption(JAAS_USE_KEYTAB);
     }
   
     ...
   
     @Override
     protected boolean useKeytabRelogin() {
       return optionUseKeyTab;
     }
   
     ...
   }
     
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to