Z1Wu opened a new issue, #7153: URL: https://github.com/apache/kyuubi/issues/7153
### Code of Conduct - [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) ### Search before asking - [x] I have searched in the [issues](https://github.com/apache/kyuubi/issues?q=is%3Aissue) and found no similar issues. ### Describe the bug There are lots of nested Jass Configuration in heapdump. <img width="1636" height="687" alt="Image" src="https://github.com/user-attachments/assets/8df3f168-8f6e-4ea7-afd5-b8ac36a86323"; /> Server heap keeps increasing. <img width="1114" height="256" alt="Image" src="https://github.com/user-attachments/assets/a7e6d920-2d87-4b95-a93c-b7e5f9e87b7f"; /> When invoking `org.apache.kyuubi.ha.client.DiscoveryClientProvider$#withDiscoveryClient` , a new zookeeper client will be created with `JaasConf` whose `baseConfig` refers to previous-created JassConf. ``` scala def setupZkAuth(): Unit = (conf.get(HA_ZK_AUTH_PRINCIPAL), getKeyTabFile(conf)) match { case (Some(principal), Some(keytab)) if UserGroupInformation.isSecurityEnabled => if (!new File(keytab).exists()) { throw new IOException(s"${HA_ZK_AUTH_KEYTAB.key}: $keytab does not exists") } System.setProperty("zookeeper.sasl.clientconfig", "KyuubiZooKeeperClient") conf.get(HA_ZK_AUTH_SERVER_PRINCIPAL).foreach { zkServerPrincipal => // ZOOKEEPER-1467 allows configuring SPN in client System.setProperty("zookeeper.server.principal", zkServerPrincipal) } val zkClientPrincipal = KyuubiHadoopUtils.getServerPrincipal(principal) // HDFS-16591 makes breaking change on JaasConfiguration val jaasConf = DynConstructors.builder() .impl( // Hadoop 3.3.5 and above "org.apache.hadoop.security.authentication.util.JaasConfiguration", classOf[String], classOf[String], classOf[String]) .impl( // Hadoop 3.3.4 and previous // scalastyle:off "org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager$JaasConfiguration", // scalastyle:on classOf[String], classOf[String], classOf[String]) .build[Configuration]() .newInstance("KyuubiZooKeeperClient", zkClientPrincipal, keytab) // This line result in that this jaasConf of next created JaasConfiguration Configuration.setConfiguration(jaasConf) case _ => } ``` As we can see in `org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider.JaasConfiguration` ``` java // org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider.JaasConfiguration @InterfaceAudience.Private public static class JaasConfiguration extends Configuration { private final javax.security.auth.login.Configuration baseConfig = javax.security.auth.login.Configuration.getConfiguration(); .... } ``` A sample thread stack looks like this ``` - org.apache.kyuubi.ha.client.zookeeper.ZookeeperClientProvider$.setupZkAuth$1(ZookeeperClientProvider.scala:161) - org.apache.kyuubi.ha.client.zookeeper.ZookeeperClientProvider$.setUpZooKeeperAuth(ZookeeperClientProvider.scala:169) - org.apache.kyuubi.ha.client.zookeeper.ZookeeperClientProvider$.buildZookeeperClient(ZookeeperClientProvider.scala:49) - org.apache.kyuubi.ha.client.zookeeper.ZookeeperDiscoveryClient.<init>(ZookeeperDiscoveryClient.scala:51) - java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) - java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) - java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) - java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) - java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:481) - org.apache.kyuubi.util.reflect.DynConstructors$Ctor.newInstanceChecked(DynConstructors.java:54) - org.apache.kyuubi.util.reflect.DynConstructors$Ctor.newInstance(DynConstructors.java:71) - org.apache.kyuubi.util.ClassUtils$.createInstance(ClassUtils.scala:41) - org.apache.kyuubi.ha.client.DiscoveryClientProvider$.createDiscoveryClient(DiscoveryClientProvider.scala:52) - org.apache.kyuubi.ha.client.DiscoveryClientProvider$.withDiscoveryClient(DiscoveryClientProvider.scala:33) - org.apache.kyuubi.session.KyuubiSessionImpl.$anonfun$openEngineSession$1(KyuubiSessionImpl.scala:134) - org.apache.kyuubi.session.KyuubiSession.handleSessionException(KyuubiSession.scala:49) - org.apache.kyuubi.session.KyuubiSessionImpl.openEngineSession(KyuubiSessionImpl.scala:134) - org.apache.kyuubi.operation.LaunchEngine.$anonfun$runInternal$1(LaunchEngine.scala:60) - java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) - java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) - java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) - java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) - java.base/java.lang.Thread.run(Thread.java:840) ``` ### Affects Version(s) master ### Kyuubi Server Log Output ```logtalk ``` ### Kyuubi Engine Log Output ```logtalk ``` ### Kyuubi Server Configurations ```yaml ``` ### Kyuubi Engine Configurations ```yaml ``` ### Additional context _No response_ ### Are you willing to submit PR? - [x] Yes. I would be willing to submit a PR with guidance from the Kyuubi community to fix. - [ ] No. I cannot submit a PR at this time. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
