Re: [PR] [KYUUBI #7153] Sharing jaas configuration for zookeeper client with same keytab and principal to avoid server oom due to nested jaas configuration [kyuubi]

Wed, 23 Jul 2025 01:37:56 -0700 


Z1Wu commented on PR #7154:
URL: https://github.com/apache/kyuubi/pull/7154#issuecomment-3106528712

    
   When a `LoginContext` is created without explicitly passing a Configuration 
object, the JAAS framework defaults to using the global configuration, which is 
retrieved via `Configuration.getConfiguration()`, for login and authentication.
   
   ``` java
   // javax.security.auth.login.LoginContext#init
   if (config == null) {
       config = java.security.AccessController.doPrivileged
           (new java.security.PrivilegedAction<Configuration>() {
           public Configuration run() {
               return Configuration.getConfiguration();
           }
       });
   }
   ```
   
   The implementation of 
`org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider.JaasConfiguration`
 uses a chained (or nested) baseConfig to ensure that even if a ZooKeeper 
client overwrites the global configuration through 
`Configuration.setConfiguration()`, other services that rely on the global 
configuration can still retrieve their `AppConfigurationEntry` objects.
   
   ``` java
   // org.apache.kyuubi.ha.client.zookeeper.JaasConfiguration
   public static class JaasConfiguration extends Configuration {
   
       private final javax.security.auth.login.Configuration baseConfig =
           javax.security.auth.login.Configuration.getConfiguration();
       @Override
       public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
         return (entryName.equals(name)) ? entry : ((baseConfig != null)
           ? baseConfig.getAppConfigurationEntry(name) : null);
       }
   }
   ```
   
   We can create a `JaasConfiguration` class in Kyuubi to avoid using 
reflection to access the Hadoop class. The implementation logic of Kyuubi's 
`JaasConfiguration` would be very similar to that of Hadoop's.
   
   Please correct me if I have any misunderstandings.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to