[ https://issues.apache.org/jira/browse/ATLAS-2548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16607818#comment-16607818 ]
Madhan Neethiraj commented on ATLAS-2548:
-----------------------------------------

[~sailajanch] - thanks for the patch. Atlas team uses Review Board for code-review. Can you please create a review with your patch? It will make it a lot easier to review and comment.

Here are a few comments:

{noformat} + private static final boolean IBM_JAVA = System.getProperty("java.vendor").contains("IBM"); + private static final String IBM_LOGIN_MODULE = "com.ibm.security.auth.module.Krb5LoginModule"; ... - String loginModuleName = properties.getProperty(keyParam); + + String loginModuleName; + if (IBM_JAVA) + loginModuleName = IBM_LOGIN_MODULE; + else + loginModuleName = properties.getProperty(keyParam); {noformat}

Instead of overwriting loginModuleName, why not update the Atlas configuration (in file atlas-application.properties) with correct login module name?

{noformat} + /** + * IBM JDK's Krb5LoginModule security module accepts only certain JAAS configuration parameters. + * Filtering those out appropriately. + */ ... + if (IBM_JAVA) { + options.put(JAAS_CREDSTYPE_PROP, JAAS_CREDSTYPE_VALUE); + } + {noformat}

Again, I think it will be clearer to update Atlas configuration file to remove/add necessary options. No code change should be necessary here. Please let me know if you run into any issues with this approach.

> Use of IBM JDK results in kafka login exceptions in a kerberized environment
> ----------------------------------------------------------------------------
>
> Key: ATLAS-2548
> URL: https://issues.apache.org/jira/browse/ATLAS-2548
> Project: Atlas
> Issue Type: Bug
> Components: atlas-intg
> Affects Versions: 0.8-incubating
> Reporter: Sailaja Navvluru
> Priority: Major
> Labels: security
> Attachments: InMemoryJAASConfiguration.java.patch
>
>
> Our product uses IBM JDK while interacting with hive metastore directly to create metadata.
> When Atlas-Hive hook is enabled in kerberized environment, our application logs are filled with the following errors as the Kerberos login module is not found in the path specified by atlas application properties file. IBM JDK has some more restrictions on Kerberos support where some of the options supported by sun JDK are not available.
> ERROR - Failed to notify atlas for entity [[{Id='(type: hive_db, id: <unassigned>)', traits=[], values={owner=bigsql, ownerType=1, qualifiedName=tpcdsorc1000@bigsql502
> org.apache.kafka.common.KafkaException: Failed to construct kafka producer
>     at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:338)
>     at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:188)
>     at org.apache.atlas.kafka.KafkaNotification.createProducer(KafkaNotification.java:289)
>     at org.apache.atlas.kafka.KafkaNotification.sendInternal(KafkaNotification.java:210)
>     at org.apache.atlas.notification.AbstractNotification.send(AbstractNotification.java:84)
>     at org.apache.atlas.hook.AtlasHook.notifyEntitiesInternal(AtlasHook.java:133)
>     at org.apache.atlas.hook.AtlasHook.notifyEntities(AtlasHook.java:118)
>     at org.apache.atlas.hook.AtlasHook.notifyEntities(AtlasHook.java:171)
>     at org.apache.atlas.hive.hook.HiveHook.access$300(HiveHook.java:83)
>     at org.apache.atlas.hive.hook.HiveHook$3.run(HiveHook.java:221)
>     at java.security.AccessController.doPrivileged(AccessController.java:686)
>     at javax.security.auth.Subject.doAs(Subject.java:569)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
>     at org.apache.atlas.hive.hook.HiveHook.notifyAsPrivilegedAction(HiveHook.java:233)
>     at org.apache.atlas.hive.hook.HiveHook$2.run(HiveHook.java:203)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:277)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at java.lang.Thread.run(Thread.java:785)
> Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule
>     at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:86)
>     at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:71)
>     at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:85)
>     at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:302)
>     ... 19 more
> Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule
> Attaching a patch to the defect we have tested to support IBM JDK and Kerberos on 0.8 level of Atlas

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
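
Review bot: In the first quoted hunk, the `if (IBM_JAVA)` branch assigns IBM_LOGIN_MODULE unconditionally, so on an IBM JVM the login module configured under keyParam is ignored even when it is not a Kerberos module at all. If the override stays in code, restrict it to the case where the configured value is com.sun.security.auth.module.Krb5LoginModule (the class named in the LoginException in the issue description), log the substitution, and otherwise keep `properties.getProperty(keyParam)` as before. The unbraced if/else should also get braces.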
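
Review bot: In the second quoted hunk, `options.put(JAAS_CREDSTYPE_PROP, JAAS_CREDSTYPE_VALUE)` inside the `if (IBM_JAVA)` block replaces any value already present in options for that key, and it is conditioned only on the JVM vendor, not on which login module the entry uses. Set it only when the key is absent and the entry's login module is the IBM Krb5LoginModule, so that an explicit setting in the configuration wins. The Javadoc states that the IBM module accepts only certain parameters; it should name which ones are kept and which are dropped.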